What is a Security Operations Center?
A security operations center (SOC) is a centralized facility that houses an information security team responsible for continuously monitoring, analyzing, and improving an organization’s security posture. The goal of the SOC team is to prevent, detect, analyze, and respond to cybersecurity incidents, around the clock. SOC teams protect assets such as intellectual property, personnel data, business systems, and brand integrity. SOCs are often built around a hub-and-spoke architecture, where a security information and event management (SIEM) system aggregates and correlates data from security feeds.[1] The spokes of this model can incorporate various systems such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and response (EDR), and threat intelligence platforms (TIP). The SOC is typically led by a SOC manager, and may be staffed with incident responders, SOC analysts, threat hunters, and incident response managers. The SOC reports to the CISO, who reports to the CIO or CEO.
Key functions performed by the SOC team:
Asset inventory and protection. The SOC team is responsible for devices, processes, applications, and the tools used to protect them. The SOC team locates and maps all of the digital assets on various types of endpoints, servers, software, and through third-party services and traffic between assets. The SOC team uses cybersecurity tools to identify and fortify vulnerable points.
Prevention. The SOC team is informed about the latest trends and innovations in cybercrime and cybersecurity so that they can prepare security roadmaps and disaster recovery plans. They perform preventative maintenance to protect against cyberattacks such as maintaining and updating systems, updating firewalls, applying patches, whitelisting, blacklisting, and securing applications.
Monitoring. The SOC team uses tools to continuously monitor the network for any abnormal or suspicious activity. This 24/7 monitoring allows the SOC to react swiftly to emerging threats, allowing them to either prevent or mitigate harm.
Alerts. Monitoring tools issue alerts, and the SOC team is responsible for triaging them so that the most urgent threats are responded to first.
Threat response. Once an incident is confirmed, the SOC team acts as the first responder, performing activities such as shutting down endpoints, terminating harmful processes, and deleting files.
Recovery. After an incident, the SOC team will work to restore systems and to recover lost or compromised data. Depending on the type of cyberattack, this could involve restarting endpoints, reconfiguring systems, or deploying viable backups to circumvent ransomware.
Logging. The SOC team is responsible for collecting, maintaining, and regularly reviewing network activity and communication logs. This helps them to define a baseline and monitor for suspicious or abnormal activity.
Investigation. After an incident, the SOC team is responsible for figuring out the root cause and preventing similar incidents in the future.
Security improvement. The SOC team stays current on trends and updates the Security Road Map continuously to ensure that it reflects the most up-to-date strategies and processes.
Compliance. The SOC team is responsible for regularly auditing their systems to ensure compliance with regulations such as GDPR, HIPAA, and PCI DSS.
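The Logging, Monitoring, and Alerts functions above form one loop: collected logs define a baseline, deviations from it raise alerts, and alerts are triaged so the most urgent is handled first. The following is an added example illustrating that loop (it is not from the page or from McAfee); the per-hour failed-login counts, the asset criticality table, and the three-standard-deviation threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed data (not from the page): failed logins per host, one count per
# hour. Hours 0-5 are history that defines the baseline; hour 6 is the window
# under review. In a SOC these counts would be aggregated from collected logs.
FAILED_LOGINS = {
    "web01": [2, 1, 1, 2, 1, 1, 9],   # clear spike above a noisy baseline
    "db01":  [0, 0, 0, 0, 0, 0, 5],   # flat history, then a sudden burst
    "vpn01": [1, 0, 1, 0, 1, 0, 1],   # within its normal range
}
# Hypothetical asset criticality used to rank alerts (an assumption, not from the page).
CRITICALITY = {"db01": 3, "web01": 2, "vpn01": 1}


def build_baseline(series, min_stdev=1.0):
    """Mean and standard deviation of the history (all windows but the last).
    A flat history has stdev 0, which would make any change look infinitely
    unusual, so the spread is floored at min_stdev."""
    history = series[:-1]
    return mean(history), max(pstdev(history), min_stdev)


def detect(counts, k=3.0):
    """Flag hosts whose latest window exceeds mean + k * stdev of their history."""
    alerts = []
    for host, series in counts.items():
        mu, sigma = build_baseline(series)
        latest = series[-1]
        z = (latest - mu) / sigma
        if z > k:
            alerts.append({"host": host, "count": latest, "z": round(z, 2)})
    return alerts


def triage(alerts, criticality):
    """Order alerts so the most urgent is handled first: asset criticality
    first, then how far the count deviates from the host's baseline."""
    return sorted(alerts, key=lambda a: (criticality.get(a["host"], 0), a["z"]), reverse=True)


def run(counts=FAILED_LOGINS, criticality=CRITICALITY):
    return triage(detect(counts), criticality)


if __name__ == "__main__":
    for alert in run():
        print(f"{alert['host']}: {alert['count']} failed logins (z={alert['z']})")
```

Note that db01 ranks above web01 despite a smaller deviation, because triage weighs asset criticality before statistical surprise; a burst of 2 on a flat history would not alert at all because of the stdev floor.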
[1] McAfee, 2021, “What is a Security Operations Center (SOC)?”