SOC and SIEM | What are they, and do you need one?


A close up photograph of a woman's hands as she types on a laptop. As cyberattacks grow more frequent and costly, IT security importance increases. In recent security discussions, you may have heard the phrases "SOC and SIEM," two more IT acronyms. But what do they mean, and why do they matter to you?

The SOC and SIEM work to identify threats on your network, protecting you from cyberattacks. But how do you know if you need them for your business?

For over 25 years, WEBIT Services has helped hundreds of clients build effective, framework-driven security and reduce risk.

By reading this article, you will learn how SOCs and SIEMs work together, if these services are a good fit for your company, and answers to some common FAQs about SOCs and SIEMS.

Defining a SIEM and a SOC

Security information and event management - SIEM

"SIEM" stands for "security information and event management." A SIEM is a program that analyzes computer logs, looking for odd or dangerous behavior. It is also the foundational tool of a security operations center (SOC).

A SIEM is specially programmed for your company's IT setup, permissions, and activity. Therefore, it must be updated whenever new devices are added or removed from your network or if any changes are made to your network.

Security operations center - SOC

A SOC uses human cybersecurity experts to examine the SIEM reports around the clock and bring attention to security threats. A SOC makes sense of the SIEM. Without a SOC, you're simply receiving numerous, constant log reports that your IT team may or may not be able to translate.

If a SOC uncovers a security breach or dangerous activity through the SIEM reports, it will alert your IT team or provider, who will then take steps to protect your system from cyberattacks.

It's also important to note that a SOC is not a network operations center (also known as a NOC). A NOC looks for hardware or software failure. It pays attention to events like application crashes, blue screens, etc. NOCs are technology-focused, not security-focused.

On the other hand, a SOC is solely focused on security and SIEM reports. So, for example, SOC will not alert you if an application is glitchy, but a NOC will. Instead, a SOC will alert you if an application shows signs of a security breach based on the SIEM's analysis of a computer's log activity.

How do I know if I need a SOC and SIEM?

Your business might benefit from a SOC and SIEM if you meet one or more of these four qualifications:

  1. Your business is part of a regulated industry.
  2. Your business has 100 or more employees.
  3. Your business follows an approved security framework (i.e., group 1 of CIS), wants an additional security layer
  4. Your business has the available IT budget to cover a SOC provider and SIEM application.

1. Your business is part of a regulated industry

Regulated industries like healthcare or finance have particular security compliance standards. These standards call for the additional security layer that a SOC and SIEM bring.

2. Your business has 100 or more employees.

The more your business grows, the more human risk is introduced. Therefore, larger corporations often benefit from the additional security a SOC and SIEM provide.

3. Your business follows an approved security framework and wants an additional security layer.

Following an approved security framework like NIST and CIS significantly reduces risk. In fact, CIS doesn't recommend introducing a SOC or SIEM to your security until you have completed the foundational security recommendations.

Following the first layer of security framework practices minimizes preventable risk without SOC or SIEM involvement. Until these processes are implemented, a SOC and SIEM will not be as effective as they could be.

However, if you are following a framework and decide you need an additional security layer, then a SOC and SIEM might fit your business.

4. Your business has the available IT budget to cover a SOC provider and SIEM application.

Because SOC providers offer such specialized but valuable services, they are not inexpensive investments. It may be the financial equivalent of hiring a second IT provider in many cases. With this in mind, you will need to ensure that you have available funds for this service.

How do I know if I don't need a SOC or SIEM?

If you are a small, unregulated business with fewer than 100 employees and follow a security framework, you likely do not need a SOC or SIEM yet.

If you do not have the budget to accommodate a SOC or SIEM, focus on building your security practices using a framework.


1. Can I use a SIEM without a SOC? Or vice versa?

SOCs and SIEMs are essentially always found together.

A SOC will always use a SIEM because it is their most important tool. Their foundation is translating computer log events, which the SIEM provides. Without a SIEM, the SOC cannot do its job.

