Security operations center: principles & trends

Despite all the protective measures, attackers are still penetrating company networks and, for the most part, no-one notices. Yet it is vital to detect any attack quickly to avoid major losses. Which is where monitoring comes into play, carried out professionally in a security operations center (SOC). An SOC analyzes and monitors all the events in an organization’s systems. This creates an overview of the current threat situation for a system landscape and its organization. Although more than 80% of companies that have a SOC see it as an essential component in their cybersecurity strategy, 51% also complain of the diminishing return on investment (Ponemon Institute). For most companies, especially SMEs, running an in-house SOC is a huge expense since it takes at least 8 to 12 security experts to ensure 24/7 operations. For this reason, where necessary, this function can be outsourced to a managed security service provider (MSSP).

In short: what is a SOC?

A SOC brings all the relevant people, processes, and technologies under one roof. The SOC combines the function groups (e.g., analysts, security engineers, and SOC managers) needed to be able to assess the threat situation for a system landscape. The benefit of a SOC is that the employees assigned to it are able to focus on effective cyber defense, since they are often separated from regular IT operations.

Even though all SOCs work to ensure secure system operations, their focus often varies. The technical scope of a SOC can be divided into three roles:

1. Control and monitoring. The SOC ensures the secure status of the systems by monitoring for proper business operations.

2. Handling. The SOC focuses on identifying and analyzing loss events and any relevant responses (incident response).

3. Operations (in rare cases). The SOC ensures secure system administration (including, e.g., identity and access management).

Since the SOC is often linked with a CERT (computer emergency response team), especially if it is run by a service provider (MSSP), the focus is mainly on monitoring and handling security-relevant events (i.e., resolving cyber attacks). System administration is usually an in-house task.

Its technical scope covers the protection of networks, websites, databases, servers, and applications. Analysis incorporates log data from all systems and the data should ideally be checked for anomalies in real time. Both statistical methods and predefined use cases (What is ‘normal’? What indicators suggest an attack? For example, an unexpected device login on a different continent) can be used to guarantee a rapid response when an incident occurs. This task is usually handled by a SIEM solution (security information and event management), such as Splunk, QRadar, or LogRhythm, and so represents a core component of the SOC.


Running a SOC efficiently is becoming more of a challenge. One key driver here is the expansion of system landscapes and the associated data volume in the SOC.

Increased automation is one way to counter this: some administrators have even suggested that in a complex SOC, nothing works anymore without SOAR (security orchestration, automation and response). 92% of security experts see the need for automation in the SOC. SOAR is not a standalone solution but rather a combination of various programs that facilitate an automated response without human intervention. To achieve this, SOAR solutions need to have three core functions.

Core functions of SOAR solutions

1. Threat and vulnerability management

2. Functions to support the response to security incidents

3. Automated orchestration of process flows for security operations (e.g., implementation of guidelines, reporting, response).

SOAR solutions and SIEM products aggregate data from a range of sources. In practice, that means SOAR functions are often deployed as an add-on to SIEM solutions. Industry experts assume that in the future, SIEM and SOAR solutions will continue to coalesce.

In real life, an automated response to security-relevant events is very useful. However, when it comes to automated processes, it is vital to ensure that the SOC’s response cannot be predicted by outside parties. As such, operators need to be aware of their blind spots and run random manual analyses to potentially trigger a manual response. This might include honey pots (setting up an attractive but fake target for attackers as a decoy from the real system), which can help find out more about the attackers and simultaneously validate a company’s in-house response capability.

One option to manufacture a certain level of unpredictability is through machine learning (ML) and artificial intelligence (AI). The use of AI and ML is increasingly relevant in effective SOC operations.

Key reasons to use AI and ML in a SOC:

1. The frequency – and thus speed – of attacks is increasing. So rapid detection of security incidents is becoming more difficult, but is as important as ever. In its 2020 Data Breach Report, Verizon calculated that a data leak discovered within the first 200 days saves an average USD 1 million compared to discovery later on. In other words: efficient monitoring and log analysis in the SOC saves cash money.

2. The growing use of OT and IoT is enlarging the overall landscape and thus the volume of data traffic that a SOC has to monitor. Meaning that 93% of all SOCs are not capable of adequately investigating every single anomaly. For administrators to maintain an overview, ML algorithms needs to automatically learn what is ‘normal’ so they can identify anomalies (e.g., during bot attacks).

At an organizational level, one of the most significant challenges for companies is recruiting suitable expert IT security personnel, i.e., for the SOC. Companies opt for various approaches to be able to run a SOC despite the shortage of talent: many have already had success with creative solutions, such as internal staff training or rotations from related areas. Other companies have decided, especially in view of the pandemic, to run their SOC externally through a managed security service provider (MSSP), as this eliminates the need to recruit their own specialists.

At CyberCompare, we regularly offer our customers recommendations for suitable SOC providers. Ours is a 6-step approach:

Since SOCs are often very expensive, it is worthwhile to reinforce other aspects of IT security beforehand as a way to smooth the path to a permanent SOC. CyberCompare helps prioritize these actions with its cybersecurity diagnosis, based on which we identify your most urgent needs and derive recommended actions.

Email us directly (email us) or give us a call (+49 711 811-91494) and we’ll be happy to provide additional information about our diagnostic process tailored to your individual requirements. Alternatively, use our diagnostic tool to test your cyber risk profile online.