Understanding a Security Operations Center (SOC) and How it Works

Aug 19th 2021


Today, organizations of all sizes are targets of cyber threats. There is always the risk that cybercriminals gain access to an organization’s network, which is still, despite all efforts to move data to the cloud, the central backbone of many organizations’ infrastructure.

Once an attacker is in, they can wreak havoc, resulting in an irreversible loss of data, money, and of course, reputation. Threats such as data breaches, cyberattacks, and malware infections are so widespread that most IT departments must detect and mitigate them on a daily basis before they cause harm. For organizations that want to enhance their cybersecurity by analyzing and responding to such threats, Security Operations Centers (SOC) need to provide continuous monitoring. Just “assume you are compromised today” is how Jim Byrge, Sr. cyber security engineer at Valvoline, describes the attitude necessary to face the new normal.

What is a SOC?

A SOC is a facility where an IT security team normally operates. The team focuses on the security posture of its organization by centrally monitoring and analyzing its IT environment for alerts and suspicious behavior in its tools and data. The team also initiates the incident response process, and manages and owns the threat management activities, such as alert validation, incident detection and response, incident impact assessment, vulnerability management, threat detection and hunting. Incident response teams work closely with the SOC or may be part of the SOC to respond quickly if needed.

Common Core Roles Within a SOC

A SOC is made up of multiple roles with different responsibilities. Analysts who focus on security incidents are categorized into three tiers:

  • Tier 1 – Triage Specialist
    • Registering and assigning incidents
    • Classifying, verifying, and prioritizing security incidents
    • Health monitoring of security sensors if applicable
    • Collecting data required for Tier 2 analysts
  • Tier 2 – Incident Handler
    • Incident analysis and response
    • Advising with containment and remediation actions
    • Coordinating and supporting incident response
    • Periodic review of Tier 1 analyst work
  • Tier 3 – Security Expert
    • Threat hunting
    • Incident analysis and response at Tier 3
    • Developing and tuning detection logic
    • Developing a security monitoring system
    • Review of Tier 2 analyst work

Additional common core roles of a SOC include:

  • SOC Manager
  • SOC System Admin
  • Threat Intelligence Analyst
  • Digital Forensics Analyst
  • Malware Analyst

No two SOCs are alike. Depending on the size of the SOC, individuals may be responsible for covering several different roles.

IT departments may choose to deal with their cybersecurity issues by managing their own SOC or by using a third-party Managed Security Services Provider (MSSP). There are numerous advantages to outsourcing a SOC to an MSSP, which include, but are not limited to:

  • Paying for a service rather than employing an entire IT department and purchasing new hardware and software is more cost-effective.
  • Reduced downtime, because the MSSP focuses solely on the security aspect.

Outsourcing also has its downsides. As Alexandra Günnewig from VMRay states, “you cannot outsource responsibility”. Furthermore, a company should not overlook the opportunity to build up its own internal intel. How else could a company ever be in a position to judge the performance of the MSSP once it starts working with one? In addition, there are the efficiencies gained through an internal continuous improvement process (CIP or KAIZEN).

Internal SOC infrastructure should be built around tangible business needs. Jim Byrge at Valvoline, for instance, started the internal SOC team pragmatically: hire a good CISO who is senior enough to support the program and communicate it to the board, pick “a great network person, an email person and a desktop/server person” and get started.

Just like Gartner, Jim Byrge emphasizes the need for C-level involvement (“cyber-savvy boards”). “Security is something that, if you do it well, people don’t see. Keep it in front of the leaders. Give reports on events, processes coming out of the program, and how you are improving the security of your company”.

How Does a SOC Work?

IT leaders appreciate the importance of human impact in preventing cyber incidents. The SOC team is responsible for continuously studying and monitoring current and emerging threats. But, as Jim Byrge puts it, the SOC “is NOT another Help Desk, and should be treated as an elite group outside the line of helpdesk”.

Tools used by the SOC team, moreover, need to alleviate alert fatigue by providing easy-to-read context information that allows members to work faster and focus more effectively on the right alerts. Each SOC should also have a defined target operating model that outlines its mission, responsibilities, KPIs, and timelines for achieving its goals and maturity levels.

When determining which technologies would best advance the SOC’s missions and capabilities, organizations should ask several key questions, including:

  • What are our top risks and threats?
  • What is our SOC’s maturity level?
  • What is our maturity goal?
  • What are our timeline and KPIs for reaching our maturity goal?
  • What technologies are we already using?
  • Will new technologies easily integrate with our existing technologies?
  • What expertise and resources are available to us and which do we need to add?
  • How do we improve the efficiency and effectiveness of our team & tool landscape?

A Side-Note on Artificial Intelligence & Machine Learning

Artificial intelligence (AI) and machine learning (ML) powered technologies can be used as tools to highly or fully automate a SOC. While these and other technologies can prevent basic attacks, major incidents almost always require human analysis. As a result, in order to support its goals and abilities, a SOC requires skilled staff and fine-tuned processes for using and operating its tools.

The SOC collects information from the following sources using its threat intelligence system(s):

  • Incident reports
  • Threat briefs
  • Vulnerability reports
  • External sources
  • Relevant news feeds

The information collected is correlated with the organization’s data in order to detect activities that could be of a malicious nature. The SOC team is in charge of loading updated threat intelligence data into its tools so that it can be correlated with the organization’s data.
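The correlation step described above can be sketched as follows. This is an added example, not code from the original article: the feed entries, the log format and the field names (`dst_host`, `dst_ip`, `file_sha256`) are constructed assumptions.

```python
# Constructed indicators as they might arrive from briefs or feeds; they are
# often "defanged" ([.] instead of .) and inconsistently cased.
FEED = [
    ("domain", "Bad-Updates[.]example", "threat brief"),
    ("ip", "203[.]0[.]113[.]45", "incident report"),
    ("sha256", "A" * 64, "external source"),
]

# Constructed log lines in an assumed "timestamp host key=value ..." format.
LOGS = [
    "2021-08-19T09:12:01Z ws-014 dst_host=cdn.bad-updates.example dst_ip=198.51.100.7",
    "2021-08-19T09:12:05Z ws-022 dst_host=notbad-updates.example dst_ip=198.51.100.9",
    "2021-08-19T09:13:40Z srv-03 dst_host=intranet.corp.example dst_ip=203.0.113.45",
    "2021-08-19T09:15:02Z ws-014 file_sha256=" + "a" * 64,
]

def refang(value):
    """Normalise an indicator so feed and log values compare equal."""
    return value.replace("[.]", ".").lower().rstrip(".")

def build_index(feed):
    """Map (kind, normalised value) -> intelligence source for O(1) lookups."""
    return {(kind, refang(value)): source for kind, value, source in feed}

def parse(line):
    ts, host, *pairs = line.split()
    return ts, host, dict(p.split("=", 1) for p in pairs)

def correlate(logs, index):
    """Return (timestamp, host, kind, indicator, source) for every match."""
    hits = []
    for line in logs:
        ts, host, f = parse(line)
        # Match a domain indicator or any of its subdomains, label by label,
        # so "notbad-updates.example" does not match "bad-updates.example".
        labels = f.get("dst_host", "").lower().split(".")
        keys = [("domain", ".".join(labels[i:])) for i in range(len(labels))]
        keys.append(("ip", f.get("dst_ip", "")))
        keys.append(("sha256", f.get("file_sha256", "").lower()))
        hits += [(ts, host, k[0], k[1], index[k]) for k in keys if k in index]
    return hits

if __name__ == "__main__":
    for hit in correlate(LOGS, build_index(FEED)):
        print(hit)
```

Keeping the intelligence source with each hit gives the analyst validating the alert the context behind the match.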


Security automation is used by high-end SOCs to make them more efficient and effective. Applying Security Orchestration, Automation and Response (SOAR) solutions allows embedding threat detection into a highly effective and efficient process flow. It enables them to work with a limited workforce, with significantly shorter detection times and greater success.

Combining these automations with security experts enhances the ability to increase security measures and defend against security breaches and cyber-attacks. Depending on their needs and specificity, every organization needs to optimize the mix of internal and external expertise. Internal proficiency is essential to maintain control of incident response and to be able to exercise responsibility and accountability. In order to manage its internal continuous improvement process, each organization needs to aggregate intelligence on its attack vectors.
