Table of Contents
- What is a SOC?
- SOC Team Structure
- Core SOC Processes
- Essential SOC Tools
- Threat Detection Strategies
- SOC Metrics & KPIs
What is a SOC?
A Security Operations Center (SOC) is the centralized function that handles security issues at both the organizational and the technical level. It houses the team responsible for continuously monitoring the organization's environment, detecting and investigating threats, and coordinating the response to confirmed incidents.
SOC Models
- In-house SOC: Built, staffed and operated internally
- Virtual SOC: Remote team with no dedicated physical facility
- Hybrid SOC: Internal team supplemented by a Managed Security Service Provider (MSSP), typically for after-hours coverage or specialist work
- MSSP/MDR: Monitoring and response fully outsourced to an MSSP or a Managed Detection and Response (MDR) provider
SOC Team Structure
Tier 1: Security Analyst (Alert Triage)
Front-line analysts who monitor alerts, perform initial triage, and escalate confirmed incidents.
- Monitor SIEM dashboards and alerts
- Initial investigation and false positive filtering
- Ticket creation and documentation
- Escalation to Tier 2
Tier 2: Security Analyst (Incident Response)
Experienced analysts who perform deep-dive investigations and coordinate incident response.
- In-depth threat analysis
- Correlation of related events
- Containment recommendations
- Playbook development
Tier 3: Threat Hunter / Senior Analyst
Proactive hunting, advanced forensics, and threat intelligence integration.
- Proactive threat hunting
- Malware analysis
- Detection engineering
- Red team collaboration
Core SOC Processes
Alert Triage Workflow
1. Alert Generation
└─> SIEM, EDR, IDS, Firewall, etc.
2. Initial Triage (Tier 1)
├─> False Positive → Close with reason
├─> Known Good → Document and close
└─> Suspicious → Escalate to Tier 2
3. Investigation (Tier 2)
├─> Collect additional context
├─> Correlate with other events
└─> Determine scope and impact
4. Response & Containment
├─> Execute playbook
├─> Contain affected systems
└─> Eradicate threat
5. Recovery & Lessons Learned
└─> Update detections, close ticket
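The five steps above, as an added example that is not code from the original page: a toy triage pipeline in Python in which Tier 1 closes documented false positives and known-good activity, Tier 2 correlates what was escalated by host and rates scope, a playbook is picked from the severity, and rules that closed as false positives are collected as tuning candidates for the lessons-learned step. The alert schema, the tuning tables, the severity heuristic and the playbook names are all constructed for the example.

```python
"""Added example, not code from the original page: a toy alert-triage
pipeline that walks the five steps of the workflow. The alert schema, the
tuning tables (known-good and false-positive entries), the severity
heuristic and the playbooks are all constructed for the example."""
from collections import defaultdict

# Step 1: constructed alerts as a SIEM/EDR/IDS/firewall might emit them.
ALERTS = [
    {"id": 1, "source": "EDR", "host": "ws-042", "user": "alice",
     "rule": "suspicious_powershell", "sha256": "aa11"},
    {"id": 2, "source": "EDR", "host": "ws-042", "user": "alice",
     "rule": "lsass_access", "sha256": "bb22"},
    {"id": 3, "source": "IDS", "host": "srv-db1", "user": "svc_backup",
     "rule": "port_scan", "sha256": ""},
    {"id": 4, "source": "SIEM", "host": "ws-017", "user": "bob",
     "rule": "suspicious_powershell", "sha256": "cc33"},
    {"id": 5, "source": "Firewall", "host": "ws-042", "user": "alice",
     "rule": "outbound_to_rare_ip", "sha256": ""},
]

# Tier 1 tuning data (constructed). Every closure carries a documented reason.
FALSE_POSITIVE_HASHES = {"cc33": "signed internal inventory script"}
KNOWN_GOOD = {("svc_backup", "port_scan"): "approved backup-server scanner"}

# Step 4 playbooks keyed by severity (constructed action names).
PLAYBOOKS = {
    "high": ["isolate_host", "reset_user_credentials", "collect_triage_image"],
    "medium": ["collect_triage_image", "increase_monitoring"],
    "low": ["increase_monitoring"],
}


def tier1_triage(alert):
    """Step 2: close documented false positives and known-good activity,
    escalate everything else. Returns (verdict, reason)."""
    if alert["sha256"] and alert["sha256"] in FALSE_POSITIVE_HASHES:
        return "false_positive", FALSE_POSITIVE_HASHES[alert["sha256"]]
    key = (alert["user"], alert["rule"])
    if key in KNOWN_GOOD:
        return "known_good", KNOWN_GOOD[key]
    return "escalate", "no tuning match"


def tier2_investigate(escalated):
    """Step 3: correlate escalated alerts by host and rate scope/impact."""
    by_host = defaultdict(list)
    for alert in escalated:
        by_host[alert["host"]].append(alert)
    incidents = []
    for host, alerts in sorted(by_host.items()):
        rules = {a["rule"] for a in alerts}
        sources = {a["source"] for a in alerts}
        # Severity heuristic (assumed): independent sensors agreeing raises it;
        # credential access plus unusual egress reads as an active intrusion.
        severity = "medium" if len(sources) > 1 else "low"
        if {"lsass_access", "outbound_to_rare_ip"} <= rules:
            severity = "high"
        incidents.append({
            "host": host,
            "users": sorted({a["user"] for a in alerts}),
            "alert_ids": sorted(a["id"] for a in alerts),
            "rules": sorted(rules),
            "severity": severity,
        })
    return incidents


def run_pipeline(alerts):
    """Steps 1-5 end to end: closed alerts with reasons, incidents with their
    playbook actions, and the rules Tier 2 should review for tuning."""
    closed, escalated, fp_rules = [], [], set()
    for alert in alerts:
        verdict, reason = tier1_triage(alert)
        if verdict == "escalate":
            escalated.append(alert)
            continue
        closed.append({"id": alert["id"], "verdict": verdict, "reason": reason})
        if verdict == "false_positive":
            fp_rules.add(alert["rule"])  # step 5 input: noisy rule
    incidents = tier2_investigate(escalated)
    for incident in incidents:
        incident["actions"] = PLAYBOOKS[incident["severity"]]  # step 4
    return {"closed": closed, "incidents": incidents,
            "tuning_candidates": sorted(fp_rules)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline(ALERTS), indent=2))
```

On the constructed input, alerts 3 and 4 close at Tier 1 with their reasons recorded, and alerts 1, 2 and 5 correlate into a single high-severity incident on ws-042. The point of the correlation step is visible here: each of the three alerts on its own might sit at the bottom of a queue, while the combination of script execution, LSASS access and rare egress on one host is what justifies isolation.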
Essential SOC Tools
| Category | Tools |
|---|---|
| SIEM | Splunk, Microsoft Sentinel, Elastic SIEM |
| EDR | CrowdStrike, Microsoft Defender, SentinelOne |
| SOAR | Splunk SOAR, Palo Alto XSOAR, Tines |
| Threat Intel | MISP, ThreatConnect, Recorded Future |
| Ticketing | ServiceNow, Jira, TheHive |
Threat Detection Strategies
- Signature-based: Matching observed values (hashes, IPs, domains, command-line patterns) against known-bad indicators of compromise (IOCs); precise, but blind to anything not already catalogued
- Behavioral: Flagging deviations from a baseline of normal activity (anomaly detection, User and Entity Behavior Analytics); catches novel activity at the cost of a tuning effort to keep false positives down
- Threat Hunting: Hypothesis-driven proactive search through existing telemetry for activity no alert fired on
- Threat Intelligence: Integration of external feeds to supply IOCs for signature matching and context for triage
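The first three strategies side by side, as an added example that is not code from the original page: a small Python script that parses constructed SSH authentication log lines, runs a signature check against an IOC set (standing in for an external threat-intelligence feed), a behavioral check of each user's failed-login count against that user's own history, and a hunting query for the hypothesis "a burst of failed logins was followed by a success from the same source". The log lines, the IOC list, the baseline counts and the thresholds are all constructed; the IP addresses come from documentation ranges.

```python
"""Added example, not from the original page: signature-based, behavioral and
hypothesis-driven detection run over constructed SSH auth log lines."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed log lines in the style of sshd syslog output. The pam line at
# the end does not match the parser's schema and is skipped on purpose.
LOG_LINES = "\n".join(
    ["2024-12-03T09:14:02Z sshd: Failed password for alice from 203.0.113.7",
     "2024-12-03T09:14:09Z sshd: Accepted password for alice from 203.0.113.7"]
    + [f"2024-12-03T10:02:{11 + i:02d}Z sshd: Failed password for bob from 198.51.100.23"
       for i in range(9)]
    + ["2024-12-03T10:02:31Z sshd: Accepted password for bob from 198.51.100.23",
       "2024-12-03T11:30:00Z sshd: Accepted publickey for carol from 192.0.2.44",
       "2024-12-03T11:31:00Z sshd: pam_unix(sshd:session): session opened for user carol"])

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) \S+ for (?P<user>\S+) from (?P<src>\S+)$")

# Constructed indicator, as an external threat-intel feed would deliver it.
IOCS = {"198.51.100.23"}

# Constructed per-user failed-login counts for the previous seven days.
BASELINE_FAILS = {"alice": [1, 0, 2, 1, 0, 1, 2],
                  "bob": [0, 1, 0, 0, 1, 0, 0],
                  "carol": [0, 0, 0, 0, 0, 0, 0]}


def parse(lines):
    """Turn raw lines into event dicts; lines outside the schema are dropped."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def signature_hits(events, iocs=IOCS):
    """Signature-based: exact match of the source field against known-bad IOCs."""
    return [e for e in events if e["src"] in iocs]


def behavioral_hits(events, baseline=BASELINE_FAILS, z=3.0, floor=5):
    """Behavioral: flag users whose failed-login count today exceeds their own
    historical mean + z standard deviations. The absolute floor stops a user
    with a flat-zero history from alerting on a single typo."""
    today = Counter(e["user"] for e in events if e["outcome"] == "Failed")
    hits = {}
    for user, count in today.items():
        history = baseline.get(user, [])
        mean = statistics.fmean(history) if history else 0.0
        sd = statistics.pstdev(history) if len(history) > 1 else 0.0
        threshold = max(float(floor), mean + z * sd)
        if count > threshold:
            hits[user] = {"today": count, "threshold": round(threshold, 2)}
    return hits


def hunt_success_after_failures(events, min_failures=5):
    """Threat hunting: test the hypothesis that a credential-guessing burst was
    followed by a successful login from the same source. Events are assumed
    to be in time order, as they are in the constructed input."""
    fails = defaultdict(int)
    findings = []
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "Failed":
            fails[key] += 1
        elif fails[key] >= min_failures:
            findings.append({"user": e["user"], "src": e["src"],
                             "failures_before_success": fails[key], "at": e["ts"]})
    return findings


if __name__ == "__main__":
    evts = parse(LOG_LINES)
    print("signature:", len(signature_hits(evts)), "events from IOC sources")
    print("behavioral:", behavioral_hits(evts))
    print("hunt:", hunt_success_after_failures(evts))
```

The three checks fire on the same activity for different reasons, which is the practical argument for layering them: the signature check only works because the source was already on a feed, the behavioral check would also have caught an unlisted source, and the hunt surfaces the one fact the other two do not state, that the guessing eventually succeeded. Alice's single failure followed by a success trips none of them.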
SOC Metrics & KPIs
| Metric | Illustrative target | Description |
|---|---|---|
| MTTD | < 1 hour | Mean Time to Detect: from first malicious activity to the alert |
| MTTR | < 4 hours | Mean Time to Respond: from the alert to the first analyst action |
| MTTC | < 24 hours | Mean Time to Contain: from the alert to containment of the affected systems |
| False Positive Rate | < 50% | Share of alerts closed as non-threats (false positive or known good) |
| Escalation Rate | ~20% | Share of Tier 1 alerts escalated to Tier 2 |
Last updated: December 2024