What Is a Security Operations Center?

Simply put, a security operations center (SOC – pronounced “sock”) is a team of experts that proactively monitor an organization’s ability to operate securely. Traditionally, a SOC has often been defined as a room where SOC analysts work together. While this is still the case in many organizations, the advent of COVID-19 and other factors has led the SOC team to be more remotely distributed. Increasingly, today’s SOC is less a single room full of people, and more of an essential security function in an organization.

A SOC team member can often function just as well working out of their home office as they can in a physical security operations center.

What Does a SOC Team Member Do?

Members of a SOC team are responsible for a variety of activities, including proactive monitoring, incident response and recovery, remediation activities, compliance, and coordination and context.

Let’s take a deeper dive into each of these tasks.

• Proactive Monitoring: This includes log file analysis. Logs can come from end points (e.g., a notebook computer, a mobile phone or an IoT device) or from network resources, such as routers, firewalls, intrusion detection system (IDS) applications and email appliances. Another term for proactive monitoring is threat monitoring. SOC team members work with various resources, which can include other IT workers (e.g., help desk technicians), as well as artificial intelligence (AI) tools and log files.
• Incident Response and Recovery: A SOC coordinates an organization’s ability to take the necessary steps to mitigate damage and communicate properly to keep the organization running after an incident. It’s not enough to just view logs and issue alerts. A major part of incident response is helping organizations recover from incidents. For example, that recovery can include activities such as handling acute malware or ransomware incidents.
• Remediation Activities: SOC team members provide data-driven analysis that helps an organization address vulnerabilities and adjust security monitoring and alerting tools. For example, using information obtained from log files and other sources, a SOC member can recommend a better network segmentation strategy or a better system patching regimen. Improving existing cybersecurity is a major responsibility of a SOC.
• Compliance: Organizations secure themselves through conformity to a security policy, as well as external security standards, such as ISO 27001x, the NIST Cybersecurity Framework (CSF) and the General Data Protection Regulation (GDPR). Organizations need a SOC to help ensure that they are compliant with important security standards and best practices.
• Coordination and Context: Above all, a SOC team member helps an organization coordinate disparate elements and services and provide visualized, useful information. Part of this coordination is the ability to provide a helpful, useful set of narratives for activities on the network. These narratives help shape a company’s cybersecurity policy and posture for the future.

A SOC team member helps an organization identify the primary causes of cyberattacks. When a SOC analyst does this, they are said to engage in root-cause analysis. In short, a SOC analyst works to figure out exactly when, how and even why an attack was successful.

To this end, a SOC analyst reviews evidence of attacks. Such evidence is called an indicator of attack. If an attack is successful, a SOC analyst will then study indicators of compromise to help the organization respond appropriately, as well as make changes so that similar attacks don’t happen in the future.

Continue Reading Below You may also be interested in...

What Is Cybersecurity?

Learn what cybersecurity is and understand the definitions of different types of threats.

What is IoT Cybersecurity?

Learn why securing IoT objects and devices is increasingly important as our daily network connectivity changes.

Why is Cybersecurity Imporant?

Learn why cybersecurity is increasingly important around the globe for countries, companies and individuals.

Security Operations Center Job Roles

Of course, there are several specific positions that round out the SOC. Although specific job roles and titles will change from one organization to another, here are a few of the job titles typically found in a SOC:

• Junior security analyst: This person is responsible for regularly monitoring the security tools and applications that have been put in place and then providing useful interpretations and context based on those reports. These applications can include intrusion detection system (IDS) applications, security information and event monitoring (SIEM) applications and cybersecurity threat feed applications. Sometimes, this particular job role is called an operator or SOC operator.
• Senior security analyst: This person has many of the same responsibilities as a junior-level analyst but works on more challenging and acute issues. Many times, a senior security analyst will be responsible for leading incident response activities. In fact, sometimes a senior security analyst is referred to as an incident response manager.
• Threat hunter: This person has a unique combination of security analytics and penetration testing skills. A threat hunter also has the ability to work with technical and non-technical people alike to help an organization anticipate attacks.
• Cyber Threat Intelligence (CTI) manager: Many for-profit and non-profit organizations create useful threat intelligence feeds. A CTI manager may be asked to specialize in obtaining, sifting through and interpreting these feeds for the organization.
• Manager: This person is responsible for managing each of the team members, as well as the technology that each team member uses.

What Happens in a Security Operations Center?

First of all, a SOC team gathers information from various resources, including CTI threat feeds to log files from systems all around the enterprise. A SOC team carefully monitors a company’s assets, from on-premise servers in data centers to cloud resources. Accurate monitoring is critical. Therefore, SOC team members will monitor servers, end points and perimeter devices like firewalls and switches.

The figure below provides an abstract view of what happens in a SOC.

Abstract diagram of a Security Operations Center (SOC)

SOC team members then work to interpret this data carefully so that they have actionable information. Part of this interpretation involves eliminating duplicate data and identifying the root causes of issues. This activity is often called data normalization.

It is not enough to simply view the log files of a SIEM tool. The worker needs to have enough experience and wisdom to interpret data accurately. In many ways, the ideal SOC team member acts as a key interpreter of information.

But the SOC responsibilities don’t end there. The SOC isn’t only charged with looking for the bad guys. SOC team members spend quite a bit of time identifying conditions that create ideal feeding grounds for hackers.

This can include looking for the following:

• Unpatched servers and end points: While updating a system may seem a trivial step, it really isn’t. A SOC team member can help flag unpatched systems, or identify alternative courses of action. For example, if a system can’t be easily patched for some reason, it may be necessary to monitor un-patched systems until there is time to properly patch it.
• Vulnerable end points: This may include those that have poorly updated virus definitions or even no good working antivirus.
• Perimeter and edge devices that demonstrate characteristics of neglect: These may include routers, switches and other network devices that are on your network or just beyond your network that are not properly updated and secured.
• Reports concerning end-user activity: Social engineering is the primary way that hackers gain improper access to company information and resources. SOC members, therefore, do their best to protect people from being manipulated by hackers.

It is very possible that as a SOC team member you would work closely with managers and end users simply because individuals are the primary target of hackers.

What Skills Do You Need to Work in a Security Operations Center?

Not everyone in a SOC team has decades of security experience. In fact, some SOC team members have just a few years of experience in IT. Still, others have more.

The primary characteristic of a SOC team member is simply considerable depth and breadth of knowledge in all areas of IT, as summarized in the table below. The skills needed to work in a SOC are covered by CompTIA certifications, as noted below. Having a CompTIA certification proves to employers you have the skills they need in their security operations center.

It’s important to note that entry-level SOC analysts may not require advanced certifications like CompTIA Cybersecurity Analyst (CySA+), CompTIA PenTest+ or CompTIA Advanced Security Practitioner (CASP+). But the table above should give you an idea of the types of skills SOC analysts, or those who liaise with SOC analysts have.

Learn More About the CompTIA Cybersecurity Career Pathway

If you want a place in the SOC, the best advice is to focus on the essentials. Become an expert on how end points, servers and perimeter devices operate. It’s also vital to understand the cloud and how data flows from one resource to another. Keep studying, and one day we hope to congratulate you as a member of the SOC.

Read more about Cybersecurity.