Demystifying the SOC, Part 1: Whether You Know It or Not, You Need a SOC

Gorka Sadowski
Dec 28, 2020


This is the first in a series of a dozen or so blog posts entitled “Demystifying the SOC” covering several topics on security operations centers (SOCs). My goal is to help dispel many of the myths and answer many of the questions that I heard over thousands of conversations with clients while I was a technology analyst at Gartner covering SOCs.

When I was at Gartner covering Security Operations Centers (SOCs), I had hundreds of discussions with organizations looking reluctantly to build a SOC after a breach was declared, or to buy a security information and event management (SIEM) solution after failing an audit. “Isn’t it a waste?” they would often ask. “I’m a mid-market company selling widgets. Why would hackers be interested in me?”

As you’ll see, it’s very dangerous to assume you’re not a target. The good news is that you don’t need a Pentagon-style war room filled with scores of full-time screen monitoring security experts to have a SOC.

In fact, as I’ll discuss in Part 3, you likely already have a SOC. Here, I’ll break down the reasons you need a SOC.

You’re a Target

The mission of a Security Operations Center (SOC) is to keep the organization in a known good state, operating securely on a clean infrastructure. If, or rather when, the organization suffers a security incident, such as an insider threat, malware attack or data exfiltration attempt, the SOC is responsible for detecting, investigating and remediating the threat (TDIR) until it returns the infrastructure to that known, good state.

Why does every organization, including yours, need a SOC? First, there’s no such thing as an organization too small to be a target. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 28% of security breaches in 2019 targeted organizations with fewer than 1,000 employees. Further, according to IBM’s 2020 Cost of a Data Breach Report, the average total cost of a data breach was $2.64 million for organizations with fewer than 500 employees.

Perhaps you think that your organization or market category is not one with the type of sensitive data prized by a nation state or criminal hacker. However, this doesn’t mean that you are safe.

You’re Not Safe

Even if your company isn’t directly a target, a hacker might use your company infrastructure to target a much larger organization, whether as part of a botnet launching a distributed denial-of-service attack on another company’s network, or simply as an entryway to a much better protected large enterprise. For example, the infamous Target attack of 2013 began with an email-based malware attack on an HVAC contractor for the nationwide mega-retailer. Hackers were able to penetrate the smaller, less protected HVAC company network and steal credentials that helped them breach Target’s security. The result: the credit card and personal information of more than 110 million consumers was exposed.

Your company may even suffer a cyberattack simply as collateral damage from an attack on a bigger target. The notorious NotPetya attack of 2017 targeted financial institutions in Ukraine but also inflicted collateral damage on numerous other organizations worldwide that used the same infected software update site. The losses were steep even though those companies were not targets, ranging as high as $870 million for pharmaceutical giant Merck, with a lot of smaller companies damaged in its wake.

The more recent SolarWinds attack is another example of organizations being collateral damage in a wide campaign.

Perhaps you think that you have all the required prevention tools, and that such a scenario cannot happen to you? In the next post, we’ll discuss why prevention is not enough. You need threat detection, investigation and response, and you will need to bring your organization back to a known, good state. You truly need a SOC.



Gorka Sadowski

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.