Building an NCA-Compliant SOC — Tools, Staffing, Runbooks
NCA FRAMEWORKS


SKYLINE Knowledge Base

A practitioner-grade walk-through of Building an NCA-Compliant SOC — Tools, Staffing, Runbooks. Scope, controls, implementation phases and audit-ready evidence — with sample policies and configs you can adapt for NCA Frameworks.

Overview

ECC 2-10 (log management) and 2-11 (incident management), together with the CSCC 24/7 requirement, mean every critical-sector entity in KSA must operate a real Security Operations Centre — not a vague "we have Splunk". This guide is the practitioner's blueprint: tools, staffing, run-books and metrics that map directly onto NCA's audit questions.

Who this applies to

  • Critical-sector entities (mandatory 24/7).
  • ECC-bound entities (minimum business-hours SOC with documented after-hours escalation).
  • Cloud-native services that store Restricted data.

The stack

An NCA-defensible SOC needs at minimum:

  1. SIEM for log aggregation, correlation, dashboarding.
  2. EDR on every endpoint.
  3. NDR / NIDS for east-west traffic.
  4. SOAR for automated response.
  5. Threat intelligence platform for IoC enrichment.
  6. Case management that ties tickets to evidence.
  7. Asset CMDB that the SIEM enriches against.

Open-source reference stack

┌────────────────────────────────────────────┐
│ Wazuh manager (SIEM + EDR + FIM + SCA)     │
│  ↘ rules / decoders                        │
│ Filebeat → Logstash → OpenSearch (storage) │
│ Suricata (NIDS) → Wazuh                    │
│ Zeek (deep flow logs) → Wazuh              │
│ MISP (TI) → Wazuh integration              │
│ TheHive + Cortex (case + analyzers)        │
│ Shuffle (SOAR)                             │
└────────────────────────────────────────────┘

If budget allows, a paid stack (Splunk + CrowdStrike + Vectra + XSOAR) reduces engineering effort but adds licence cost.

Step 1: Log sources to onboard

In order of value:

  1. AD domain controllers — security event log, every authentication.
  2. VPN / ZTNA — every session.
  3. Email gateway — every inbound/outbound.
  4. Firewalls — drops and accepts at the perimeter.
  5. EDR — process tree, network connections.
  6. DNS — every query.
  7. Cloud control planes — CloudTrail / Activity Log / Audit Log.
  8. Critical application logs — POS, ERP, banking core.
  9. PAM / vault — every privileged session.
  10. Database audit logs.

Step 2: Detection content

Aim for the MITRE ATT&CK coverage NCA expects: at minimum every Tactic, with detections for at least the top 10 techniques per Tactic. Sample Wazuh rule for the Initial-Access "external remote services" technique:

<group name="nca_ecc,initial_access,mitre_t1133">
  <!-- 60106 is the stock Wazuh "Windows logon success" rule; this child rule narrows it -->
  <rule id="200001" level="12">
    <if_sid>60106</if_sid>
    <description>Successful RDP from external IP outside KSA</description>
    <!-- Windows eventchannel fields are decoded under win.system / win.eventdata -->
    <field name="win.system.eventID">^4624$</field>
    <!-- logon type 10 = RemoteInteractive (RDP) -->
    <field name="win.eventdata.logonType">^10$</field>
    <!-- exclusion is expressed with negate="yes"; a leading "!" inside the pattern is not negation -->
    <field name="win.eventdata.ipAddress" negate="yes">^10\.|^172\.16\.|^192\.168\.|^2\.88\.</field>
    <mitre>
      <id>T1133</id>
    </mitre>
    <group>authentication,nca_ecc_2_11_1,initial_access</group>
  </rule>
</group>
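The Step 2 target (every Tactic covered) is only auditable if coverage is measured from the rule files themselves. The script below is an added example, not the article's or Wazuh's own code: it parses the `<mitre><id>` tags out of a constructed Wazuh rules fragment and reports per-Tactic coverage against a constructed, deliberately small Tactic-to-technique map (a real deployment would load the full ATT&CK STIX bundle).

```python
"""Added example (not from the SKYLINE article): measure MITRE ATT&CK Tactic
coverage from Wazuh rule XML, the Step 2 target and the Step 5 coverage KPI.
The rules and the Tactic map below are constructed, deliberately small samples."""
import xml.etree.ElementTree as ET
# Constructed sample of a Wazuh rules file (real files hold many <group> roots).
SAMPLE_RULES = """
<group name="nca_ecc,initial_access,mitre_t1133">
  <rule id="200001" level="12">
    <description>Successful RDP from external IP</description>
    <mitre><id>T1133</id></mitre>
  </rule>
  <rule id="200002" level="10">
    <description>Valid account used for SMB lateral movement</description>
    <mitre><id>T1078</id><id>T1021.002</id></mitre>
  </rule>
</group>
<group name="command_and_control">
  <rule id="200010" level="12">
    <description>Possible DNS tunnelling</description>
    <mitre><id>T1071.004</id></mitre>
  </rule>
</group>
"""
# Constructed subset of the ATT&CK Tactic -> technique map (a real deployment
# loads the full ATT&CK STIX bundle). Sub-techniques roll up to the parent ID.
TACTIC_MAP = {
    "Initial Access": {"T1133", "T1078", "T1566", "T1190"},
    "Lateral Movement": {"T1021", "T1078", "T1550"},
    "Command and Control": {"T1071", "T1105", "T1572"},
    "Exfiltration": {"T1048", "T1041", "T1567"},
}

def techniques_in_rules(xml_text):
    """Parent technique IDs referenced by <mitre><id> tags. Wazuh rule files are
    XML fragments with several roots, so they are wrapped in a synthetic root."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return {el.text.strip().split(".")[0]            # T1071.004 -> T1071
            for el in root.iter("id") if el.text and el.text.startswith("T")}

def tactic_coverage(techniques, tactic_map=TACTIC_MAP):
    """Per-Tactic (covered, total) counts plus the overall coverage percentage."""
    report = {t: (len(s & techniques), len(s)) for t, s in tactic_map.items()}
    universe = set().union(*tactic_map.values())
    return report, round(100.0 * len(universe & techniques) / len(universe), 1)

if __name__ == "__main__":
    report, pct = tactic_coverage(techniques_in_rules(SAMPLE_RULES))
    for tactic, (c, t) in report.items():
        print(f"{tactic:20s} {c}/{t}" + ("" if c else "  <-- Tactic with no detection"))
    print(f"Overall technique coverage: {pct}%")
```

A Tactic showing 0/n is exactly the gap an assessor will point at; run this against the real ruleset directory and feed the percentage into the Step 5 coverage KPI.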

Step 3: Staffing model

A defensible 24/7 SOC needs ~14 people minimum:

| Role | Count | Shift |
|---|---|---|
| SOC Manager | 1 | Days |
| Tier 1 Analyst | 6 | 24/7 (2 per shift × 3 shifts) |
| Tier 2 Analyst | 3 | Days × 2, Eves × 1 |
| Tier 3 / IR Lead | 1 | On-call rotation |
| Threat Hunter | 1 | Days |
| SIEM Engineer | 1 | Days |
| Detection Engineer | 1 | Days |

Lighter setups (business-hours-only with paid MDR after-hours) are acceptable for non-critical ECC entities, provided the contract is in writing and the MDR provider holds a valid Saudi licence.

Step 4: Run-books

Every alert class needs a run-book. Structure:

RUNBOOK — Suspicious Outbound DNS Tunnelling (T1071.004)
1. Validate alert (correlate with EDR process tree).
2. If process is svchost.exe → triage as suspicious.
3. Pull EDR endpoint to isolation.
4. Collect:
   - DNS query log for the host (last 24h).
   - Network traffic capture (PCAP) for 5 minutes.
   - Running process list.
5. Open ticket in TheHive, attach evidence.
6. Notify Tier 3 if confidence >= medium.
7. Eradication: remove implant, rebuild endpoint if persistence found.
8. Recovery: re-image, restore from gold image.
9. Lessons learned: update detection content within 5 working days.

Step 5: Key performance indicators

NCA assessors will ask for:

  • Mean Time To Detect (MTTD) — target ≤ 15 min for critical alerts.
  • Mean Time To Respond (MTTR) — target ≤ 60 min for critical alerts.
  • False-positive rate per analyst per week.
  • Coverage — percentage of MITRE ATT&CK Techniques with at least one detection.
  • Threat hunting hours per month (target ≥ 40 per hunter).
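MTTD and MTTR only hold up in an audit when they are computed from ticket timestamps rather than estimated. The script below is an added example, not the article's own code: it takes a constructed case-management export (the field names event_time / detected / responded are assumptions), computes MTTD and MTTR per severity, and flags any critical-alert KPI that misses the targets above.

```python
"""Added example (not from the SKYLINE article): compute MTTD / MTTR per
severity from closed-ticket timelines and flag misses against the Step 5
targets. Ticket records and their field names are constructed assumptions."""
from datetime import datetime
from statistics import mean

# Constructed case-management export. event_time = first malicious activity,
# detected = alert raised, responded = containment action taken (all UTC).
TICKETS = [
    {"id": "INC-1", "severity": "critical", "event_time": "2024-03-01T08:00:00",
     "detected": "2024-03-01T08:09:00", "responded": "2024-03-01T08:50:00"},
    {"id": "INC-2", "severity": "critical", "event_time": "2024-03-02T22:10:00",
     "detected": "2024-03-02T22:31:00", "responded": "2024-03-03T00:05:00"},
    {"id": "INC-3", "severity": "high", "event_time": "2024-03-03T11:00:00",
     "detected": "2024-03-03T11:40:00", "responded": "2024-03-03T13:00:00"},
]
# Targets from Step 5 (minutes, critical alerts only).
TARGETS_MIN = {"critical": {"mttd": 15, "mttr": 60}}
FMT = "%Y-%m-%dT%H:%M:%S"

def _minutes(later, earlier):
    return (datetime.strptime(later, FMT) - datetime.strptime(earlier, FMT)).total_seconds() / 60

def kpis_by_severity(tickets):
    """{severity: {"mttd", "mttr", "n"}}. Assumed definitions: time-to-detect is
    event -> detection, time-to-respond is detection -> first containment action."""
    buckets = {}
    for t in tickets:
        b = buckets.setdefault(t["severity"], {"ttd": [], "ttr": []})
        b["ttd"].append(_minutes(t["detected"], t["event_time"]))
        b["ttr"].append(_minutes(t["responded"], t["detected"]))
    return {sev: {"mttd": round(mean(b["ttd"]), 1),
                  "mttr": round(mean(b["ttr"]), 1), "n": len(b["ttd"])}
            for sev, b in buckets.items()}

def breaches(kpis, targets=TARGETS_MIN):
    """(severity, kpi, value, target) for every KPI above its target."""
    return [(sev, name, kpis[sev][name], limit)
            for sev, tgt in targets.items() if sev in kpis
            for name, limit in tgt.items() if kpis[sev][name] > limit]

if __name__ == "__main__":
    kpis = kpis_by_severity(TICKETS)
    for sev, k in kpis.items():
        print(f"{sev:9s} n={k['n']} MTTD={k['mttd']} min MTTR={k['mttr']} min")
    for sev, name, value, limit in breaches(kpis):
        print(f"TARGET MISSED: {sev} {name.upper()} {value} > {limit} min")
```

Schedule this against the case-management API instead of a hand-compiled spreadsheet; that is what keeps the KPI dashboard from going stale.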

Step 6: Threat intel ingestion

Subscribe to at least:

  • Saudi CERT advisories.
  • A commercial feed (Recorded Future, Mandiant, Group-IB) or community (MISP feeds, AlienVault OTX, abuse.ch).
  • Sector ISAC for your industry (Banking ISAC, ICS-CERT).

Pull IoCs into the SIEM nightly and into the SOAR for automatic enrichment.

Common gotchas

  • Logging volume but no detection content — the SIEM becomes an expensive disk.
  • 24/7 staffing on paper but only one analyst on night shift — fails CSCC.
  • Run-books in a shared drive nobody opens — keep them inside the case-management tool.
  • KPI dashboards manually compiled monthly — automate or they go stale.

Verification

  • Tool inventory and architecture diagram.
  • Shift roster for the last 12 months.
  • Run-book catalogue with last review date per run-book.
  • MITRE ATT&CK coverage heatmap.
  • Sample of 30 closed tickets with full timeline.
  • KPI dashboard with trend lines for MTTD / MTTR.

Conclusion

An NCA-compliant SOC is boring and consistent before it is clever. Get the log sources, write the run-books, staff the shifts, and the detections will follow. Then layer threat hunting and engineering on top.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.
