SOC analyst

SOC 101 – What Is It?

February 6, 2019 by Greg Belding

Information security is becoming increasingly important for many organizations and industries – this is indeed a well-known fact. What is not as well-known to the information security layman is whether an organization can implement something that will give it an advantage over the latest threats.

The holy grail of information security, a security operations center (or SOC), is what will keep you ahead of the threat curve. This article will explore what a SOC is, the different roles and types of SOCs available, and some of the common responsibilities assigned to SOC personnel.

What Is a Security Operations Center?

A Security Operations Center, or SOC, is a team of dedicated, high-quality IT and information security experts and the facility that they work in. There are many advantages to using a SOC – from having a team of information security experts at your fingertips to the visibility afforded by an ensemble of cutting-edge information security technologies that would be beyond cost-prohibitive for most small- to medium-sized organizations.

The SOC facility is generally manned around the clock and utilizes state-of-the-art physical security to ensure an extra layer of protection for the physical assets it houses. These facilities can be massive and some even use top-secret security measures. One data center housing a SOC team in West Chicago, Illinois is using a former NSA electronic records building with all of its former top-secret security measures – talk about secure servers!

Different Roles on a SOC Team

SOC teams can accomplish a lot with just a few people, and one of the strengths of a SOC team is that it can use a string of different experts. Below is a list of just some of the different types of SOC team roles and a general description of what they contribute to the team:

Incident Responder

This role can be viewed as a sort of cyber-first-responder. Incident responders perform the initial evaluation of security irregularities when security events occur.

Cybersecurity Analysts

Pulling up the intermediate end of a SOC team’s work is the cybersecurity analyst. After the initial identification and analysis of security events have been performed, cybersecurity analysts categorize, rank by threat severity and escalate potential threats and issues. These may be escalated to a SOC manager or, in the case of tiered facilities, the threat or issue will be escalated to the proper tier of experts.

Security Engineer

Security engineers are the experts responsible for maintaining security tools such as SIEM solutions, recommending new tools when needed and updating systems. In the case of Managed Security Service Providers (MSSPs) that provide software created in-house, security engineers are creators of this software. Security engineers often work closely with the development team of their respective organizations and can serve as liaison between the SOC and development teams.

Forensic Investigators

Forensic investigators are the experts that gather data of security incidents and preserve the evidence that they find. This evidence can be used to create new rules, shed light on new and emerging threat trends and generally keep the SOC team a few steps ahead of the threat landscape.

Compliance Auditor

These cybersecurity experts are responsible for monitoring the actions of SOC team members to ensure compliance with prescribed procedures. SOC facilities often have strict procedures and rules to ensure the highest quality of information security services possible, so making sure that SOC team members are reaching this high standard is paramount.

SOC Manager

As you may guess from the title, SOC managers are tasked with the higher-level, managerial end of SOC work. SOC managers manage SOC facility personnel, make executive budget and program decisions within the SOC and report to executive level managers within the organization. This role is also responsible for coordinating with heads of other departments within the organization to ensure compliance with applicable laws and regulations. You can think of the SOC manager as the brain and the rest of the SOC team as the body.

Different Types of SOCs

Below is a list of the different standard models of SOCs that you are most likely to encounter:

Internal SOC

Internal SOCs are comprised of different IT professionals within an organization. This model can be either made up of team members from different departments or be centrally dedicated to the security needs of the organization.

Internal Virtual SOC

This model of SOC does not have its own dedicated facility, but rather is composed of a team of part-time employees that react to alerts generated by security events occurring.

Co-Managed SOC

Co-managed SOCs are made up of a team of semi-dedicated experts that work with an MSSP to manage and maintain security operations.

Command SOC

While not as common as the other standard SOC models, command SOC facilities coordinate the operations of groups of SOC facilities. This standard model is better suited to higher-level insight than the other models.

Outsourced Virtual SOC

Outsourced Virtual SOC do not have dedicated facility and are remote, much like the internal virtual SOC. What sets this standard model apart from the others is that it is not made up of individuals within an organization, but rather is a third-party service provider that is independent from the organization.

SOC Downsides

“Downsides” is a bit of a misnomer, as there really is only one downside to managing security operations via a SOC: the cost of building a SOC. SOC facilities are often costly to buy or build (unless you buy your facility from the government for pennies on the dollar), you need to equip the facility with cutting-edge security solutions and tools (again costly) and you must be able to afford a team of expert information security professionals. For many organizations, this is a bridge too far, financially speaking.

The best solution for a small- to medium-size organization that wants the security operations edge that using a SOC can provide, MSSPs are a great alternative. For a monthly fee, you can obtain at least most of the security advantages provided by a SOC. You will not have to provide a dedicated facility, as MSSPs are generally remote.


Security Operation Centers are a way for organizations to manage and maintain security operations. Often using a dedicated facility, SOC teams of information security experts provide high-quality information security services usually 24 hours a day, 7 days a week. Using the different forms of SOC can be prohibitively expensive, but there are less-costly standard models of SOCs as well as MSSPs which can help organizations bridge the information security gap that the organization may be currently facing.


  1. What Is a Security Operations Center, and Why Is It Important?, BlackStratus
  3. What is a Security Operations Center (SOC)?, Digital Guardian
Posted: February 6, 2019
Greg Belding
View Profile

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.

Leave a Reply

Your email address will not be published.