Security Operations Center (SOC) Fundamentals
SOC stands for Security Operations Center. A SOC team detects, analyzes and responds to cyber security incidents.
SOC Models
The SOC model an organization adopts depends on its security requirements and budget. There are four common SOC models:
In-house SOC — The enterprise builds and staffs its own cyber security team.
Virtual SOC — Has no dedicated facility; the team usually works remotely.
Co-managed SOC — An internal SOC working together with an external Managed Security Service Provider (MSSP).
Command SOC — A senior group that oversees several smaller SOCs across a large region or organization, for example at telecom providers and defense agencies.
People, Process and Technology (PPT)
The core principle of a SOC is People, Process and Technology (PPT); the three must be coordinated for the SOC to work.
People — Highly trained staff.
Process — Implementation of security standards and frameworks (for example, NIST).
Technology — Current products and tools for testing and monitoring.
SOC Positions
SOC Analyst — Classifies alerts, looks for the root cause and advises on remedial measures.
Incident Responder — Performs the initial assessment of detected security breaches and leads containment and remediation.
Threat Hunter — Proactively searches the environment for attacker activity that existing detections have missed, rather than waiting for alerts.
Security Engineer — Builds and maintains the security infrastructure, such as the SIEM and the other SOC tooling.
SOC Manager — Handles management responsibilities such as budgeting, strategy, personnel and coordination of operations; deals with operational rather than technical matters.
General routine of a SOC Analyst
- Examines alerts on the SIEM.
- Uses EDR, log management, a threat intelligence feed, and SOAR.
A SOC analyst must be skilled in operating systems, networking, and malware analysis.
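The analyst routine above (examine SIEM alerts, enrich them with a threat intelligence feed, classify them and decide what to escalate) as an added Python example; this is not code from the original notes or from any SIEM product. The threat-intel entries, the per-rule severities, the brute-force threshold and the alert lines are all constructed and assumed for illustration.

```python
"""Minimal SIEM alert triage, the core loop of the analyst routine above:
parse alerts, enrich them with a threat-intel feed, score and classify.
Feed, rules and alerts are all constructed for illustration."""
import json
from collections import Counter

# Constructed threat-intel feed. The IP is from an RFC 5737 documentation
# range and the hash is a dummy value; neither is a real indicator.
THREAT_INTEL = {
    "ip": {"198.51.100.23": "known C2 server"},
    "sha256": {"deadbeef" * 8: "commodity stealer"},
}

# Assumed baseline severity (1-4) per detection rule, before enrichment.
BASE_SEVERITY = {"outbound-connection": 2, "new-process": 2, "failed-logon": 1}
BRUTE_FORCE_THRESHOLD = 5  # failed logons from one source against one host

# Constructed SIEM export in JSON-lines form, including one corrupt line.
SIEM_ALERTS = """\
{"id": 1, "rule": "outbound-connection", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.17", "dst_ip": "198.51.100.23"}
{"id": 2, "rule": "outbound-connection", "host": "ws-18", "user": "carol", "src_ip": "10.0.0.18", "dst_ip": "203.0.113.5"}
{"id": 3, "rule": "new-process", "host": "ws-17", "user": "alice", "sha256": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}
this line is not JSON and must be skipped, not crash the pipeline
{"id": 4, "rule": "failed-logon", "host": "dc-01", "user": "bob", "src_ip": "10.0.0.42"}
{"id": 5, "rule": "failed-logon", "host": "dc-01", "user": "bob", "src_ip": "10.0.0.42"}
{"id": 6, "rule": "failed-logon", "host": "dc-01", "user": "bob", "src_ip": "10.0.0.42"}
{"id": 7, "rule": "failed-logon", "host": "dc-01", "user": "bob", "src_ip": "10.0.0.42"}
{"id": 8, "rule": "failed-logon", "host": "dc-01", "user": "bob", "src_ip": "10.0.0.42"}
{"id": 9, "rule": "failed-logon", "host": "dc-01", "user": "dave", "src_ip": "10.0.0.43"}
"""


def parse_alerts(text):
    """Parse a JSON-lines export, skipping blank or malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad line should not stop triage of the rest
    return alerts


def enrich(alert):
    """Attach threat-intel context: which field matched and what the feed says."""
    matches = []
    for field in ("src_ip", "dst_ip"):
        tag = THREAT_INTEL["ip"].get(alert.get(field))
        if tag:
            matches.append((field, tag))
    tag = THREAT_INTEL["sha256"].get(alert.get("sha256"))
    if tag:
        matches.append(("sha256", tag))
    return {**alert, "ti_matches": matches}


def score(alert):
    """Severity 1-4: baseline from the rule, raised to 4 on any TI match."""
    return 4 if alert["ti_matches"] else BASE_SEVERITY.get(alert["rule"], 1)


def triage(text):
    """Return a verdict per alert id and the hosts that need an incident ticket."""
    alerts = [enrich(a) for a in parse_alerts(text)]
    # Single failed logons are noise; many from one source to one host are not.
    logon_failures = Counter(
        (a.get("src_ip"), a.get("host")) for a in alerts if a["rule"] == "failed-logon"
    )
    verdicts, incident_hosts = {}, set()
    for a in alerts:
        brute_force = (
            a["rule"] == "failed-logon"
            and logon_failures[(a.get("src_ip"), a.get("host"))] >= BRUTE_FORCE_THRESHOLD
        )
        if score(a) >= 4 or brute_force:
            verdicts[a["id"]] = "escalate"      # hand to incident response
            incident_hosts.add(a["host"])
        elif score(a) >= 2:
            verdicts[a["id"]] = "investigate"   # analyst digs for the cause
        else:
            verdicts[a["id"]] = "close"         # benign or below threshold
    return {"verdicts": verdicts, "incident_hosts": sorted(incident_hosts)}


if __name__ == "__main__":
    result = triage(SIEM_ALERTS)
    for alert_id, verdict in sorted(result["verdicts"].items()):
        print(f"alert {alert_id}: {verdict}")
    print("open incidents for:", ", ".join(result["incident_hosts"]))
```

Two design points worth noting: enrichment happens before scoring, so a low-severity rule still escalates when an indicator from the feed matches, and repeated low-severity alerts are correlated by (source, host) instead of being judged one at a time, which is how a brute-force attempt becomes visible among otherwise ignorable failed logons.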