The definitive guide to SOC services

SOC services, delivered through a Security Operations Centre (SOC), play a critical role in enhancing organisational security.

In this blog post, we provide an in-depth insight into the role of SOC services, how they work, and their benefits and potential challenges.

What are SOC services?

A Security Operations Centre, or SOC, is a specialist facility that brings together the people, technology and threat intelligence that organisations need to monitor their environments for threats. In a SOC, a dedicated team of security analysts, engineers and responders leverage a range of security technologies in order to monitor cloud and on-premises infrastructure and the configuration and management of all deployed security technologies to detect and respond to potential security incidents on a 24/7 basis.

A SOC service is an outsourced solution dedicated to maintaining and advancing an organisation’s cyber security posture, in the same manner that an in-house SOC would. The advantages delivered by SOC services mean that developing or accessing this type of capability should be a priority for any organisation seeking to elevate its cyber maturity.

How a SOC works

A Security Operations Centre works by providing a centralised hub that combines specialist expertise, technology and insight to enable organisations to adapt more quickly and effectively to the changing threat landscape. A SOC brings together all the capabilities required to maintain and improve cyber security around the clock. SOC staff leverage a wide range of technologies to ensure that potential security incidents are identified as early as possible and response actions are put in place to remediate them quickly and effectively. A SOC’s core functions cover:

Prevention and detection – SOC services work proactively rather than simply reacting to threats, monitoring networks around the clock. This allows them to detect and address potentially harmful issues before they cause damage. Their role in this area also involves gathering information about any suspicious type of activity.
Investigation – At this stage, SOC analysts will assess suspicious activity to determine the specific nature of the potential threat and how far it has been able to attack an organisation’s infrastructure. They take an offensive approach to networks and operations, looking for key indicators and areas of exposure from the perspective of an attacker to ensure that they cannot be exploited. SOC analysts also triage security incidents, leveraging insights about the network, alongside threat intelligence about the attacker’s tools and techniques.
Response – Following the investigation stage, the SOC coordinates a response to remediate the issue effectively. This is when its role as first responder comes into its own, with key steps such as isolating endpoints, mitigating malicious activities and preventing the deletion of files. This stage also involves restoring systems and recovering lost or compromised data to return the network to the state it was in before the incident.

The sheer resource burden of building and staffing an in-house SOC can put it out of the reach of all but the largest enterprises. To reduce the strain on already stretched IT and security teams, many organisations are turning to SOC services as a virtual extension of their in-house teams to meet these security requirements.

What types of activities are SOC services responsible for?

SOCs typically take the lead on:

System deployment and management
Log management and monitoring
Incident investigation, triage and response
Vulnerability and patch management
Compliance reporting
SIEM, IDS, EDR and other system tuning
Triage and analysis of alarms
Root cause and kill chain analysis
Threat hunting

Security technologies managed by SOC services

Running SOC services involves managing a wide array of security technologies, including:

Endpoint detection and response (EDR)
Security information and event Management (SIEM)
Extended detection and response (XDR)
Security orchestration, automation and response (SOAR)
Network traffic analysis (NTA)
Next-generation antivirus (NGAV)
Next-generation firewalls (NGFW)
Vulnerability management and assessment

Types of SOC services

SOC services are available through a number of models. These may include:

In-house SOC

While not strictly a SOC service, in-house or internal SOCs are usually reserved for the largest enterprises only. In-house SOCs are operated by organisations themselves but may include some minor support from a security partner. While this option provides a high level of control, the costs and complexities involved mean that it is only suitable for the largest and best-resourced companies.

Ensuring the cyber resilience of an organisation demands a range of technologies to block common threats, gain visibility of malicious activity and enable an effective response to genuine incidents as and when they arise. However, these tools are often costly, resource-intensive and can quickly become obsolete. Many security systems generate a large volume of alerts. Without a specialist team dedicated to investigating and responding to them around the clock, it can be easy for them to become buried in the noise. With the ongoing recruitment issue in the tech industry, another challenge associated with in-house SOCS is recruiting, retaining and training the specialist staff required to maintain a high standard of service.

Hybrid SOC

A hybrid SOC or co-managed SOC is a security facility that is operated both by a company and its security partner, meaning that it is run partly in-house and part-outsourced. This option brings together the combined skills of both organisations. Although the hybrid model can help to reduce the costs of running SOC services, while also boosting efficiency, it can also add further complexity to the demands of operating a SOC.

