A security operations center (SOC), also called an information security operations center (ISOC), is a centralized location where an information security team monitors, detects, analyzes and responds to cybersecurity incidents, typically on a 24/7/365 basis.
The security team, which consists of both security analysts and engineers, oversees all activity on servers, databases, networks, applications, endpoint devices, websites and other systems for the sole purpose of pinpointing potential security threats and thwarting them as quickly as possible. They also monitor relevant external sources (such as threat lists) that may affect the organization’s security posture.
A SOC must not only identify threats, but analyze them, investigate the source, report on any vulnerabilities discovered and plan how to prevent similar occurrences in the future. In other words, they’re dealing with security problems in real time, while continually seeking ways to improve the organization’s security posture.
On a larger scale, there are also Global Security Operations Centers (GSOC), coordinating security offices that literally span the globe. If you have offices around the world, a GSOC (rather than establishing a SOC for each international location) can prevent each location from repeating tasks and functions, reduce overhead and ensure that the security team has a big-picture view of what’s happening across the entire organization.
Below, we’ll cover the basic functions of a SOC or GSOC, in addition to key aspects of establishing a SOC.