Building-Barrier SOC APG


BUILDING A BARRIER: REVAMPING SECURITY OPERATIONS CENTER (SOC) FRAMEWORK FOR CAMPUS AREA NETWORK

Anazel P. Gamilla
Department of Information Technology
Central Luzon State University
Science City of Munoz, Nueva Ecija
apgamilla@clsu.edu.ph

Thelma D. Palaoag, DIT
Department of Computer Science
University of the Cordilleras
Baguio City
tdpalaoag@gmail.com

Abstract—The constant implementation of online transaction processes, driven by the aspiration to improve services in higher education, particularly during the pandemic, and the continuous growth of technology to institute a SMART Campus, draw various attacks; the reputation of higher education as a target of mass exploitation attracts a variety of threats. The urge to protect their assets and support their processes provided an opportunity to construct the foundation of a resilient network security infrastructure. The study sought to develop an improved framework for the Campus Area Network that supports the primary functions of a Security Operations Center (SOC), to aid in establishing, mitigating and implementing best practices for potential difficulties and threats, and to provide layers of barrier for the protection of the potential users. A systematic analysis of the current SOC framework was examined to help in developing the revised framework for the campus network setup, and its acceptability was evaluated by security experts through a descriptive-method Likert scale. The acceptability from the security expert review is encouraging, and it provided valuable responses that the approach can improve security against anticipated security threats and reduce vulnerabilities. This suggests that future studies can use it to test its effectiveness in monitoring and analyzing network traffic for potential threats in order to improve security risk management.

Keywords— security operations center, framework, smart campus, network operations, threats

I. INTRODUCTION
When a pandemic strikes, institutions are pressed to make all of their core services available online, which pushes them to improve their infrastructure to support the resulting complex operations and the increased number of users. Promoting the pace of innovative smart campuses to improve educational experiences and outcomes for students, staff, and teachers also made them a target[1]. Despite opening many good opportunities, the current difficulties of being the subject of many cyberattacks and a perfect target for easy mass exploitation by bad actors are exacerbated. Despite laws, the report reveals that 80 percent of educational technology did not provide acceptable levels of protection[28]. The average number of cyberattacks per organization per week has been steadily rising, according to cyber security specialists at Check Point Research (CPR), with the education and research sectors showing a higher rate of attacks, an increase of more than 29% per year, than other sectors. Moreover, 36% of higher education institutions in other countries are hit by a cyberattack every hour, and they face effects such as loss of reputation and loss of their stakeholders' trust[3]. Attacks on the hardware, firmware, operating system and applications and their policies gave a big headache to all the administrators. This shows that keeping the modern information technology (IT) enterprise's confidentiality, integrity, and availability is a serious responsibility, and as the infrastructure grows, so do security concerns and risks[5]. This fills in a vital missing piece: someone must be responsible for maintaining and defending the system in the event of a threat. With this, a greater emphasis should be placed on continuous monitoring and enhancing the security posture of the institution while preventing, identifying, evaluating, and responding to cybersecurity incidents, which is the intention of having a Security Operations Center (SOC)[4]. Establishing a SOC gives an intensive focus on identifying and preventing assaults. To effectively determine, discover, and mitigate threats, ideally before any harm is done, SOCs combine a variety of people, procedures, technologies, governance, and compliance[29]. Additionally, while dealing with threats and attacks and understanding their patterns, it is important to check how they began. Reflecting on occurrences and making sure we are adhering to standards, policy and rules, particularly when working with huge numbers of users, can prevent repeat disasters.
The study aims to revamp the SOC framework design in preparation to mitigate the continuous growth of threats and security problems. It adds layers of barrier that emphasize the importance of user responsibility when accessing cyberspace. This gives the administrator guidance in implementing a SOC, integrating methodologies, tools and best practices towards the execution of a reliable and secured network infrastructure for higher education institutions.

II. MOTIVATION AND RELATED WORKS
The conventional approach to network security might result in a cyber event repeating itself and leave you unprepared to stop upcoming assaults, since you do not know what needs to be protected, nor when, where, and how the event originated. Security can be strengthened by a variety of external variables in addition to knowledge of cyber threats. According to the information recorded, most institutions have not placed a high priority on constructing SOCs and have instead focused on simply preserving network functionality, with a 360-degree perspective of security being a distant aim. In previous research, there were no specific international guidelines used in implementing a SOC, and there was no clear vision and scope of the SOC[6]. Current research only focuses on the core functions of the SOC, understanding and improving its processes to be more effective in their organization[6][11][30]. Some research highlights the importance and the deep impact of the individual components in establishing a SOC[4]. Other studies state that frameworks or guidelines for setting up a SOC should be created in the future[7].
This study demonstrates the multidisciplinary integration of features to reinforce the SOC's core. It demonstrates the comprehension of the elements required to construct the SOC goals, as well as offering strategies and best practices that will assist the administrator in establishing one in the campus network setup. Additionally, it adds a barrier that makes the obligations of the parties involved in institutional procedures understood.

XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE

III. DESIGN AND COMPREHENSION OF THE PROPOSED FRAMEWORK
The proposed framework in Figure 1 suggests three (3) layers, consisting of different components, to pursue, plan, implement, and execute the creation of a Smart Campus Security Operations Center (SOC) for a higher education institution, which holds an additional surety in processing any academic transactions.

Figure 1: Three Layered Barrier SCSOC Framework

A. Core Layer
The core layer components establish the SOC's primary objective, which focuses on techniques for fully visualizing and examining potential threats and how to handle them, in order to fully comprehend where, when, and how they begin; this can be used to improve an institution's defense against cyber threats.

1. Analyst
Building the right team is an essential factor in properly implementing the functionality of the security center that handles the overall operations and is responsible for checking the workflow of the SOC, which is divided into three tiers[25]:
1.1 Monitoring Team - handles the real-time monitoring, processing the increasing number of events and reducing the number of false positives.
1.2 Investigators - able to handle customer queries, construct blast-zone analyses and remediate.
1.3 Hunters - hunt for unknown threats with deep analytics and machine learning.

Figure 2. Tiers of SOC Analyst

Figure 2 shows that logs are collected from different kinds of objects (network logs, IoT, endpoint devices and logs coming from the servers) and are managed by the three tiers of analysts: from real-time monitoring by the tier 1 analyst, to investigation of suspicious logs by the tier 2 analyst. When deep analysis and threat hunting are needed, the tier 3 analyst takes over, but other tiers can also do it, depending on their assigned tasks.

2. Inventory
To understand what needs to be protected and the readiness of the institution to support technological evolution, an audit of the logical and physical access controls must take place. When evaluating your physical environment, it is critical to take a thorough inventory of not only electronic data, but also the physical devices that could potentially store or access that data via remote technology[15]. The inventory focuses on the following criteria based on the security plan.

a. Inventory of Authorized and Unauthorized Devices and Software - To reduce the ability of attackers to find and exploit unauthorized and unprotected systems, active monitoring and configuration management must maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, and remote devices, as well as the approved software in use; see Table 1. Since a campus contains different types of users, such as employees, students and guests, the inventory helps to properly check and plan the limitations on users' device connections, as well as how to design the network.

Table 1. Security Control Inventory List
Details | High | Med | Low
Inventory of Authorized and Unauthorized Devices
1. All systems connected to the network and the network devices themselves. | REQ | REQ | REQ
2. Portable devices | REQ | REQ | REQ
3. Information assets that identify their critical information and map critical information to the hardware assets | REQ | REQ | REQ
4. Network inventory monitoring tools | REC | OPT | OPT
5. Use Network Access Control technology to authenticate and authorize devices before allowing them on the network. | REC | OPT | OPT
Inventory of Authorized and Unauthorized Software
1. Deployed software such as operating systems (servers, computers etc.) | REQ | REQ | REQ
2. List of authorized software | REQ | REC | OPT
3. Security Tools
Defining the right technology to use must be integrated based on the identified maturity curve of learning. The team can start with basic security controls like antivirus, intrusion detection and firewalls for detection and protection, and can later enhance them with techniques such as honeypots and endpoint threat detection and response. In security analytics, make sure you are reviewing security event data first, then add forensic-level information later. You can start with a simple workflow for service management and then add response orchestration for automation, as shown in Table 2[19].

Table 2. Technologies for Protection[19]
Types | Technologies
Detection and Protection | Next-generation firewalls; Email security gateway; Web security gateway; Intrusion detection/prevention system; Antivirus (network and endpoint); Integrity monitoring and change detection; Advanced threat detection/prevention; Honeypots and decoys; Endpoint threat detection and incident response
Security analytics and incident response | Security information and event management; Data analytics; Malware analysis (static and dynamic); Host and network forensics; Visualization and analytics tools

4. Audit and Logging
Once the security tools are established in the network, one of the main sources of evidence when tracking a suspicious incident is the auditing of the logs produced by the tools used in the network. One of the simplest ways to ensure that access control systems are working properly is to review security audit logs within an IT system. Audit log reviews are largely a detective control[26].
Figure 3 defines a flow for monitoring the logs and keeping an eye out for additional abnormalities in the network. One good example: antivirus logs collected from different components can give a large visualization of the current state of malware. Antivirus alarms paired with a spike in failed authentication alerts from authentication servers, or a spike in outbound firewall rejections, could signal the spread of a password-guessing worm across the network or bots being active that attack the network.

Figure 3. Logging and Checking Intrusion

5. Threat Identification and Hunting
The intrusion detection from the security tools is only the first step to understanding what is circling in the network; knowing and understanding the encountered threat is one of the major roles of the SOC. Knowing how it impacts the entire network and being able to regulate it can help you propose the incident's priority, the best policy to follow, and the controls that should be put in place on the network.
Table 3 shows details of attacks and their causes that took place on the smart campus, which had multiple unprotected devices, systems, and apps that transmitted data across insecure media and used weak protocols like HTTP, FTP, and telnet[22].

Table 3. Smart Campus Susceptible Attacks[22]
Attacks | Cause
Software Attacks
Virus, Worms, Trojan Horse, Spyware and Adware | Email attachments, downloading files
Encryption Attacks
Cryptanalysis Attacks | Knowing the encryption key and gaining access to encrypted data.
Side-channel Attacks | Exfiltrate cryptographic keys by measuring coincidental hardware emissions.
Data Privacy Attacks
Data breaches | Unauthorized user accesses a data source
Data loss | Data deletion
Account or Service Hijacking | Stolen credentials
Network Attacks
Traffic Analysis Attacks | Intercepting and examining network traffic without authorization
Replay Attack | Participates in data exchange between two legal parties.
Eavesdropping | Attacker can monitor all data traffic on smart campus networks without the knowledge of authorized users
Denial of service | Service made unavailable to the users by sending limitless traffic to the servers and devices.
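Returning to the Audit and Logging section above: the correlation it describes (an antivirus alarm paired with a spike in failed authentications, or a spike in outbound firewall rejections, on the same host in a short window) is easy to state and easy to get wrong when each tool is read on its own. The script below is an added example, not the paper's or any product's code: it buckets three constructed log feeds per host and per time window and raises the two findings the section names. The line format, hostnames, addresses, window size and thresholds are all assumptions.

```python
"""Correlate antivirus, authentication and firewall logs per host and time window.

Added example (not from the paper). Three constructed log sources share one
simplified format: "<ISO time> <source> key=value ...". Events are bucketed
per (host, window) and two rules are applied:
  1. AV malware alert AND >= FAILED_AUTH_THRESHOLD failed logins from that host
     -> password-guessing worm suspected;
  2. >= FW_REJECT_THRESHOLD outbound firewall rejections from that host
     -> possible bot activity.
"""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 300          # correlation window (assumed: 5 minutes)
FAILED_AUTH_THRESHOLD = 10    # failed logins per host per window (assumed)
FW_REJECT_THRESHOLD = 20      # outbound rejections per host per window (assumed)

# Constructed sample lines (hosts and addresses are placeholders).
SAMPLE_LOGS = (
    ["2022-06-15T09:00:05 av host=lab-pc-07 event=malware_detected name=Worm.Generic"]
    + [f"2022-06-15T09:00:{10 + i:02d} auth src=lab-pc-07 user=u{i} result=FAIL"
       for i in range(12)]
    + [f"2022-06-15T09:01:{i:02d} fw src=lib-kiosk-02 dst=203.0.113.{i} dir=out action=REJECT"
       for i in range(25)]
    + ["2022-06-15T09:02:00 auth src=admin-ws-01 user=admin result=FAIL",
       "2022-06-15T09:02:30 auth src=admin-ws-01 user=admin result=OK"]
)


def parse(line):
    """Parse one line into (timestamp, source, fields dict); None on malformed input."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, parts[1], fields


def host_of(source, fields):
    """Antivirus lines name the host; auth and firewall lines name the source."""
    return fields.get("host") if source == "av" else fields.get("src")


def correlate(lines, window=WINDOW_SECONDS):
    """Bucket events per (host, window) and apply both correlation rules.

    Returns a list of dicts: {"host", "window_start", "finding", "evidence"}.
    """
    buckets = defaultdict(lambda: {"av": 0, "auth_fail": 0, "fw_reject": 0, "names": set()})
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                                  # unparseable line: skip, do not crash
        ts, source, f = parsed
        host = host_of(source, f)
        if host is None:
            continue
        bucket_start = int(ts.timestamp()) // window * window
        b = buckets[(host, bucket_start)]
        if source == "av" and f.get("event") == "malware_detected":
            b["av"] += 1
            b["names"].add(f.get("name", "?"))
        elif source == "auth" and f.get("result") == "FAIL":
            b["auth_fail"] += 1
        elif source == "fw" and f.get("dir") == "out" and f.get("action") == "REJECT":
            b["fw_reject"] += 1

    findings = []
    for (host, start), b in sorted(buckets.items()):
        if b["av"] and b["auth_fail"] >= FAILED_AUTH_THRESHOLD:
            findings.append({"host": host, "window_start": start,
                             "finding": "password-guessing worm suspected",
                             "evidence": f"{b['av']} AV alert(s) {sorted(b['names'])}, "
                                         f"{b['auth_fail']} failed logins"})
        if b["fw_reject"] >= FW_REJECT_THRESHOLD:
            findings.append({"host": host, "window_start": start,
                             "finding": "possible bot activity (outbound rejection spike)",
                             "evidence": f"{b['fw_reject']} outbound rejections"})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOGS):
        print(f"{finding['host']}: {finding['finding']} [{finding['evidence']}]")
```

The single failed login from admin-ws-01 produces nothing, which is the point of correlating: each feed is noisy alone, and the combination within one window is what turns three logs into one alert for the tier 1 monitoring team.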
When the team evaluates and identifies the threats, we can move forward to a deep evaluation using threat hunting, the active information security practice that searches iteratively through networks to detect factors that are evading your security system. It assumes that the bad guys are already in and need to be found. It also validates security controls and identifies misconfigurations in the environment.

Figure 4. Proposed threat hunting process

Figure 4 describes the process when the Analyst performs this phase. To avoid being overwhelmed by the large amount of gathered logs, it must start with listing your hypotheses based on the suspicious movement on the network. A hypothesis must be specific, to avoid confusion on what you are looking for. Then, investigation can take place using the MITRE ATT&CK framework[24]. It contains a set of techniques used by adversaries to accomplish a specific objective, presented linearly from the point of reconnaissance to the final goal of exfiltration or "impact". It is used to understand the tactical phase of an attack based on your hypothesis. But since it has a lot of permutations, add a behavioral threat approach by looking in your tools, checking for unusual or anomalous behavior, and starting with those. The analyst can also retrace old use cases that might occur again. Moving towards the analysis, the team can check whether the abnormalities can cause harm in the network by weighing the metrics, and then properly take an action such as checking the patch management and adjusting rules in the network tools and applications, as well as refining the best practice of the institution.

B. Policy Layer
While emphasizing the importance of knowing what we are encountering in cyberspace, adding a layer of preparation would lessen the problem. This layer stresses the need for the institution's internal preparation for any network-related cyber incidents. Its two (2) parts are designed to be used for the mitigation plan's correct execution and for the effective communication required to carry it out as soon as possible.

1. Communications
Since the SOC team is intensively monitoring the traffic flows and the possible incidents that may occur, a formal communication plan for reaching the stakeholders involved must be created. This includes identifying who owns and operates the assets involved. One strategy to deploy and communicate with stakeholders about computer security events and incidents is to create a formal communication plan using designated security points of contact[31]. This also helps to properly disseminate the needed alerts to avoid further disruption of the assets involved. Easy understanding of whom to contact and how to properly provide the report is made possible by the organization's structure being clearly identified[32]. Table 4 discusses the additional members of the team that cater to the communication process in the institution.

Table 4. Position and Roles for internal communication
Position | Roles
SOC manager | Handles the operation of the SOC team and directly executes the creation of the cybersecurity strategy.
Chief information security officer (CISO) | Responsible for establishing security strategies and working closely with the head of the agency for reporting issues and concerns.
Focal Person | The person who is the direct contact for each unit when an incident occurs.

2. Incident Response Procedure
The institution must develop its incident response model based on the procedures and policies implemented in the institution for when an incident happens. Private and professional data are regularly compromised by attacks, thus it is crucial to act promptly when security breaches take place. The handling guide provided by the National Institute of Standards and Technology (NIST) offers principles for addressing incidents, especially for analyzing incident-related data and choosing the best course of action for every occurrence[33]. The process must determine whether an occurrence qualifies as an incident or an event, and must also include the steps, people, and resources required for locating those responsible for unfavorable events or incidents[17]. The capacity to better prepare for handling incidents by using the knowledge gathered during issue handling will be an advantage for future problems.

C. Standard Layer
Building 360 degrees of security requires the delicate participation of the users, who actively take part in accessing different sites and collecting data, and who cause the occasional cybersecurity incident through bad practice. In addition to building security, this layer adds a wall of standards so that users understand and are guided on the weight of their actions, to fully prioritize the needed security.

1. Data Privacy Standards
The data privacy standards seek to protect all information, be it private, personal or sensitive, while ensuring the free flow of information to promote innovation and growth[23]. When most of our transactions moved online, data privacy became a trend. The worry about disclosing our personal information has grown lately. This creates the importance of being accountable for what data is shared and accessed in organizations, being compliant with the regulations that were enacted, and being aware of our digital behavior. In addition, knowing this helps the user become at ease with sharing their information.

Figure 5. Data Privacy Standards

Understanding the importance and content of the data privacy standard helps the SOC manager to craft their own procedures and communication when dealing with an incident, without compromising the privacy of the involved stakeholder.

2. Cybersecurity Standards
Cybersecurity standards are critical in ensuring that an organization guarantees that its security strategy and policies are consistent and quantified. They represent a key step in the governance of IT processes such as managing and containing risk to acceptable levels[27].

Figure 6. Cyber Security Standards List

In Figure 6 above, the institution can implement different types of compliance based on the transactions catered to by the institution. Externally compliant users can use the NIST risk management framework to control enhancement of the security. The generic standards help to identify the essential criteria for implementing quality management. The internal standards are composed of the specific-requirements approach to control the risk and guard against the liabilities of the institution.
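The hunting loop under the Core Layer (5. Threat Identification and Hunting, Figure 4) is: state a specific hypothesis, tie it to an ATT&CK tactic, look in the tools for behavior that supports it, weigh the metrics, and decide an action. The Python below is an added example of that loop, not code from the paper: it compares each host's current measurements with its own recent baseline and ranks the leads for the tier 3 analyst. The hypotheses, the "Exfiltration" tactic label (taken from the section's own wording), the hosts, the seven-day histories and the action mapping are all constructed assumptions; no ATT&CK technique identifiers are asserted.

```python
"""Hypothesis-driven hunt: baseline per-host behaviour and surface deviations.

Added example (not from the paper). A Hypothesis names the ATT&CK tactic it
belongs to and the per-host metric that would support it; hunt() scores every
host against its own history and returns leads ordered by strength. Hosts,
histories, thresholds and the follow-up mapping are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Hypothesis:
    name: str
    tactic: str            # ATT&CK tactic the hypothesis belongs to (label only)
    metric: str            # per-host measurement that supports or refutes it
    min_zscore: float      # distance from the host's own baseline that counts as anomalous


# Constructed hypotheses: both concern data leaving the campus.
HYPOTHESES = [
    Hypothesis("unusual outbound volume from a host", "Exfiltration", "outbound_mb", 3.0),
    Hypothesis("unusual number of distinct external destinations", "Exfiltration", "dst_count", 3.0),
]

# Constructed 7-day baseline per host: daily outbound MB and distinct external destinations.
BASELINE = {
    "reg-db-01": {"outbound_mb": [120, 118, 125, 122, 119, 121, 124], "dst_count": [4, 4, 5, 4, 4, 5, 4]},
    "lab-pc-07": {"outbound_mb": [40, 55, 38, 60, 45, 52, 47], "dst_count": [30, 42, 35, 51, 28, 40, 38]},
    "kiosk-02":  {"outbound_mb": [10, 10, 10, 10, 10, 10, 10], "dst_count": [2, 2, 2, 2, 2, 2, 2]},
}
# Constructed measurements for the day being hunted.
TODAY = {
    "reg-db-01": {"outbound_mb": 2600, "dst_count": 5},
    "lab-pc-07": {"outbound_mb": 58, "dst_count": 44},
    "kiosk-02":  {"outbound_mb": 10, "dst_count": 9},
}


def zscore(value, history):
    """Standard score of value against the host's own history.

    A flat history (zero spread) cannot scale a deviation, so any change is
    reported as infinite and handled separately by next_action().
    """
    mu = mean(history)
    sd = pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def hunt(hypotheses, baseline, today):
    """Evaluate every hypothesis against every host; return leads, strongest first.

    Hosts without a baseline for a metric are skipped: with nothing to compare
    against, the analyst cannot judge them and should collect a baseline first.
    """
    leads = []
    for h in hypotheses:
        for host, metrics in today.items():
            history = baseline.get(host, {}).get(h.metric)
            if not history or h.metric not in metrics:
                continue
            z = zscore(metrics[h.metric], history)
            if z >= h.min_zscore:
                leads.append({"host": host, "hypothesis": h.name, "tactic": h.tactic,
                              "metric": h.metric, "value": metrics[h.metric], "zscore": z})
    # Finite scores first (largest on top); flat-baseline leads last, as sensor questions.
    return sorted(leads, key=lambda l: (l["zscore"] == float("inf"), -l["zscore"]))


def next_action(lead):
    """Map a lead to the follow-up step of the hunting process (assumed mapping)."""
    if lead["zscore"] == float("inf"):
        return "confirm-baseline"             # flat history: verify the sensor before acting
    if lead["zscore"] >= 10:
        return "isolate-and-investigate"
    return "review-rules-and-patches"


if __name__ == "__main__":
    for lead in hunt(HYPOTHESES, BASELINE, TODAY):
        print(f"{lead['host']:10} {lead['metric']:12} value={lead['value']:<6} "
              f"z={lead['zscore']:.1f} tactic={lead['tactic']} -> {next_action(lead)}")
```

With the constructed data, reg-db-01's outbound volume is hundreds of standard deviations above its history and is ranked first; kiosk-02 trips the destination-count hypothesis only because its baseline never varied, so it is surfaced but routed to a baseline check rather than an isolation, which is the "weigh the metrics before acting" step of Figure 4.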
REFERENCES
organizations and being compliant to the regulations that
[1] Mbombo, A. B., & Cavus, N. (2021). Smart University: A University in the Technological Age. TEM Journal, 10(1), 13-17.
[2] "2021 Cyber Security Statistics Trends & Data". (2020). Purplesec. https://purplesec.us/resources/cyber-security-statistics/
[3] (2022). Nextgensecurityforeducation.com. https://www.nextgensecurityforeducation.com/wp-content/uploads/VMWare-UK-University-Challenge-Cyber-Security.pdf
[4] Agyepong, E., Cherdantseva, Y., Reinecke, P., & Burnap, P. (2020). "Towards a Framework for Measuring the Performance of a Security Operations Center Analyst," 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pp. 1-8. doi: 10.1109/CyberSecurity49315.2020.9138872
[5] Eleventh Hour CISSP® | ScienceDirect. (2022). Retrieved 15 June 2022, from https://www.sciencedirect.com/book/97
[6] Abd Majid, M., & Zainol Ariffin, K. A. (2021). Model for successful development and implementation of Cyber Security Operations Centre (SOC). PLoS ONE, 16(11), e0260157. https://doi.org/10.1371/journal.pone.0260157
[7] Dun, Yau & Faizal, Mohd & Zolkipli, Mohamad & Bee, Tan & Firdaus, Ahmad & No. (2021). Grasp on Next Generation Security Operation Centre (NGSOC): Comparative Study. doi: 10.22075/IJNAA.2021.5145
[8] (2022). Retrieved 13 May 2022, from https://www.ibm.com/downloads/cas/1ZO3JEBZ
[9] Vielberth, M. (2021). Security Operations Center (SOC). doi: 10.1007/978-3-642-27739-9_1680-1
[10] Schlette, D., Vielberth, M., & Pernul, G. (2021). CTI-SOC2M2 – The quest for mature, intelligence-driven security operations and incident response capabilities. Computers & Security, 111, 102482. doi: 10.1016/j.cose.2021.102482
[11] Schinagl, S., Schoon, K., & Paans, R. (2015). A Framework for Designing a Security Operations Centre (SOC). pp. 2253-2262. doi: 10.1109/HICSS.2015.270
[12] (2022). Retrieved 21 May 2022, from https://www.nist.gov/system/files/documents/2018/05/14/framework_v1.1_with_markup.pdf
[13] (2022). Retrieved 24 May 2022, from https://ched.gov.ph/wp-content/uploads/CMO-No.-9-s.-2020-Guidelines-on-the-Allocation-of-Financial-assistance-for-State-Universities-and-Colleges-for-the-Development-of-Smart-Campuses-provided-in-Section-10-i-of-RA-11494.pdf
[14] Sun, G., & Shen, J. (2016). Towards organizing smart collaboration and enhancing teamwork performance: a GA-supported system oriented to mobile learning through cloud-based online course. International Journal of Machine Learning and Cybernetics, 7(3), 391-409.
[15] SOC 2 Compliance Handbook: The 5 Trust Services Criteria.
[16] (2022). Retrieved 8 June 2022, from http://zenhadi.lecturer.pens.ac.id/kuliah/Jarkom2/Modul%205%20Access%20Control%20List.pdf
[17] Create a Security Operations Center on Your Campus. (2022). Retrieved 8 June 2022, from https://er.educause.edu/articles/2017/1/create-a-security-operations-center-on-your-campus
[18] National Institute of Standards and Technology. Special Publication 800-61 Revision 2, 79 pages (Aug. 2012).
[19] https://www.tcs.com/content/dam/tcs/pdf/technologies/Cyber-Security/Abstract/Building-Your-Own-Security-Operations-Center.pdf
[20] A Threat-Driven Approach to Modeling a Campus Network Security.
[21] Muckin, M., & Fitch, S. C. "A Threat-Driven Approach to Cyber Security." Retrieved from: https://lockheedmartin.com/content/dam/lockheed/data/isgs/documents/Threat-Driven%20Approach%20whitepaper.pdf
[22] Ikrissi, G., & Mazri, T. (2020). A Study of Smart Campus Environment and Its Security Attacks. ISPRS - International Archives of the Photogrammetry, Remote Sensing and Spatial Information Sciences, XLIV-4/W3-2020, 255-261. doi: 10.5194/isprs-archives-XLIV-4-W3-2020-255-2020
[23] (2022). Retrieved 13 June 2022, from https://www.privacy.gov.ph/wp-content/files/quickguide/DPA_QuickGuidefolder_insideonly.pdf
[24] (2022). Retrieved 14 June 2022, from https://www.mitre.org/sites/default/files/publications/mitre-getting-started-with-attack-october-2019.pdf
[25] Agyepong, E., Cherdantseva, Y., Reinecke, P., & Burnap, P. (2020). "Towards a Framework for Measuring the Performance of a Security Operations Center Analyst," 2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pp. 1-8. doi: 10.1109/CyberSecurity49315.2020.9138872
[26] Eleventh Hour CISSP® | ScienceDirect. (2022). Retrieved 15 June 2022, from https://www.sciencedirect.com/book/9780128112489/eleventh-hour-cissp?via=ihub=#book-description
[27] Understanding Cybersecurity Standards.
[28] Cybersecurity in the Philippines: Global Context and Local Challenges. A report by Secure Connections, an initiative of The Asia Foundation.
[29] Vielberth, M., Böhm, F., Fichtinger, I., & Pernul, G. (2020). Security Operations Center: A Systematic Study and Open Challenges. IEEE Access. doi: 10.1109/ACCESS.2020.3045514
[30] Danquah, P. (2020). Security Operations Center: A Framework for Automated Triage, Containment and Escalation. Journal of Information Security, 11, 225-240. doi: 10.4236/jis.2020.114015
[31] Create a Security Operations Center on Your Campus. (2022). Retrieved 13 July 2022, from https://er.educause.edu/articles/2017/1/create-a-security-operations-center-on-your-campus
[32] Cassetto, O. (2022). What is Security Operations Center - SOC: Roles & Responsibilities - Exabeam. Retrieved 16 July 2022, from https://www.exabeam.com/security-operations-center/security-operations-center-roles-and-responsibilities/
[33] NIST Guide for Conducting Risk Assessment (2012). Computer Security Division, Information Technology Laboratory.
