What is a security operations center (SOC)?

SOC team members take on the following functions to help prevent, respond, and recover from attacks.

To eliminate blind spots and gaps in coverage, the SOC needs visibility into the assets that it protects and insight into the tools it uses to defend the organization. This means accounting for all the databases, cloud services, identities, applications, and endpoints across on-premises and multiple clouds. The team also keeps track of all the security solutions used in the organization, such as firewalls, anti-malware, anti-ransomware, and monitoring software.

A key responsibility of the SOC is reducing the organization’s attack surface. The SOC does this by maintaining an inventory of all workloads and assets, applying security patches to software and firewalls, identifying misconfigurations, and adding new assets as they come online. Team members are also responsible for researching emerging threats and analyzing exposure, which helps them stay ahead of the latest threats.

Using security analytics solutions like a security information enterprise management (SIEM) solution, a security orchestration, automation, and response (SOAR) solution, or an extended detection and response (XDR) solution, SOC teams monitor the entire environment—on-premises, clouds, applications, networks, and devices—all day, every day, to uncover abnormalities or suspicious behavior. These tools gather telemetry, aggregate the data, and in some cases, automate incident response.

The SOC also uses data analytics, external feeds, and product threat reports to gain insight into attacker behavior, infrastructure, and motives. This intelligence provides a big picture view of what’s happening across the internet and helps teams understand how groups operate. With this information, the SOC can quickly uncover threats and fortify the organization against emerging risks.

SOC teams use the data generated by the SIEM and XDR solutions to identify threats. This starts by filtering out false positives from the real issues. Then they prioritize the threats by severity and potential impact to the business.

The SOC is also responsible for collecting, maintaining, and analyzing the log data produced by every endpoint, operating system, virtual machine, on-premises app, and network event. Analysis helps establish a baseline for normal activity and reveals anomalies that may indicate malware, ransomware, or viruses.

Once a cyberattack has been identified, the SOC quickly takes action to limit the damage to the organization with as little disruption to the business as possible. Steps might include shutting down or isolating affected endpoints and applications, suspending compromised accounts, removing infected files, and running anti-virus and anti-malware software.

In the aftermath of an attack, the SOC is responsible for restoring the company to its original state. The team will wipe and reconnect disks, identities, email, and endpoints, restart applications, cut over to backup systems, and recover data.

To prevent a similar attack from happening again, the SOC does a thorough investigation to identify vulnerabilities, poor security processes, and other learnings that contributed to the incident.

The SOC uses any intelligence gathered during an incident to address vulnerabilities, improve processes and policies, and update the security roadmap.

A critical part of the SOC’s responsibility is ensuring that applications, security tools, and processes comply with privacy regulations, such as the Global Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPPA). Teams regularly audit systems to ensure compliance and make sure that regulators, law enforcement, and customers are notified after a data breach.