Managed SOC

A managed SOC service is provided by a specialist external provider to ensure a hassle-free and cost-effective option for organisations that lack the necessary resources to build their own in-house SOC. By deploying, configuring and maintaining security products and providing the experts, threat intelligence and automated actions needed to hunt for threats 24/7, an outsourced SOC reduces the complexity of managing disparate security technologies and provides the threat notification and remediation advice needed to respond effectively to attacks.

Who works in a SOC?

Maintaining an effective SOC demands the right mix of specialist skills. A SOC team typically includes:

SOC Managers – Oversees regional SOC teams, ensuring that they are staffed effectively and have the resources to meet the many requirements of defending a company’s security posture.
Security Analysts – Work in the frontline conducting 24/7 security event monitoring, incident analysis and triage, as well as performing essential response. Their role also involves searching for vulnerabilities and taking steps to help enhance security. This profile of a Kroll junior SOC analyst provides a more detailed insight into the job. Larger SOCs may require senior security analysts to work with a dedicated focus on a specific area such as threat intelligence, proactive threat hunting or forensics.
Security Engineers – Liaise closely with cyber security analysts to deploy and configure an organisation’s security technologies, such as firewalls and network monitoring tools like SIEM, intrusion detection, and endpoint detection and response platforms. Security engineers are also responsible for tuning all technologies to ensure that they are as effective as possible and generate fewer false positives. They achieve this by baselining technologies to more easily identify deviations from typical activity, as well as setting up threat detection rules, or use cases, to detect specific types of suspicious activity and trigger automated responses.
Incident Responders – Help to address and manage security incidents when they occur, by building an understanding of the incident, taking control and coordinating quick and effective response. Their role also involves conducting forensics to identify the root cause of a problem and help to prevent similar incidents from happening again.

The benefits of SOC services

The advantages of using SOC services include:

24/7 monitoring

Security threats can occur at any time of the day or night. Companies that rely only on security solutions that monitor only during office hours are at significant risk of attack. SOC services deliver continuous monitoring of a company’s IT infrastructure and data, ensuring that threats can be managed and mitigated in real-time.

Enhanced threat intelligence

Access to the latest threat intelligence and the capacity to incorporate it into the threat detection process is critical to the success of a SOC. However, achieving this internally can be complex and time-consuming. An effective managed SOC service has the capacity to gather the latest intelligence, such as indicators of compromise, and harness this information to enhance the effectiveness of detection systems and processes. This insight can be gained through sources such as intelligence-sharing partnerships, internal cyber research and red team insight.

Compliance reporting

Increasing regulatory and legislative demands mean that compliance reporting is a significant burden. The insights gained by SOCs can help businesses to comply with industry regulations, such as those for financial services and healthcare.

Advanced incident response planning

Incident response planning is a critical aspect of an effective cyber defense strategy. The in-depth insight gained through SOCs’ threat detection and monitoring can support businesses to develop and implement incident response plans, ensuring that they are prepared to respond to a cyberattack quickly and effectively.

Greater return on investment

Facing the burden of addressing so many types of threats, means that, without the support of a SOC, organisations may risk failing to maximise their security investment while also weakening their security posture. However, even companies aiming to run a SOC in-house can experience these types of issues due to challenges with recruiting and the costs of continually updating technology. The support of a managed SOC provides a more consistent option and a better return on investment.

Free up in-house security teams

The fast-moving security landscape is already putting internal teams under great pressure. This is only added to by the demands of dealing with and analysing a large volume of alerts without the support of specialists, potentially leading to cyber security alert fatigue. SOC services enable organisations to reduce the risks of missing a potential incident and also reduce employee burnout.

Better tracking of mean time to detect (MTTD)

MTTD is the average time it takes to identify that a breach has taken place and is a key measure in cyber security. It is possible to use data from multiple breaches affecting an organisation to calculate an average figure for the amount of time each discovery takes. However, it can be challenging to accurately assess how long detection actually takes: a major issue for businesses aiming to improve their ability to respond to and detect issues. In managed SOC services, this type of key detection management and measurement is done for organisations, delivering better insight and enhanced cyber security.

