What is a security operations center (SOC)?

Whether the modern-day security operations center (SOC, pronounced “sock”) is a physical or virtual space, the purpose is always the same: It’s where security teams manage monitoring tools, analyze activity, conduct triage on alerts, collaborate on incident response, and mitigate and remediate threats.

Organizations charge SOC teams with monitoring and protecting assets such as intellectual property, personnel data, business systems, and brand integrity. There is an expectation that SOCs are staffed 24×7. A SOC can be established in-house, outsourced to a managed security services provider (MSSP), or as a hybrid model, which involves managed security services and outsourced SOC operations in addition to some internal detection and response capabilities.

What’s the value of a SOC?

Maintaining security against attacks isn’t a 9-to-5 gig—it’s a complex task that demands round-the-clock attention. Large organizations must be vigilant to defend themselves against today’s always-evolving threats. Staying secure also requires integrated and complementary technological solutions, and experts with the knowledge to interpret what they see. Enter the SOC, where these elements—people, tech, and processes—are synchronized and orchestrated.

A SOC combines the right security personnel with the right security tools, eliminating security silos and increasing efficiencies—as well as reducing stress on security teams. The SOC team can determine which alerts matter the most by correlating network, endpoint, security information and event management (SIEM), and extended detection and response (XDR) events, including events in the cloud.

What are the capabilities a SOC needs?

End-to-end visibility

Attack vectors can form anywhere. Detailed visibility into every endpoint, resource, and network node is critical. Various systems can generate this visibility data, including endpoint protection platforms (EPPs), endpoint detection and response (EDR), security information and event management (SIEM), and extended detection and response (XDR). The SOC may also have tools for protecting cloud environments, such as a cloud-native application protection platform (CNAPP) or cloud detection and response (CDR) tools.

Orchestration

If your security practitioners are doing security work (and not just pushing buttons and keeping the security tech running), chances are they’ve got orchestration. It’s a concept in security operations that basically boils down to streamlining investigation and remediation workflows.

Continuous monitoring

Because seconds count in the event that a threat turns into an attack, continuous monitoring of systems is one of the SOC’s core functions. Organizations also need ongoing monitoring of threat intelligence for continuous and real-time refinement and adjustment of security postures.

Detection

Detection is the process of turning the visibility data into usable insights. Automated analysis helps generate these insights so skilled security analysts can apply their knowledge to the most-serious threats.

Investigation and analysis

Most security products aren’t good storytellers. A correctly staffed SOC has the right people to investigate critical alerts and tell a story about what happened. Investigation answers the what, when, where, and how questions that inform the security response.

Incident response

Once an investigation is done, it’s important to have clear answers about what to do next. A SOC team with remediation capabilities tells you how to fix the bad thing that just happened—and how to hopefully prevent it from happening again. If needed, the SOC staff can disable a looming attack—for example, by logging off a suspicious user or by disconnecting compromised endpoints.

If the attack has already begun, mitigation actions might include deleting or isolating infected files, shutting down affected applications, and running anti-malware software. Eventually, it will be the SOC team’s responsibility to restore the company’s networks to their previous states.

Incident investigation

SOC team members can assemble a timeline and digital trail of every activity an intruder has undertaken. The timeline and trail help security analysts better understand the exploited vulnerabilities, and create a path forward for post-incident refinement of policies and security posture.

Threat hunting

More mature SOC teams often invest time and resources into either proactively scanning their environment for particular known threats, or looking back across their environment to confirm there hasn’t been an unwanted infiltration. This is known as threat hunting.

In-house vs. managed SOCs

SOC teams struggle with alert fatigue, talent shortages, constant pressure, and lack of time for more-impactful strategic work. Meanwhile, security leaders wrestle with hiring, training, and retaining talent, leading to even more resource constraints. Many large organizations facing these challenges see value in managed SOC services that provide the required levels of expertise, readiness, and service. Ideally, the SOC will have a deep collaborative relationship with the organization’s internal security team.