What is a Security Operations Center (SOC)?

Harold Bell
The security operations center (SOC) has become a core element of cybersecurity strategy. SOCs take many forms, but what they all have in common is a mission to operationalize security policies and processes. SOCs take action to protect organizations from cyber threats. This article explores the SOC, what it is, and how it works.

What is a SOC?

A SOC, sometimes referred to as an information security operations center (ISOC), comprises a team of people with specialized tooling whose job is to monitor the IT estate, detect security events, and respond to alerts and security incidents. A SOC typically runs 24 hours a day and is based out of a dedicated physical space. Some SOCs are staffed by full-time employee teams; in other cases an external vendor, such as a managed security services provider (MSSP), delivers SOC services to its clients. A SOC also usually involves itself in developing security policies and undertaking preventive measures.

The word “center” is a key to understanding the nature and purpose of the SOC. A SOC is a centralized security detection and response team. A SOC pulls together sources of security information, such as device logs and other sensors, and analyzes them in a coherent, holistic way. The goal is to unify and coordinate all the various security tools, policies, practices, and workflows that exist in an organization. If the SOC is working as intended, it will provide faster, better responses to security events than is possible with the alternative: a piecemeal approach and scattered, loosely coordinated team members.

What does a SOC do?

The SOC is responsible for defending the organization’s digital assets. These run the gamut from devices to applications to data. The SOC may also be in charge of protecting the network, but that varies by company. The primary enabling factor here is visibility. The SOC cannot defend what it can’t see. For this reason, the SOC employs specialized tooling that gives the SOC team a complete view of endpoints, servers, applications, and databases, as well as threats and security alerts.

Assuming visibility, the SOC’s areas of operation generally belong in one of three categories:

  • Plan, prepare, prevent — Getting a SOC to run effectively requires a great deal of planning and preparation, as well as preventive measures. For instance, the SOC needs to compile and then maintain a complete inventory of digital assets that require protection, as well as the security tools they use to realize that defense. The SOC may then oversee maintenance, including updates and patches, according to procedures the SOC has established. The SOC also creates plans and procedures for incident response. The SOC will then test those plans.
  • Monitor, detect, respond — Monitoring digital assets and security tools is the day-to-day activity of the SOC. This might involve the use of security information and event management (SIEM) solutions that analyze log data from multiple devices, such as firewalls, to detect threats or attacks. Data from endpoint detection and response (EDR) and extended detection and response (XDR) solutions also streams into the SOC. The SOC toolset may provide analysis using artificial intelligence (AI), which can spot patterns and anomalies that suggest the presence of an attack or threat. If the SOC determines that a security incident is occurring, it will initiate incident response workflows, perhaps using a security orchestration, automation, and response (SOAR) solution. The SOAR “playbooks” may call for the use of a wide range of tools, such as anti-virus software, to remediate threats.
  • Recover, refine, comply — It’s not enough for the SOC to respond to a threat and mitigate its impact. The SOC needs to oversee the recovery of any affected digital assets and remediate the effects of the attack. Every incident is an opportunity to learn and get better at protection for the next time. This might mean updating policies to reflect the nature of an attack, making sure that all relevant patches are up to date, and so forth. On a related front, the SOC usually takes care of compliance requirements that are based on security policies, such as identity and access management (IAM) and IT controls over financial systems.
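As an added illustration (not code from the original post or from Noname Security), a small Python sketch of the detect-and-respond loop described in the list above: a SIEM-style correlation rule over constructed firewall log lines, followed by a SOAR-style playbook lookup for the alerts it raises. The log lines, the rule name, the threshold and the playbook steps are all constructed assumptions for the example.

```python
# Added illustration: a SIEM-style correlation rule over constructed firewall
# log lines, then a SOAR-style playbook lookup. Not Noname Security code.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall events in a syslog-like key=value form (not real data).
LOG_LINES = [
    "2024-05-01T10:00:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=22",
    "2024-05-01T10:00:05Z fw01 DENY src=203.0.113.7 dst=10.0.0.7 dport=22",
    "2024-05-01T10:00:09Z fw01 DENY src=203.0.113.7 dst=10.0.0.8 dport=22",
    "2024-05-01T10:00:12Z fw01 DENY src=203.0.113.7 dst=10.0.0.9 dport=22",
    "2024-05-01T10:00:30Z fw01 ALLOW src=10.0.0.20 dst=10.0.0.5 dport=443",
    "2024-05-01T10:05:00Z fw01 DENY src=198.51.100.2 dst=10.0.0.5 dport=3389",
]

def parse(line):
    """Turn one log line into a dict with a parsed timestamp, the action and key=value fields."""
    ts, _host, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["action"] = action
    return fields

def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Raise one alert per source that is denied to >= threshold distinct hosts inside the window."""
    denies = defaultdict(list)
    for ev in map(parse, lines):
        if ev["action"] == "DENY":
            denies[ev["src"]].append(ev)
    alerts = []
    for src, evs in denies.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):          # slide the window over each deny
            in_win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            targets = {e["dst"] for e in in_win}
            if len(targets) >= threshold:
                alerts.append({"rule": "horizontal-scan", "src": src,
                               "targets": len(targets), "severity": "high"})
                break                            # one alert per source is enough for triage
    return alerts

# SOAR-style playbook mapping (constructed): the response steps each rule triggers.
PLAYBOOKS = {"horizontal-scan": ["block-source-at-firewall", "open-ticket", "notify-analyst"]}

def respond(alerts):
    """Return (source, playbook steps) pairs for the analyst or SOAR engine to act on."""
    return [(a["src"], PLAYBOOKS[a["rule"]]) for a in alerts]
```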

SOC roles and responsibilities

The SOC team usually comprises a mix of backgrounds and roles. In addition to the SOC manager, who is in charge of the SOC and usually oversees security operations in general, there are security engineers, security analysts, and threat hunters. Threat hunters detect and contain advanced threats, such as advanced persistent threats (APTs), zero-days, or other novel threats that get past existing defenses.

Security engineers build and manage the security architecture. This involves evaluating and testing security tools, and then maintaining them once they are put to work. Security engineers also typically engage with developers and DevSecOps teams to ensure that security is part of the software development lifecycle (SDLC).

Security analysts are responsible for monitoring the IT estate for threats and responding to security incidents. Much of this work involves investigating alerts and performing triage, with the goal of prioritizing the most serious issues. They then oversee the incident response workflow, perhaps using a SOAR solution and its various playbooks. This can be quite challenging, because sometimes a seemingly minor alert is an indication of a major security incident, while many false positives form a problematic distraction. The work can be stressful, with burnout a common difficulty facing security analysts.

SOC vs NOC

The network operations center (NOC) is analogous to the SOC, but it is focused on ensuring reliable network functioning, rather than security. The two team constructs are similar, and this is not an accident. The idea for the SOC grew out of the success of NOCs or “NOC rooms.” A company needs both. It’s not an either/or choice, and the two centers tend to have overlapping responsibilities. A great deal of security monitoring in the SOC involves analyzing network performance because threats often first appear as network anomalies.

SOC vs CSIRT

The computer security incident response team (CSIRT) is a group that handles security incidents. It is distinct from the SOC in that it is more advanced and multi-disciplinary. The CSIRT focuses on intensive, serious incidents, versus the SOC, which is always on duty for every threat and alert. The CSIRT is also usually responsible for setting security policies and preventive measures implemented by the SOC. The two groups have some overlapping responsibilities and often work together on incident response.

SOC vs PSIRT

The product security incident response team (PSIRT) is responsible for responding to security incidents involving a company’s products. It does not have a lot to do with the SOC. In contrast to the CSIRT, which teams up with the SOC to handle threats to the organization, the PSIRT is largely externally focused.

Conclusion

The SOC is always on duty, monitoring for threats and attacks around the clock. SOC team members are the frontline responders against malicious actors. The SOC also gets involved in security policy development and preventive measures. By detecting and responding to security incidents, the SOC keeps the organization functioning in the face of serious cyberthreats.

Harold Bell is the Director of Content Marketing at Noname Security. He has over a decade of experience in the IT industry with leading organizations such as Cisco, Nutanix, and Rubrik, and has been featured as an executive ghostwriter in Forbes Technology Council and Hacker News.
