Security Operations Center (SOC)
One-liner: A centralized unit that monitors, detects, analyzes, and responds to cybersecurity incidents 24/7.
What Is It?
A Security Operations Center (SOC) is the nerve center of an organization's cybersecurity defense. It is a team of security professionals (SOC analysts), often housed in a dedicated facility, who use technology, processes, and threat intelligence to continuously monitor the organization's assets, detect attacks against them, and respond.
SOC Structure
Tier Levels
| Tier | Role | Responsibilities |
|---|---|---|
| Tier 1 | Alert Triage Analyst | Monitor dashboards, triage alerts, initial investigation |
| Tier 2 | Incident Responder | Deep investigation, containment, Incident Response |
| Tier 3 | Threat Hunter | Proactive hunting, advanced analysis, threat intelligence |
| SOC Manager | Leadership | Strategy, metrics, team management |
Key Functions
1. Continuous Monitoring
2. [[Alert Triage]]
3. [[Incident Response]]
4. Threat Intelligence
5. Vulnerability Management
6. Security Tool Management
7. Compliance Reporting
SOC Technology Stack
- SIEM: log aggregation, normalization, and correlation (Splunk, ELK Stack)
- EDR: endpoint telemetry, detection, and response actions such as host isolation
- IDS/IPS: network intrusion detection (alert on matching traffic) and prevention (block it inline)
- SOAR: Security Orchestration, Automation, and Response; playbooks that enrich alerts and automate repetitive triage steps
- Threat Intel Platforms: collect and manage threat intelligence feeds (IOCs, TTPs) for enrichment and matching
- Case Management: TheHive Project, ticketing systems
SOC Metrics (KPIs)
- MTTD (Mean Time to Detect): average time from the first malicious event to the alert or analyst detection
- MTTR (Mean Time to Respond): average time from detection to containment, or to full resolution, depending on how the SOC defines it; pick one definition and measure it consistently
- Alert Volume: number of alerts per day, also tracked per analyst and per detection rule
- False Positive Rate: share of triaged alerts that turn out to be benign
- Incidents Escalated: count and share of alerts escalated from Tier 1 to Tier 2
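The KPIs above are easy to list and easy to compute wrongly. The following is an added example, not code from the original page, that computes them from a constructed set of case records; the record fields (`first_event`, `detected`, `resolved`, `verdict`, `escalated`) and every timestamp are assumptions made for illustration. It shows the two decisions that matter in practice: false positives have no malicious first event, so they are excluded from MTTD and MTTR, and open cases are excluded from MTTR rather than counted as zero.

```python
"""Compute SOC KPIs from constructed case records (added example, not real SOC data)."""
from datetime import datetime
from statistics import mean, median

# Constructed case records, one per triaged alert. first_event is the earliest
# malicious activity found during investigation; resolved is None while open.
CASES = [
    {"id": "INC-1", "verdict": "true_positive", "escalated": True,
     "first_event": "2024-05-01T08:00:00", "detected": "2024-05-01T08:30:00",
     "resolved": "2024-05-01T10:30:00"},
    {"id": "INC-2", "verdict": "true_positive", "escalated": True,
     "first_event": "2024-05-01T09:00:00", "detected": "2024-05-01T09:10:00",
     "resolved": "2024-05-01T09:40:00"},
    {"id": "INC-3", "verdict": "false_positive", "escalated": False,
     "first_event": None, "detected": "2024-05-01T09:20:00",
     "resolved": "2024-05-01T09:25:00"},
    {"id": "INC-4", "verdict": "true_positive", "escalated": True,
     "first_event": "2024-05-01T07:00:00", "detected": "2024-05-01T11:00:00",
     "resolved": None},  # still open at measurement time
    {"id": "INC-5", "verdict": "false_positive", "escalated": False,
     "first_event": None, "detected": "2024-05-01T11:30:00",
     "resolved": "2024-05-01T11:32:00"},
    {"id": "INC-6", "verdict": "true_positive", "escalated": False,
     "first_event": "2024-05-01T12:00:00", "detected": "2024-05-01T12:05:00",
     "resolved": "2024-05-01T12:35:00"},  # closed by Tier 1 without escalation
]

FMT = "%Y-%m-%dT%H:%M:%S"


def _minutes(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 60


def soc_kpis(cases):
    """Return MTTD and MTTR (mean and median, minutes), false-positive rate,
    escalation rate and open-incident count.

    MTTD: first_event -> detected, true positives only (a false positive has no
    malicious first event). MTTR: detected -> resolved, closed true positives only.
    Medians are reported next to means because one slow case (INC-4) drags the mean."""
    tps = [c for c in cases if c["verdict"] == "true_positive"]
    ttd = [_minutes(c["first_event"], c["detected"]) for c in tps if c["first_event"]]
    ttr = [_minutes(c["detected"], c["resolved"]) for c in tps if c["resolved"]]
    return {
        "alert_volume": len(cases),
        "mttd_mean_min": mean(ttd) if ttd else None,
        "mttd_median_min": median(ttd) if ttd else None,
        "mttr_mean_min": mean(ttr) if ttr else None,
        "mttr_median_min": median(ttr) if ttr else None,
        "false_positive_rate": sum(c["verdict"] == "false_positive" for c in cases) / len(cases),
        "escalation_rate": sum(c["escalated"] for c in cases) / len(cases),
        "open_incidents": sum(1 for c in tps if c["resolved"] is None),
    }


if __name__ == "__main__":
    for name, value in soc_kpis(CASES).items():
        print(f"{name:>20}: {value}")
```

On these records the mean MTTD is 71.25 minutes while the median is 20: a single four-hour detection gap (INC-4) dominates the mean, which is why a SOC should report both, and why MTTR must state whether the clock stops at containment or at resolution.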
SOC Workflow
1. Data Collection: logs and telemetry from all sources (endpoints, network, identity, cloud)
2. Correlation: SIEM rules match and correlate events and raise alerts
3. [[Alert Triage]]: Tier 1 validates the alert and decides true or false positive
4. Escalation: confirmed true positives go to Tier 2
5. [[Incident Response]]: contain, eradicate, recover
6. Post-Incident: lessons learned, detection tuning
SOC Models
| Model | Description |
|---|---|
| In-house SOC | Fully owned and operated internally |
| Managed SOC (MSOC) | Outsourced to third-party provider |
| Co-managed SOC | Hybrid: some functions in-house, some outsourced |
| Virtual SOC | Distributed team without physical facility |
Detection & Prevention
- Detection Engineering: building, testing, and tuning detection rules, ideally managed as code
- Threat-based detection: detecting attacker TTPs (behaviour such as a burst of failed logins followed by a success), usually mapped to MITRE ATT&CK techniques; keeps working when the attacker changes infrastructure
- Indicator detection: matching known IOCs (IPs, domains, hashes) from threat intelligence; cheap and precise, but evaded as soon as the attacker rotates infrastructure
- Environment-based detection: baselining normal activity per host or user and alerting on deviations (a login rate far above the usual, a never-before-seen process)
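The workflow above (collection, correlation, triage, escalation) and the three detection styles in this section, worked as one small pipeline over constructed SSH authentication logs. This is an added example, not code from the original page: the log lines, the IOC entry, the allowlisted scanner address, the per-host baselines, the ATT&CK mapping in the comments, and the thresholds are all constructed for illustration.

```python
"""Toy SIEM-style pipeline: collect, correlate, triage, escalate (added example).
Log lines, IOC feed, allowlist, baselines and thresholds are all constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sshd events in a simplified syslog format (RFC 5737 test addresses).
LOG_LINES = """\
2024-05-01T09:00:01Z web01 sshd: Failed password for admin from 203.0.113.5 port 40001
2024-05-01T09:00:03Z web01 sshd: Failed password for admin from 203.0.113.5 port 40002
2024-05-01T09:00:05Z web01 sshd: Failed password for admin from 203.0.113.5 port 40003
2024-05-01T09:00:07Z web01 sshd: Failed password for admin from 203.0.113.5 port 40004
2024-05-01T09:00:09Z web01 sshd: Failed password for admin from 203.0.113.5 port 40005
2024-05-01T09:00:12Z web01 sshd: Accepted password for admin from 203.0.113.5 port 40006
2024-05-01T09:05:00Z web02 sshd: Accepted publickey for deploy from 198.51.100.7 port 51000
2024-05-01T09:06:00Z web02 sshd: Failed password for root from 192.0.2.44 port 33000
2024-05-01T09:06:30Z web02 sshd: Failed password for root from 10.0.0.9 port 33001
2024-05-01T09:06:31Z web02 sshd: Failed password for root from 10.0.0.9 port 33002
2024-05-01T09:06:32Z web02 sshd: Failed password for root from 10.0.0.9 port 33003
"""
IOC_SOURCES = {"192.0.2.44"}  # constructed threat-intel feed entry
ALLOWLIST = {"10.0.0.9"}      # constructed: documented, authorised vulnerability scanner
# Constructed baseline: failed logins per host in each of the last five 10-minute windows.
BASELINE = {"web01": [0, 1, 0, 2, 1], "web02": [1, 0, 2, 1, 0]}
EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) "
                      r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port \d+$")


def parse(raw):
    """Data collection: normalise raw lines into event dicts sorted by time."""
    events = []
    for line in raw.splitlines():
        m = EVENT_RE.match(line)
        if m:  # unparsed lines would feed a parse-failure counter in a real pipeline
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def alert(kind, severity, host, src, detail):
    return {"kind": kind, "severity": severity, "host": host, "src": src, "detail": detail}


def detect_indicator(events):
    """Indicator detection: source IP matches an IOC from the threat-intel feed."""
    return [alert("indicator", "medium", e["host"], e["src"], "source IP on threat-intel feed")
            for e in events if e["src"] in IOC_SOURCES]


def detect_brute_force_success(events, threshold=5, window=timedelta(minutes=5)):
    """Behaviour detection: >= threshold failures then a success from one source inside window
    (ATT&CK T1110 Brute Force leading to T1078 Valid Accounts)."""
    alerts, by_pair = [], defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["src"])].append(e)
    for (host, src), evs in by_pair.items():
        failures = []
        for e in evs:
            if e["outcome"] == "Failed":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append(alert("behaviour", "high", host, src,
                                    f"{len(recent)} failures then success as {e['user']}"))
            failures = []  # a success closes the attempt window
    return alerts


def detect_baseline_anomaly(events, k=3.0):
    """Environment-based detection: this window's failed logins exceed baseline mean + k*sigma."""
    counts = Counter(e["host"] for e in events if e["outcome"] == "Failed")
    alerts = []
    for host, history in BASELINE.items():
        mu, sigma = mean(history), pstdev(history)
        if counts.get(host, 0) > mu + k * sigma:
            alerts.append(alert("anomaly", "low", host, "-",
                                f"{counts[host]} failed logins vs baseline {mu:.1f}+/-{sigma:.1f}"))
    return alerts


def triage(alerts):
    """Tier 1 triage: a high alert, or two independent detection types on one host, escalates."""
    per_host = defaultdict(list)
    for a in alerts:
        per_host[a["host"]].append(a)
    return {host: "escalate to Tier 2" if any(a["severity"] == "high" for a in hs)
            or len({a["kind"] for a in hs}) >= 2 else "Tier 1 monitor"
            for host, hs in per_host.items()}


def run_pipeline(raw):
    events = parse(raw)
    # Rule tuning: drop documented allowlisted sources but keep count of the suppressions.
    suppressed = sum(e["src"] in ALLOWLIST for e in events)
    events = [e for e in events if e["src"] not in ALLOWLIST]
    alerts = detect_indicator(events) + detect_brute_force_success(events) + detect_baseline_anomaly(events)
    return {"suppressed": suppressed, "alerts": alerts, "escalations": triage(alerts)}


if __name__ == "__main__":
    result = run_pipeline(LOG_LINES)
    for a in result["alerts"]:
        print(f"[{a['severity']}] {a['kind']} {a['host']} {a['src']}: {a['detail']}")
    print(result["suppressed"], "suppressed;", result["escalations"])
```

Running it, web01 produces a high behaviour alert (five failures then a success for `admin`) corroborated by a baseline anomaly, so triage escalates it to Tier 2; web02 produces only a medium indicator match on a single failed login, which stays at Tier 1. The allowlist illustrates rule tuning: without it the authorised scanner's three failures would push web02 over its baseline and raise a second, false, alert. Suppressions are counted rather than silently dropped so that a misused allowlist still shows up in the metrics.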
Interview Angles
Q: What's the difference between Tier 1, 2, and 3 SOC analysts?
- Tier 1: First responders who triage alerts, verify true/false positives, and escalate.
- Tier 2: Incident responders who conduct deep investigations, perform containment, and lead remediation.
- Tier 3: Expert threat hunters who proactively search for threats and develop advanced detections.
Q: How do you reduce false positives in a SOC?
- Tune detection rules to the environment's baseline (thresholds, expected volumes per host and user)
- Allowlist known-good sources that legitimately trip rules (authorised vulnerability scanners, backup jobs), with each entry documented and periodically reviewed
- Use threat intelligence for context before raising severity
- Implement tiered alerting (informational vs. critical) so low-confidence matches are logged for hunting rather than paged
- Keep a continuous feedback loop from analysts to detection engineers, tagging every false-positive closure with its reason so the rule can be fixed
Related Concepts
- Blue Teaming: defensive security philosophy
- CSIRT: incident response team structure
- Detection Engineering: building the detections
- Purple Teaming: collaborative red/blue exercises
- MITRE ATT&CK: knowledge base of adversary tactics and techniques, used to map detection coverage and design threat-based detections