SOCs: Security Operation Centers Explained

When it comes to your cybersecurity and daily security operations, a security operations center (SOC) acts as the hub, the central place for all these activities. In this in-depth SOC explainer, we’ll look at:

• What a SOC does and why
• Types of SOCs
• The security pros who support SOCs
• Tools & technologies
• Best practices

And if you’re wondering whether you really need an SOC for your organization, the answer is probably yes. Read on and you’ll see why — and how.

What is a SOC?

Also called an information security operations center (ISOC), a SOC is a centralized location where security professionals build and maintain the security architecture that monitors, detects, analyzes and responds to cybersecurity incidents and threats, typically around the clock — 24/7/365 or as needed for your organization).

SOCs do not merely identify threats. Personnel in the SOC are responsible for finding weaknesses — both outside and within your organization.

The security team, which consists of both security analysts and engineers, oversees all activity on servers, databases, networks, applications, endpoint devices, websites and other systems in order to:

• Pinpoint security threats and thwart them as quickly as possible.
• Assess vulnerabilities and penetrations.
• Monitor and gather threat intelligence on known risks.
• Analyze the organization’s security posture, ensuring that you’re using security tools and other technologies optimally and assessing what is and isn’t working.

We can say a SOC’s purpose is twofold: dealing with security problems in real time, and continually seeking ways to improve your organization’s security posture.

Benefits of a SOC

Today, security must be a part of everything your organization considers. So, there’s countless benefits to a centralized SOC. Let’s sum up the biggest SOC benefits. SOCs enable your organization to:

• Respond faster: The SOC provides a centralized, complete, real-time view of how the entire infrastructure is performing from a security standpoint, across all locations and thousands of endpoints. You can detect, identify, prevent and resolve issues before they cause much trouble.
• Protect consumer and customer trust: Your customers are increasingly worried about privacy. Creating a SOC to protect consumer and customer data can help build trust in your organization.
• Minimize costs: Having a SOC is not cost prohibitive — the cost associated with a breach or loss of data sure is. Even better? SOC personnel will ensure that you’re using the right tools to full potential.

These benefits are hard to put a price on because they quite literally keep your business running.

Security vs. network operations centers (NOCs)

Yes, SOCs and NOCs might have some overlap. According to IT expert Joe Hertvik, network operations centers and SOCs share two common goals:

• To minimize downtime and ensure the continuous availability of services, applications and data over your networks.
• To prevent, detect and recover from service, application, and data failures caused by network problems, performance issues and cyberattacks.

Although they have similar objectives, NOCs and SOCs achieve these goals by monitoring different IT operational areas</a>, with some overlap. The simple distinction is that NOCs are really concerned with the performance of the entire network, while SOCs are hyper-focused on security operations (SecOps) and your overall security posture.

(Read Joe’s full explainer on NOCs vs. SOCs.)

Types of SOCs

In this article, we’re mostly talking about a SOC in the context of a large business or organization that has at least one physical SOC that you manage internally. But, let’s be clear — there are many ways of running a SOC. Here’s an overview:

• Internal SOCs. The internal SOC comprises a physical room where all the action takes place, usually with a full-time staff based on-premises.
• Virtual SOCs. Virtual SOCs are not on-premises and are made up of part-time or contracted workers who work together in a coordinated manner to resolve issues as needed. The SOC and the organization set parameters and guidelines for how the relationship will work, and how much support the SOC offers can vary depending on the needs of the organization.
• Global SOCs. Global Security Operations Centers (GSOCs) coordinate all your security offices. If you have offices around the world, rather than establishing a SOC for each international location, a GSOC can: prevent each location from repeating tasks and functions, reduce overhead, enable a macro-view of what’s happening across the entire organization.
• Outsourced SOCs. Here, you outsource some or all functions to an external managed security service provider (MSSP) that specializes in security analysis and response. Sometimes these MSSPs provide specific functions to support an internal SOC, and sometimes they handle everything.

SOC tasks, activities & operations

The SOC leads real-time incident response and drives ongoing security improvements to protect your enterprise. A combination of the right tools and the right people enables you to monitor and manage the entire network as effectively and efficiently as possible.

