S

15 years, a significant increase in academic

Security Operations Center (SOC) attention can be observed over the last 3–5 years.
Additionally, SOCs have emerged to a central
Manfred Vielberth
pivotal point for security operations in many
Chair of Information Systems, University of
organizations, as industrial surveys have
Regensburg, Regensburg, Germany
shown (Crowley and Pescatore 2019). It is
worth mentioning that the SOC topic is very
practice-oriented, and from there, most progress
Definition
and innovations are contributed. Although
SOCs comprise the three aspects, processes,
The Security Operations Center represents an
technologies, and people, most research was done
organizational aspect of a security strategy in an
in the areas of technologies and people. Hardly
enterprise by joining processes, technologies, and
any publications were seen which address SOC-
people (Madani et al. 2011; Schinagl et al. 2015).
specific processes. Additionally, most literature
It is usually not seen as a single entity or system
about SOC only addresses a particular part, such
but rather as a complex structure to manage
as incident detection. However, there is hardly
and enhance an organization’s overall security
any academic literature that addresses SOC as a
posture. Therefore, it creates situational aware-
whole.
ness, mitigates the exposed risks, and helps to
fulfill regulatory requirements (Kelley and Moritz
2006). It integrates, monitors, and analyzes all
Theory and Applications
security-relevant systems and events in an orga-
nizational unit. Additionally, it provides gover-
Most literature that addresses SOC in general
nance and compliance as a framework in which
describes possible architecture settings. The gen-
people operate and to which processes and tech-
eral SOC architecture can either be implemented
nologies are tailored. To realize the technical side
in a centralized (Bidou et al. 2004), a distributed
of security operations, SOCs commonly employ,
(Miloslavskaya 2017), or a decentralized (Syed
among others, SIEM systems as central tools.
et al. 2013) way. A centralized architecture
collects all relevant data from different locations
in one single entity. The distributed SOC is spread
Background
across multiple locations but operates as one
interconnected unit. A decentralized SOC, in
Although the term Security Operations Center
contrast, is comprised of multiple autonomous
has been known in research for more than
SOCs, which can operate without any interaction
© Springer Science+Business Media LLC 2021
S. Jajodia et al. (eds.), Encyclopedia of Cryptography, Security and Privacy,
https://doi.org/10.1007/978-3-642-27739-9_1680-1
2 Security Operations Center (SOC)
with each other. In general, the SOC activities can
be classified as reactive and proactive, although
these cannot always be clearly separated.
In the following, the three main building
blocks of an SOC are described briefly:
People: Since people play an essential role in
companies’ security, this is also an important part
of an SOC. From the SOC manager to the analyst,
a variety of roles can be defined within an SOC.
The analyst roles within an SOC are commonly
classified according to their expertise in tier 1 to
tier 3. Thereby, tier 1 analysts, often referred to
as triage specialists, are mainly responsible for
raw data collection and forward most problems
or incidents to higher tier analysts. In contrast,
tier 3 analysts are the most experienced staff in
an SOC and handle the most complex incidents.
Usually, only the SOC managers are superior
to those. Furthermore, the security awareness of
employees can also be attributed to an SOC.
Processes: Processes in an SOC are usually
aligned with the incident lifecycle consisting
of incident detection, incident analytics, and
response. In this context, forensics and threat
intelligence are often mentioned as particularly
important and, therefore, are highlighted as
stand-alone process steps.
Technologies: A central technology utilized
within an SOC usually is a Security Informa-
tion and Event Management tool. This supports
employees by centrally collecting all security-
relevant information needed to detect incidents.
It also offers visualization options and the ability
to detect incidents automatically.
SOCs are quite common in today’s IT secu-
rity landscape, especially in medium to large
size companies. It usually comprises about 2–25
analysts, and most SOCs use SIEM technology
to correlate and analyze event data for threat
detection (Crowley and Pescatore 2019).
Open Problems and Future Directions
An upcoming challenge is the future lack of
well-trained IT security staff, as on the one
hand, the need for staff is raising, and on the
other hand, the training of new staff cannot keep
up with the need. Therefore, it is necessary to
make the work within an SOC more efficient
and less demanding in terms of security expert
knowledge. This can be achieved by providing
employees with advanced tools, such as applying
visualization software or simulation techniques
such as in Dietz et al. (2020). Additionally,
more effort should be put into the effective
training of SOC analysts. Another solution to the
problem mentioned can be offered by security
orchestration, automation, and response (SOAR),
currently receiving much attention in the research
community. Here, research is still necessary in
order to lower the dependence on human analysts.
As mentioned before, the area of processes
within an SOC is largely neglected in academic
research. This leads to a lack of general guide-
lines on establishing an SOC within an organiza-
tion. In future research, frameworks or guidelines
should be developed to facilitate an SOC setup in
close cooperation with the practice. Since SOCs
are already quite popular in bigger enterprises,
research should focus on deriving the gained best-
practice knowledge.
Cross-References
 Security Information and Event Management
References
Bidou R, Bourgeois J, Spies F (2004) Towards a
global security architecture for intrusion detection
and reaction management. In: Information security
applications, vol 2908. Springer Berlin Heidelberg,
Berlin/Heidelberg, pp 111–123
Crowley C, Pescatore J (2019) Common and best
practices for security operations centers: results of
the 2019 SOC survey, SANS Institute. Available
online at https://www.sans.org/media/analyst-program/
common-practices-security-operations-centers-results-
2019-soc-survey-39060.pdf
Dietz M, Vielberth M, Pernul G (2020) Integrating digital
twin security simulations in the security operations
center. In: Proceedings of the 15th international confer-
ence on Availability, Reliability and Security (ARES).
ACM, pp 1–9
Kelley D, Moritz R (2006) Best practices for building a
security operations center. Inf Syst Secur 14(6):27–32
Security Operations Center (SOC)
Madani A, Rezayi, S, Gharaee, H (2011) Log manage-
ment comprehensive architecture in Security Opera-
tion Center (SOC), 2011 International Conference on
Computational Aspects of Social Networks (CASoN),
Salamanca, pp 284–289
Miloslavskaya N (2017) Security intelligence centers for
big data processing. In: 5th international conference
on Future Internet of Things and Cloud Workshops
(FiCloudW), Prague. IEEE, pp 7–13
3
Schinagl S, Schoon K, Paans R (2015) A framework for
designing a Security Operations Centre (SOC). In: 48th
Hawaii International Conference on System Sciences
(HICSS), Kauai, pp 2253–2262
Syed R, Syrame M, Bourgeois J (2013) Protecting grids
from cross-domain attacks using security alert sharing
mechanisms. Futur Gener Comput Syst 29(2):536–547