If your firewall and antivirus are the locked doors of your IT, then a Security Operations Center is the alarm system and the police who respond to a break-in. It is a mix of tools, processes, and people looking for threats in order to quickly stop them and prevent damage. Essentially, it’s real-time threat detection and response.
How does it work?
A Security Operations Center or SOC (pronounced “sock”) sees everything that goes on in your systems. It looks for:
- Who is logging in?
- Where are they logging in from?
- What devices are being used?
- What data is being accessed?
The SOC starts by pulling data from tools like intrusion detection systems, system logs, and vulnerability scans. AI then scans the data to help find any potentially suspicious activity like:
- Repeated data deletion
- Changes to account permissions
- Email forwarding
- Many login failures
- Data exports
- New Admin accounts
All these activities may be purposeful and legitimate, so the next step is further review. Since tools can only tell us so much, a SOC includes a security team (real humans) to assess the alerts and the possible risks to the business. Using their expertise, they dig through the noise to filter and prioritize the alerts. They then pass the alerts to a response team who stops the threat! It is a 24-hours-a-day, 7-days-a-week job for both teams, but knowing someone is always watching will certainly reduce your stress.
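As an added illustration of the detection and prioritization steps just described (example code written for this article, not from any SOC product), the script below runs a few of the listed rules over constructed log events and then orders the alerts by severity for the analysts. The event format, rule names, the failed-login threshold and the severity values are all assumptions made for the example.

```python
# Added example (not from the original article): a toy version of two SOC steps,
# detection over collected log events and prioritizing the resulting alerts.
# Event shape, field names, thresholds and severities are all constructed here.
from collections import Counter

# Constructed sample events of the kind a SOC pulls from system and mail logs.
EVENTS = [
    {"ts": 1, "user": "alice", "action": "login_failed", "src": "10.0.0.5"},
    {"ts": 2, "user": "alice", "action": "login_failed", "src": "10.0.0.5"},
    {"ts": 3, "user": "alice", "action": "login_failed", "src": "10.0.0.5"},
    {"ts": 4, "user": "alice", "action": "login_failed", "src": "10.0.0.5"},
    {"ts": 5, "user": "alice", "action": "login_failed", "src": "10.0.0.5"},
    {"ts": 6, "user": "bob", "action": "login_failed", "src": "10.0.0.9"},
    {"ts": 7, "user": "alice", "action": "create_account", "target": "svc-admin", "role": "admin"},
    {"ts": 8, "user": "carol", "action": "mail_forward_added", "target": "outside@example.net"},
    {"ts": 9, "user": "dave", "action": "permission_change", "target": "share-finance"},
]

FAILED_LOGIN_THRESHOLD = 5  # a single typo is noise; repeated failures are not
# Assumed severities; in practice the security team tunes these to the business.
SEVERITY = {"new_admin_account": 3, "many_login_failures": 2,
            "mail_forwarding": 2, "permission_change": 1}

def detect(events):
    """Apply the article's example rules to events and return raw alerts in order."""
    alerts = []
    failures = Counter()
    for e in events:
        user, action = e["user"], e["action"]
        if action == "login_failed":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:  # fire once per burst
                alerts.append({"rule": "many_login_failures", "user": user,
                               "count": failures[user], "src": e["src"]})
        elif action == "create_account" and e.get("role") == "admin":
            alerts.append({"rule": "new_admin_account", "user": user, "target": e["target"]})
        elif action == "mail_forward_added":
            alerts.append({"rule": "mail_forwarding", "user": user, "target": e["target"]})
        elif action == "permission_change":
            alerts.append({"rule": "permission_change", "user": user, "target": e["target"]})
    return alerts

def prioritize(alerts):
    """Order alerts so the analysts see the highest-severity ones first."""
    return sorted(alerts, key=lambda a: SEVERITY[a["rule"]], reverse=True)

if __name__ == "__main__":
    for a in prioritize(detect(EVENTS)):
        print(SEVERITY[a["rule"]], a)
```

Note that bob's single failed login produces no alert at all; the threshold is the first layer of noise filtering before a human ever looks at the queue.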
Generally, large enterprises build their own in-house SOCs. They can bear the costs of security experts and the many systems needed to see all activity. SMBs likely have smaller IT budgets. Hackers know this, and as a result, SMBs are often targets of attacks. The Verizon Data Breach Report noted that 58% of data breach victims were small businesses.