A security operations center (SOC) is a hub staffed by security personnel who continuously monitor an organization's entire IT infrastructure. A SOC collects security event data from applications, security devices, data centers, cloud resources, and other systems via a Security Information and Event Management (SIEM) system.
How a SOC Works
SOCs usually operate through a hub-and-spoke model, in which the SIEM gathers data from a range of specialised security technologies. These tools include:
- Firewall
- Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
- Governance, Risk, Compliance (GRC) Tool
- Endpoint Detection and Response (EDR) Tool
- Log Management System (LMS)
- Penetration Testing
- Application Security Tool
- Asset Discovery Tool
- Data Monitoring Tool
- Security Orchestration, Automation, and Response (SOAR) Tool
- User and Entity Behavior Analytics (UEBA)
- Threat Intelligence Platform (TIP)
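To make the hub-and-spoke model concrete, the following is an added example written for this page (not code from any SOC product or vendor): three spokes (firewall, IDS, EDR) emit events in their own formats, the hub normalises them into one schema, and a correlation rule joins them into a single incident that no spoke could raise alone. All log lines, IP addresses, hostnames and signature names are constructed sample data.

```python
"""Toy hub-and-spoke SIEM: normalise events from three spoke tools into one
schema, then run a cross-source correlation rule at the hub. Sample data only."""
import json
from collections import defaultdict
RAW_EVENTS = [  # (spoke, native-format line) - constructed sample events
    ("firewall", "1700000000 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=445"),
    ("ids", '{"ts": 1700000030, "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",'
            ' "sig": "SMB exploit attempt"}'),
    ("edr", "1700000090,host-fs01,10.0.0.5,powershell.exe,parent=services.exe"),
    ("firewall", "1700000120 DENY src=198.51.100.9 dst=10.0.0.5 dport=22"),
]

def normalise(source, raw):
    """Map each spoke's native format onto the hub's common schema."""
    if source == "firewall":
        ts, action, *kv = raw.split()
        f = dict(p.split("=", 1) for p in kv)
        return {"source": source, "ts": int(ts), "src_ip": f["src"],
                "dst_ip": f["dst"], "signal": action}
    if source == "ids":
        j = json.loads(raw)
        return {"source": source, "ts": j["ts"], "src_ip": j["src_ip"],
                "dst_ip": j["dst_ip"], "signal": j["sig"]}
    if source == "edr":
        ts, _host, ip, proc, parent = raw.split(",")
        return {"source": source, "ts": int(ts), "src_ip": None,
                "dst_ip": ip, "signal": f"{proc} ({parent})"}
    raise ValueError(f"unknown spoke: {source}")

def correlate(events, window=300):
    """Hub rule: firewall ALLOW + IDS alert for the same src->dst, followed by
    endpoint process activity on dst within `window` seconds -> one incident."""
    by_dst = defaultdict(list)
    for e in events:
        by_dst[e["dst_ip"]].append(e)
    incidents = []
    for dst, evs in by_dst.items():
        allowed = {e["src_ip"] for e in evs
                   if e["source"] == "firewall" and e["signal"] == "ALLOW"}
        for alert in [e for e in evs if e["source"] == "ids" and e["src_ip"] in allowed]:
            edr = [e["signal"] for e in evs
                   if e["source"] == "edr" and 0 <= e["ts"] - alert["ts"] <= window]
            if edr:
                incidents.append({"dst_ip": dst, "src_ip": alert["src_ip"],
                                  "ids": alert["signal"], "edr": edr})
    return incidents

def run(raw_events=RAW_EVENTS):
    # Full pipeline: spokes -> normalised hub schema -> correlated incidents.
    return correlate([normalise(s, r) for s, r in raw_events])
```

Dropping any one spoke from the input (for example, all firewall events) yields no incident, which is the point of centralising the data: the signal exists only in the join.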
Types of SOCs
There are 7 broad categories of SOCs:
- Dedicated (Self-managed) SOC
- Distributed (Co-managed) SOC
- Managed SOC
- Command (Global) SOC
- Multifunction SOC (SOC/NOC)
- Virtual SOC
- SOCaaS (SOC-as-a-service)