Security Operations Center (SOC)

What’s a SOC?

A Security Operations Center (SOC) is a command center that deals with security issues, constantly monitoring and defending against cyber threats. The SOC (pronounced ‘sock’) serves as a centralized unit where security personnel work together to detect, analyze, respond to, and mitigate security incidents.

Most large (Fortune 500) companies have a SOC, and small and medium sized businesses often rely on a SOC behind the scenes. For example, if you’re a Security Essentials customer, you already have a dedicated SOC protecting your business 24/7.

While small businesses rarely employ a SOC directly, it’s still important for small business cybersecurity to understand what a SOC is at a very high level. It helps to explain how technology like MDR, SIEM, and XDR works under the hood, and it shows how big companies actually do cybersecurity.

How a SOC Works

From the perspective of someone outside IT, it may seem like everything IT-related should be taken care of by the same group of people, i.e. ‘IT people’. But IT is a broad field and there’s a lot of specialization, even when it comes to maintaining and securing a network.

As a result, cybersecurity has become a highly specialized field and many cybersecurity roles have little overlap with other IT roles. For example, there are defenders who specialize in actively monitoring and defending large networks, and others who perform in-depth forensic investigations after an attack occurs.

These defenders (and others) work together in the SOC, often forming what’s called a blue team. The blue team is responsible for the defense of the company and its digital assets.

The blue team (in the SOC) works closely with the company’s IT team, who maintain the network, and the SOC may recruit its team members from the company’s IT team. Many IT people have a strong general knowledge of cybersecurity but lack hands-on cybersecurity skills, and cybersecurity practitioners have a great understanding of how networks are built and administered. But in general, cybersecurity folks are not IT folks.

As time goes on, different roles have become increasingly specialized. Even the bad guys (‘black hat’ hackers) are highly specialized today, with different roles and different groups responsible for developing different software (malware) types that are used together. Let’s get back to the topic of the SOC.

A SOC is essentially a command center staffed by skilled cybersecurity defenders. The people working in the SOC have highly specialized, well-defined roles that enable the SOC to function together as a single entity.

SOCs rely on many of the technologies that we’ve already covered. The primary component is a SIEM (security information and event management software), although today the use of MDR and XDR has somewhat blurred the lines between network defense technologies.

As we’ve learned, a SIEM ties together alerts and logs generated from across many sources including all of the endpoints, firewalls, and other devices on a network.

This includes data from:

  • System and application logs from every device on the network – collected by a SIEM agent or by EDR/MDR agents
  • Antivirus (AV) and EDR/MDR on each host
  • Firewalls
  • Network monitoring tools
  • Specialized alerts set up on critical systems like servers
  • Alerts from honeypots and other active defensive measures

All together, this is a massive amount of data! The SIEM provides a centralized platform so that team members working together in a SOC can quickly assess all of the potential threats identified across the network.

Roles in a Typical SOC

In order to better understand how a SOC works, let’s take a quick look at common roles. SOCs use a well-defined structure of tiers (Tier 1, Tier 2, Tier 3), and alerts escalate through them starting at Tier 1:

  • Tier 1 Analyst / Security Analyst: Sometimes referred to as a triage specialist, they are responsible for examining each alert to determine whether or not it should be escalated for further review. This is called triage: deciding whether the alert is a false positive, and escalating if there is any doubt.
  • Tier 2 Analyst / Incident Responder: Investigates anything escalated by Tier 1; performs a thorough investigation to determine if a threat is real and gathers as much data as possible about the event. As with Tier 1 analysts, an important component of this role is to further escalate potential incidents when needed. However, in most SOCs, Tier 2 analysts are expected to perform thorough investigations themselves and only escalate the most critical cases to Tier 3.
  • Tier 3 Analyst / Threat Hunter: Considered a subject-matter expert in defensive cybersecurity; seeks out threat actors who are actively attacking assets on the network. The goal of threat hunting is to be as proactive as possible about identifying attackers who are still on the network, in order to stop them as quickly as possible.
  • Forensic Analyst: Conducts in-depth investigations following incidents. They collect and analyze data from disk and memory, and use a specialized toolset that allows them to dig deep into the available data. Forensic analysts also commonly work outside of SOCs, and there are highly skilled companies and freelancers specializing in this field. Careful forensic analysis that preserves the quality of digital evidence is commonly used in legal cases as well.

Why Small Businesses Need to Know About SOCs

We want it to be clear that most small or even many medium-sized businesses aren’t going to be managing a SOC anytime soon! Manning a SOC requires a lot of skilled people with specialized roles at the helm.

So why is it important that small businesses learn about SOCs? There are two reasons.

First, SOCs are used by virtually every large company and many medium-sized ones. It’s important for SMBs to understand how SOCs work in order to scale their approach to cybersecurity accordingly as the business grows.

Second, managed security services commonly used by small businesses (such as managed EDR / MDR or managed SIEM) use a SOC behind the scenes. Now that you know how these services are delivered using a SOC, you should hopefully be better informed about what they are actually providing.

For example, any MDR service (like the one included in our Security Essentials) essentially uses a SOC to manage the EDR software and any alerts it generates. When an alert is generated, it gets triaged in the SOC.

First, a Tier 1 analyst will look into the alert and determine whether there’s a possibility that the issue will need to be escalated. In essence, the Tier 1 analyst is trying to rule out the possibility of it being malicious in nature. If there’s even a small possibility that the alert is due to something malicious, then the Tier 1 analyst quickly escalates to a Tier 2 analyst. The Tier 2 analyst has more experience, performs a thorough investigation, and determines if the issue needs to be escalated further.
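To make the two ideas above concrete, here is an added example (written for this article, not code from any SOC, SIEM or MDR product) of what a SIEM does before an alert ever reaches an analyst, and what a Tier 1 triage rule looks like. It takes constructed sample records from three feeds in three different formats (an SSH auth log, a firewall log, and an EDR alert in JSON), normalises them into one event schema, correlates them per host within a time window, and then applies the Tier 1 rule described above: try to rule out malice, escalate on any doubt. The log formats, field names, asset inventory, severity scale and the 10-minute window are all assumptions made for illustration.

```python
"""Toy SIEM pipeline: normalise three feeds, correlate per host, Tier 1 triage.

Added example for this article; it is not the article's own code. The log
formats, field names, asset inventory, severity scale and the 10-minute
correlation window are all assumptions made for illustration."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Common schema every feed is normalised into."""
    ts: datetime
    host: str
    source: str     # feed: "auth", "firewall" or "edr"
    category: str   # normalised event type
    severity: int   # assumed scale: 1 informational .. 4 critical
    detail: str


# Constructed sample input: one record per line, three different formats.
AUTH_LOG = [
    "2024-05-01T09:00:05Z ws-17 sshd[412]: Failed password for admin from 203.0.113.9 port 51022",
    "2024-05-01T09:00:07Z ws-17 sshd[412]: Failed password for admin from 203.0.113.9 port 51023",
    "2024-05-01T09:00:12Z ws-17 sshd[412]: Accepted password for admin from 203.0.113.9 port 51030",
    "2024-05-01T09:30:00Z ws-02 sshd[880]: Accepted publickey for alice from 10.0.0.5 port 40001",
]
FIREWALL_LOG = [
    "2024-05-01T09:02:40Z fw01 action=ALLOW src=10.0.0.17 dst=198.51.100.77 dport=4444 proto=tcp",
    "2024-05-01T09:31:00Z fw01 action=ALLOW src=10.0.0.2 dst=10.0.0.20 dport=443 proto=tcp",
]
EDR_ALERTS = [
    '{"time": "2024-05-01T09:03:10Z", "host": "ws-17", "rule": "suspicious-powershell", "severity": "medium"}',
]
# Assumed asset inventory so firewall source IPs join up with host names.
ASSETS = {"10.0.0.17": "ws-17", "10.0.0.2": "ws-02"}
EDR_SEVERITY = {"low": 2, "medium": 3, "high": 4, "critical": 4}
AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (\S+) from (\S+)")


def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_auth(line):
    m = AUTH_RE.match(line)
    if not m:
        return None  # unknown line shape: skip it rather than crash the pipeline
    ts, host, outcome, user, src = m.groups()
    category, severity = ("auth_failure", 2) if outcome == "Failed" else ("auth_success", 1)
    return Event(parse_ts(ts), host, "auth", category, severity, f"{user} from {src}")


def parse_firewall(line):
    ts, _device, rest = line.split(" ", 2)
    kv = dict(field.split("=", 1) for field in rest.split())
    host = ASSETS.get(kv["src"], kv["src"])  # fall back to the raw IP if unknown
    # Outbound traffic to a non-web port is worth a second look, but only mildly.
    severity = 1 if kv["dport"] in ("80", "443") else 2
    return Event(parse_ts(ts), host, "firewall", "egress_" + kv["action"].lower(),
                 severity, f"to {kv['dst']}:{kv['dport']}/{kv['proto']}")


def parse_edr(line):
    rec = json.loads(line)
    return Event(parse_ts(rec["time"]), rec["host"], "edr", "edr_alert",
                 EDR_SEVERITY.get(rec["severity"], 2), rec["rule"])


def ingest():
    """Run every feed through its parser and drop lines that did not parse."""
    events = [parse_auth(l) for l in AUTH_LOG]
    events += [parse_firewall(l) for l in FIREWALL_LOG]
    events += [parse_edr(l) for l in EDR_ALERTS]
    return [e for e in events if e is not None]


def build_cases(events, window=timedelta(minutes=10)):
    """Group events per host into cases; a new case starts when an event lands
    more than `window` after the first event of the current case."""
    cases = {}
    for ev in sorted(events, key=lambda e: e.ts):
        host_cases = cases.setdefault(ev.host, [])
        if host_cases and ev.ts - host_cases[-1][0].ts <= window:
            host_cases[-1].append(ev)
        else:
            host_cases.append([ev])
    return cases


def tier1_triage(case):
    """Tier 1 rule: try to rule out malice, escalate on any doubt.
    Returns (decision, reasons) so the hand-off to Tier 2 is explicit."""
    reasons = []
    sources = {e.source for e in case}
    max_sev = max(e.severity for e in case)
    failures = [e for e in case if e.category == "auth_failure"]
    successes = [e for e in case if e.category == "auth_success"]
    if max_sev >= 3:
        reasons.append("a feed reported severity >= 3")
    if len(sources) >= 2 and max_sev >= 2:
        reasons.append("suspicious signal corroborated by %d feeds" % len(sources))
    if failures and successes and successes[-1].ts > failures[0].ts:
        reasons.append("successful login after %d failures" % len(failures))
    return ("escalate_tier2" if reasons else "close_benign"), reasons


if __name__ == "__main__":
    for host, host_cases in build_cases(ingest()).items():
        for case in host_cases:
            decision, why = tier1_triage(case)
            print(f"{host}: {len(case)} events -> {decision} {why}")
```

Run as a script, it reports one case for ws-17 (failed logins, then a success, then unusual outbound traffic and an EDR alert) that escalates with three reasons, and one case for ws-02 that closes as benign. The point of returning the reasons, rather than just a verdict, is that a Tier 2 analyst receiving the escalation starts from the correlated picture instead of a single raw alert.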

We think it’s important that our customers understand how this works so that it can inform their decision-making process.