The function of a Security Operations Center (SOC) is to monitor, detect, investigate, and respond to cyberthreats around the clock.
Essentially, the SOC is the correlation point for every event logged within the organization that is being monitored. For each of these events, the SOC must decide how they will be managed and acted upon.
Security operations teams are charged with monitoring and protecting many assets, such as intellectual property, personnel data, business systems, and brand integrity.
As the implementation component of an organization’s overall cybersecurity framework, security operations teams act as the central point of collaboration in coordinated efforts to monitor, assess, and defend against cyberattacks.
SOCs have typically been built around a hub-and-spoke architecture, in which a security information and event management (SIEM) system aggregates and correlates data from the organization's security feeds.
This model can incorporate a variety of systems, such as vulnerability assessment solutions, governance, risk and compliance (GRC) systems, application and database scanners, intrusion prevention systems (IPS), user and entity behavior analytics (UEBA), endpoint detection and remediation (EDR), and threat intelligence platforms (TIP).
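The correlation role of the SIEM hub is easier to see in code. The following is an added example, not code from the original page or from any SIEM product: it normalizes constructed records from three hypothetical feeds (an IPS, a host authentication log, and an EDR agent) into one event shape and applies a single correlation rule, raising one high-severity alert when a brute-force signature from a source IP is followed within a window by a successful login from that IP. All field names, IP addresses, and timestamps are assumptions made up for the example.

```python
"""Minimal SIEM-style normalization and correlation over several feeds."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample records from three hypothetical feeds. Field names,
# addresses and timestamps are assumptions for this example, not a real schema.
IPS_FEED = [
    {"ts": "2024-05-01T10:00:05", "src": "203.0.113.7", "dst": "10.0.0.5",
     "sig": "SSH brute force"},
    {"ts": "2024-05-01T10:30:00", "src": "198.51.100.9", "dst": "10.0.0.8",
     "sig": "SSH brute force"},
]
AUTH_FEED = [
    {"ts": "2024-05-01T10:00:10", "host": "10.0.0.5", "user": "svc_backup",
     "src": "203.0.113.7", "result": "fail"},
    {"ts": "2024-05-01T10:01:30", "host": "10.0.0.5", "user": "svc_backup",
     "src": "203.0.113.7", "result": "success"},
    {"ts": "2024-05-01T10:31:00", "host": "10.0.0.8", "user": "root",
     "src": "198.51.100.9", "result": "fail"},
]
EDR_FEED = [
    {"ts": "2024-05-01T10:02:00", "host": "10.0.0.5", "proc": "curl",
     "parent": "sshd"},
]


@dataclass
class Event:
    """Common shape every feed is mapped onto before correlation."""
    ts: datetime
    feed: str
    kind: str                 # ips_alert | auth_success | auth_fail | process
    src_ip: Optional[str]
    host: str
    detail: str


def normalize(ips, auth, edr) -> List[Event]:
    """Map each feed's own schema onto the common Event shape, time-ordered."""
    events = []
    for r in ips:
        events.append(Event(datetime.fromisoformat(r["ts"]), "ips", "ips_alert",
                            r["src"], r["dst"], r["sig"]))
    for r in auth:
        kind = "auth_success" if r["result"] == "success" else "auth_fail"
        events.append(Event(datetime.fromisoformat(r["ts"]), "auth", kind,
                            r["src"], r["host"], r["user"]))
    for r in edr:
        events.append(Event(datetime.fromisoformat(r["ts"]), "edr", "process",
                            None, r["host"], f'{r["parent"]} -> {r["proc"]}'))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event], window=timedelta(minutes=10)):
    """Correlation rule: an IPS brute-force alert from a source IP followed,
    within the window, by a successful login from that same IP to the same
    host becomes one high-severity alert. Failed logins alone raise nothing.
    Processes spawned on the host after the login are attached as context."""
    alerts = []
    for a in (e for e in events if e.kind == "ips_alert"):
        for e in events:
            if (e.kind == "auth_success" and e.src_ip == a.src_ip
                    and e.host == a.host and a.ts <= e.ts <= a.ts + window):
                followup = [x.detail for x in events
                            if x.kind == "process" and x.host == a.host
                            and e.ts <= x.ts <= e.ts + window]
                alerts.append({
                    "severity": "high",
                    "src_ip": a.src_ip,
                    "host": a.host,
                    "summary": f"{a.detail} followed by successful login as {e.detail}",
                    "post_login_processes": followup,
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(normalize(IPS_FEED, AUTH_FEED, EDR_FEED)):
        print(alert)
```

Run as a script it prints one correlated alert for 203.0.113.7 against 10.0.0.5, with the post-login `sshd -> curl` process attached; the second brute-force source, which only produced failures, stays at feed level. A real SIEM applies hundreds of such rules with persistence and indexing, but the shape of the work is the same: normalize first, then correlate across feeds by shared keys and time.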
Security Orchestration, Automation and Response (SOAR) systems are solutions that combine incident response, orchestration, automation and threat intelligence (TI) management capabilities in a single platform.
SOAR tools are mostly used within a Security Operations Center (SOC) for incident response, for the automation and orchestration of workflows, or for a combination of the two.
A clear advantage of SOAR solutions lies in their ability to automatically investigate many low-level alerts.
In environments that deal with a high volume of events, analysts often spend a significant amount of time resolving these security alerts.
Low-level alerts are frequently false positives, and those that are not may require only a trivial response.
By automating the handling of these alerts, analysts can devote more of their time and attention to situations where human intervention really is required while the software handles the rest.
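What "automatically investigating low-level alerts" looks like in practice is a playbook that enriches each alert and decides whether it is a false positive, needs only a scripted response, or needs an analyst. The following is an added example, not code from the original page or from any SOAR product: it runs a small rule set over constructed alerts, auto-closes scans from an authorized internal scanner, applies a scripted response to a low-severity hash alert with no threat-intelligence match, and escalates everything else with related alerts attached as context. The alert fields, the `AUTHORIZED_SCANNERS` and `THREAT_INTEL_HASHES` reference data, and the action names are all assumptions made up for the example.

```python
"""Automated first-pass triage of low-level alerts, SOAR-playbook style."""
from collections import Counter

# Constructed sample alerts as a SIEM might hand them to a SOAR playbook.
# Field names, addresses and hashes are assumptions for this example.
ALERTS = [
    {"id": 1, "type": "port_scan", "severity": "low", "src": "10.0.0.50", "asset": "web-01"},
    {"id": 2, "type": "port_scan", "severity": "low", "src": "203.0.113.9", "asset": "web-01"},
    {"id": 3, "type": "malware_hash", "severity": "low", "src": "10.0.1.12", "asset": "ws-17",
     "hash": "aaaa"},
    {"id": 4, "type": "malware_hash", "severity": "low", "src": "10.0.1.13", "asset": "ws-18",
     "hash": "bbbb"},
    {"id": 5, "type": "lateral_movement", "severity": "high", "src": "10.0.1.13", "asset": "dc-01"},
    {"id": 6, "type": "port_scan", "severity": "medium", "src": "10.0.0.50", "asset": "db-02"},
]

# Constructed reference data the playbook enriches against (hypothetical).
AUTHORIZED_SCANNERS = {"10.0.0.50"}          # the internal vulnerability scanner
THREAT_INTEL_HASHES = {"bbbb": "known malware family (constructed TI entry)"}


def triage_one(alert):
    """Return (action, reason) for one alert. Action names are assumed for
    this example: 'close' = false positive, 'auto_contain' = scripted
    response with no analyst needed, 'escalate' = analyst queue."""
    if alert["severity"] == "high":
        return "escalate", "high severity always goes to an analyst"
    if alert["type"] == "port_scan":
        if alert["src"] in AUTHORIZED_SCANNERS:
            return "close", "scan originates from the authorized internal scanner"
        return "escalate", "scan from an unrecognised source"
    if alert["type"] == "malware_hash":
        hit = THREAT_INTEL_HASHES.get(alert["hash"])
        if hit:
            return "escalate", f"threat intelligence match: {hit}"
        return "auto_contain", "no TI match; quarantine the file via EDR and close"
    # Unknown alert types are never silently dropped.
    return "escalate", "no playbook rule for this alert type"


def related_alerts(alert, alerts):
    """Other alert ids sharing a source address or asset: context an analyst
    would otherwise have to gather by hand before acting on an escalation."""
    return [o["id"] for o in alerts
            if o["id"] != alert["id"]
            and (o["src"] == alert["src"] or o["asset"] == alert["asset"])]


def run_playbook(alerts):
    """Triage every alert; return per-alert decisions and a count per action."""
    decisions = {}
    for a in alerts:
        action, reason = triage_one(a)
        decisions[a["id"]] = {
            "action": action,
            "reason": reason,
            "related": related_alerts(a, alerts) if action == "escalate" else [],
        }
    summary = Counter(d["action"] for d in decisions.values())
    return decisions, summary


if __name__ == "__main__":
    decisions, summary = run_playbook(ALERTS)
    for alert_id, d in decisions.items():
        print(alert_id, d["action"], "-", d["reason"], d["related"] or "")
    print(dict(summary))
```

Of the six constructed alerts, two are closed as false positives, one gets a scripted response, and three reach the analyst queue, each carrying the ids of related alerts. The ordering of the rules is the security-relevant choice: severity is checked before any auto-close rule so that an allowlist can never suppress a high-severity alert, and an alert type the playbook does not recognise is escalated rather than dropped.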