Introduction to the SOC

A Security Operations Center is a centralized function — people, process, technology — that continuously monitors, detects, analyzes, and responds to cyber threats across an organization.

SOCs operate 24/7/365 and are the operational arm of the security program. They turn raw logs into decisions and actions.

Models: in-house, MSSP (managed), MDR (managed detection & response), hybrid, virtual SOC.

Regulatory pressure: PCI-DSS, HIPAA, SOX, GDPR, NIS2, ISO 27001 all require monitoring & incident response.

Risk reduction: average breach cost is USD 4.88M (IBM 2024); a mature SOC reduces dwell time from months to hours.

Brand & customer trust: a fast, transparent breach response preserves reputation.

NOC watches availability and performance (uptime, latency, capacity).

IT Support fixes user-reported issues (password resets, hardware).

SOC watches security signals — adversary activity, policy violations, indicators of compromise.

All three sit in operations; only the SOC has an adversary on the other side.

Top categories: ransomware-as-a-service, identity-driven attacks, supply chain, cloud misconfigurations, AI-augmented phishing.

Adversaries: nation-state APTs, financially motivated crime groups, hacktivists, insiders.

Identity-driven breaches take 292 days to identify and contain on average.