In addition, a SIEM is useless without someone to translate it. This is where a SOC comes in.

SOCs also offer 24-hour monitoring to combat prime cyberattack hours.

Cybercriminals (also known as "bad actors") are most active outside regular working hours. Cyberattacks are most numerous after 5:00 PM, on weekends, and before or during major holidays. To battle these after-hour attacks, a SOC will analyze and report on SIEM reports 24/7.

2. Is my IT provider a SOC?

This answer will vary across IT providers, but generally, a SOC is not included in your IT provider service package.

Some IT providers might have a "light" SIEM offering to add another security layer, but this would be an additional service package. The provider may also partner with a SOC to cover after-hours security. However, an IT provider typically cannot provide the same depth of SIEM understanding as an actual SOC.

While not a SOC themselves, an IT provider can help answer any questions you have about SOCs and SIEMs. They can also make recommendations both for SIEM programs and SOC providers.

3. How do I choose a SIEM?

If you're looking for a SIEM, you can ask your IT or SOC provider for a recommendation.

If you already have a quality SIEM in place, most SOC providers will work with your existing SIEM. If you do not have a SIEM, the SOC provider will make recommendations.

4. What should I look for in a SOC?

When researching SOC providers, ask yourself the following questions:

1. How long has this SOC been in business?

When searching for a quality SOC, longevity can indicate their level of expertise and success. SOC operations take millions to build, operate, and staff in a complicated field. As such, successful SOCs have been around for a while.

2. How will this SOC partner with my IT provider?

Your IT provider and SOC provider will be in frequent contact, so it's important that they feel they can partner together.

Some IT providers have existing relationships with SOC providers. As such, they work together well and have an understanding. Of course, in this situation, your IT provider will recommend a SOC provider that it knows well and believes will fit your business security needs.

However, that doesn't mean you can't use a SOC provider who is new to your IT provider. Before signing on the dotted line, ensure that your IT and SOC providers clearly understand their assigned roles.

If the potential SOC provider shows resistance to communicating or partnering with your IT provider, then it may not be a good match.

3. Does this SOC have faithful clients?

A quality SOC will have plenty of clients happy to utilize it for years. However, if a SOC's clients seem to change providers quickly, it may indicate a lack of quality service.

4. Have you heard of this SOC?

If you haven't heard of this particular SOC provider, that's likely a good thing.

Believe it or not, SOC providers don't want to be in the news or heavily advertised. They also don't promote their notable clients. Good security companies are careful not to put a bullseye on their backs or their clients' backs, so they tend to fly under the radar.

Often, when you hear about a SOC provider in the news, it's about a major security breach. Therefore, a quality SOC won't be in news reports.

Next steps for selecting a SOC and SIEM

A SOC uses a SIEM to look for abnormal or dangerous activity on your devices. If suspicious activity is detected, the SOC reports it to your IT provider for additional investigation and resolution.

You may be a fit for a SOC and SIEM if your business meets one or more of these situations:

  1. If your business is regulated.
  2. If you have 100 or more employees.
  3. If you follow a security framework but want additional security.
  4. If you have the available IT budget.

A SOC and SIEM are likely not a fit for your company if you are a small business outside a regulated industry. However, you can reduce your risk significantly by following a security framework.

Your IT provider can not only help match you with a SOC and SIEM, but it can answer all of your questions to help you understand these services and their benefits.

If you feel that your business could benefit from a SOC and SIEM, reach out to your IT provider or internal IT team. They can help you evaluate your current security risks and see if a SOC and SIEM can enhance your security.

WEBIT Services has helped hundreds of clients in the greater-Chicago area create effective cybersecurity procedures.

If you are looking for a new IT provider, schedule a free 30-minute consultation to see how WEBIT can help.

If you aren't ready to make a commitment but would like to learn more about cybersecurity and IT services, we recommend the following articles: