Case Study
24/7 SOC Operations Centre
Government Entity
Riyadh, Saudi Arabia
January 2025
Cybersecurity
The Challenge
A government entity responsible for critical national infrastructure needed to establish a Security Operations Centre (SOC) compliant with the NCA Essential Cybersecurity Controls (ECC). The organization had no centralized security monitoring: security events from 2,500+ endpoints, 150+ network devices, and 40+ servers were unmonitored. It faced increasing threat activity with no capability to detect, investigate, or respond to incidents. The SOC needed to be operational within 4 months to meet an NCA compliance deadline.
Our Solution
SKYLINE designed and built a 24/7 SOC with three tiers of analysts (L1 monitoring, L2 investigation, L3 threat hunting). The technology stack includes CrowdStrike Falcon for EDR across all 2,500+ endpoints, Fortinet FortiGate NGFW with IPS/IDS at all network perimeters, a SIEM platform aggregating logs from all sources with custom correlation rules tuned to the Saudi threat landscape, and Fortinet FortiAnalyzer for network forensics. We developed a complete incident response playbook library of 35 playbooks covering the most common attack scenarios relevant to government entities in the region.
Results & Impact
The SOC achieved NCA-ECC compliance certification within the 4-month deadline. Average response time for critical incidents is under 15 minutes, with a mean time to containment (MTTC) of under 2 hours. In the first quarter of operation, the SOC detected and contained 3 advanced persistent threat (APT) attempts that would have gone unnoticed under the previous setup. The false positive rate was reduced to under 5% through continuous tuning of SIEM correlation rules.
Key Metrics
2,500+ endpoints protected
<15 min response time
3 APTs detected in Q1
NCA-ECC certified
Project Details
Client: Government Entity
Location: Riyadh, Saudi Arabia
Completion Date: January 2025
Category: Cybersecurity
Technologies:
CrowdStrike Falcon EDR
Fortinet FortiGate NGFW
SIEM Platform
FortiAnalyzer
Threat Intelligence Feeds
SOAR Automation
"SKYLINE built our SOC from zero to NCA-ECC certified in under 4 months. The response time improvement has been dramatic — we went from having no visibility to detecting APT-level threats in real time."
Khalid Al-Otaibi
CISO, Government Entity