As cyber threats become more advanced, enterprise security operations centers (SOCs) are finding themselves inundated with challenges. Amid that landscape, organizations are also having to deal with a lack of security talent, professional burnout and tight budgets to help with their primary goal of protection, with 40% of organizations reporting that they struggle with staff shortages, and less effective SOCs reporting a lack of investment in technology, training and staffing to do their jobs well.

A typical SOC consists of analysts who take the brunt of the alert triage and incident analysis, as well as experts who analyze the most advanced threats, threat intelligence specialists and a management team. While massive routine tasks are assigned to the analysts, there needs to be a way for them to organize their work as effectively as possible. 

In order to do so, there are several different approaches to the structuring and alert processing of a security operations center. An Enterprise Strategy Group (ESG) report suggests three options which are all used almost equally. More than a quarter (28%) of organizations say analysts in their SOC are tiered based on their skills and level of responsibility, while in 36% of firms, employees are assigned to individual threat vectors. Another 36% say that their analysts all work together on a common alert queue regardless of skills or threat vectors. 

1. Classical approach

The option chosen by 28% of organizations represents the more classical approach to structuring a SOC. Analysts are separated into lines, with the first line processing all incoming alerts. They triage them and handle the ones they can deal with. If the incident is too complicated and the first line doesn’t have instructions on how to respond to it, or if it is a human-driven attack, then the incident goes to the second, which includes staff who are more experienced. They either work through incidents according to a common queue or share them according to individual specializations. There is sometimes a third line which can be further divided into areas of specialization.

2. Assignment on vectors, threat types or areas of competency 

Another model used by 36% of respondents involves assigning analysts to different threat vectors such as network attacks, attacks on servers or web applications, insider threats or Distributed Denial of Service (DDoS). Other parameters for division could be the type of system (such as endpoints, cloud or data centers) or its criticality. If it is not critical, the incident is processed on the first line, and for critical systems the task would go to the second line.

In practice, the first and second approaches are often used together as a hybrid model. For example, the first line deals with all incoming alerts and if there are any cases of a specific type, they send these to specialists on the second or the third line that have been assigned to this specialization.

3. Single queue 

In this approach, used by 36% of organizations, analysts all share a common incident queue. This means all experts work on the same line with the same level of expertise, and can handle the majority of incidents within the queue. However, there still can be some division, with the most sophisticated incidents often still going to a dedicated group of highly skilled professionals.

In some cases, threat analysis software takes the role of the first line, filtering out a part of false positive alerts and highlighting specific details in alerts.

On the second line, experts examine any incident according to a common queue. If a member of staff cannot handle the incident, they can escalate it to a so-called “virtual line.” It is virtual because it isn’t always there, only being created when the incident is escalated from the current line. Unlike the second line, its composition is not fixed, so it can include other experts from the second or third lines.

SOC models differ from business to business depending on their maturity, budgets and relevant cybersecurity risks, but global trends are reshaping the SOC structure. While we are yet to see how these models will change under SOC staff shortages and automation trends, it is a good time for SOCs to analyze the current state of the people and processes in their organization and discuss what improvements are needed to stay protected from cyber threats.