Introduction: Eyes on the Network
"A SOC is only as good as its people, processes, and technology—in that order."
The Security Operations Center is the centralized function for monitoring, detecting, analyzing, and responding to security incidents. This lesson covers how to build and operate an effective SOC.
🎯 Lesson Objectives
- Understand SOC models and organizational options
- Design SOC processes and workflows
- Implement effective SIEM strategies
- Measure SOC performance with metrics and KPIs
1. SOC Models
In-House SOC
Pros: Full control, deep organizational knowledge
Cons: High cost, 24/7 staffing challenges
Managed SOC (MSSP)
Pros: 24/7 coverage, expertise on demand
Cons: Less control, may lack context
Hybrid SOC
Pros: Balance of control and cost
Cons: Complex coordination
Virtual SOC
Pros: Cost-effective for small orgs
Cons: Limited response capability
2. SOC Team Structure
Tier 1: Alert Analyst
Initial triage, alert validation, escalation
Skills: Basic security knowledge, tool proficiency
Tier 2: Incident Responder
Deep analysis, incident investigation, containment
Skills: Forensics, malware analysis, network analysis
Tier 3: Threat Hunter/SME
Proactive hunting, advanced threats, tool development
Skills: Advanced analysis, threat intelligence, automation
SOC Manager
Operations oversight, metrics, stakeholder management
Skills: Leadership, communication, process optimization
3. SIEM Implementation
Security Information and Event Management (SIEM) is the SOC's primary tool:
3.1 Key SIEM Capabilities
- Log Collection: Aggregate logs from all sources (endpoints, network, cloud, applications)
- Normalization: Standard format for analysis
- Correlation: Connect related events to identify attacks
- Alerting: Generate alerts based on rules and anomalies
- Dashboards: Real-time visibility into security posture
- Reporting: Compliance and management reports
3.2 SIEM Best Practices
- Start with use cases: Define what you need to detect before configuring rules
- Tune aggressively: False positives cause alert fatigue—tune rules continuously
- Ensure log completeness: Can't detect what you can't see—ensure critical sources are covered
- Automate playbooks: SOAR integration for repetitive response tasks
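The normalization and correlation capabilities from 3.1, and the use-case-first, tune-the-thresholds advice from 3.2, as an added example that is not part of the original lesson: two constructed raw log formats (an sshd syslog line and a JSON cloud login record) are mapped onto one schema, then a single use case, "repeated failed logins from one source followed by a success", is evaluated with a threshold and window that are the tuning knobs. The field names and the `brute_force_then_success` rule name are assumptions for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) in two raw formats.
RAW_EVENTS = [
    "2024-05-01T10:00:01Z host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51122 ssh2",
    "2024-05-01T10:00:09Z host1 sshd[2201]: Failed password for admin from 203.0.113.7 port 51123 ssh2",
    '{"time": "2024-05-01T10:00:20Z", "eventName": "ConsoleLogin", "outcome": "Failure", "user": "admin", "sourceIPAddress": "203.0.113.7"}',
    "2024-05-01T10:00:31Z host1 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51130 ssh2",
    "2024-05-01T10:05:00Z host2 sshd[3310]: Failed password for bob from 198.51.100.4 port 40000 ssh2",
]
SSHD_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")

def normalize(raw):
    """Map one raw record onto a common schema: ts, src_ip, user, action, outcome."""
    if raw.startswith("{"):  # JSON cloud audit record (assumed field names)
        d = json.loads(raw)
        return {"ts": datetime.fromisoformat(d["time"].replace("Z", "+00:00")),
                "src_ip": d["sourceIPAddress"], "user": d["user"],
                "action": "login", "outcome": d["outcome"].lower()}
    m = SSHD_RE.match(raw)
    if not m:
        return None  # unknown format: dropped here, but count such drops in a real pipeline
    ts, _host, result, user, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "src_ip": ip,
            "user": user, "action": "login",
            "outcome": "success" if result == "Accepted" else "failure"}

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Use case: >= threshold failed logins from one source IP, then a success, within the window.
    threshold and window are the knobs tuned to keep false positives down."""
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = e["src_ip"]
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window]  # expire old ones
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
        elif e["outcome"] == "success" and len(failures[key]) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": key, "user": e["user"],
                           "failures": len(failures[key]), "ts": e["ts"]})
            failures[key].clear()  # one alert per burst, not one per later success
    return alerts

def run(raw_events=RAW_EVENTS, threshold=3):
    """Full pipeline: collect -> normalize -> correlate -> alerts."""
    return correlate([n for n in map(normalize, raw_events) if n], threshold=threshold)
```

Raising `threshold` to 4 on the same data produces no alert, which is the kind of tuning decision 3.2 describes: the rule should fire on the pattern the use case defines, not on every cluster of failures.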
4. SOC Metrics and KPIs
| Metric | Description | Target (Example) |
|---|---|---|
| MTTD | Mean Time to Detect | < 24 hours |
| MTTR | Mean Time to Respond | < 4 hours |
| MTTC | Mean Time to Contain | < 8 hours |
| False Positive Rate | % of alerts that are false positives | < 30% |
| Alert Volume | Total alerts per day/week | Trending down |
| Incidents per Analyst | Workload distribution | Balanced |
| Coverage | % of assets monitored | > 95% |
📝 Key Takeaways
- SOC models range from in-house to fully managed—choose based on resources and requirements
- Tiered SOC structure enables specialization and escalation
- SIEM effectiveness depends on use cases, tuning, and log completeness
- Metrics like MTTD and MTTR drive continuous improvement