What are the components of a security operations center?

Background

If you are thinking about building a SOC, the first question that comes to mind is probably this: what are the components of a security operations center?

A security operation center has three main components:

  • People
  • Process
  • Technology

If you are interested in knowing more about these components and how, combined, they make a SOC succeed or fail, then just keep reading.

Building a SOC is not a one-day or even a one-month project; it is really one of the hardest projects a company can take on. This is due to the nature of the project, which requires investing money, investing time, and dedicating people.

SOCs are built on three main components, as I have already said, and each one of them is very important and cannot be separated from the others. Even more, having a problem in just one of the three components will make the SOC unsuccessful.

Component 1: People

I guess one of the most difficult parts of the SOC is finding the right people and making them work in harmony. I mean, you can get the best world-class security solutions to operate the security operations center, but if those solutions are not tuned or used by experienced and skilled people, then they become useless. Moreover, creating a sophisticated and high-quality process to manage your SOC will never replace a well-experienced SOC manager or leader.

Therefore, the first component that I will talk about here is people.

What kind of people do you need in a SOC?

To run your security operations center you will need different people for different roles, so here is a list of some profiles that are essential for the SOC:

  • SOC manager

Of course, a leader is always needed; I think the title of the role already explains itself. This is the person who will lead and manage the whole security operations center.

  • Analyst

Basically, this is the heart of the SOC: the analyst is the one responsible for performing all the analysis, investigation, and reporting. In addition, this role can be divided into two or more levels depending on the structure and the budget of the SOC.

For example, you can create a SOC with two levels. When an incident occurs, the first-level analysts (in general junior analysts with very little SOC experience) perform the first basic analysis and investigation. However, when a rare or new incident happens that requires deeper analysis and investigation, a level-two analyst is needed (in general a senior analyst, or even just someone with deep knowledge of the monitored network).

  • SOC engineer

A SOC engineer is responsible for installing the tools used in the SOC. He is always working on new projects to enhance the capability of the SOC in terms of new technologies and tools.

  • SOC operator

The SOC operator is a complementary job to the engineer. The SOC operator focuses on maintaining the SOC tools installed by the SOC engineer and nothing else. The difference between this role and the SOC engineer is that the latter works on new tools and tries to enhance the capabilities, which is not the case for the operator.

To reduce the cost of the SOC project and the number of employees, most of the time, SOC engineers and operators are employed by the vendors.

Some of those roles, especially the ones that need a lot of experience are difficult to find. Therefore, a training plan needs to be put in place to grow your team’s capabilities and knowledge. Unfortunately, experience is not the only challenge you may find while building your team. Your team members may have experience working in other companies but never together. Therefore, creating harmony between the members of your team will take time and effort.

What skills are needed for a SOC analyst?

To find the right people to work with you, you first need to know what skills you are looking for. In this part of the post, I am going to discuss the skills a SOC analyst needs in order to do the job right.

I will not talk about the SOC engineer or the SOC operator, as those are mainly network security engineers who need a deep understanding of the tools they are installing and maintaining, and in general that's all. In addition, those profiles are more product-focused, so depending on the tools you are going to install in your SOC you will need people who are experts in those tools.

A SOC analyst needs to have a good base of knowledge in the following three skills:

  • Ethical hacking
  • Incident response
  • Computer forensics

A more experienced and skilled analyst may also have good knowledge of reverse engineering concepts and tools. To be honest, this skill is very rare and not many people master it. However, in most cases a junior SOC analyst will not need this skill to do a good job anyway.

Component 2: Processes

When talking about processes, meaning what should be done in which situation and how in the SOC environment, there are a lot of things that need a written process. Unfortunately, I won't be able to talk about all of them in this blog post. However, I will discuss some of the most common ones that you need to have in your SOC.

Incident triage process

Incident triage is the first step in the incident response plan. In this process, the person responsible (who can be a simple network admin or anyone with the right privileges to see the network's incidents) tries to categorize the incident and assign it a risk level. After deciding whether further investigation is needed or not, the responsible person assigns the incident to the right person (a level-1 or level-2 analyst) depending on its criticality, for further analysis.
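As an added illustration (not code from the post), here is one way to encode the triage decision described above: categorize, score a risk level, and route to a level-1 or level-2 analyst, with rare or never-seen categories sent to level 2 as the two-level model suggests. The categories, scores and thresholds are hypothetical values chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    CLOSE = "close"     # no further investigation needed
    L1 = "level-1"      # first-level (junior) analyst
    L2 = "level-2"      # senior analyst / deep-knowledge responder


# Base risk per incident category on a hypothetical 1-5 scale (constructed values).
BASE_RISK = {
    "phishing": 2,
    "malware": 3,
    "brute-force": 2,
    "data-exfiltration": 5,
    "policy-violation": 1,
}


@dataclass
class Incident:
    category: str
    asset_critical: bool   # does it touch a business-critical system?
    confirmed: bool        # was the detection validated, or is it a bare alert?


@dataclass
class Triage:
    risk: int
    tier: Tier
    reason: str


def triage(inc: Incident, seen_categories: set) -> Triage:
    """Categorize, score and route one incident.

    seen_categories is the set of categories the SOC has handled before;
    anything outside it is treated as "rare or new" and goes to level 2.
    """
    if inc.category not in BASE_RISK:
        return Triage(4, Tier.L2, "unknown category, needs deep analysis")
    risk = BASE_RISK[inc.category]
    if inc.asset_critical:
        risk = min(5, risk + 1)          # critical asset raises the level by one
    if inc.category not in seen_categories:
        return Triage(risk, Tier.L2, "category never handled before")
    if risk <= 1 and not inc.confirmed:
        return Triage(risk, Tier.CLOSE, "low risk, unconfirmed alert")
    if risk >= 4:
        return Triage(risk, Tier.L2, "high criticality")
    return Triage(risk, Tier.L1, "routine analysis")
```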

Incident reporting process

Closing a computer security incident refers to the eradication phase in which the vulnerabilities that caused the event have been closed and all traces of the incident have been cleaned up.

Incident analysis process

The incident analysis process is the main work of the SOC team. This process defines the way to detect the root cause of the incident and how to contain it at the earliest stages.

Incident closure process

The incident closure process starts when the vulnerability that was the reason behind the incident has been fixed. In addition, this process includes testing and verifying that the vulnerability has been successfully fixed.

Post incident activities process

This process concerns the whole SOC team; it is a sort of lessons-learned process where you try to gather as much information as possible to teach the rest of the team about this new case.

Vulnerability discovery process

This process defines the way vulnerabilities are discovered in the IT network and how to evaluate their impact. In addition, this process may also describe the way to consume external vulnerabilities data sources, and how to verify them with the internally used solutions.

Vulnerability remediation and tracking

This process describes the way to communicate vulnerabilities to system owners and how to remediate and track them.

Component 3: Technology

For this part of the SOC components, I really don't want to go deeper, as that would make this blog post too long. Therefore, I am going to give you just an idea of the main tools and technologies you will need in your SOC:

  • SIEM
  • EDR/XDR
  • IPS/IDS
  • Cyber threat intelligence feeds and databases
  • Vulnerability scanners

Written by: Z. Oualid


About the author

Z. Oualid

I am a Cyber Security Expert; I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hardest technical certifications in the cybersecurity industry. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).


Post comments (2)

  1. Andy B on

    Thank you for posting such a nice and well-written document. I am new to the Information Security field. I am currently working as a PAM Analyst for a Gas & Pipeline company and would like to get into the Cyber Security field, but I am facing the big hurdle of not having direct work experience with security products. I come from an IT/Administration background, and recently I passed the CompTIA Security+ certification. I am interested in getting into the SOC field so I can learn many of these technologies. What advice would you give me to help me get into the Cyber Security/SOC field, or what training would you recommend me to take? Thank you.

  2. Z. Oualid on

    Hi Andy, sorry for the late response.
    To start a career in a SOC, I encourage you to start learning more about forensics, malware analysis, and reverse engineering. They are some of the most important skills for this job. In addition, if you can afford a certification in one of the most popular SIEM solutions like QRadar or so … it would be a big plus for you.
    Good luck, and don't hesitate to ask me anything … sorry, I get so many spam messages, which makes it difficult to differentiate a good comment from spam; that's why it took me so much time to see yours.
