What is SOC?

SOC stands for Security Operations Center: a team of cybersecurity personnel dedicated to monitoring and analyzing an organization’s security posture and responding to potential or ongoing breaches. The team is responsible for watching all the security systems in real time. This first line of defense works around the clock to protect an organization’s security infrastructure from cyber threats.

There were 4.1 billion records exposed in the first half of 2019.

– Source: Norton

The average total cost of a breach in 2019 was $3.92 million.

– Source: Ponemon Institute’s Cost of a Data Breach report

In the first half of 2019, there was an over 54% increase in reported breaches in comparison to the first six months of 2018.

– Source: Norton

The data shows that as the probability of a breach rises, so does the cost of a data breach. It indicates how urgently businesses need people who constantly watch for possible security threats and build strategies to eliminate them. Integrating a SOC into an overall security strategy helps address the constant threat of being targeted by malicious threat actors.

The World Needs SOC Staff

(Source: LinkedIn Jobs)

The following graph represents how organizations from different parts of the world are keen on deploying cyber security operations centers. They are constantly hiring SOC specialists, such as SOC engineers and SOC analysts to keep their infrastructure secure.

Industries that must have a SOC

Various industries are dependent on SOCs, among them:

  • Payment Card Industry
  • Financial Services
  • Government Agencies

Why Must Organizations Have Log Management and SOC?

Log management is an organized approach to deal with large volumes of computer-generated log data. It allows multiple operations on data – its generation, collection, centralization, parsing, transmission, storage, archival, and disposal.

Organizations need log management and a SOC in order to:

  • Comply with applicable regulatory standards such as PCI-DSS, HIPAA, RMiT, ISO 27001, and others.
  • Protect their servers that store sensitive data from internal and external threats.
  • Secure proprietary information and intellectual property.
Besides log management, SOC professionals can also integrate SIEM tools – Security Information and Event Management in their process. These software tools aggregate security data from multiple sources, such as network devices, servers, and other locations. SIEM tools then connect the dots to discover the trends and detect cyber threats so that organizations can act on the alerts.
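The "connect the dots" step is easiest to see in code. The following is an added example, not part of the original article or any SIEM product: it normalizes two constructed log sources (a firewall log and an SSH auth log, with hypothetical hosts, IPs and timestamps) into one event schema and raises an alert only when the two sources together show a source address that was denied repeatedly and then logged in successfully shortly afterwards. Neither source alone would produce that alert.

```python
"""
Added example of SIEM-style cross-source correlation.
All log lines, hostnames and addresses below are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (hypothetical host fw01).
FIREWALL_LOG = """\
2024-03-01T10:00:01 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T10:00:02 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=23 proto=tcp
2024-03-01T10:00:03 fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=3389 proto=tcp
2024-03-01T10:00:04 fw01 ALLOW src=198.51.100.7 dst=10.0.0.5 dport=22 proto=tcp
2024-03-01T10:05:00 fw01 ALLOW src=203.0.113.9 dst=10.0.0.5 dport=443 proto=tcp
"""
# Constructed SSH auth log (hypothetical host srv05).
AUTH_LOG = """\
2024-03-01T10:00:05 srv05 sshd: Failed password for root from 198.51.100.7
2024-03-01T10:00:06 srv05 sshd: Failed password for admin from 198.51.100.7
2024-03-01T10:00:09 srv05 sshd: Accepted password for backup from 198.51.100.7
2024-03-01T10:05:01 srv05 sshd: Accepted publickey for deploy from 203.0.113.9
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=\S+ dport=(\d+)")
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)")


def parse_firewall(text):
    """Normalize firewall lines into the shared event schema."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, action, src, port = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "source": host,
                           "type": "fw_" + action.lower(), "ip": src, "port": int(port)})
    return events


def parse_auth(text):
    """Normalize sshd lines into the shared event schema."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "source": host,
                           "type": "auth_" + result.lower(), "ip": src, "user": user})
    return events


def correlate(events, deny_threshold=3, window=timedelta(minutes=2)):
    """Alert on IPs with >= deny_threshold firewall denials followed by a
    successful login within `window` of the first denial. The rule needs
    both sources: the firewall sees the denials, sshd sees the login."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        denies = [e for e in evs if e["type"] == "fw_deny"]
        if len(denies) < deny_threshold:
            continue
        first = denies[0]["time"]
        for e in evs:
            if e["type"] == "auth_accepted" and first <= e["time"] <= first + window:
                alerts.append({"ip": ip, "denies": len(denies), "user": e["user"],
                               "sources": sorted({x["source"] for x in evs})})
                break
    return alerts


def run():
    """Aggregate both sources and return the correlated alerts."""
    return correlate(parse_firewall(FIREWALL_LOG) + parse_auth(AUTH_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The thresholds and window are tuning knobs an analyst would adjust per environment; the point is that the alert key (source IP) is shared across sources once both logs are parsed into one schema.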


Industry-Wise Analysis

  • Healthcare industry: Deals with consumers’ health data.
  • Manufacturing industry: Owns a lot of intellectual property and technology.
  • Financial services: Deals with data on monetary transactions; real-time monitoring of activities is vital.
  • Government agencies: They may store personal information along with criminal records and religious and political inclinations.
  • Education industry: Changes to personal records in schools, universities, and training institutes can misrepresent individuals and their skills.

Apart from these industries, companies belonging to food and beverage, oil and gas (O&G), fashion, and many other industries also need constant security monitoring and log management services.

How does a SOC help?

Positive Technologies revealed that Q3 2019 registered 64 percent of the year’s data theft attacks, of which 23% were aimed at obtaining credit card numbers.

For the Payment Card Industry (PCI), it is mandatory to maintain a SOC. According to the PCI Compliance Security Standard Council, any merchant processing and storing credit card data should be PCI compliant. PCI compliance helps to ensure secure online transactions and protection against identity theft.

In such an environment, a SOC helps to:

  • monitor firewalls, their logs, and any configuration change to identify irregularities.
  • increase the speed of incident remediation.
  • check firewall and router configuration standards by comparing them with documented services, ports, and protocols.
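The third point, comparing the live firewall configuration with the documented services, ports, and protocols, is a mechanical check that lends itself to automation. The following is an added example, not from the original article and not tied to any firewall vendor: it takes a constructed export of a ruleset and a constructed "documented services" list (hypothetical ports and address ranges) and reports allow rules with no business justification, rules whose source range is broader than what was documented, and documented services that have no matching rule.

```python
"""
Added example: audit an exported firewall ruleset against documented
services, ports and protocols. Both inputs are constructed samples.
"""
import ipaddress

# Documented services: (protocol, port) -> justification and allowed source range.
APPROVED = {
    ("tcp", 443): {"service": "HTTPS storefront", "src": "0.0.0.0/0"},
    ("tcp", 22): {"service": "SSH from jump host", "src": "10.0.9.0/24"},
    ("udp", 53): {"service": "internal DNS", "src": "10.0.0.0/8"},
    ("tcp", 8443): {"service": "admin console", "src": "10.0.9.0/24"},
}

# Constructed export of the currently deployed ruleset (hypothetical rule ids).
RULESET = [
    {"id": 1, "action": "allow", "proto": "tcp", "port": 443, "src": "0.0.0.0/0"},
    {"id": 2, "action": "allow", "proto": "tcp", "port": 22, "src": "0.0.0.0/0"},
    {"id": 3, "action": "allow", "proto": "tcp", "port": 23, "src": "0.0.0.0/0"},
    {"id": 4, "action": "allow", "proto": "udp", "port": 53, "src": "10.0.0.0/8"},
    {"id": 5, "action": "deny", "proto": "any", "port": 0, "src": "0.0.0.0/0"},
]


def audit_ruleset(ruleset, approved):
    """Return a list of findings as dicts with keys rule, issue, detail.

    Three classes of drift are reported:
      - an allow rule for a protocol/port nobody documented;
      - an allow rule whose source range exceeds the documented range;
      - a documented service that has no allow rule at all.
    """
    findings = []
    seen = set()
    for rule in ruleset:
        if rule["action"] != "allow":
            continue  # only permissive rules need a justification
        key = (rule["proto"], rule["port"])
        seen.add(key)
        doc = approved.get(key)
        if doc is None:
            findings.append({"rule": rule["id"], "issue": "undocumented service",
                             "detail": f"{rule['proto']}/{rule['port']} from {rule['src']}"})
            continue
        allowed = ipaddress.ip_network(doc["src"])
        actual = ipaddress.ip_network(rule["src"])
        # subnet_of is true for equal networks, so an exact match passes.
        if not actual.subnet_of(allowed):
            findings.append({"rule": rule["id"], "issue": "broader than documented",
                             "detail": f"{doc['service']}: {actual} is not within {allowed}"})
    for key, doc in approved.items():
        if key not in seen:
            findings.append({"rule": None, "issue": "documented but not configured",
                             "detail": doc["service"]})
    return findings


if __name__ == "__main__":
    for finding in audit_ruleset(RULESET, APPROVED):
        print(finding)
```

In a real SOC the documented list lives in the change-management system and the ruleset export comes from the device; running this comparison after every configuration change turns the PCI documentation requirement into a continuous control rather than an annual scramble.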

Nearly two-thirds of healthcare institutions experience a cyberattack in their lifetime, while 53% were targeted in the past 12 months.

As the healthcare industry contains crucial health data, such as holistic reports of patients including personalized diagnoses and treatments, it is an alluring target to cybercriminals. Threat actors monetize patient data by selling it to the highest bidder or blackmailing the victim.

To keep protected health information (PHI) secure, healthcare organizations require a SOC 2 audit (SOC 2 here refers to the AICPA System and Organization Controls report, a separate concept from a Security Operations Center). SOC 2 compliance ensures

  • Customer trust
  • Brand reputation
  • Business continuity
  • Competitive advantage

As per the 2019 Deloitte and MAPI Smart Factory Study, 4 in 10 manufacturers faced a cyber incident that impacted their operations in the last 12 months.

The manufacturing sector has always been a vulnerable industry because it possesses intellectual property and advanced technologies. Consider a Department of Defense (DoD) contractor, for example: it must meet the NIST cybersecurity standards to maintain DFARS (Defense Federal Acquisition Regulation Supplement) compliance. NIST SP 800-171 outlines requirements for Audit and Accountability, Configuration Management, Identification and Authentication, and several other control families.

For the manufacturing industry, SOC specialists are needed to:

  • set up alerts to monitor potential threats.
  • promptly remediate ongoing and possible security threats.

According to a 2019 report by Boston Consulting Group (BCG), financial services firms are 300 times more likely to be targeted by a cyberattack than other enterprises.

Cybercriminals are attracted to Financial services for their bulk transactions and real-time monitoring of activities. Apart from external attacks, institutions are also vulnerable to lost employee devices (like phones) and insider threats.

Banking and financial services should perform SOC Type 1 and SOC Type 2 audits along with annual SOC 1 SSAE 18 reports. Being closely tied to the ICFR (Internal Control Over Financial Reporting) concept, these audits effectively report on internal controls. They reveal

  • weaknesses in security controls like improperly provisioned information systems, weak authentication parameters, lack of multiple layers of security, and others.
  • shortcomings in operational controls.
  • flaws in documentation.

The IT security firm Barracuda Networks revealed in its 2019 report that nearly two-thirds of all ransomware attacks targeted government agencies.

As government agencies store personal information along with criminal records and religious and political inclinations, they are a prized target for cyber attackers.

Government institutions need SOCs for

  • network monitoring in real-time.
  • analyzing activities on servers, endpoints, and databases.
  • looking for an incident or signs of a breach.

Verizon’s Mobile Security Index 2020 Report found that 44% of educational organizations suffered a security compromise involving a mobile device.

Education establishments are easy targets for cybercriminals. They not only carry personal data but also valuable research data and allow access to larger networks.
A SOC can help an educational institution’s IT staff respond to growing security threats by

  • identifying and monitoring institutional assets and data.
  • neutralizing threats.
  • providing cybersecurity metrics to the IT staff.

What Are The Responsibilities of a SOC?

SOCs use strategic methodologies and processes for active surveillance and real-time analysis of an organization’s security infrastructure. The team carries out the following tasks.

Identify assets: SOC operations start with gaining a holistic understanding of the tools and technologies at the team’s disposal. The team learns about the hardware and software running on the systems. This in-depth understanding helps in the early detection of potential cyber threats and existing vulnerabilities.

Proactive monitoring: A SOC primarily focuses on detecting malicious activity on the network before it can lead to substantial harm.

Manage logs, configuration changes, and response: Thorough management of activity logs helps a cyber forensic investigator trace back to the point where something may have gone wrong.

Rank alerts as per their severity: Whenever a SOC detects a threat or irregularity, it is responsible for ranking the severity of the incident. This ranking helps in prioritizing the response to the event.

Adjust defenses: A SOC adjusts its defenses through vulnerability management and by increasing its awareness of threats. This helps the team stay vigilant for breaches.

Check compliance: SOCs can check whether the organization complies with applicable regulations and standards.

Notify on security breach: Organizations aim for minimal or no network downtime when hit by unexpected security incidents. A SOC alerts the stakeholders as quickly as possible to ensure business continuity.
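Two of the tasks above, identifying assets and ranking alerts by severity, feed each other: the same detection matters more on a cardholder-data server than on a developer workstation. The following is an added example, not from the original article or any SOC platform, showing a small triage queue. It collapses repeated alerts for the same rule and host, scores each group by detection severity multiplied by the asset’s criticality from a constructed inventory (hypothetical hostnames and weights), escalates groups that keep firing, and flags hosts the inventory does not know about, since an unknown asset is itself a finding for the "identify assets" task.

```python
"""
Added example: alert triage that combines detection severity with asset
criticality. Inventory, weights and alerts are constructed for the demo.
"""
from collections import OrderedDict

# Constructed asset inventory: hostname -> criticality on a 1 (low) to 5 (high) scale.
ASSET_CRITICALITY = {"pci-db01": 5, "web01": 3, "dev-box7": 1}

# Weight assigned to the detection's own severity label.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed raw alerts as a detection engine would emit them.
RAW_ALERTS = [
    {"time": "10:00", "rule": "port-scan", "host": "dev-box7", "severity": "low"},
    {"time": "10:01", "rule": "malware-beacon", "host": "web01", "severity": "high"},
    {"time": "10:02", "rule": "port-scan", "host": "dev-box7", "severity": "low"},
    {"time": "10:03", "rule": "failed-logins", "host": "pci-db01", "severity": "medium"},
    {"time": "10:04", "rule": "port-scan", "host": "dev-box7", "severity": "low"},
    {"time": "10:05", "rule": "failed-logins", "host": "unknown-host-42", "severity": "medium"},
]


def aggregate(raw):
    """Collapse repeated (rule, host) alerts into one record with a count,
    keeping the time of the first occurrence."""
    groups = OrderedDict()
    for a in raw:
        key = (a["rule"], a["host"])
        g = groups.setdefault(key, {"rule": a["rule"], "host": a["host"],
                                    "severity": a["severity"], "first": a["time"],
                                    "count": 0})
        g["count"] += 1
    return list(groups.values())


def score(alert, assets, escalate_at=3, unknown_default=3):
    """Severity weight times asset criticality. Groups that fire at least
    `escalate_at` times get a bump. Hosts missing from the inventory use a
    conservative default and are flagged so the inventory gets fixed."""
    crit = assets.get(alert["host"])
    alert["unknown_asset"] = crit is None
    if crit is None:
        crit = unknown_default
    value = SEVERITY_WEIGHT[alert["severity"]] * crit
    if alert["count"] >= escalate_at:
        value += 2
    return value


def triage_queue(raw, assets):
    """Return aggregated alerts ordered highest score first, oldest first on ties."""
    items = aggregate(raw)
    for a in items:
        a["score"] = score(a, assets)
    return sorted(items, key=lambda a: (-a["score"], a["first"]))


if __name__ == "__main__":
    for item in triage_queue(RAW_ALERTS, ASSET_CRITICALITY):
        print(item["score"], item["rule"], item["host"], item["count"],
              "UNKNOWN ASSET" if item["unknown_asset"] else "")
```

The multiplicative scoring is deliberately simple; what matters is that criticality comes from the inventory the SOC built in the "identify assets" step rather than being guessed per alert, and that gaps in that inventory surface in the queue instead of silently receiving a default.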

7 Steps To Build a Great SOC

The following steps help you build a SOC:

  • Step 1: Develop your strategy
  • Step 2: Design a solution
  • Step 3: Create processes, procedures, and training
  • Step 4: Prepare your environment
  • Step 5: Implement your solution
  • Step 6: Deploy end-to-end use cases
  • Step 7: Maintain and evolve your solution

Step 1: Develop your strategy

Start by assessing the existing SOC capabilities of the organization in terms of people, processes, and technologies. Stick to the four major operations of SOC: monitoring, detection, response, and recovery. To effectively discharge the duties, the team should create a strategy that considers business objectives. For instance, identifying which systems and data are vital for sustaining operations to keep the business afloat will help determine the priorities of the SOC team as well.

Step 2: Design a solution

Instead of relying on a broad-function SOC solution, limiting the scope to the situation of the organization is a best practice. When designing your SOC, be on the lookout for scope creep to keep it scalable to meet future needs. A focused solution reduces the amount of time invested in implementation and achieves quick results. The design should include:

  • Functional requirements like monitored log and event sources, utilized threat intelligence sources, and performance requirements (such as response times).
  • Which SOC model your SOC will be. Whether you implement a dedicated SOC, virtual SOC, outsourced SOC, or hybrid SOC will be foundational to your design.
  • Technical architecture. Plan the composition and configuration of the components of the solution, identify business and information systems, define event workflows to align with processes, automate the required solution, and determine whether tabletop exercises are needed.

Step 3: Create processes, procedures, and training

The SOC solution must follow the six phases of the Threat Lifecycle Management (TLM) framework, which are forensic data collection, the discovery of potential threats, qualification of discovered threats to assess potential impact on the business, investigation, threat neutralization, and recovery. In the case of a hybrid or outsourced SOC model, coordinate with the service provider.

Step 4: Prepare your environment

Check whether all the required elements are in place before deploying the solution. Key elements include remote access mechanisms, strong authentication for remote access, and protection of SOC staff equipment.

Step 5: Implement your solution

To execute the solution, you must

  • Establish a log management system
  • Organize a minimal number of critical data sources
  • Set up the security analytics capabilities
  • Structure the security automation and orchestration capabilities

Once done, check the alignment of systems with the workflow.

Step 6: Deploy end-to-end use cases

Next, deploy use cases that focus on end-to-end threat detection and response. They should be implemented across the analytics tier and the security automation and orchestration tier. Test all forms of the automation solution rigorously. Furthermore, verify the readability and security of the remotely accessed solution.

Step 7: Maintain and evolve your solution

The solution will require continuous maintenance and updating at regular intervals. Updating based on how the SOC functions in the organization’s environment will help increase the efficiency and threat detection rate of the SOC solution.

How a SOC is Different from CSIRT

The infographic shows how the primary responsibilities of a SOC analyst or a SOC manager are different from the incident leaders or any other CSIRT members.

For those who want to make a career in SOC, EC-Council offers its CSA certification. Our Certified SOC Analyst course will help you get the industry-demanded CSA training and establish yourself as a certified SOC analyst.
