What is a Security Operations Center (SOC)?

A Security Operations Center (SOC) is a critical cybersecurity functional group that is a crucial component to business cyber security. SOCs may be provided by in-house personnel, outsourced to a SOC-as-a-Service provider, or a combination of both. In this blog post, we detail the key functions of a SOC and what your organization should look for if you’re considering bringing a SOC into your security arsenal.


What is a Security Operations Center (SOC)?

SOCs are teams of cybersecurity professionals that both monitor an organization’s networks for cyberattacks and suspicious behavior, as well as improve that organization’s ongoing internal security controls and procedures. These teams can be in-house or accessed via managed services partners. SOCs are equipped with tools, applications, security information and event management (SIEM) systems, data lakes, and other strategic assets to enable security analysts and researchers to continuously monitor logs, alarms, events, notifications, alerts, and incidents from various organizational systems and network-based devices for potential signs of an attacker incursion or security incident. Red flags a SOC looks out for often include suspicious traffic, which can be an indicator of cyberattacks, data leakage, or other malicious activities.

Any business that needs to protect the firm’s network against internal or external threats while meeting compliance regulations can greatly benefit from a SOC, where security experts can review, monitor, and respond to threats in real-time.

When visualizing what a SOC looks and sounds like, the image in popular imagination might include multiple monitors showing various world maps, live news channels, and data-laden dashboards, with security analysts sitting in front of multiple monitors analyzing code. That image isn’t far off at all from reality at our SOC here at SilverSky. For example, we have dashboards that capture the attack map, which can help us geographically pinpoint where a flood of attacks is coming from or are actively targeting. Also, analysts do have multiple monitors where they review raw data from logged events, run command line codes to fetch and filter data, search for potential indicators of security incidents or compromise, and document their findings on a different screen.

Who runs a SOC?

The SOC itself is an organization within any company that requires 24x7x365 security coverage. In today’s threat landscape, this round-the-clock attention is critical for most companies. The SOC team includes security analysts, researchers, threat hunters, data scientists, and subject matter experts on topics like SIEM, deployment and onboarding of devices, writing parsers, scripts, and other areas. A well-structured SOC has sub-teams and departments — such as monitoring, support, and/or engineering teams — with enough dedicated resources for each function.

While some large enterprises will have a SOC in-house, for many organizations owning and running an internal SOC is simply out of the question. To gain the 24x7x365 security monitoring that a SOC provides, you need to employ a minimum of five to seven full-time SOC professionals. Many businesses simply do not have the resources to support a dedicated security team of that size, so they instead seek help from managed SOC services.

Companies should constantly evaluate their cybersecurity processes and technologies against new threats. If your people cannot keep up with this challenge, or you are uncertain if your technology—such as a SIEM or log management solution—is being used effectively, you should consider a managed SOC security company.

How does a SOC work?

The SOC team monitors the customer’s systems, networks, and remote devices 24x7x365 for security, compliance, and anomalies. All incoming data and logs are normalized, prioritized, and processed via the SIEM’s threat intelligence, rules, indicators of compromise (IOC) lookups, and other patterns. Any incident generated by the SIEM is reviewed, analyzed, and documented by security analysts. If the incident needs to be escalated, the analyst reports this incident to customers via email and/or phone call following the customer incident response plan. The analyst may block the attacker’s IP, isolate the infected system, or disable any malicious user accounts, depending on the level of access they have. This type of remediation is critical to address, regardless of whether it’s in-house or you enable your outsourced SOC to perform the fixes.

Threat Research: SOC analysts stay on the lookout for newer, emerging threats. They subscribe to and read various security feeds and perform manual searches for any IOCs or patterns that could be added to the SIEM or analytics for detection.

Threat Hunting: SOC analysts review customer logs for anomalous behavior or IOCs, or if any new threat information is available. They also analyze the logs for suspicious patterns and report their findings as applicable.

How does a SOC help with compliance?

A SOC must always log and report on security vulnerabilities, patches, and monitoring for compliance. You should consider a SOC that has compliance experts in-house. For example, SilverSky has people experienced in a variety of certifications frameworks, including ISO, SOC2, NIST, PCI, and FFIEC.

If you are looking to supplement your SOC or have your entire SOC managed by another provider, we suggest that you consider three items from your SOC-as-a-Service provider to be successful.

  1. Service – A SOC-as-a-Service provider should clearly define what services will be delivered. This includes:
  • A clearly defined SLA. Does the SLA match the organization’s compliance requirements?
  • Does the monitoring include all assets? Is there a limit on the number of devices or EPS caps?
  • Depth and breadth of service. What does security monitoring look like? Does it include reviewing events and alerts, or active threat hunting?
  1. Technology – Your SOC-as-a-Service provider should advise you on what cybersecurity services and technologies you may need. They should also offer a centralized dashboard so you and the provider can both see all SOC incident response and compliance activities in your environment.
  2. People – A SOC-as-a-Service provider should have a team of experts in place that works as an extension of your internal team, adding their 24x7x365 coverage and expertise to the work your in-house team does. They should be credentialed and highly skilled.


What are other considerations for a SOC-as-a-service provider?

Threats come from anywhere, so your SOC can be anywhere. Look for a SOC located in a hub of cybersecurity excellence. Also, find a provider that gives you the SOC team you need, but also combines dedicated company resources – such as a dedicated cybersecurity advisor – that knows your business and account.

When you choose a SOC-as-a-Service provider, you want to know you can trust the team. At SilverSky, we run a global SOC team in 3 geographical centers that offer three tiers of security experts from level 1s to 3s. Many of our SOC team members hold master’s degrees and PhDs in cybersecurity and come from SOC, network operations centers (NOC), software engineering, and IT backgrounds. We also have a team hierarchy for each SOC-as-a-Service customer that includes security analysts, team leads, managers, directors, VPs, and account managers. This diversity and experience in real-world environments allow us to deliver value to all our customers, no matter if they use Linux in AWS, Windows in Azure, or a hybrid cloud mixture of network hardware and software in on-premises solutions.

When you work with a SOC-as-a-Service provider, you benefit from a cost-effective solution that doesn’t require hiring a minimum of five to seven in-house employees. You get better security monitoring with more eyes on your environment, so that when an incident occurs you get to resolution or remediation faster. SOC experience and preparedness pay dividends in improving customer trust as well: If breached, you’ll be able to respond immediately, close the breach, and demonstrate that you have remediated the impact on your data and network.

If you’d like to learn more about SilverSky’s SOC-as-a-service offerings and how our team of security experts can help your business, you can learn more here.