
How to Determine If You Need a SOC Team, CSIRT Team or Both

February 28, 2018 by Dimitar Kostadinov

SOC and CSIRT teams have distinctive roles and responsibilities. In this article we describe the differences between a SOC and CSIRT to help you determine which team will fill your organization’s needs.


SOC stands for security operations center. The term carries the connotation of an environment built specifically to defend corporate data and networks, and it is used both for the facility in which security tasks are carried out and for the people responsible for them. A SOC is either an information security hub that centralizes cybersecurity activities in a given organization, or a cybersecurity team that deals with everything concerning the protection of an organization’s information systems:

  • Prevention
  • Detection
  • Incident management/response
  • Reporting
  • Compliance and risk management

What Does a SOC Do?

A SOC is dedicated solely to protecting the enterprise’s IT assets, so IT security plans are typically reviewed and approved by it. In addition, a SOC enforces regulatory requirements, for instance PCI DSS or CESG GPG53, and oversees the people, processes and technologies within the organization that must comply with them.

What separates a SOC from other cybersecurity units is that it is a centralized, dedicated department that pairs techniques, talent and technology with intelligence-gathering capabilities to improve the organization’s chances of warding off threats. Incident management is not its specialty (that is where the CSIRT has the high ground), but a SOC covers this activity as well, since its remit spans the whole of cybersecurity.

SOC-as-a-service is not uncommon; EY is one organization that offers it to its clients. According to EY’s studies, “over half (56%) of organizations are unlikely to detect a sophisticated cyber attack, and a similar number (53%) lack the skilled resources to handle them.”


The CERT Division of the Software Engineering Institute (SEI) considers a Computer Security Incident Response Team (CSIRT) to be “a service organization that is responsible for receiving, reviewing and responding to security incident reports and activity.” It is either a formalized or an ad-hoc team, and it usually performs services for an already designated constituency (e.g., a corporation, government or client).

What Does a CSIRT Do?

By definition, every CSIRT must provide, at a minimum, incident management. A CSIRT is usually the central point of contact when security incidents arise. Like a fire department, a CSIRT must “put out the fire” and restore the status quo in the wake of cyberattacks and security breaches. The faster a CSIRT reacts, the more it can limit the resulting damage through rapid response and recovery; this helps preserve business continuity and lowers overall costs at the same time.

Incident handling comprises three functions: reporting, analysis and response. In more detail, CSIRT incident handling activities usually include:

  • Understanding cybersecurity incidents: CSIRTs must know the nature of an incident and its technical repercussions. Maintaining an incident repository (records of past incidents), for instance, lets the CSIRT analyse the trends and patterns of a particular kind of attack, which may allow the team to draw conclusions that help avoid recurrence of the same or similar incidents.
  • Dealing with the negative impact: CSIRTs must do all they can to research the problem and recommend feasible solutions and workarounds. The actual implementation of response strategies, e.g., a business continuity plan, should be accompanied by coordination and supporting operations (with third parties, for instance).
  • Helping others stay alert: CSIRTs distribute security alerts to the organization’s members on the latest risks, exploits, threats and attacks.
  • Crafting mitigation strategies

A CSIRT may have secondary duties, such as:

  • Recommending best practices and strategies for secure configuration and in-depth protection of critical assets (e.g., infrastructure reviews)
  • Vulnerability assessment (e.g., penetration testing, vulnerability scanning, etc.)
  • Active participation in the computer forensic evidence collection phase (e.g., providing support for legal and law enforcement agencies)
  • Awareness training and education
  • Security policy development

Although there is no unified standard consolidating the functions and services every CSIRT should offer, and each team is free to tailor them to the needs of its constituency or parent organization, protection of critical infrastructure is a key goal of every CSIRT.

Should I Establish a SOC or CSIRT Team?

One author sheds some light on the SOC-CSIRT relationship on the Gartner blog network. According to his observations, his “clients with THE MOST mature security operations” apply a “tri-team” model for detection and response, consisting of:

  1. SOC: Purpose is “primarily monitoring and threat detection in near real-time, and of course alert triage.”
  2. CSIRT: Ensures effective and timely incident response.
  3. Threat center: Refines threat intelligence, profiling threat actors and creating internal databases for threat prevention and detection.

SOCs and CSIRTs can not only co-exist but also be complemented by other similarly structured entities to maximize protection.

In terms of structure and information sharing, SOCs tend to work in isolation and in practice rarely cooperate with other SOCs, because of confidentiality clauses signed with customers; CSIRTs, by contrast, may be vertically structured into sector CSIRTs and may be obligated to report to a national CSIRT.

As far as scope is concerned, SOCs typically serve a single organization. CSIRTs can serve a single organization too, but they also operate at sector, national and public levels.

Under normal circumstances, the CSIRT is the team responsible for incident management. If there is no CSIRT, the SOC assumes this responsibility. Where both teams co-exist within the corporate environment, the SOC assists the CSIRT by collecting the information needed to counter and respond to cybersecurity threats effectively.

Figure 1: SOC & CSIRT Characteristics

This figure is based on “Table 6: SOC and CSIRT common and unique services,” which can be found in E-CMIRC: Towards a Model for the Integration of Services Between SOCs and CSIRTs by Jacobs, P., Solms, S. & Grobler, M.



Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master’s degree in 2009. From 2008-2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security programme at Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.
