Building a Security Operations Center: From First Alert to Mature Program

A SOC is an operating model with four core functions: monitoring (continuously watching for security events), detection (identifying events that represent potential threats), investigation (analyzing detected events to determine scope, impact, and root cause), and response (containing, eradicating, and recovering from confirmed incidents). These functions operate in a continuous cycle — every investigation produces lessons that improve detection, every response produces indicators that improve monitoring.

The SOC operating model defines roles and escalation paths. In a mature SOC, Tier 1 analysts perform initial alert triage — reviewing alerts, enriching them with context, and determining whether they represent true positives requiring investigation or false positives requiring tuning. Tier 2 analysts perform deep investigation — analyzing confirmed incidents, determining scope, identifying indicators of compromise, and coordinating containment. Tier 3 analysts and threat hunters perform proactive analysis — searching for threats that existing detections do not cover and developing new detection rules based on findings. In a mid-market SOC, one person may cover all three tiers — what matters is that the functions are defined, even if they are not separated by role.

The build-vs-buy decision is fundamental. In-house SOC provides maximum control and institutional knowledge but requires staffing, tooling, and 24x7 coverage (which typically means 8-12 analysts for round-the-clock operations). MSSP (Managed Security Service Provider) provides 24x7 monitoring and alerting at lower cost but with less environmental context and customization. The hybrid model — in-house team for investigation and response, MSSP for 24x7 monitoring and initial triage — is the most common and practical choice for mid-market organizations. It provides continuous coverage without the staffing cost of a fully in-house 24x7 operation.

SIEM platform selection is one of the most consequential security operations decisions, because it is difficult and expensive to reverse. The major platforms — Splunk, Microsoft Sentinel, CrowdStrike LogScale (formerly Humio), Google SecOps (formerly Chronicle), and Elastic Security — each have distinct strengths. Splunk has the deepest ecosystem and the most mature search language but the highest cost. Sentinel integrates natively with Microsoft environments and offers consumption-based pricing. LogScale provides high-performance log analytics with efficient data compression. Google SecOps offers a fixed-cost model with Google-scale infrastructure. The right choice depends on your existing technology stack, data volume, budget model, and team expertise.

Log source prioritization determines detection capability more than platform choice. You cannot detect threats in data you do not collect. The minimum viable log sources for a functional SOC are: identity provider logs (Entra ID, Okta — authentication events, privilege changes, MFA events), cloud control plane logs (CloudTrail, Azure Activity Log, GCP Audit — API calls, resource modifications, IAM changes), endpoint detection logs (CrowdStrike, Defender for Endpoint, SentinelOne — process execution, file modification, network connections), email security logs (phishing attempts, malicious attachments, suspicious links), and network flow logs or DNS logs (lateral movement indicators, C2 communication patterns).

Data pipeline design determines long-term SIEM sustainability. Raw log ingestion at full volume is expensive and produces search performance problems. An effective data pipeline includes: collection (agents, API integrations, syslog forwarding), normalization (parsing logs into a consistent schema), enrichment (adding context — asset criticality, geolocation, threat intelligence indicators), filtering (removing known-irrelevant events before they reach the SIEM — debug logs, health checks, automated scanning noise), and tiering (hot storage for recent high-value data, warm/cold storage for compliance retention). Organizations that do not design their data pipeline pay 3-5x more for SIEM infrastructure than they need to.

Threat hunting is the proactive search for threats that existing detection rules do not cover. It is not scrolling through dashboards or reviewing alerts — that is monitoring. Threat hunting starts with a hypothesis: 'Based on threat intelligence about adversary group X, we believe they may have established persistence in our environment using technique Y, which our current detection rules do not cover.' The hunt tests this hypothesis against available data — searching for evidence that the technique has been used, regardless of whether an alert was generated.

Hypothesis-driven hunting requires two prerequisites: data sources that contain evidence of the hypothesized technique, and an analyst with the expertise to formulate relevant hypotheses and interpret results. The data source requirement is often the binding constraint — an organization cannot hunt for DNS tunneling without DNS query logs, cannot hunt for lateral movement without authentication logs from all systems, and cannot hunt for living-off-the-land techniques without process execution telemetry. Threat hunting maturity is directly correlated with data source coverage.

The most valuable output of a threat hunt is not the threats found — it is the detection rules created. Every hunt that confirms a technique is present (or possible) should produce a detection rule that alerts on that technique going forward. Every hunt that reveals a data source gap should produce a log source onboarding request. This findings-to-detection conversion cycle is what makes threat hunting a sustainable practice rather than an ad-hoc exercise. A mature threat hunting program runs a hunt cadence (weekly or biweekly), maintains a hypothesis backlog informed by threat intelligence, and measures conversion rate — the percentage of hunts that produce new detection rules or data source improvements.