Security Operations and the SOC

What is security operations?

Security operations (SecOps) is a combination of the information security and IT departments in a business working together to reduce risk.

What is a SOC?

A security operations center (SOC, pronounced “sock”) often refers to both the security operations team and the actual facility that’s dedicated to detecting and resolving security incidents. A properly run SOC can mean the difference between being safe and becoming a headline.

A security operations center acts as the central security hub for an organization – incorporating telemetry from across the ecosystem and making the final decision regarding how to respond to threats. The term initially referred to a room full of analysts who proactively secured an organization's digital assets that were primarily on-premises. The "room" has now expanded to include a team of experts, working anywhere, who secure an expanded ecosystem.

woman in a security operations center at a computer

What does a SOC do?

The security operations workflow

The security operations workflow is the lifecycle of a security event and the order of operations the SOC must take to address that event. There are typically five steps:


A key step to maintaining organizational security is ensuring your systems are prepared before an attack occurs. This step includes ensuring your tools are patched and up to date, collecting threat intelligence, and running attack simulations.


When an incident does occur, it’s critical to detect it as quickly as possible to prevent it from reaching its full damage potential. Some activities in the detect phase might include making sure your detection content is up to date and performing manual or automated threat hunting.


When, where, and how did an incident occur? That’s what a SOC attempts to find out during the “investigate” step of the security operations workflow. A SOC analyst might look for vulnerabilities that may have been exploited in an attack or look through logs to pinpoint the origin of suspicious activity.


Once a SOC team has the full picture of what’s happening with an incident, it’s time to respond. Response methods may include banning a problematic user, removing malware, or repairing any uncovered vulnerabilities. Response time is key to minimizing potential harm.


Once an entire cycle is complete, it’s important to look back and measure performance. What was your team’s mean time to respond (MTTR)? What was the dwell time between initial penetration and detection? A business can also measure the health of its ecosystem before an attack occurs. How prepared is its environment for certain types of attack? Are all of its tools fully updated and functional?

diagram of a security operations workflow from detect to measure

Security operations center challenges

Here are five common challenges inherent in building an efficient security operations center:

  1. Changing business landscape. A remote work environment introduces many BYOD devices. That, coupled with the explosion of new apps, services, and employees online, creates myriad opportunities for phishing and credential stuffing attacks. Monitoring for user behavior that is outside the norm will help catch this.

  2. Lack of singular visibility. Organizations combat this modern network sprawl by investing in more tools – that don’t integrate well with each other. And they can be so time-consuming to operate that analysts can spend more time learning, managing, and troubleshooting them than responding to security alerts.

  3. Inability to continuously optimize tools. We’re in the middle of a cyber talent shortage, and as companies are moving to new architectures and cloud-based modules, the need for more training (and more hands on deck) has increased beyond the capacity of many to keep up.

  4. Too many manual tasks and processes. What can really exacerbate this problem is organizations still doing so many tasks by hand, many repetitive. With an increasingly complex environment, it is impossible for analysts to keep up, leading to inconsistencies, errors, and headlines.

  5. Lack of actionable metrics. A business may have invested in the tools they need, but have difficulty measuring their effectiveness. As security teams rush to put out fires and implement solutions, tracking the measurements of success can get lost in the shuffle, leading to tool-sprawl, shelf-ware, and directionless security strategy. Typical metrics include things like number of alerts, while more useful, actionable metrics like total ecosystem coverage are left out.
guide to modernization of the security operations center

How CISOs are modernizing their security operations

The life of a SOC analyst

One type of individual contributor who works in the SOC is called a SOC analyst. A SOC analyst is part of a team of like-minded experts that monitor, discover, respond to and mitigate cybersecurity threats within an organization. The role has a watchdog element, and they're often the first boots on the ground when a cyber incident occurs – day or night. It may get busy, but it’s never boring.

SOC analysts can be divided further into ranks based on experience, and tasks range from entry-level threat analysis to higher-level escalated events like breach control and mitigation. Some basic skills an analyst needs to have are:

Network Defense Icon
Network defense

This includes monitoring alerts and analyzing trends.

Ethical Hacking
Ethical hacking

Penetration testing your network to ensure the security of your defenses.

Incident Response
Incident response

Dealing with the fallout of a cyberattack – reporting it, investigating it, and mitigating the damage caused.

Computer Forensics
Computer forensics

Backtracking what happened in an attack by recreating it with data pulled from the event.

Reverse Engineering

“Acting out” the breach to find what the attacker did to compromise the system.

On a typical day, an analyst may be scanning for endpoint security alerts, troubleshooting, and clearing out tickets. A slow day may involve staying ahead of recent threats on the news. A big day (such as Black Friday or Election Day) may require higher vigilance for topical scams, such as “sale” emails from bogus domains.

How to improve your security operations

With the onslaught of targeted malware attacks in every sector, it’s important to modernize your SOC to stay abreast of the most sophisticated threats. That requires continuous evaluation and improvement.

