SOC-as-a-Service
Managed SOC for Indonesian telecommunications operators
In short
How Indonesian telecom operators run a 24/7 SOC that watches signalling and subscriber databases and meets Kominfo and UU PDP incident-reporting rules.
A telecom operator does not choose when it gets attacked. The core network carries calls and data overnight, subscriber databases never close, and Kominfo expects the operator to notice a security incident and start reporting it. A security operations centre is the function that watches for those incidents around the clock. Most operators cannot staff one to cover every layer on their own, and that is where a managed SOC fits.
This page is about running that SOC for an Indonesian telecom operator specifically: the threats that reach signalling and subscriber systems, the Kominfo and UU PDP rules that set the pace, and what we actually monitor. For how a SOC works in general terms, see our SOC-as-a-Service service page.
Why telecom operators need a managed SOC
A telecom network is attacked because it sits at the centre of everyone else's authentication. The threat profile that reaches an operator is more specific than the generic list, and it shapes what the SOC has to watch for.
SS7 and Diameter signalling abuse
The signalling layer that connects networks can be abused to track a subscriber's location, redirect SMS, or intercept calls. SS7 attacks against SMS-delivered OTPs appear in documented financial fraud cases against Indonesian banking customers, so a signalling anomaly is not just a network problem.
SIM-swap fraud
Attackers use fake IDs at operator stores to replace a victim's SIM, then receive the OTPs that unlock linked bank accounts. The pattern lives in the provisioning and subscriber systems, which is why the SOC has to watch SIM changes, not just network traffic.
Subscriber-database breaches
Customer databases are exposed through unpatched internet-facing systems, excess data retention, and weak access controls. HLR, HSS, and BSS records hold identity and location data at scale, and a breach of them is a breach of specific personal data under UU PDP.
DDoS on network availability
Distributed denial-of-service attacks target the availability that a telecom licence is built on. A large enough attack degrades service for entire regions, and detecting and mitigating it early is a standing SOC use case rather than a one-off.
There is a wider reason this matters. Banks, e-commerce, and government services in Indonesia lean on SMS one-time passwords to authenticate users, which puts the telecom network at the base of the national authentication chain. When signalling or a subscriber SIM is abused, the damage lands in someone else's account, so the operator's monitoring is doing work for the whole ecosystem, not only its own systems.
On top of the threats, the regulator sets the pace. PP 71/2019 and Perpres 82/2022 govern electronic system operation, Kominfo PSE registration, information security management, and incident reporting, with data localisation for strategic systems. Kominfo now requires telcos to run annual security assessments and keep an incident response plan, alongside its telecom-specific rules on lawful interception, subscriber data protection, and network resilience for critical infrastructure. UU PDP adds a 72-hour breach-notification duty when subscriber personal data is involved. A managed SOC is the operational layer that makes the monitoring, detection, and reporting parts of those rules real rather than written policy.
The table below maps the monitoring-related obligations to what the SOC actually does. Governance, the asset register, and data mapping are separate control domains, not the SOC.
| Regulatory obligation | Where it comes from | How the managed SOC meets it |
|---|---|---|
| Annual security assessment and a tested incident response plan | Kominfo telecom security rules | Continuous monitoring, documented playbooks, and detection testing that feed the assessment |
| Electronic-system incident reporting | PP 71/2019 and Perpres 82/2022 | Detection and triage produce the incident record the report is built from |
| Subscriber data protection and network resilience | Kominfo telecom security rules | Monitoring of subscriber databases and signalling, plus DDoS detection on availability |
| Breach notification within 72 hours | UU PDP | Incident record supports the personal-data breach notification |
How we deliver it for telecom operators
A telecom SOC is defined by what it can see. Endpoint telemetry alone is not enough when the value sits in the signalling and subscriber layers, so we collect and correlate logs from across the network estate rather than a single layer.
The point of pulling these together is correlation. A single signalling query may look routine on its own, but read alongside an unusual SIM change and outbound traffic to an unfamiliar destination, it becomes an incident worth escalating. Our analysts are based in Indonesia and work telecom use cases, so triage is tuned to signalling and subscriber-fraud patterns rather than a generic ruleset. The service runs in four continuous phases.
The reason we correlate signalling and subscriber logs rather than watching endpoints alone is that telecom fraud rarely touches an endpoint at all. If you are weighing this against a broader detection-and-response product, our page on managed XDR sets out where that fits, and our comparison of SOC-as-a-Service versus an MSSP explains the difference between an outsourced SOC and a general managed-security contract.
What the numbers say about the sector
350M+
Mobile connections in Indonesia, more than the population (GSMA via DataReportal, 2024)
26.7M
Subscribers in the alleged 2022 IndiHome data leak, which Telkom denied (ANTARA News)
72 hours
UU PDP deadline to notify after a breach of subscriber personal data (UU 27/2022)
More than 350 million mobile connections means a subscriber database is one of the largest concentrations of personal data in the country, and any weakness in it is a weakness at national scale. The alleged 2022 IndiHome leak, reported to involve 26.7 million subscribers and denied by Telkom, is the case most operators point to internally when subscriber-data security comes up, whatever the eventual finding on the specific incident. The short UU PDP notification clock is why continuous monitoring is treated as a baseline control rather than an upgrade. A breach involving subscriber personal data also carries UU PDP penalties, covered in full on our page about the cost of UU PDP non-compliance.
If you want to understand what a managed SOC would cover for your network and how it maps to your Kominfo and UU PDP obligations, our team can set out a concrete first step.
References
- 1.Republic of Indonesia, Perpres No. 82 Tahun 2022 on Electronic System Operation
- 2.Republic of Indonesia, PP No. 71 Tahun 2019 on Electronic System and Transaction Operation
- 3.Republic of Indonesia, UU No. 27 Tahun 2022 (UU PDP)
- 4.DataReportal, Digital 2026 Indonesia (mobile connections, GSMA data)
- 5.ANTARA News, on the alleged IndiHome data leak report
Reviewed by Naren Krishnan, Cybersecurity Manager
Frequently asked questions
Yes, on the monitoring, detection, and reporting side. Kominfo now expects telcos to run annual security assessments and keep a tested incident response plan, and PP 71/2019 with Perpres 82/2022 sets electronic-system incident-reporting duties. A managed SOC provides the round-the-clock monitoring and the investigation record those rules assume. UU PDP adds a 72-hour breach notification when subscriber personal data is involved, and the SOC supplies the detection and timeline that notification has to describe. It does not replace the operator's own governance, data mapping, or the DPO who owns the regulatory relationship.
Related
Related
Solutions
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.