A security operations center (SOC) is a command center facility for a team of IT professionals with expertise in information security that is responsible for monitoring, analyzing and protecting an organization from cyber attacks. In the SOC, internet traffic, corporate area networks (CAN), desktops, servers, endpoint devices, databases, applications and other systems are continuously examined for signs of a security incident. The SOC staff may work with other teams or departments, but is typically self-contained with employees that have high-level information technology and cybersecurity skills. Additionally, most SOCs function around the clock as employees work in shifts to constantly log activity and mitigate threats.
Prior to establishing an SOC, an organization must define its cybersecurity strategy that aligns with current business goals and problems. Department executives will reference a risk assessment that focuses on what it will take to maintain the companies mission and subsequently provide input on what objectives need to be met, what infrastructure and tooling is required to meet those objectives along with what types of skills are needed for the staff.
Forming an SOC has become more important for large organizations as security breaches are on the rise and the cost associated with data loss is often high. An effective SOC not only helps minimize the cost of a data breach by responding to intrusions quickly, but also by constantly improving detection and prevention practices.
SOCs are most commonly found in the industries of healthcare, education, finance, e-commerce, government, military operations and advanced technology. Businesses that rely on large amounts of highly sensitive data and have plenty of financial resources should consider developing an SOC.
What does a security operations center do?
The overarching strategy of a security operations center revolves around collecting data and analyzing that data for suspicious activity in order to make the entire organization more secure. Raw data that is monitored by an SOC team is security-relevant and typically comes from firewalls, threat intel, intrusion prevention and detection systems, probes and security information and event management (SIEM) systems. Alerts are then put in place that immediately communicate to team members if any of the data is abnormal or displays indicators of compromise (IOCs).
In general, the basic responsibilities of an SOC are:
- Asset discovery and management- This includes obtaining a high awareness of all tools, software, hardware and technologies used within the SOC. It also focuses on making sure all assets are working properly and regularly updated.
- Continuous behavioral monitoring- All systems are examined 24/7. This allows SOCs to place equal weight on proactive and reactive measures as any irregularity in activity is instantly detected. Behavioral models are used to train data collection systems on what counts as suspicious activity and can be used to adjust information that might register as false positives.
- Keeping activity logs- All communications and activity across the organization should be logged by the SOC. This enables team members to backtrack or pinpoint previous actions that may have resulted in a breach.
- Alert severity ranking- One piece of vulnerability management is making sure that the most severe or pressing alerts are handled first. This is part of an SOC team’s job to rank cybersecurity threats in terms of potential damage.
- Defense development and evolution- An SOC team should create an incident response plan (IRP) to help defend systems against attacks. Additionally, it is their responsibility to adjust the plan as necessary when new information is obtained.
- Incident recovery- In addition to preventing and stopping data breaches from occurring, an SOC is also in charge of recovering data that has been compromised. This could include reconfiguring, updating or backing up systems.
- Compliance maintenance- All team members in an SOC must follow regulatory compliance standards when carrying out business plans. Typically, one team member is in charge of educating and enforcing compliance.
Building a security operations center team
A security operations center can take a variety of forms based on requirements, technical skills of employees, physical resources and organizational models. Therefore, building a SOC and its team is a personalized approach.
SOCs are staffed with a variety of individuals that play a particular role in overarching security operations. Job titles and responsibilities that may be found in an SOC include:
- SOC manager- This employee is responsible for managing the everyday operations of the SOC and its team. It is also a part of their role to communicate updates with the organization’s executive staff.
- Incident responder- This employee handles attacks or breaches that have successfully occurred, implementing whatever practices necessary to reduce and remove the threat. Some incident responders have experience with white hat
- Forensic investigator- This employee is in charge of identifying the root cause and locating the source of all attacks, collecting any supporting evidence that is available.
- Compliance auditor- This employee makes sure that all SOC processes and employee actions meet compliance requirements.
- Security analyst- This employee reviews security alerts to organize them by urgency or severity and runs regular vulnerability assessments. Skills this employee might have include knowledge of programming languages, sysadmin capabilities and security best practices.
