Why Does a Company Need a Security Operation Center (SOC)?

The structure of modern companies is quite extensive. Depending on the direction of the activity and size, it can consist of dozens of different areas and sections, which are combined into a common structure. One such department is the Information Security Monitoring Center (SOC). The task of such a center is to ensure the protection of the company's network infrastructure from various kinds of cyber threats, whether they come from a hacker, an insider, or an inexperienced developer. In this article, we will tell you about the benefits of a security operations center as a service, the difference between internal and commercial centers, the performance markers, and the SOC selection criteria.

What Is SOC?

If we draw an analogy, then SOC is a security department, only for the digital space. Security tools act as locks, and authentication systems replace keys and passes. The alarm functions are performed by monitoring and warning systems, and the role of “security” is performed by the information security specialists themselves.

In a commercial SOC, the same principle applies: it is, in effect, a private cybersecurity company that works with several companies at once, monitors their infrastructure, and responds to incidents.

Like any structure, the SOC has its own performance criteria, by which the company’s management can understand the effectiveness of the information security monitoring center.

Technical Components of SOC

The specific list of technical solutions and tools may differ depending on the scope of the company and the characteristics of its network infrastructure. But in general, it contains the following elements:

  • end-point and network-level security;
  • detection and scanning systems;
  • means of processing, analysis, and notification.

The ecosystem approach at this stage in the development of information security tools is considered the most effective since it can significantly increase the likelihood of detecting incidents and the speed of response.

However, this does not eliminate the need for human specialists to distinguish real incidents from false positives and to make decisions in cases where the machine does not have a suitable incident response algorithm.

SOC Staff

In the case of an internal SOC, the staffing can vary widely. Much depends on factors such as the equipment of the monitoring center and the budget for cybersecurity. In this case, the budget is directly regulated by the number and qualifications of specialists.

In the case of commercial SOCs, the situation may also be different. The main factors here are the presence of the company’s own software products and the development of the company’s services. Based on them, the list of SOC employees may include a DevOps specialist, a legal consultant, and a number of other specialists.

As a rule, the list of employees of the information security monitoring center includes:

  1. Network administrator. An engineer who sets up information security systems and is responsible for the continuity of data exchange between them, as well as the output from them.
  2. Rule-setting specialist. This person is responsible for formulating rules for SIEM and other similar systems.
  3. Level 1 analyst. This analyst is the first to process an incident, separating false positives from real threats, and takes the first response actions in accordance with the regulations established by the company.
  4. Level 2 analyst. If the first-level specialist does not know what to do, the second-level analyst steps in. This is an experienced information security specialist who can understand a difficult situation and make a creative decision, without relying on the rules of response.
  5. Reverse engineering specialist. This is an expert with high competencies in development who has the knowledge and skills to understand malware that is unfamiliar to both the level 2 analyst and the auxiliary systems.
  6. Forensics expert. Regardless of how the incident ended, it needs to be investigated, in particular to assess the damage caused, describe the behavior of the malware, and track the path of the hackers back to the point of entry into the infrastructure. All this is done by a forensic expert, that is, a specialist in computer forensics.
  7. Cyber intelligence specialist. The task of this expert is to check information systems for hidden hacker activity, for example APT attacks. The work includes both monitoring systems and studying data from hacker forums.

Despite such an impressive list, in practice it is not uncommon for a SOC to consist of 1-3 specialists. They may handle everything themselves, or use the services of outsourcing companies if necessary.

SOC Selection Criteria

Conventionally, all criteria can be divided into two large groups. The first is subjective factors, for example the focus of an information security company on a particular sector or industry. A commercial SOC as a service may have customers predominantly in manufacturing industries, or a large number of IT-focused companies. Such a specialization may indicate that the service provider has extensive experience in protecting infrastructures similar to the client's and a comprehensive understanding of their issues.

The second group is the objective characteristics of the SOC, which include the level and relevance of technical equipment, the number and level of specialists, and other specifics.

If we talk about purely business criteria, then these are the cost of the services and their completeness. It is important to say that the current level of development of the information security services market allows customers to receive the entire range of information security services from one company, according to the Sec-as-a-service model. The industry leaders can offer almost the entire arsenal that is available in cybersecurity, up to connecting to a bug bounty platform and consulting at the CISO level.

If you are interested in the idea of supporting cybersecurity with the help of a SOC, then you have several options: creating your own center or outsourcing. If you are looking for a security operations center as a service, take a look at Under Defense. This is a reliable managed SOC service provider with many years of experience protecting businesses from various kinds of cyber threats.