Connect with us
Apply Now


What are the best ways to start learning SOC?

purple and blue light digital wallpaper

Building your own SOC (center for monitoring and prompt response to information security incidents) is a large-scale project for any organization. Today, soc as a service is quite popular. The initial planning stage is the foundation on which the mechanism for identifying and responding to information security incidents will work.  

Based on the general experience of building commercial SOC, we will talk about the first critical steps that need to be taken at the beginning of the SOC building process.

What are SOC on-premise and SOC outsource?

The first, albeit obvious, but important step is to determine which SOC will be in your organization: the so-called on-premise (built inside the organization), outsource (essentially cloud, located outside the organization), or hybrid (when depending on the needs, the company forms its own, unique SOC model, in which part of the roles and part of the functionality is assumed by the integrator partner – according to the MDRS subscription model, and part is implemented by its forces and means).

As a rule, organizations that have large IT and IS resources, strong competencies, and for several reasons are not ready to give this type of work to external providers, like UnderDefense. 

Outsourcing of SOC services is chosen by companies that need results here and now and who do not need to leave this layer of work within their perimeter. The hybrid model allows you to combine outsourcing services with the functions of your departments in the most profitable way.

The model structure of SOC on-premise

There are various methodologies for assessing the required SOC option, and their results will greatly depend on the specifics and goals of each particular organization. In this article, SOC on-premises will be considered, since it is this model that is the most difficult to implement and traditionally raises many questions from our customers.

The next step is to define the organizational model of the monitoring center. Concerning internal SOCs, four types of models are usually distinguished, although in practice we often encounter a fifth, one might say “hybrid”.

Security team

There is no separate structural unit for detecting or responding to information security incidents. In the event of an information security incident, predetermined resources are gathered (often from various departments, including IT) to solve the problem, and restore systems to working order, after which the team stops its work.

Internal distributed SOC

The permanent SOC exists as a separate functional unit but mainly consists of employees organizationally located outside the SOC, whose main work is related to IT or information security, but not necessarily related directly to the protection of computer networks.

Internal centralized SOC

A dedicated structural unit is a permanent team of specialists in the field of IT and information security. Provides continuous protection of computer networks, performing tasks on an ongoing basis as the main type of its activity. The resources and authority necessary for the day-to-day functioning of the unit are allocated to a separate, officially approved structural unit, usually with its budget.

Coordinating SOC

SOC acts as an intermediary and controls the interaction between several subordinate SOCs, as a rule, operates in large companies with geographically distributed networks and branches. The coordinating SOC most often does not have the whole picture up to the end device, and the powers to service consumers are limited. However, the coordinating SOC may offer incident analysis and investigation services at the request of subordinate SOCs.

The hybrid model

The hybrid model is always in one of the logical gaps between these four models. Regardless of the size and characteristics of the organization, our team is ready to help with the definition and complex formation of the SOC organizational model: from the joint creation and development of RASCI functional matrices, job descriptions, or role and authority cards, to the creation of relevant regulations and provisions.

Main tasks of the SOC  

Once an organizational model has been chosen, the main objectives of the SOC must be defined. Again, depending on the size and characteristics of the organization, the goals of creating a monitoring center, and the tasks that it must solve will differ greatly, especially taking into account the different stages of maturity of organizations.  

Sometimes the reason for creating a SOC is regulatory requirements, in which case the objectives of the SOC may simply cover a specific set of measures required by the regulator. For someone, taking into account the specifics of the business or organization as a whole, this will be enough, and this is normal.

Other companies (usually this applies to representatives of IT-dependent industries), having successfully passed the stages of goal-setting and determining the prerequisites for creating their own SOC, do not want to be limited to meeting regulatory requirements and developing SOC, increasing the maturity of both the team and all the processes and technologies used in the SOC.

Determining authority  

The fourth step is to develop credentials. They determine the degree of freedom in the actions of the SOC about the protected objects of the information infrastructure. It means the need to coordinate the proposed decisions and actions with other departments. 

Without going into details, there are three main levels of SOC authority, each of which speaks for itself:

1 . No authority (for example, any decisions of the SOC, or information security in general, are pre-approved by IT as the dominant organizational unit).  

2. Shared powers (in terms of predetermined and agreed operations and procedures for a certain list of information infrastructure objects, SOC has the right to perform actions to respond or make changes without any approvals).

3. Full authority (any operation or procedure concerning any information infrastructure object that needs to be performed based on the results of the work of the SOC is performed without delay and approval).

In practice, as UnderDefense explains, we often observe hybrid types of SOC powers, which, even within the same monitoring center, differ depending on specific business processes, information systems, or territorial divisions.


Before making a final strategic decision on SOC, it is necessary to answer the question: is the organization ready to do something based on the signals from the SOC? SOC demonstrates the return on investment in the case of synchronous work with the organization. If, as a result of SOC messages and reports, other departments of the organization are not ready to respond to problems and incidents that have emerged, SOC may still be a premature story for a particular organization.

Continue Reading

Copyright © 2022 Disrupt ™ Magazine is a Minority Owned Privately Held Company - Disrupt ™ was founder by Puerto Rican serial entrepreneur and philanthropist Tony Delgado who is on a mission to transform Latin America using the power of education and entrepreneurship.

Disrupt ™ Magazine
151 Calle San Francisco
Suite 200
San Juan, Puerto Rico, 00901

Opinions expressed by Disrupt Contributors are their own. Disrupt Magazine invites voices from many diverse walks of life to share their perspectives on our contributor platform. We are big believers in freedom of speech and while we do enforce our community guidelines, we do not actively censor stories on our platform because we want to give our contributors the freedom to express their opinions. Articles are not commissioned by our editorial team, and opinions expressed by our community contributors do not reflect the opinions of Disrupt or its employees.
We are committed to fighting the spread of misinformation online so if you feel an article on our platform goes against our community guidelines or contains false information, we do encourage you to report it. We need your help to fight the spread of misinformation. For more information please visit our Contributor Guidelines available here.

Disrupt ™ is the voice of latino entrepreneurs around the world. We are part of a movement to increase diversity in the technology industry and we are focused on using entrepreneurship to grow new economies in underserved communities both here in Puerto Rico and throughout Latin America. We enable millennials to become what they want to become in life by learning new skills and leveraging the power of the digital economy. We are living proof that all you need to succeed in this new economy is a landing page and a dream. Disrupt tells the stories of the world top entrepreneurs, developers, creators, and digital marketers and help empower them to teach others the skills they used to grow their careers, chase their passions and create financial freedom for themselves, their families, and their lives, all while living out their true purpose. We recognize the fact that most young people are opting to skip college in exchange for entrepreneurship and real-life experience. Disrupt Magazine was designed to give the world a taste of that.