Demystifying the SOC, Part 3: Whether You Know It or Not, You Have a SOC

In our previous posts, we discussed why every organization, including yours, needs a security operations center (SOC) and why prevention is not enough. Here we’ll discuss why, whether you know it or not, you already have a SOC. And if you look around and there is nobody else in the security team, then you — are — the SOC!!

SOCs are about keeping the organization in a known good state

As previously discussed, the SOC’s mission is to keep the organization’s infrastructure operating securely in a known clean state. Today it ’s assumed that it’s only a matter of time before an organization suffers a security breach. When it does, the SOC acts as a competency center for threat detection, investigation and remediation (TDIR), returning the organization to a known good state as quickly as possible.

But what does a SOC actually do from day to day?

  • It monitors events and logs, and consumes context information to detect a breach in progress.
  • When a breach is detected, it performs investigation to scope the blast radius and understand root cause.
  • It then coordinates with IT to make sure the right steps are taken to address the breach and bring the organization back to a good state. Then works to make sure that “the hole is plugged” and that this incident cannot happen again.
  • If the incident cannot be remediated with the resources and expertise of internal staff, the SOC may work with an outside incident response firm and help coordinate activities with the outside firm and your organization.
  • On a more tactical level, the SOC also needs to fulfill requests from human resources regarding any employees involved, and from the legal department about affected files and data and who may have had access to them.
  • Finally, the SOC informs senior management about the organization’s security posture, any serious incidents, and any other security-related events that may have an impact on the business.

Your SOC

A SOC used to be one or more rooms where a team of security analysts would collaborate in close physical proximity, monitoring screens and working together to address security issues. With remote access, virtual collaboration tools, and Covid 19, that is no longer the case. Today many people, including SOC teams, work from home and collaborate via virtual collaboration tools such as Slack, Microsoft Teams, and Instant Messenger. And a SOC is not necessarily a large team.

In fact, today a SOC is no longer a thing, it’s more of a concept. There really are no longer any specific requirements in terms of number of people staffing a SOC or a physical location where SOC happens.

Are you a small business with a handful of people who know something about security, or even one part-time person who has some security knowledge and is the go-to person for anything security related? That’s your SOC. Look around at your security team. Are you the only there? Well, then you — are — the SOC!!

So, yes, you have a SOC. But are you really measuring and tracking the efficiency of your SOC using the right metrics? That is the subject of our next blog.

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.