How to Determine If You Need a SOC Team, CSIRT Team or Both
SOC and CSIRT teams have distinct roles and responsibilities. This article describes the differences between a SOC and a CSIRT to help you determine which team, or which combination of the two, fills your organization's needs.
SOC stands for security operations center. The term carries the connotation of an environment built specifically to defend corporate data and networks, and it is used both for the facility in which security tasks are carried out and for the people responsible for them. A SOC is therefore either an information security hub that centralizes cybersecurity activities in a given organization, or a cybersecurity team that deals with everything concerning the protection of an organization's information systems, including:
- Incident management/response
- Compliance and risk management
What Does a SOC Do?
A SOC is dedicated solely to protecting the enterprise's IT assets, and in many organizations IT security plans are reviewed and approved by the SOC. In addition, a SOC typically enforces regulatory requirements, for instance PCI DSS or CESG GPG53, and oversees the people, processes and technologies within the organization that must comply with them.
What separates a SOC from other cybersecurity units is that it provides a centralized, dedicated department that pairs techniques, talent and technology with intelligence-gathering capabilities in order to improve the organization's chances of warding off potential threats. Incident prevention and management are not its specialty (that is where the CSIRT has the high ground), but a SOC covers this activity as well, since its functions span the whole of cybersecurity.
SOC-as-a-service is not uncommon. EY is one organization that offers that option to its clients. According to EY’s studies, “over half (56%) of organizations are unlikely to detect a sophisticated cyber attack, and a similar number (53%) lack the skilled resources to handle them.”
The CERT Division of the Software Engineering Institute (SEI) considers a Computer Security Incident Response Team (CSIRT) to be "a service organization that is responsible for receiving, reviewing and responding to security incident reports and activity." It is either a formalized or an ad-hoc team, and it usually performs services for an already designated constituency (e.g., a corporation, a government or a client).
What Does a CSIRT Do?
By definition, every CSIRT must provide, at a minimum, incident management. A CSIRT is usually the central point of contact when security incidents arise. Just like a fire department, a CSIRT must "put out the fire" and restore the status quo in the wake of cyberattacks and security breaches. The faster a CSIRT reacts to an incident, the better its chances of limiting the resulting damage through rapid response and recovery measures, which helps maintain business continuity and lowers overall costs at the same time.
Incident handling has a three-part structure, embracing the functions of reporting, analysis and response. Viewed in more detail, CSIRT incident-handling activities usually include:
- Understanding cybersecurity incidents: CSIRTs must know the nature of each incident and its technical repercussions. Maintaining a repository of past incidents, for instance, lets the CSIRT analyse the trends and patterns of a particular kind of cyberattack, which may allow the team to draw conclusions that help avoid recurrence of the same or similar incidents.
- Dealing with the negative impact: CSIRTs must do all they can to research the problem and recommend feasible solutions and workarounds. The actual implementation of response strategies, e.g., a business continuity plan, should be accompanied by coordinating and supporting activities (with third parties, for instance).
- Helping others stay alert: CSIRTs distribute security alerts to the organization's members about the latest risks, exploits, threats and information attacks.
- Crafting mitigation strategies.
A CSIRT may have secondary duties, such as:
- Recommending best practices and strategies for secure configuration and in-depth protection of critical assets (e.g., infrastructure reviews)
- Vulnerability assessment (e.g., penetration testing, vulnerability scanning, etc.)
- Active participation in the computer forensic evidence collection phase (e.g., providing support for legal and law enforcement agencies)
- Awareness training and education
- Security policy development
Although there is no unified standard consolidating the functions and services every CSIRT should offer, and each team is free to tailor its functions and services to the needs of its constituency or parent organization, protection of critical infrastructure is a key goal of every CSIRT.
Should I Establish a SOC or CSIRT Team?
One author sheds some light on the SOC-CSIRT relationship on the Gartner blog network. According to his observations, his "clients with THE MOST mature security operations" apply a "tri-team" model for detection and response, which consists of:
- SOC: Purpose is "primarily monitoring and … in near real-time, and of course …"
- CSIRT: Ensures effective and timely incident response.
- Threat center: Refines threat intelligence, profiles threat actors and builds internal databases for threat prevention and detection.
SOCs and CSIRTs can not only co-exist but also be complemented by other similarly structured entities to maximize an organization's protection.
In terms of structure and information sharing, SOCs tend to work in isolation and in practice rarely cooperate with other SOCs, because of confidentiality clauses signed with customers, whereas CSIRTs may be vertically structured into sector CSIRTs and may be obliged to report to a national CSIRT.
As far as scope is concerned, SOCs typically serve a single organization. CSIRTs can operate that way too, but they also exist at the sector, national and public level.
Under normal circumstances, the CSIRT is the team responsible for incident management. Where there is no CSIRT, however, the SOC assumes this responsibility. Where both teams co-exist within the corporate environment, the SOC assists the CSIRT by collecting the information needed to counter and respond to cybersecurity threats effectively.
Figure 1: SOC & CSIRT Characteristics
This figure is based on "Table 6: SOC and CSIRT common and unique services" in E-CMIRC: Towards a Model for the Integration of Services Between SOCs and CSIRTs by Jacobs, P., Solms, S. & Grobler, M.
- Carnegie Mellon University. CSIRT Frequently Asked Questions (FAQ). Available at
- Chuvakin, A. (2016). About The Tri-Team Model of SOC, CIRT, “Threat Something”. Available at
- CyberSponse (2017). SOC vs CSIRT… What is the Difference? Available at
- ECCWS (2016). Proceedings of The 15th European Conference on Cyber Warfare and Security. Available at
- Jacobs, P., Solms, S. & Grobler, M. (2016). E-CMIRC: Towards a Model for the Integration of Services Between SOCs and CSIRTs. Available at
- Rapid7 Blog (2017). What is the Difference Between a SOC and a CSIRT? Available at
- Ruefle, R. (2007). Defining Computer Security Incident Response Teams. Available at
- Sanandakumar, S. (2015). EY has launched its Managed Security Operations Center (SOC) services at Kazakootam. Available at
- Soto, C. (2015). Security Operations Center (SOC) 101. Available at