Essential tasks of any SOC include security monitoring, incident response, log management, compliance reporting and policy enforcement. We can break all that down and say that a high-functioning SOC will be able to:

• Provide proactive, around-the-clock surveillance of networks, hardware and software for incidents, threats, and breaches.
• Analyze, investigate and document security trends to understand the root cause of issues and prevent future breaches.
• Analyze security log data from various sources.
• Monitor and manage firewall and intrusion prevention systems.
• Scan and remediate antivirus, malware and ransomware.
• Offer expert advice and suggestions on every tool your organization uses.
• Help with patch management and allowlisting.
• Enforce security policies and procedures.

In short, even when there seems to be no active threats, SOC staff are proactively looking at ways to improve security.

With a complex combination of the right tools and the right people to monitor and manage the entire network, a high-functioning SOC will detect and thwart threats and proactively improve security.

(Power your SOC with full visibility and security monitoring from Splunk.)

Who works in a SOC?

The SOC is made up of highly skilled security analysts and security engineers, along with supervisors who ensure everything is running smoothly. These are professionals trained specifically to:

• Monitor and manage security threats.
• Help create and maintain a secure architecture for their organization.

These professionals are not simply using tools: they understand networks and typical remediation processes to get at the heart of a given issue.

In general, a security engineer is responsible for designing and implementing an enterprise’s security architecture, comprising (but not limited to) telecommunication networks, security infrastructure, cloud services, disaster recovery and virtual infrastructure.

A security analyst then supports the maintenance of this architecture by monitoring the network to detect, mitigate and contain threats and breaches. Experienced security analysts likely possess some of all of these skills:

• Ethical hacking: SOC personnel who actively try to hack your system to find unknown vulnerabilities.
• Cyber forensics: Analysts must investigate issues and apply analysis techniques to both understand and preserve evidence from the investigations. If a case were to go to court, the security analyst must be able to provide a documented chain of evidence to show what occurred and why.
• Reverse engineering: This is the process of deconstructing software or rebuilding it to understand how it works and, more importantly, where it’s vulnerable to attacks so that the team can take preventive measures.

Structure of a SOC

Similar to incident review levels, most SOCs adopt a hierarchical approach. In this hierarchy, analysts and engineers are categorized based on their skill set and experience. A typical team might be structured into four levels, for example.

Level 1: First response

The first line of incident responders. These security professionals watch for alerts and determine two things:

• The urgency of each alert
• When to escalate an alert up to Level 2

Level 1 personnel may also manage security tools and run regular reports.

Level 2: Incident resolution

These personnel can quickly get to the root of the problem and assess which part of your infrastructure is an issue or at risk. These SOC pros will follow procedures to remediate the problem and repair any fallout, and they’ll flag certain issues for additional investigation outside of the incident response protocol.

Level 3: Proactive security operations

Here, we begin moving from reactive to proactive security actions. Personnel are likely expert security analysts who are actively searching for vulnerabilities within the network and hunting for threats. They will use advanced threat detection tools to diagnose weaknesses and make recommendations for overall security improvement.

Within this group, you might also find specialists, such as forensic investigators, compliance auditors or cybersecurity analysts.

Level 4: SOC performance & integration with business

At the SOC’s most advanced level are managers and chief officers. This group oversees all SOC team activities and is responsible for hiring and training, plus evaluating individual and overall performance.

Level 4s step in during crises, and, specifically, serve as the liaison between the SOC team and the rest of the organization. They are also responsible for ensuring compliance with organization, industry and government regulations.

Tools & technologies a top-performing SOC needs

Use this as a checklist when establishing or optimizing your SOC.