- Threat hunter- This employee reviews data that is collected by the SOC to identify threats that are hardest to detect. Resilience and penetration testing may also be a part of their routine schedule.
- Security engineer- This employee develops and designs systems or tools that are necessary for carrying out effective intrusion detection and vulnerability management capabilities.
In addition to deciding which job roles are included on the team, the different types of organizational models that an SOC can implement are:
- Dedicated- This model has a dedicated facility on-premises with staff that is hired in-house.
- Virtual/Cloud- This model uses part-time, virtual staff members that respond to security alerts with no dedicated, physical facility.
- Distributed/Co-managed- This model has semi-dedicated team members that are hired in-house to work alongside a third-party managed security service provider.
- Command- This model provides threat intelligence insights and security expertise to other, typically dedicated, security operations centers. It is not involved in the actual security operations or processes, just the intelligence side.
- Fusion- This model oversees any type of security-focused facility or initiative, including other types of SOCs or IT department teams.
- Multifunction- This model has a dedicated facility and in-house staff, but roles and responsibilities extend to other critical areas of information technology management, such as network operations.
However, all of the above options must have a strong and regularly tested business continuity plan (BCP) that may require combining or replacing the chosen organizational models.
Security operations center best practices
As cybersecurity technology and initiatives have continued to grow and advance, there are several agreed upon best practices for running an SOC. The most common suggestion is to implement security orchestration, automation and response (SOAR) processes whenever possible. Combining the productivity of an automation tool with the technical skills of an analyst helps improve efficiency and incident response times. It also enables the center to function more effectively without interruption.
Additionally, SOCs rely heavily on the knowledge of individual team members. Therefore, managers should ensure that ongoing training is provided to stay on top of emerging cybersecurity threats, incident reports and vulnerabilities. Any SOC monitoring tools should then be updated to reflect any new changes.
Similarly, an SOC is only as effective as the strategies it has in place. Therefore, managers should implement strong operational protocols that are robust enough when a consistent, fast and effective response is expected. A few other SOC best practices include collecting as much data as possible as often as possible, taking advantage of data analytics and developing processes that are easier to scale for growth.
Benefits of a security operations center
When implemented correctly, a security operations center can provide an organization with the following benefits:
- Uninterrupted monitoring and analysis for suspicious activity.
- Improved incident response times and practices.
- Decreased gaps between time of compromise and mean time to detection (MTTD).
- Software and hardware assets are centralized for a more holistic approach to security.
- Effective communication and collaboration are highly emphasized.
- Costs associated with security incidents are minimized.
- Customers and employees may feel more comfortable sharing sensitive information.
- More transparency and control over security operations.
- Established chain of control for data which is needed if an organization is expected to prosecute those attributed to a cybercrime.
Network operations center vs security operations center
A network operations center (NOC) is similar to an SOC in that its basic responsibilities are to identify, investigate, rank and fix issues. NOCs also function with a NOC manager, or shift team lead, that oversees all employees and processes within the center. Most employees in a NOC are network or traffic engineers that may have more specialized or technical backgrounds to cover a diverse range of incidents.
Unlike in the SOC, an NOC team handles only issues that arise in relation to network performance and availability. This can include implementing processes for network monitoring, device malfunctions and network configuration. Additionally, an NOC is in charge of making sure the network meets service-level agreement (SLA) requirements, such as minimum downtime.
A major difference in the type of incidents that SOCs and NOCs respond to is their nature. Network issues are typically naturally occurring system events, such as a malfunction or traffic overload. Security issues are more “intelligent” and may come from sources outside of the organization’s control. Due to this, a NOC has to cover hardware and physical equipment repairs more regularly as most SOC incidents happen virtually.
NOCs are most common in organizations that require high network availability such as universities and government agencies. It could also be useful for organizations that rely heavily on an accessible website and a strong internet connection, such as an e-commerce business. A security operations center may include an NOC if it follows the multifunction organizational model.