
When is a SOC not a SOC – and how can you tell?

Security operations centres (SOCs) are a vital weapon for education, research and the public sector against the potentially devastating impact of cyber breaches, but a service marketed as a SOC may not be what it seems.

Author: Paul Knee, Head of protective services, Jisc


Threat monitoring and response services are critical in sectors where a history of under-investment, ageing infrastructure and varying security standards often leaves organisations at heightened risk of cyber attacks.

In a crowded and often confusing market, solutions claiming to be SOCs offer peace of mind – but many fall short on closer inspection. Adopting these solutions without a full understanding of their limitations can lead to a false sense of security and increased vulnerability.

Here, I’m going to highlight the key elements a true SOC needs to deliver better security and the ability to recover quickly from attacks. First, let’s take a look at some of the red flags that may indicate a “SOC” might not be worthy of the name.

Red flag one: It logs threats but doesn’t fully respond to them

Many cyber security providers position their offering as a fully managed SOC when it is closer to a managed SIEM (security information and event management) service. A SIEM is focused on log collection and alerting, with limited investigation or response capability. This can lead organisations to believe they are fully protected, especially when it comes to raising and responding to threats outside working hours – which is often when threat actors operate.

If the service your vendor provides primarily delivers alert notifications, automated emails or tickets, log aggregation and dashboards, but alerts are not acted upon, you haven’t bought a SOC, but a managed SIEM. Your organisation will still be responsible for triage, investigation, containment and remediation. A true SOC has the ability to detect and respond to suspicious behaviours in a 24/7 capacity, and to respond within hours, if not minutes. A managed SIEM may mean the response comes too late to mitigate damage.

Red flag two: Your ‘SOC’ lacks identity threat detection and response (ITDR)

Modern cyber-attacks rarely begin and end on a single endpoint. Increasingly, attackers focus on identity compromise, particularly within Active Directory environments.

Active Directory remains the backbone of authentication for most organisations. Once attackers obtain privileged credentials or exploit weaknesses in identity infrastructure, they can move laterally, escalate privileges and establish long-term persistence.

Common attack techniques include credential dumping, where attackers extract authentication material such as usernames, passwords and password hashes from a compromised system; pass-the-hash and pass-the-ticket attacks, which let a bad actor impersonate a legitimate user without knowing their password; and kerberoasting attacks, which abuse the Kerberos authentication protocol to obtain service-account credentials that can be cracked offline.

It’s important to note that not all ITDR vendors protect on-premises Active Directory; some support only cloud-based identity platforms such as Entra ID.

Without the ability to detect and respond to identity attack techniques, a SOC may completely miss some of the most dangerous stages of an attack, and give threat actors the ability to bypass endpoint detection and response (EDR) tools.
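As an added illustration (not Jisc's code) of the kind of Active Directory telemetry an ITDR-capable SOC should be watching, here is a toy detection rule over constructed Windows Security Event ID 4769 (Kerberos service ticket request) events: it flags one account requesting RC4-encrypted tickets (TicketEncryptionType 0x17) for several distinct service accounts within a short window, a well-known kerberoasting indicator. Field names follow the 4769 event schema; the sample events, thresholds and helper names are assumptions for the example.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; 0x12 is AES256 (expected today)

def ev(user, service, enc, t):
    """Build a minimal 4769 (TGS request) event; field names follow the Windows schema."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": enc, "TimeCreated": t}

# Constructed sample events (not real data); TimeCreated is seconds for simplicity.
SAMPLE_EVENTS = [
    ev("alice@CORP.LOCAL", "svc_sql", "0x17", 100),     # RC4 tickets for four
    ev("alice@CORP.LOCAL", "svc_web", "0x17", 101),     # different service
    ev("alice@CORP.LOCAL", "svc_backup", "0x17", 102),  # accounts in seconds:
    ev("alice@CORP.LOCAL", "svc_print", "0x17", 103),   # classic roasting burst
    ev("bob@CORP.LOCAL", "FS01$", "0x12", 150),         # AES, machine account: normal
    ev("bob@CORP.LOCAL", "krbtgt", "0x17", 151),        # krbtgt excluded from the count
    ev("carol@CORP.LOCAL", "svc_legacy", "0x17", 200),  # single legacy RC4 request: below threshold
]

def is_roastable_request(event):
    """RC4 TGS request for a user service account (not krbtgt, not a computer$ account)."""
    svc = event["ServiceName"]
    return (event["EventID"] == 4769 and event["TicketEncryptionType"] == RC4_HMAC
            and svc.lower() != "krbtgt" and not svc.endswith("$"))

def detect_kerberoasting(events, window=300, min_services=3):
    """Return {requesting account: sorted distinct services} for every account that
    requested RC4 tickets for >= min_services distinct services within `window` seconds."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if is_roastable_request(e):
            per_user[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))
    alerts = {}
    for user, reqs in per_user.items():
        # Sliding window over the account's time-ordered RC4 requests.
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                alerts[user] = sorted(in_window)
                break
    return alerts

if __name__ == "__main__":
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT possible kerberoasting by {user}: {services}")
```

A SOC that only forwards raw 4769 alerts leaves this correlation, the triage and the containment (disabling the requesting account) to you; one with genuine ITDR does it for you.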

Red flag three: When the worst happens, a major incident response costs more

Many commercial SOCs or SIEMs offer major incident response – but it comes at an additional cost, delivered by a separate team.

Digital forensics and incident response (DFIR) and “major incident” response capability should ideally come as standard with a SOC, with integrated teams ready to act when needed, providing reassurance and predictability for budgeting purposes.

How to spot when a SOC isn’t a SOC – questions you can ask

When evaluating a SOC service, there are some key questions to ask that should help you understand if you are being offered a true SOC. These include:

  • Does the SOC investigate and validate alerts, or simply forward them?
  • Can analysts contain threats directly (endpoint isolation, identity disablement, network controls)?
  • Does the ITDR solution include Active Directory protection?
  • Are incident response and forensic support included?
  • Does the service perform security hardening and tuning as part of onboarding?
  • Are detections actively improved over time?

Jisc's SOC – a one-of-a-kind, true SOC

Our security operations centre (SOC) is designed specifically for universities, colleges, research organisations and the public sector.

It combines technology, identity protection, human expertise and response without hidden costs. It acts as your institution’s security command centre, continuously monitoring your network, detecting threats and responding to incidents.

Digital forensics and incident response (DFIR) and “major incident” response capability are included in our SOC offering, at no extra cost. Our SOC provides a layered, defence-in-depth approach to response, with the ability to contain compromised endpoints and identities through an organisation’s existing EDR/XDR technology stack.

For major incident scenarios where a more aggressive response is required, our ability to control internet connections to the Janet Network adds an extra layer of protection.

For ITDR, we have chosen to work with both Microsoft Defender XDR and CrowdStrike, as both vendors support Active Directory as well as cloud-based identity protection.
