What is a Security Operations Centre (SOC)? 

A Security Operations Centre (SOC) combines people and technology to manage the cyber security of your business day to day. The technology is typically a Security Information and Event Management (SIEM) platform that collects and correlates logs from across your systems; the people are a team of cyber security analysts, the SOC team, who monitor the SIEM's output in order to prevent, detect, analyse, and respond to security incidents.

 

What is SIEM? Check out our article on this topic first to find out more. 

 

The SOC team is made up of dedicated experts who provide proactive 24-by-7 monitoring of your network and systems. This includes tuning and monitoring the SIEM so that attacks and attempted breaches are spotted as they occur, after which the team can respond in real time to contain the intruders or malware. To be effective, a SOC team must stay one step ahead of the attackers, which is hard to achieve in-house when the business lacks staff with the necessary cyber security skills.

 

The SOC team must be able to analyse suspicious activity and determine the scale of a given threat. Part of this is viewing the network and its operations from an attacker's perspective, for example identifying exposed parts of the network that could be exploited. To understand the threats your business could face, the SOC team triages the various types of security incident, working out how a potential attack would unfold and how to respond to it effectively. Current global threat intelligence, knowledge of the organisation's own network, and specifics of attacker tools, techniques, and trends all feed into this triage.

 

In the event of a security incident the SOC team acts as first responder. If ransomware gets into your network and activates at 3 am on a Sunday, the team spots it and steps in to contain and remediate the problem while you sleep. The goal is to return the network to the state it was in before the incident or attack took place. Containment means isolating affected endpoints (which can mean disconnecting computers from the network), terminating harmful processes such as a piece of malware running on a device, and blocking the malicious files so they cannot execute on other machines. Once the intruder's access has been removed, the SOC team works to restore and recover: wiping and rebuilding endpoints, reconfiguring systems, and, in the case of ransomware, restoring data from backups. Restoring before the attacker's foothold is gone risks simply re-infecting the recovered systems.

 

Most organisations use an assortment of security tools, often hosted and controlled by different departments. This presents a challenge to SOC teams, who have to translate and coordinate security policies and alerts between these tools and environments, which is costly, complex, and inefficient. Security is a holistic exercise, which is why we prefer SIEM systems: they correlate event logs from multiple systems so that you can see what is going on across the entire network at the same time. Our SIEM service, backed by our SOC, is a cost-effective way to meet the PCI-DSS requirements for daily log monitoring and investigation, including log retention for 12 months.

 

When tools are used to aid threat detection they must be properly configured, otherwise they produce far too many alerts. Wading through pages of alerts adds to the security monitoring team's workload without identifying incidents, so the important events that show a potential breach are still often missed. An expert SOC team tunes the tools (setting sensible thresholds, allowlisting known-good activity such as internal scanners, and correlating related events from different sources into a single alert) so that critical events are not buried and are addressed immediately: suspicious activity is investigated, intruders or malware are contained, and compromised machines are isolated.
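As an added illustration of the two points above, correlating logs from more than one system and tuning so that noise does not bury the real incident, here is a small correlation engine written for this page. It is example code, not Cool Waters' SIEM, SentinelOne, or any vendor's product. The log line layout, the user and host names, the IP addresses, and the constructed sample lines are all assumptions made for the example. It parses lines from two sources (an auth gateway and an endpoint agent), raises one alert per affected user rather than one per line, escalates severity when both sources implicate the same user, and shows how an allowlist stops a nightly scanner generating the same alert as a genuine brute-force login.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from two log sources, a VPN/auth gateway and an
# endpoint agent. The "<ts> <source> <action> key=value ..." layout is an
# assumption made for this example, not any vendor's real format.
SAMPLE_LOGS = [
    # alice: five failed logins then a success, all from one address
    "2024-03-03T03:00:01Z auth FAIL user=alice src=203.0.113.9",
    "2024-03-03T03:00:04Z auth FAIL user=alice src=203.0.113.9",
    "2024-03-03T03:00:07Z auth FAIL user=alice src=203.0.113.9",
    "2024-03-03T03:00:09Z auth FAIL user=alice src=203.0.113.9",
    "2024-03-03T03:00:11Z auth FAIL user=alice src=203.0.113.9",
    "2024-03-03T03:00:15Z auth OK user=alice src=203.0.113.9",
    # two minutes later alice's workstation spawns PowerShell from Word
    "2024-03-03T03:02:30Z endpoint PROCESS host=WS-17 user=alice image=powershell.exe parent=winword.exe",
    # bob mistypes his password once; normal, must not alert
    "2024-03-03T03:05:00Z auth FAIL user=bob src=192.0.2.50",
    "2024-03-03T03:05:02Z auth OK user=bob src=192.0.2.50",
    # the internal vulnerability scanner shows alice's pattern every night;
    # left untuned, that is a page of useless alerts
    "2024-03-03T03:10:00Z auth FAIL user=svc-scan src=10.0.0.5",
    "2024-03-03T03:10:01Z auth FAIL user=svc-scan src=10.0.0.5",
    "2024-03-03T03:10:02Z auth FAIL user=svc-scan src=10.0.0.5",
    "2024-03-03T03:10:03Z auth FAIL user=svc-scan src=10.0.0.5",
    "2024-03-03T03:10:04Z auth FAIL user=svc-scan src=10.0.0.5",
    "2024-03-03T03:10:05Z auth OK user=svc-scan src=10.0.0.5",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<action>\w+)(?P<kv>.*)$")

# Office applications spawning a shell is a classic macro-malware pattern.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def parse_line(line):
    """Normalise one raw line into a dict with a common schema, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "source": m.group("source"),
        "action": m.group("action"),
    }
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def correlate(lines, fail_threshold=5, window=timedelta(minutes=5),
              allowlist_src=frozenset()):
    """Run two rules over events from both sources and return one alert per
    affected user, so an analyst sees one incident rather than 16 lines."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    fails = defaultdict(list)   # user -> timestamps of failed logins
    alerts = {}                 # user -> alert dict

    for ev in events:
        if ev["source"] == "auth":
            if ev.get("src") in allowlist_src:
                continue        # tuning: known scanners never feed this rule
            if ev["action"] == "FAIL":
                fails[ev["user"]].append(ev["ts"])
            elif ev["action"] == "OK":
                recent = [t for t in fails[ev["user"]] if ev["ts"] - t <= window]
                if len(recent) >= fail_threshold and ev["user"] not in alerts:
                    alerts[ev["user"]] = {
                        "user": ev["user"], "src": ev["src"], "severity": "medium",
                        "reason": [f"{len(recent)} failed logins then success"],
                    }
        elif ev["source"] == "endpoint" and ev["action"] == "PROCESS":
            if ev.get("parent") in SUSPICIOUS_PARENTS and ev.get("image") in SHELLS:
                note = f"{ev['parent']} spawned {ev['image']} on {ev['host']}"
                alert = alerts.get(ev["user"])
                if alert is None:
                    alerts[ev["user"]] = {"user": ev["user"], "host": ev["host"],
                                          "severity": "medium", "reason": [note]}
                else:
                    # same user already flagged by the auth rule: the two
                    # sources together are far stronger than either alone
                    alert["severity"] = "high"
                    alert["host"] = ev["host"]
                    alert["reason"].append(note)
    return list(alerts.values())


if __name__ == "__main__":
    for label, allow in (("untuned", frozenset()), ("tuned", frozenset({"10.0.0.5"}))):
        print(f"--- {label} ---")
        for a in correlate(SAMPLE_LOGS, allowlist_src=allow):
            print(a["severity"].upper(), a["user"], "|", "; ".join(a["reason"]))
```

Run untuned, the engine raises two alerts: a high-severity one for alice (brute-force success followed by Word spawning PowerShell on WS-17) and a medium one for svc-scan that is pure noise. Adding the scanner's address to the allowlist leaves only the alice incident, while bob's single typo never fires at all. In a real SIEM the threshold, window, and allowlist live in the rule configuration, and the endpoint agent would be the source of the process event; the point is that the analyst receives one enriched alert rather than sixteen raw lines.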

 

Cool Waters Managed Cyber Team provides industry-leading SentinelOne endpoint protection for PCs and servers, combined with a SIEM service that captures the logs from all your computers, firewalls, and network devices. The SOC team actively monitors your whole network to detect and remediate incidents immediately. Our SOC service is only available to Managed Cyber Team clients and is a cost-effective way to meet the log capture and active monitoring requirements of PCI-DSS.

 

Our Emergency Response Team (ERT) is available to assist with significant attacks on your network, drawing on the SOC team's expertise to deploy, at short notice, specialists skilled in handling the most complex and aggressive ransomware and cyber attacks. ERT is only available to customers who use our SOC services.

 

Book a free discovery call to find out how quickly and easily we can get started. 
