Infosecurity Europe
2-4 June 2026
ExCeL London

Cybersecurity Structures 101: What is a SOC

Security operations centres (SOCs), sometimes called information security operations centres (ISOCs), are teams responsible for improving an organisation’s cybersecurity posture by preventing, detecting and responding to cyber threats.

Whether in-house or outsourced to a managed security service provider (MSSP), a SOC generally operates 24/7.

A SOC should monitor every part of an organisation's information systems and assets: websites, applications, software and databases; servers, desktops and other endpoints; data centre infrastructure; and network appliances.

Brief History of SOCs

In the 1980s and 1990s, some military and government agencies, such as the US National Security Agency (NSA) and Department of Defense (DoD), had early computer emergency response teams (CERTs), but the centralised SOC model did not yet exist.

In the 1990s, large enterprises, especially in finance and defence, began setting up dedicated security monitoring teams built around log collection and correlation tools, the precursors of SIEM, using off-the-shelf products from vendors such as NetIQ. Dedicated SIEM platforms such as ArcSight and QRadar (later acquired by HP and IBM respectively) only appeared in the early 2000s.

In the early 2000s, after high-profile worms such as Code Red and Nimda (2001) and SQL Slammer (2003), companies such as IBM, Symantec and Cisco began offering managed security services with SOC-like functions, and the term SOC came into wider use.

By the mid-2000s, SOCs were standard in large enterprises, banks and critical infrastructure operators. Cloud-delivered SOC services (SOC-as-a-Service), in which the monitoring platform and often the analysts themselves are hosted by the provider, emerged in the 2010s from companies such as Secureworks, CrowdStrike and Palo Alto Networks.

Security Solutions and Teams Involved in a SOC

SOC teams manage and triage security alerts through a security information and event management (SIEM) platform, which centralises log collection from across the estate, applies correlation rules to the resulting events and raises the alerts that analysts work from.

They also work with a range of other security tools, including endpoint detection and response (EDR) solutions, intrusion detection and prevention systems (IDS/IPS), log management systems, network behaviour analysis tools, firewalls and more.

Modern SOCs also integrate more advanced solutions such as user and entity behaviour analytics (UEBA), security orchestration, automation and response (SOAR) platforms, which automate alert enrichment and routine response actions, and extended detection and response (XDR) platforms.

The SOC typically operates as a distinct function within an organisation, separate from other cybersecurity teams. While SOC analysts focus on monitoring, detecting and responding to security incidents in real time, other teams handle different aspects of the organisation's security strategy.

For example, the Chief Information Security Officer (CISO) oversees the overall cybersecurity posture, vulnerability and patch management teams address system weaknesses, offensive security teams (such as penetration testers and red teams) proactively test defences, cyber threat intelligence teams analyse emerging threats, and governance, risk and compliance (GRC) teams ensure regulatory and policy adherence.

The SOC is also often separate from a dedicated incident response team (or CSIRT), which takes over containment, eradication and recovery once the SOC has confirmed an incident; in smaller organisations the SOC's own senior analysts perform this role themselves.

The Different Types of SOC Models 

Today, ‘the SOC’ is used as a general term referring to very different structures depending on an organisation’s resources and needs.

Here are some of the main types of SOC operating model:

  • Internal (or in-house) physical SOC: The SOC operates from a dedicated facility within the business, and some or all of its members are employees of the organisation
  • Internal virtual SOC (vSOC): The internal SOC team has no dedicated facility and operates virtually, with analysts working remotely or across sites
  • Outsourced physical SOC: The business has no SOC or SOC staff of its own. Instead, an independent third-party vendor (MSSP) provides the same service as an internal physical SOC from the vendor's facility
  • Outsourced vSOC: An independent third-party vendor provides the same service as an internal virtual SOC
  • Co-managed (or hybrid) SOC: The internal SOC team works together with an outsourced vendor, typically splitting coverage by time of day, tooling or severity
  • Command SOC and tiered SOCs: A central command SOC coordinates and oversees several smaller regional or business-unit SOCs

SOCs can also be set up to manage a specific aspect of an organisation’s attack surface, such as a CloudSOC, which monitors cloud service use within an enterprise.



Key Roles Within a SOC

Every SOC is overseen by a SOC manager, who is responsible for the operational oversight of teams, tools, workflows and daily activities, and who usually works in cooperation with the organisation's CISO.

The core SOC team is made up of SOC analysts, usually organised in three tiers:

  • Tier 1 analysts. The first line of defence: they collect and triage raw alert data, review alarms and alerts, and confirm or adjust each alert's criticality by cross-checking it against related data such as asset value and threat intelligence. When an alert is confirmed as a genuine security event, it is escalated to a tier 2 analyst
  • Tier 2 analysts. The incident responders: they investigate escalated alerts, perform deep-dive analysis of the affected systems and lead the response to confirmed threats. When an attack is particularly sophisticated, it is escalated to tier 3
  • Tier 3 analysts. The threat hunters: these senior experts proactively hunt for sophisticated threats that evaded existing alerts, perform deep forensic analysis, reverse engineer malware, design advanced detection rules and handle the most critical incidents and attacks
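The following is an added example, not code from the article or from any of the vendor products named above. It shows in miniature the flow those two sections describe: the SIEM's job of normalising logs and applying a correlation rule, then the tier 1 job of enriching the resulting alert, adjusting its criticality and escalating it. The log lines, host names, IP addresses (documentation ranges), asset criticality table, threat-intelligence list, thresholds and escalation policy are all constructed for illustration and are assumptions, not anything the article states.

```python
"""Mini SOC alert pipeline: parse constructed SSH auth logs, apply a SIEM-style
correlation rule, enrich the resulting alerts and route each one to a tier.

Added example for illustration only; hosts, users, IPs, thresholds and the
escalation policy are hypothetical and not from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hosts, users and documentation-range IPs are invented).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z web01 sshd[1201]: Failed password for admin from 203.0.113.45 port 50122 ssh2
2024-05-01T09:00:03Z web01 sshd[1201]: Failed password for admin from 203.0.113.45 port 50123 ssh2
2024-05-01T09:00:05Z web01 sshd[1201]: Failed password for admin from 203.0.113.45 port 50124 ssh2
2024-05-01T09:00:07Z web01 sshd[1201]: Failed password for admin from 203.0.113.45 port 50125 ssh2
2024-05-01T09:00:09Z web01 sshd[1201]: Failed password for admin from 203.0.113.45 port 50126 ssh2
2024-05-01T09:00:12Z web01 sshd[1201]: Accepted password for admin from 203.0.113.45 port 50127 ssh2
2024-05-01T09:10:00Z dev03 sshd[2210]: Failed password for alice from 198.51.100.7 port 41000 ssh2
2024-05-01T09:10:30Z dev03 sshd[2210]: Accepted password for alice from 198.51.100.7 port 41001 ssh2
2024-05-01T11:00:00Z db01 sshd[3300]: Failed password for root from 192.0.2.9 port 60000 ssh2
2024-05-01T11:00:01Z db01 sshd[3300]: Failed password for root from 192.0.2.9 port 60001 ssh2
2024-05-01T11:00:02Z db01 sshd[3300]: Failed password for root from 192.0.2.9 port 60002 ssh2
2024-05-01T11:00:03Z db01 sshd[3300]: Failed password for root from 192.0.2.9 port 60003 ssh2
2024-05-01T11:00:04Z db01 sshd[3300]: Failed password for root from 192.0.2.9 port 60004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Enrichment context that a SIEM or SOAR playbook would pull from a CMDB and a
# threat-intelligence feed (both constructed for this example).
ASSET_CRITICALITY = {"web01": "medium", "db01": "high", "dev03": "low"}
KNOWN_BAD_IPS = {"203.0.113.45"}

SEVERITY = ["low", "medium", "high", "critical"]
BASE_SEVERITY = {"ssh_brute_force": "medium", "ssh_brute_force_success": "high"}
# Hypothetical escalation policy: who picks up an alert of a given severity.
ESCALATION = {"low": "tier1_close", "medium": "tier1_review", "high": "tier2", "critical": "tier3"}


def parse_logs(text):
    """Normalise raw lines into event dicts; lines the regex cannot parse are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _alert(rule, ev):
    return {"rule": rule, "ip": ev["ip"], "user": ev["user"], "host": ev["host"], "ts": ev["ts"]}


def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: `threshold` failed logins for one (ip, user, host) inside
    `window` raises ssh_brute_force; a success while those failures are still in
    the window raises ssh_brute_force_success (possible account compromise)."""
    alerts = []
    failures = defaultdict(list)  # (ip, user, host) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["ip"], ev["user"], ev["host"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(_alert("ssh_brute_force", ev))
            failures[key] = recent
        else:
            if len(recent) >= threshold:
                alerts.append(_alert("ssh_brute_force_success", ev))
            failures[key] = []  # a successful login ends the sequence either way
    return alerts


def triage(alert):
    """Tier 1 style triage: start from the rule's base severity, raise it for
    context (asset value, threat intel) and pick the escalation target."""
    level = SEVERITY.index(BASE_SEVERITY[alert["rule"]])
    reasons = []
    if ASSET_CRITICALITY.get(alert["host"]) == "high":
        level += 1
        reasons.append("target is a high-value asset")
    if alert["ip"] in KNOWN_BAD_IPS:
        level += 1
        reasons.append("source IP on threat-intel blocklist")
    severity = SEVERITY[min(level, len(SEVERITY) - 1)]
    return {**alert, "severity": severity, "escalate_to": ESCALATION[severity], "reasons": reasons}


def run_pipeline(text=SAMPLE_LOGS):
    """Whole flow: raw logs -> events -> correlated alerts -> triaged, routed alerts."""
    return [triage(a) for a in correlate(parse_logs(text))]


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"{a['ts']:%H:%M:%S} {a['rule']:<25} {a['host']:<6} {a['user']:<6} "
              f"{a['ip']:<14} {a['severity']:<8} -> {a['escalate_to']}  {'; '.join(a['reasons'])}")
```

On the constructed input the pipeline raises three alerts: the brute force against web01 goes to tier 2 because the source IP is on the threat-intel list, the subsequent successful login from that IP is rated critical and routed to tier 3, and the five failures against db01 go to tier 2 on the strength of the asset's criticality alone. The single failure on dev03 followed by a success never reaches the threshold and raises nothing, which is the kind of noise a correlation rule exists to suppress. A real SIEM expresses the rule in its own query language and SOAR performs the enrichment, but the decisions are the same ones shown here.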

Other key SOC staff include security engineers and architects, who help design and maintain an organisation’s cybersecurity architecture and infrastructure.

Conclusion

The SOC is the heartbeat of an organisation’s cybersecurity, constantly watching, analysing and responding to threats in real time.

Unlike other security teams that focus on prevention, testing or compliance, the SOC's mission is always-on defence, blending technology, skilled analysts and structured workflows to detect and contain attacks before they cause serious harm.

Whether in-house, outsourced or hybrid, a SOC’s strength lies in its ability to adapt, leveraging automation, threat intelligence and expert analysis to stay ahead of cyber risks. 

