Simply put, a security operations center (SOC – pronounced “sock”) is a team of experts that proactively monitors an organization’s ability to operate securely. Traditionally, a SOC has often been defined as a room where SOC analysts work together. While this is still the case in many organizations, the advent of COVID-19 and other factors have led SOC teams to become more remotely distributed. Increasingly, today’s SOC is less a single room full of people and more an essential security function within an organization.
A SOC team member can often function just as well working out of their home office as they can in a physical security operations center.
What Does a SOC Team Member Do?
Members of a SOC team are responsible for a variety of activities, including proactive monitoring, incident response and recovery, remediation activities, compliance, and coordination and context.
Let’s take a deeper dive into each of these tasks.
- Proactive Monitoring: This includes log file analysis. Logs can come from endpoints (e.g., a notebook computer, a mobile phone or an IoT device) or from network resources, such as routers, firewalls, intrusion detection system (IDS) applications and email appliances. Another term for proactive monitoring is threat monitoring. SOC team members work with various resources, which can include other IT workers (e.g., help desk technicians), as well as artificial intelligence (AI) tools and log files.
- Incident Response and Recovery: A SOC coordinates an organization’s ability to take the necessary steps to mitigate damage and communicate properly to keep the organization running after an incident. It’s not enough to just view logs and issue alerts. A major part of incident response is helping organizations recover from incidents. For example, that recovery can include activities such as handling acute malware or ransomware incidents.
- Remediation Activities: SOC team members provide data-driven analysis that helps an organization address vulnerabilities and adjust security monitoring and alerting tools. For example, using information obtained from log files and other sources, a SOC member can recommend a better network segmentation strategy or a better system patching regimen. Improving existing cybersecurity is a major responsibility of a SOC.
- Compliance: Organizations secure themselves through conformity to a security policy, as well as external security standards, such as ISO 27001x, the NIST Cybersecurity Framework (CSF) and the General Data Protection Regulation (GDPR). Organizations need a SOC to help ensure that they are compliant with important security standards and best practices.
- Coordination and Context: Above all, a SOC team member helps an organization coordinate disparate elements and services and provides visualized, useful information. Part of this coordination is the ability to provide a helpful, useful set of narratives for activities on the network. These narratives help shape a company’s cybersecurity policy and posture for the future.
A SOC team member helps an organization identify the primary causes of cyberattacks. When a SOC analyst does this, they are said to engage in root-cause analysis. In short, a SOC analyst works to figure out exactly when, how and even why an attack was successful.
To this end, a SOC analyst reviews evidence of attacks. Such evidence is called an indicator of attack. If an attack is successful, a SOC analyst will then study indicators of compromise to help the organization respond appropriately, as well as make changes so that similar attacks don’t happen in the future.
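As an added example (not part of the original article), the following Python sketch shows what the log file analysis described under Proactive Monitoring, and the distinction between an indicator of attack and an indicator of compromise, look like as a simple detection rule. It runs over constructed sshd and firewall log lines (hypothetical hosts and addresses), raises an alert when one source accumulates repeated login failures, and escalates that alert when a later login from the same source succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system): an endpoint's sshd
# auth events plus one firewall line, in a simple "timestamp host message" form.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:03 web01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:05 web01 sshd: Failed password for root from 203.0.113.7
2024-05-01T10:00:06 fw01 firewall: ACCEPT 203.0.113.7 -> 10.0.0.5:22
2024-05-01T10:00:08 web01 sshd: Failed password for admin from 203.0.113.7
2024-05-01T10:00:40 web01 sshd: Accepted password for admin from 203.0.113.7
2024-05-01T10:05:00 web01 sshd: Failed password for bob from 198.51.100.2
"""
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse_auth_events(log_text):
    """Extract (timestamp, host, outcome, user, source_ip) from sshd lines.
    Lines from other sources (the firewall line here) are skipped by this rule."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, outcome, user, src))
    return events

def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """One alert per source IP that reaches `threshold` failures within `window`
    (an indicator of attack). A later successful login from the same IP
    escalates it to a possible compromise, which is the analyst's cue to
    begin root-cause analysis rather than simply close the alert."""
    recent = defaultdict(list)   # source_ip -> timestamps of recent failures
    alerts = {}                  # source_ip -> alert record
    for ts, host, outcome, user, src in sorted(events):
        if outcome == "Failed":
            recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
            if len(recent[src]) >= threshold and src not in alerts:
                alerts[src] = {"host": host, "first_seen": recent[src][0],
                               "status": "indicator_of_attack", "users": set()}
        elif src in alerts:      # success after the failure burst: escalate
            alerts[src]["status"] = "possible_compromise"
            alerts[src]["users"].add(user)
    return alerts

if __name__ == "__main__":
    for src, alert in detect_bruteforce(parse_auth_events(SAMPLE_LOGS)).items():
        print(src, alert["status"], alert["host"], sorted(alert["users"]))
```

The single remaining failure from the second address never reaches the threshold, so it produces no alert; in practice the threshold and window are tuned per environment to balance noise against missed activity.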