Here are some quick-hit guidelines for achieving best-in-class security operations, plus more details below:

Taxonomy Icon
Follow a standard taxonomy to improve your workflows
Alert Icon
Reduce alert fatigue and accelerate threat response
Growth Icon
Establish benchmarks against which to mature your security operations

Employ automation

Automation is critical to achieving the aims listed above and improving your security operations posture. You can’t make crucial security decisions when your experts are tied up in mundane (and overwhelming) security tasks. Automating resource-intensive but repetitive areas of the security lifecycle can free up time and help with retention. Employees are overworked, and analysts have their pick of more exciting: 60% of cyber positions are lost to recruitment by other companies.

Secure your remote workforce

Improving your security operations today means securing your remote workforce. Given the current shift to remote work, does your security operations center need improvement? How would you know? Be sure to ask the right questions to see if your SOC is ready to protect a remote workforce. If your SOC could still use improvement, consider these three tips from our experts:

  1. Watch for anomalies. A remote work environment introduces many BYOD devices. That, coupled with the explosion of new apps, services, and employees online, creates myriad opportunities for phishing and credential stuffing attacks. Monitoring for user behavior that is outside the norm will help catch this.

  2. Secure endpoints and access. Invest in endpoint management tools like Endpoint Protection Platforms (EPPs) and Endpoint Detection Response (EDRs). Consider split-tunnel VPNs to gain visibility without over-straining the VPN.

  3. Re-test new controls. See if what you implemented suits your remote workforce and its needs – not just those of corporate users.

What is SOC-as-a-Service?

Managed SOC, or SOC-as-a-Service (SOCaaS), is a type of managed security service where you outsource your security operations center to a third party on a subscription basis. This can be an entire takeover or a partial addition to your team to force-multiply your current capabilities. The benefits of using SOC-as-a-Service include:

  • A group of experts to amplify your existing security team

  • Anytime, anywhere access and protection

  • Access to enterprise-grade security software – now affordable on a subscription basis

  • Curated detection and response to fit your needs

  • Quickly get up-and-running

  • Ability to mature your security program at your pace

There are plenty of ways to leverage managed SOC services. A SOCaaS is great for any business with growing teams or any company that wants to avoid the lengthy process of purchasing and configuring its own hardware and software. A managed SOC service can help make sure a business's security program is among the best in the industry by drawing up policies and mapping to known frameworks.

Not all managed SOCs are the same. Most offer a black-boxed, turnkey approach meant to be a one-size-fits-all solution. Be sure to find one that offers complete transparency so you know what you are getting, can integrate with your existing tools, provides the flexibility to invest further as your needs grow, and will take your current security maturity level into account.

Key attributes of a best-in-class SOC

There are plenty of models and best practices for running a SOC, but how do you know if you’re doing it right? Your SOC should go beyond the basic capabilities and utilize today’s technology to its fullest, taking strain off your team. Here are some key attributes of a best-in-class SOC:

Singular, actionable visibility

Successful incident response requires complete visibility across the ecosystem – on-premises and cloud – so there are no blind spots. Furthermore, it is vital to have visibility into cyber risk coverage so analysts can plan how to close any gaps.

Track metrics that matter

Communicate the measurements that matter to improve security posture and close any communication gap with the business.


A major failing of security operations today is ad-hoc or inconsistent processes. A well-managed security operations org should codify best practices. That way, work gets done more efficiently, with fewer errors, and with less unnecessary human involvement.

Automation, AI, and machine learning

Ponemon research reveals that only 13% of incidents are contained within a month. Given the high volume of alerts security experts are faced with daily, it’s no wonder. Leveraging automation and AI across the security lifecycle helps sift through mundane security tasks, prioritize events, enrich investigations to reduce noise, and drive faster actions.

Unified workbench

Find a platform that integrates your existing tools and unifies detection, investigation, and response capabilities to show the full picture on a single screen – driving faster and easier decision making.

Proactive operations that drive resilience

Prevention is better than the cure. A best-in-class solution includes threat hunting, breach simulations, health monitoring, and a continuous feedback loop so your posture is constantly being evaluated and improved.

GreyMatter: A security operations platform from ReliaQuest

ReliaQuest delivers successful security outcomes by force-multiplying an organization’s security operations team. It uniquely combines the power of technology and security expertise to make security possible for organizations by increasing visibility, reducing complexity, and managing risk.

ReliaQuest GreyMatter is a cloud-native security operations platform that is delivered as a service any time of the day, any place in the world. Built on an Open XDR architecture, it offers bi-directional integration across any vendor solution, whether on-premises or in one or multiple clouds, to ingest data and automate actions. It brings together telemetry from any security and business solution to deliver singular visibility across the enterprise ecosystem and unifies detection, investigation, and response to drive security effectiveness and cyber resilience.