Introduction to the SOC

Dan Covic
7 min read · Apr 24, 2023


This article introduces you to the nerve-center of an organization’s cybersecurity defense, the Security Operations Center or SOC. This article assumes you are familiar with the core concepts of information technology and have some familiarity with cybersecurity. In this module you will:

  • Learn what a SOC does and why it is important to your organization.
  • Understand the different roles in a SOC.
  • Learn about the tools and solutions used in the SOC.
  • Understand some of the best practices of a successful SOC.
  • See how the SOC collaborates with other teams.

What Is the SOC?

The security operations center, or SOC, is more than just a room with lots of large-screen monitors and fancy locks on the door. It is a collection of people, processes, procedures, and tools responsible for identifying, analyzing, and responding to the variety of security threats that an organization faces.

In some organizations, the SOC is referred to slightly differently. Examples include:

  • ISOC: Information Security Operations Center
  • NSOC: Network Security Operations Center
  • SIOC: Security Intelligence and Operations Center
  • IPC: Infrastructure Protection Center

No matter what acronym is used, they all work toward the same goal. That is, protecting the organization from bad actors and their cyber threats and attacks that seek to damage systems and resources, steal money, or access sensitive data.

Why does an organization need a SOC?

The most obvious answer to this question might be, “to stop bad guys from breaking into our network”. However, that answer is only partially correct. Most organizations put several layers of security in place to stop malicious activity from reaching their resources. Those resources consist of servers, desktops, infrastructure hardware, data, sensitive information, intellectual property, and more. The SOC is one of those security layers, and an important one. Yes, SOCs do work to prevent malicious activity. However, their job is much more operationally strategic than simply acting as a gatekeeper to prevent breaches. Without a SOC, an organization cannot effectively prevent, detect, and respond to an ever-growing and changing threat landscape.

Consider these findings from the annual Cost of a Data Breach report from IBM and the Ponemon Institute:

  • The average cost of a data breach is $3.86 million globally.
  • In the US, the average cost of a data breach is $8.64 million.
  • The average time it takes an organization to identify and contain a breach is 280 days.

Threat actors are becoming more innovative with their tactics, techniques, and procedures. Therefore, organizations are facing hundreds of thousands of new malware variants each day. To effectively defend against, identify and contain these attacks, an organization needs a team of trained security professionals equipped with the right tools and technology. That’s what they get with a SOC.

What Does a SOC Analyst Do?

The SOC analyst is typically the first responder to a security incident. This role may be separated by different levels or tiers, based on knowledge, skills, and experience.

Much of a SOC analyst’s daily tasks involve investigating alerts and analyzing traffic and other logs. For example, an analyst may be expected to review emails that have been reported as suspicious. This means checking them against various tools and security solutions for any signs that they may be malicious or potentially harmful. If the analyst determines that something may be a threat, they would either begin mitigation and containment efforts or escalate it up to the next tier of analysts for handling.

Another common task for SOC analysts is reviewing logs for indicators of compromise (IOCs). These logs are typically fed into a security information and event management (SIEM) solution. This allows the analyst to see real-time alerts generated by the different applications, hardware, and other solutions whose log data is ingested by the SIEM. When there is an alert, the analyst investigates to determine whether it is potentially malicious or a false positive and takes action from there.

Skills for success

Successful SOC analysts enjoy the investigative elements of their jobs. They are asking questions and finding answers. Much of their day is spent combing through alerts and information, trying to find out what the root cause or nature of something is. This job also requires attention to detail and thoroughness. A good SOC analyst checks a potential threat against a variety of different sources because they know that if they miss something it could be disastrous. If they catch something malicious, however, they could potentially save their organization a great deal of money and protect personal and sensitive information from falling into the wrong hands.

Some of the more technical skills that a SOC analyst should have include:

  • A strong understanding of information systems.
  • Knowledge of IT operations.
  • An understanding of the motivations behind cyberattacks, and tools and techniques used to launch them.
  • A solid understanding of security concepts, such as perimeter security, technical controls, data loss prevention, kill chain analysis, and security metrics.
  • An ability to assess risks and escalate issues when needed.

Roles in the SOC

SOC analysts are not the only people who work in the security operations center. Additionally, a SOC may employ security engineers tasked with maintaining the different tools and solutions used by the analysts. They may also work with other development and engineering teams to ensure the applications and customizations they build are secure.

There are also some SOCs that employ specialty analysts. You may find forensic investigators, threat hunters, reverse malware engineers, incident responders, and regulatory/compliance auditors as part of the team. These individuals typically have specialized training and experience in the day-to-day operations of a SOC.

Finally, there will be a layer of management. SOC managers oversee the different teams and typically report to a director or a vice president who oversees all security for an organization. The Chief Information Security Officer (CISO) usually sits at the top of the management team, overseeing all security-related functions for the organization.

Tools of the Trade

One of the most important competencies to master while working in a SOC is knowing how to use all the various tools and security solutions that analysts have at their disposal. Generally, these are specialized software systems designed to identify, analyze and contain the attacks launched against enterprises. The following are brief descriptions of some of the more common tools found in SOCs.

  • Security Information and Event Management (SIEM): Tool that ingests logs and data from different applications, hardware, and other security solutions to provide real-time analysis of the alerts generated by incidents and events as they occur.
  • Security Orchestration, Automation and Response (SOAR): Enables SOC staff to apply workflow automation playbooks to the first level of investigation. By automating the basic investigation tasks, SOARs free up analysts to dive deeper into alerts on threats that are likely to cause damage.
  • Governance, Risk and Compliance (GRC): Solutions that help to manage an organization’s risk analysis and policies, and how well it is maintaining compliance with all its regulatory requirements.
  • Threat Intelligence Feeds (TIFs): Streams of data that contain information about the different threats and threat actors. They provide both context and specificity that helps analysts research and identify potential threats.
  • Threat Intelligence Platform (TIP): Tools that help SOCs to collect and aggregate the multiple threat intelligence feeds with which the analysts work. The threat intel feeds are typically fed into the TIP through CSV, XML, or JSON files. STIX and TAXII are two related standards: STIX dictates how the intelligence in a feed is structured and expressed, and TAXII dictates how the feed is relayed to the TIP.
  • Firewalls: Used to monitor and control incoming and outgoing network traffic. Next-generation firewalls use deep packet inspection to identify malicious traffic more accurately.
  • Intrusion Detection Systems (IDS): Tools for intrusion detection and prevention of network attacks, as well as physical detection tools like wireless intrusion prevention. The purpose of these solutions is to warn analysts of potential attacks (detection) and actively block potential attacks (prevention).
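As an added illustration of the IOC log review described under “What Does a SOC Analyst Do?” and the feed ingestion described for TIFs and TIPs above (example code, not from the article): two constructed feeds, one CSV and one JSON, are normalised into a single indicator table, then matched against constructed proxy and DNS log lines of the kind a SIEM ingests. All indicator values, feed names, and log fields are made up for the example.

```python
import csv
import io
import json
import re

# Constructed sample threat-intelligence feeds, as a TIP might receive them
# (one CSV feed, one JSON feed). None of these values are real indicators.
CSV_FEED = """indicator,type,source,confidence
198.51.100.23,ipv4,feed-a,80
bad-example.test,domain,feed-a,60
"""
JSON_FEED = json.dumps([
    {"indicator": "203.0.113.7", "type": "ipv4", "source": "feed-b", "confidence": 90},
    {"indicator": "bad-example.test", "type": "domain", "source": "feed-b", "confidence": 75},
])

# Constructed proxy/DNS log lines in the key=value style many SIEMs parse.
LOG_LINES = [
    "2023-04-24T10:01:02Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example.org action=allow",
    "2023-04-24T10:01:09Z dns client=10.0.0.9 query=bad-example.test rcode=NOERROR",
    "2023-04-24T10:02:15Z proxy src=10.0.0.7 dst=192.0.2.44 host=intranet.example.org action=allow",
]

def load_feeds(csv_text, json_text):
    """Normalise both feed formats into one dict: indicator -> list of source records."""
    indicators = {}
    rows = list(csv.DictReader(io.StringIO(csv_text))) + json.loads(json_text)
    for row in rows:
        rec = {"type": row["type"], "source": row["source"], "confidence": int(row["confidence"])}
        # Lower-casing and stripping keeps "Bad-Example.test " and "bad-example.test" together.
        indicators.setdefault(row["indicator"].strip().lower(), []).append(rec)
    return indicators

# Fields in the sample logs that can carry an IP address or hostname.
TOKEN_RE = re.compile(r"(?:dst|query|host|src|client)=([^\s]+)")

def match_logs(log_lines, indicators):
    """Return one alert per log line that contains a known indicator, with feed context."""
    alerts = []
    for line in log_lines:
        for value in TOKEN_RE.findall(line):
            recs = indicators.get(value.lower())
            if recs:
                alerts.append({
                    "line": line,
                    "indicator": value.lower(),
                    "sources": sorted(r["source"] for r in recs),   # corroborating feeds
                    "max_confidence": max(r["confidence"] for r in recs),
                })
                break  # one alert per line is enough for the analyst queue
    return alerts

if __name__ == "__main__":
    for alert in match_logs(LOG_LINES, load_feeds(CSV_FEED, JSON_FEED)):
        print(alert["indicator"], alert["sources"], alert["max_confidence"])
```

An indicator seen in more than one feed (here the domain) surfaces with both sources and the highest confidence, which is the context an analyst uses to decide whether to escalate.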

Best Practices for the SOC

Not all SOCs operate in the same ways. Processes, job descriptions, and tools can differ greatly. However, several characteristics and features are common among many of the top-performing SOCs.

Reliance on data

The more threat intelligence and log data the teams can incorporate into their various SOC tools, the better visibility they will have into benign traffic and malicious activity. Having greater insight into these events helps analysts to make better decisions when it comes to potential threats.

Documented escalation processes

Junior-level SOC analysts generally escalate potential incidents to more senior SOC analysts. Having solid documentation of these escalation processes is an essential best practice for effectively managing potential threats. Of course, it is also important to make sure that all analysts are familiar with this documentation.

Continual training

The threat landscape is always evolving, so a SOC analyst needs to keep their knowledge up to date and their skills sharp. In fact, it’s a must if they want to be able to effectively recognize attacks and IOCs. That means implementing ongoing training for SOC staff. Part of this training should be hands-on simulations that test skills in real-world situations.

Automation of the basics

Bringing more data and intelligence into a SOC means there will be more alerts and events that analysts will need to address. Integrating solutions, such as a SOAR, for example, will automate the initial analysis, thereby freeing up the SOC team to focus on more strategic security tasks.

Security Does Not Stop at the SOC

The SOC is the epicenter of an organization’s information security efforts and responsibilities. That said, there are several other teams that SOC analysts need to work with to ensure that the organization is safe, the business can function, and people can do their jobs.

It is common for SOC teams to work with other technical groups within their organization, such as IT, network operations, and DevOps. In addition to these technical teams, SOC analysts need to work with the different business teams across the organization. Not only do they provide additional data about suspicious behavior, but the actions the SOC takes to shut down potential attacks may temporarily hinder their ability to do their jobs. The ability to communicate the ramifications of the SOC team’s actions across the organization is extremely important. Also, knowing how to correctly weigh the risk versus the impact of potential SOC actions is a crucial decision-making skill for SOC team members to possess.