• Security information and event management (SIEM) is a single system that offers full visibility into activity within your network, collecting, parsing and categorizing machine data from a wide range of sources on the network and analyzing that data so you can act on it in real time. (More on SIEMs in the next section.)
• Endpoint protection systems protects your network particularly around devices—endpoints—that access it.
• Firewalls monitor incoming and outgoing network traffic and automatically block traffic based on security rules you establish.
• Automated application security automates the testing process across all software and provides the security team with real-time feedback about vulnerabilities.
• Asset discovery systems track active and inactive tools, devices and software being used on your network so you can evaluate risk and address weaknesses.
• Data monitoring tools track and evaluate data security and integrity.
• Governance, risk and compliance (GRC) systems ensure you’re compliant with various rules and regulations where and when you need to be.
• Vulnerability scanners and penetration testing tools are used by security analysts to search for vulnerabilities and find undiscovered weaknesses within your network.
• Log management systems enable you to log all messages that come from every piece of software, hardware and endpoint device running on your network.

(Splunk supports all the operations inside a SOC, for centralized and streamlined security operations.)

A SIEM solution brings together data across disparate sources within your network infrastructure

The role of SIEM inside your SOC

Put simply: A SIEM makes your SOC more effective.

Top security analysts, no matter their technologies and skills, simply cannot review the endless stream of data line by line to discover malicious activities. This is where SIEMs change the game, upleveling you to a whole new way of working.

A SIEM collects and organizes all the data coming from various sources within your network and offers your SOC team insights so that they can do important things quickly, like:

• Detect and respond to internal and external attacks.
• Simplify threat management.
• Gain organization-wide visibility and security intelligence.

SIEM centralizes SOC tasks of monitoring, incident response, log management, compliance reporting and policy enforcement. In fact, a good SIEM’s log management capabilities alone make it a necessary tool for any SOC.

SIEMs can parse through huge batches of security data coming from thousands of sources — in mere seconds — to find unusual behavior and malicious activity and stop it automatically. Much of that activity goes undetected without the SIEM.

The SIEM helps the SOC pull the logs together and make rules that enable automation and can drastically reduce false alerts. Security analysts are freed up to focus their attention on the real threats. Additionally, the SIEM can offer robust reporting that helps with both forensic investigations and compliance requirements.

(Read our full SIEM guide & check out the must-have SIEM features.)

Best practices for building a SOC

Getting started with a SOC does not have to be overwhelming. Know your business and follow existing guidelines, such as those from a cybersecurity organization like Splunk or government best practices as laid out in the U.S. government’s Executive Order for Cybersecurity or ISO/IEC 27001.

Here’s a brief look at best practices.

Develop the right strategy

A SOC is an important investment, so there’s a lot riding on your security planning. To create a strategy that covers your security needs, consider the following:

• What do you need to secure? A single on-premises network, or global? Cloud or hybrid? How many endpoints? Are you protecting highly confidential data or consumer information? What data is most valuable, and most likely to be targeted?
• Will you merge your SOC with your NOC or create two separate departments? Again, the capabilities are very different, and merging them requires different tools and personnel skills.
• Do you need 24/7/365 availability from your SOC staff? This affects staffing, cost and logistics.
• Will you build the SOC entirely in-house, or outsource some or all functions to a third-party vendor? A careful cost-benefit analysis will help define the trade-offs.

Make sure you have visibility across your entire organization

It’s imperative that your SOC can see into and have access to everything, no matter how small or seemingly insignificant. In addition to the larger infrastructure, that includes device endpoints, systems controlled by third parties and encrypted data.

Invest in the right tools & services

As you think about building your SOC, focus first on the tools. The sheer number of security events will be overwhelming without the right automated tools to deal with the “noise” and subsequently elevate significant threats. From the tools, you can also understand what skillsets your staff have or need to upskill.

Hire the best & continue training

Hiring talented staff and continually improving their skills is central to success. The market for security talent is competitive. Once you get people hired, continually invest in training to improve their skills — this enhances security, and it also improves employee engagement and retention.

SOC trends: Invest in a team of security professionals

Every organization needs tight security. Whether you incorporate SIEM and security functionality into your NOC, outsource most or all SOC functionality to third-party service providers or staff up an in-house team, it’s important to address the security questions a SOC is meant to answer.

Start with “What are our security needs?” and progress to “How can we most effectively and efficiently meet them?”