Our global survey finds that security organizations face more — and more serious — challenges than ever. But they’re evolving their strategies to stay ahead of threats.
Published Date: August 12, 2022
A security operations center (SOC) acts as the hub for an organization’s security operations. Also called an information security operations center (ISOC), a SOC is a centralized location where information security professionals use technologies to build and maintain the security architecture that monitors, detects, analyzes and responds to cybersecurity incidents, typically around the clock.
The security team, which consists of both security analysts and engineers, oversees all activity on servers, databases, networks, applications, endpoint devices, websites and other systems in order to pinpoint potential security threats and thwart them as quickly as possible. They also monitor relevant external sources (such as threat lists) that may affect the organization’s security posture.
A SOC must not only identify threats, but analyze them, investigate the source, report on any vulnerabilities discovered and plan how to prevent similar occurrences in the future. In other words, they’re dealing with security problems in real time, while continually seeking ways to improve the organization’s security posture.
On a larger scale, there are also Global Security Operations Centers (GSOC), coordinating security offices that literally span the globe. If you have offices around the world, a GSOC (rather than establishing a SOC for each international location) can:
- Prevent each location from repeating tasks and functions
- Reduce overhead
- Ensure that the security team has a big-picture view of what’s happening across the entire organization
Below, we’ll cover the basic functions of a SOC or GSOC in addition to key aspects of establishing a SOC.
What are the benefits of a SOC?
By relying on threat intelligence, SOCs offer assurance that threats will be detected and prevented in real time. Looking at a big-picture perspective, SOCs can:
- Respond faster: The SOC provides a centralized, complete, real-time view of how the entire infrastructure is performing from a security standpoint, even if you have several locations and thousands of endpoints. You can detect, identify, prevent and resolve issues before they cause too much trouble for the business.
- Protect consumer and customer trust: Consumers, already skeptical of most companies, are worried about their privacy. Creating a SOC to protect consumer and customer data, including by preventing breaches, can help build trust in your organization.
- Minimize costs: While many organizations think establishing a SOC is cost prohibitive, the costs associated with a breach — including the loss and corruption of data or customer defection — are much higher. Additionally, SOC personnel will ensure that you’re using the right tools for your business to their full potential, so you won’t waste money on ineffective tools.
These benefits are hard to put a price on because they quite literally keep your business running. But do you absolutely need a SOC? If you’re subject to government or industry regulations, have suffered a security breach or are in the business of storing sensitive data — like customer information — the answer is yes.
What does a SOC do?
The SOC leads real-time incident response and drives ongoing security improvements to protect the organization from cyber threats. By using a complex combination of the right tools and the right people to monitor and manage the entire network, a high-functioning SOC will:
- Provide proactive, around-the-clock surveillance of networks, hardware and software for threat and breach detection, and incident response.
- Offer expertise on all the tools your organization uses, including third-party vendors, to ensure they can easily resolve security issues.
- Install, update and troubleshoot application software.
- Monitor and manage firewall and intrusion prevention systems.
- Run antivirus, anti-malware and anti-ransomware scans and remediate what they find.
- Manage email, voice and video traffic.
- Help with patch management and whitelisting.
- Provide deep analysis of security log data from various sources.
- Analyze, investigate and document security trends.
- Investigate security breaches to understand the root cause of attacks and prevent future breaches.
- Enforce security policies and procedures.
- Supply backup, storage and recovery.
However, the SOC does more than just handle problems as they arise. What does a SOC do when it’s not detecting threats?
The SOC is tasked with finding weaknesses — both outside and within the organization — through ongoing software and hardware vulnerability analysis, as well as actively gathering threat intelligence on known risks. So even when there are seemingly no active threats, SOC staff are proactively looking at ways to improve security. Vulnerability assessment includes actively trying to hack their own system to find weaknesses, known as penetration testing. Additionally, a core role of SOC personnel is security analysis: ensuring that the organization is using the correct security tools optimally and assessing what is and isn’t working.
With a complex combination of the right tools and the right people to monitor and manage the entire network, a high-functioning SOC will detect and thwart threats and proactively improve security.
What are the three most common SOC types?
The three most common types of SOC are internal, virtual and outsourced. Here is how each functions within the organization as a whole:
- Internal SOCs: The internal SOC comprises a physical room where all the action takes place, usually with a full-time staff based on-premises.
- Virtual SOCs: Virtual SOCs are not on-premises and are made up of part-time or contracted workers who work together in a coordinated manner to resolve issues as needed. The SOC and the organization set parameters and guidelines for how the relationship will work, and how much support the SOC offers can vary depending on the needs of the organization.
- Outsourced SOCs: In an outsourced SOC, some or all functions are managed by an external managed security service provider (MSSP) that specializes in security analysis and response. Sometimes these companies provide specific services to support an internal SOC, and sometimes they handle everything.
Who works in a SOC?
The SOC is made up of highly skilled security analysts and engineers, along with supervisors who ensure everything is running smoothly. These are professionals trained specifically to monitor and manage security threats, and help create and maintain a secure architecture for their organization. Not only are they skilled in using a variety of security tools, they know specific processes to follow in the event that the infrastructure is breached. SOC professionals use a range of tools that collect data from across the network and various devices, monitor for anomalies and alert staff of potential threats.
While there is overlap between the two professions (security analyst and security engineer), there are some differences in terms of the skills and role each brings to the SOC. In general, a security engineer is responsible for designing and implementing an enterprise’s security architecture, comprising (but not limited to) telecommunication networks, security infrastructure, cloud services, disaster recovery and virtual infrastructure.
A security analyst then supports the maintenance of this architecture by monitoring the network to detect, mitigate and contain threats and breaches. Both types of SOC professionals — alongside their supervisors — work to keep their organization safe from potentially harmful cyber threats that can impact business operations.
How does a SOC work?
Most SOCs adopt a hierarchical approach to manage security issues, where analysts and engineers are categorized based on their skill set and experience. A typical team might be structured something like this:
- Level 1: The first line of incident responders. These security professionals watch for alerts and determine each alert’s urgency as well as when to move it up to Level 2. Level 1 personnel may also manage security tools and run regular reports.
- Level 2: These personnel usually have more expertise, so they can quickly get to the root of the problem and assess which part of the infrastructure is under attack. They will follow procedures to remediate the problem and repair any fallout, as well as flag issues for additional investigation.
- Level 3: At this level, personnel consist of high-level expert security analysts who are actively searching for vulnerabilities within the network. They will use advanced threat detection tools to diagnose weaknesses and make recommendations for improving the organization’s overall security. Within this group, you might also find specialists, such as forensic investigators, compliance auditors or cybersecurity analysts.
- Level 4: This level consists of high-level managers and chief officers with the most years of experience. This group oversees all SOC team activities and is responsible for hiring and training, plus evaluating individual and overall performance. Level 4 personnel step in during crises and serve as the liaison between the SOC team and the rest of the organization. They are also responsible for ensuring compliance with organization, industry and government regulations.
What is the difference between a SOC and a NOC?
While the SOC is focused on monitoring, detecting and analyzing an organization’s security health 24/7/365, the main objective of the NOC, or network operations center, is to ensure that the network performance and speed are up to par and that downtime is limited.
SOC engineers and analysts search for cyberthreats and attempted attacks, and respond before an organization’s data or systems are compromised. NOC personnel search for any issues that could slow network speed or cause downtime. Both proactively monitor in real time, with the goal of preventing problems before customers or employees are affected, and search for ways to make continual improvements so that similar issues don’t crop up again.
SOCs and NOCs should collaborate to work through major incidents and resolve crisis situations, and in some cases the SOC functions will be housed within the NOC. NOCs can detect and respond to some security threats, specifically as they pertain to network performance, if the team is properly trained and looking for those threats. A typical SOC wouldn’t have the capability to detect and respond to network performance issues without investing in different tools and skill sets.
What are best practices for building a SOC?
Best practices for running a SOC include: developing a strategy, getting organization-wide visibility, investing in the right tools, hiring and training the right staff, maximizing efficiency and designing your SOC according to your specific needs and risks.
Develop a strategy: A SOC is an important investment; there’s a lot riding on your security planning. To create a strategy that covers your security needs, consider the following:
- What do you need to secure? A single on-premises network, or global? Cloud or hybrid? How many endpoints? Are you protecting highly confidential data or consumer information? What data is most valuable, and most likely to be targeted?
- Will you merge your SOC with your NOC or create two separate departments? Again, the capabilities are very different, and merging them requires different tools and personnel skills.
- Do you need 24/7/365 availability from your SOC staff? This affects staffing, cost and logistics.
- Will you build the SOC entirely in-house, or outsource some or all functions to a third-party vendor? A careful cost-benefit analysis will help define the trade-offs.
Make sure you have visibility across your entire organization: It’s imperative that your SOC has access to everything, no matter how small or seemingly insignificant, that could impact security. In addition to the larger infrastructure, that includes device endpoints, systems controlled by third parties and encrypted data.
Invest in the right tools and services: As you think about building your SOC, focus first on the tools. The sheer number of security events will be overwhelming without the right automated tools to deal with the “noise” and subsequently elevate significant threats. Specifically, you need to invest in:
- Security information and event management (SIEM): This single security management system offers full visibility into activity within your network, collecting, parsing and categorizing machine data from a wide range of sources on the network and analyzing that data so you can act on it in real time.
- Endpoint protection systems: Every device that connects to your network is vulnerable to attack. An endpoint security tool protects your network when said devices access it.
- Firewall: It will monitor incoming and outgoing network traffic and automatically block traffic based on security rules you establish.
- Automated application security: Automates the testing process across all software and provides the security team with real-time feedback about vulnerabilities.
- Asset discovery system: Tracks the active and inactive tools, devices and software being used on your network so you can evaluate risk and address weaknesses.
- Data monitoring tool: Allows you to track and evaluate data security and integrity.
- Governance, risk and compliance (GRC) system: Helps you to ensure you’re compliant with various rules and regulations where and when you need to be.
- Vulnerability scanners and penetration testing: Lets your security analysts search for vulnerabilities and find undiscovered weaknesses within your network.
- Log management system: Allows you to log all those messages that come from every piece of software, hardware and endpoint device running on your network.
Hire the best and train them well: Hiring talented staff and continually improving their skills is central to success. The market for security talent is competitive. Once you get people hired, continually invest in training to improve their skills; this not only enhances security, it improves engagement and retention. Your team must understand application and network security, firewalls, information assurance, Linux, UNIX, SIEM, and security engineering and architecture. Your highest-level security analysts should possess these skills:
- Ethical hacking: You want one of your people actively trying to hack your system to uncover vulnerabilities within your system.
- Cyber forensics: Analysts must investigate issues and apply analysis techniques to both understand and preserve evidence from the investigations. If a case were to go to court, the security analyst must be able to provide a documented chain of evidence to show what occurred and why.
- Reverse engineering: This is the process of deconstructing software or rebuilding it to understand how it works and, more importantly, where it’s vulnerable to attacks so that the team can take preventive measures.
- Intrusion prevention system expertise: Monitoring network traffic for threats would be impossible without tools. Your SOC staff need to know the ins and outs of how to use them properly.
How can SIEM improve your SOC?
SIEM makes the SOC more effective at securing your organization. Top security analysts — even those with the most advanced setups — can’t review the endless stream of data line by line to discover malicious activities, and that’s where SIEM can be a game changer.
As we’ve mentioned, a SIEM collects and organizes all the data coming from various sources within your network and offers your SOC team insights so that they can quickly:
- Detect and respond to internal and external attacks
- Simplify threat management
- Minimize risk
- Gain organization-wide visibility and security intelligence
SIEM is critical for SOC tasks, such as monitoring, incident response, log management, compliance reporting and policy enforcement. Its log management capabilities alone make it a necessary tool for any SOC. SIEM can parse through huge batches of security data coming from thousands of sources — in mere seconds — to find unusual behavior and malicious activity and stop it automatically. Much of that activity goes undetected without the SIEM.
The SIEM helps the SOC pull the logs together and write rules that enable automation and can drastically reduce false alerts. Security analysts are freed up to focus their attention on the real threats. Additionally, the SIEM can offer robust reporting that helps with both forensic investigations and compliance requirements.
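The SIEM workflow described above (collect log lines from a source, parse them into fields, correlate events into a rule, and suppress known-benign sources so analysts are not flooded with false alerts) is shown here as an added Python example. It is not code from the original article or from Splunk; a real SIEM does this in its own query language and at far greater scale. The SSH log lines, the IP addresses, the "known authorized scanner" allowlist and the thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like sshd format (not real data).
# 203.0.113.5: five rapid failures, then a success  -> should alert
# 192.0.2.9:   same pattern, but it is an allowlisted internal scanner -> suppressed
# 198.51.100.7: one failure and a success 15 minutes later -> normal user, no alert
SAMPLE_LOGS = """\
2022-08-12T09:00:01Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51022
2022-08-12T09:00:03Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51023
2022-08-12T09:00:05Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51024
2022-08-12T09:00:07Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51025
2022-08-12T09:00:09Z sshd[1201]: Failed password for admin from 203.0.113.5 port 51026
2022-08-12T09:00:12Z sshd[1201]: Accepted password for admin from 203.0.113.5 port 51027
2022-08-12T09:01:00Z sshd[1201]: Failed password for deploy from 192.0.2.9 port 40001
2022-08-12T09:01:02Z sshd[1201]: Failed password for deploy from 192.0.2.9 port 40002
2022-08-12T09:01:04Z sshd[1201]: Failed password for deploy from 192.0.2.9 port 40003
2022-08-12T09:01:06Z sshd[1201]: Failed password for deploy from 192.0.2.9 port 40004
2022-08-12T09:01:08Z sshd[1201]: Failed password for deploy from 192.0.2.9 port 40005
2022-08-12T09:01:10Z sshd[1201]: Accepted password for deploy from 192.0.2.9 port 40006
2022-08-12T09:30:00Z sshd[1201]: Failed password for alice from 198.51.100.7 port 33001
2022-08-12T09:45:00Z sshd[1201]: Accepted password for alice from 198.51.100.7 port 33002
"""

# Constructed allowlist: an internal authorized vulnerability scanner whose
# credential checks would otherwise trip the rule on every run.
KNOWN_SCANNERS = frozenset({"192.0.2.9"})

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def parse_line(line):
    """Turn one raw log line into a dict of fields; None if the format is not recognised."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # a real SIEM would route unparsed lines to a separate queue, not drop them
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def parse_logs(text):
    """Parse a block of log text into a list of event dicts, skipping unparseable lines."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in events if e is not None]


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=2),
                             allowlist=frozenset()):
    """Correlation rule: at least `threshold` failed logins for one (source, user) pair
    inside a sliding `window`, followed by a successful login for that pair within
    `window` of the last failure. Returns (alerts, suppressed) so suppressed hits
    remain auditable instead of silently disappearing."""
    alerts, suppressed = [], []
    recent_failures = defaultdict(list)  # (src, user) -> timestamps of failures in window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["user"])
        if e["outcome"] == "Failed":
            kept = [t for t in recent_failures[key] if e["ts"] - t <= window]
            recent_failures[key] = kept + [e["ts"]]
            continue
        fails = recent_failures.pop(key, [])
        if len(fails) >= threshold and e["ts"] - fails[-1] <= window:
            alert = {"src": e["src"], "user": e["user"], "failures": len(fails),
                     "success_at": e["ts"], "severity": "high"}
            (suppressed if e["src"] in allowlist else alerts).append(alert)
    return alerts, suppressed


def run_sample():
    """Run the rule over the constructed logs with the constructed allowlist."""
    return brute_force_then_success(parse_logs(SAMPLE_LOGS), allowlist=KNOWN_SCANNERS)


if __name__ == "__main__":
    alerts, suppressed = run_sample()
    for a in alerts:
        print(f"ALERT  [{a['severity']}] {a['failures']} failures then success: "
              f"user={a['user']} src={a['src']} at {a['success_at']:%H:%M:%S}")
    for s in suppressed:
        print(f"SUPPRESSED (allowlisted source): user={s['user']} src={s['src']}")
```

The rule keys on the (source, user) pair and a time window rather than on raw failure counts, which is what keeps a single mistyped password or a slow, legitimate retry from paging a Level 1 analyst. Suppressed hits are returned rather than discarded so that the allowlist itself can be reviewed during an investigation.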
Every organization needs tight security. Whether you incorporate SIEM and security functionality into your NOC, outsource most or all SOC functionality to third-party service providers or staff up an in-house team, it’s important to address the security questions a SOC is meant to answer.
Start with “What are our security needs?” and progress to “How can we most effectively and efficiently meet them?”