Continually updated security insight and technology

Having the capacity to adapt to the highly variable threat landscape demands a wide range of continually updated technology. Achieving this is not a realistic goal for most companies due to the costs and level of effort required. SOC services provide the ability to detect threats across an organisation’s networks and endpoints by harnessing a combination of prevention, detection and deception technologies. They reduce the complexity of managing disparate security solutions by deploying, configuring and managing security tools on a 24/7 basis.

Specialist knowledge and skills

Organisations seeking to recruit and retain the right people to help in the frontline against security threats can experience a multitude of challenges. From hiring an effective combination of SOC specialists to ensuring that their skills are kept up to date, for most companies, achieving a level of expertise to match that of a managed SOC service is not feasible. SOC services bring together a wide range of highly experienced security experts, providing both the capacity and capability to function consistently and continuously.

Accessing SOC services through MDR

Managed Detection & Response (MDR) is an advanced type of security service goes beyond the support offered by traditional SOC monitoring, adopting a proactive approach to threat prevention, detection and response. This type of service provides a complete turnkey approach – supplying the people, tools and intelligence needed to hunt for, disrupt and contain cyber threats 24/7/365 – as a virtual extension of your in-house team.

Why choose Kroll?

Kroll Responder, our MDR service, provides extended security monitoring around-the-clock, earlier insight into targeted threats, and complete response to contain and eradicate threats across your digital estate.

Learn how our Kroll Responder can exceed your SOC service expectations by combining seasoned security expertise, frontline intelligence and unrivaled response capabilities, for a fraction of the price of building the same resources in-house.

Discover Kroll Responder

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_ok	session	The cookie is set by Olark live chat software and is used to store most recent Olark site for security purposes.
_okdetect	session	This cookie is set by Olark live chat software. The cookie is used for detecting when storage contexts have changed due to things like ssl or host transitions.
_oklv	session	The cookie is set by Olark live chat software. According to Olark documentation, the cookie is the Olark Loader version used for improved caching.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
hblid	1 year 1 month 4 days	The cookie is set by Olark live chat software and is used as a visitor identifier to remember a visitor between visits.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
_okbk	session	The cookie is set by Olark live chat software and is used to store extra state information of the chat box.
olfsk	1 year 1 month 4 days	This cookie is set by Olark live chat software. This cookies is a storage identifier used to maintain chat state across pages.
SRM_B	1 year 24 days	Used by Microsoft Advertising as a unique ID for visitors.
wcsid	session	This cookie is set by Olark live chat software. The cookie is a session identifier that is used to keep track of a single at session.

Cookie	Duration	Description
_ce.gtld	session	Crazyegg sets this cookie to identify the top-level domain.
_clck	1 year	Microsoft Clarity sets this cookie to retain the browser's Clarity User ID and settings exclusive to that website. This guarantees that actions taken during subsequent visits to the same website will be linked to the same user ID.
_clsk	1 day	Microsoft Clarity sets this cookie to store and consolidate a user's pageviews into a single session recording.
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
cebs	session	Crazyegg sets this cookie to trace the current user session internally.
CLID	1 year	Microsoft Clarity set this cookie to store information about how visitors interact with the website. The cookie helps to provide an analysis report. The data collection includes the number of visitors, where they visit the website, and the pages visited.
MR	7 days	This cookie, set by Bing, is used to collect user information for analytics purposes.
SM	session	Microsoft Clarity cookie set this cookie for synchronizing the MUID across Microsoft domains.
vuid	1 year 1 month 4 days	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
ANONCHK	10 minutes	The ANONCHK cookie, set by Bing, is used to store a user's session ID and verify ads' clicks on the Bing search engine. The cookie helps in reporting and personalization as well.
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
li_sugr	3 months	LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant.
MUID	1 year 24 days	Bing sets this cookie to recognise unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
NID	6 months	Google sets the cookie for advertising purposes; to limit the number of times the user sees an ad, to unwanted mute ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	doubleclick.net sets this cookie to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_ce.cch	session	Description is currently not available.
_ce.clock_data	1 day	Description is currently not available.
_ce.clock_event	1 day	Description is currently not available.
_ce.irv	session	Description is currently not available.
_ce.s	1 year	Description is currently not available.
_CEFT	1 year	No description available.
_cfuvid	session	Description is currently not available.
_okck	less than a minute	Description is currently not available.
_okcs	session	Description is currently not available.
cebsp_	session	Description is currently not available.