A security operations center, or SOC, is a physical room or area in an organization’s office where cybersecurity analysts work to monitor enterprise systems; defend against security breaches; and identify, investigate and mitigate cybersecurity threats.
SOCs were created to facilitate collaboration among security personnel. They streamline the security incident handling process as well as help analysts triage and resolve security incidents more efficiently and effectively.
What Does a SOC Do?
Security incident handling requires several key functions, which security operations teams commonly deliver using a tiered structure that accounts for the experience levels of their analysts:
Tier 1 – Triage: This is where security analysts typically spend most of their time. Tier 1 analysts are typically the least experienced analysts, and their primary function is to monitor event logs for suspicious activity. When they feel something needs further investigation, they gather as much information as they can and escalate the incident to Tier 2.
Tier 2 – Investigation: Tier 2 analysts dig deeper into suspicious activity to determine the nature of a threat and the extent to which it has penetrated the infrastructure. These analysts then coordinate a response to remediate the issue. This is a higher-impact activity that generally requires more experienced analysts.
Tier 3 – Threat hunting: The most experienced analysts support complex incident response and spend any remaining time looking through forensic and telemetry data for threats that detection software may not have identified as suspicious. The average company spends the least time on threat hunting activities as Tier 1 and Tier 2 consume so many analyst resources.
How Is a SOC Structured?
For most organizations, cybersecurity has evolved into a major priority from its roots as a part-time function of the IT team. Some security operations teams still function as part of IT, whereas others are separated into their own organization. SOCs may operate:
As part of an infrastructure and operations team
As part of the security group
As part of the network operations center, or NOC
Directly under the CIO or CISO
As an outsourced function (wholly or in part)
What tools are used in a SOC?
SOCs use a range of tools for prevention, event logging, automation, detection, investigation, orchestration and response. Many SOC teams have multiple sets of siloed tools for different parts of their infrastructure. Research by analyst firms such as Ovum and ESG have found that the majority of enterprises use more than 25 separate tools in their SOCs.
XDR is a new class of detection and response tool that integrates as well as correlates data from the endpoint, network and cloud. XDR replaces several of the key tools security operations teams rely on and is designed to increase security visibility, efficiency and efficacy. For more on how XDR optimizes security operations, visit paloaltonetworks.com/detection-response/xdr.