
SOC Software: Tools Your Team Needs in 2026

Choosing the right SOC software for your team can be challenging. In this blog, we hope to make this process a bit more painless.

  • First: We review what SOC tools do, and the 5 key responsibilities they support.
  • Second: We review what we consider the 6 most important tools for SOCs and how they map to the 5 key responsibilities.
  • Last: We provide a comprehensive overview of the SOC tool landscape using the 5 key responsibilities as a framework.

Our goal with all of this is to provide a clear overview of the SOC tech stack so you can make the next-best investment for your team.

Let’s get started!


What Is SOC Software?

SOC software is the set of tools used by SOC analysts, engineers, and other team members to find and stop cyber threats. These tools can be mapped to the key responsibilities of security operations teams: prepare, detect, investigate, contain, eradicate, and recover. Some tools, like endpoint detection and response (EDR) software, span multiple key responsibilities. Other security operations center tools, like vulnerability scanners, address one capability that supports a key responsibility.

The key responsibilities of the SOC:

  • Prepare: Build readiness and operational maturity.
  • Detect: Detect attacks on the network and confirm they’re real.
  • Investigate: Understand the attack to support containment and eradication.
  • Contain: Stop the active threat.
  • Eradicate + Recover: Remove the root cause and return to a clean state.

The Big 6: The Essential List of SOC Software

You’ll find a comprehensive list of security operations center tools below, but we’d like to start this guide by covering what we regard as the essentials. Of course, every SOC is different, so every SOC will have its own version of what’s essential. Even so, there are fundamental capabilities relevant to all security organizations, and for our money, those are the six covered in this section: EDRs, investigation platforms, SIEMs, case management, SOARs, and threat intelligence.

With these 6 tools, SOCs can cover their bases across the 5 key responsibilities:

  • Prepare: no dedicated tool; covered by the full-lifecycle tools
  • Detect: EDR, SIEM
  • Investigate: Investigation Platform
  • Contain: EDR
  • Eradicate + Recover: EDR, Case Management
  • Full lifecycle (all five): SOAR, Threat Intel/TIP

1. EDR

Responsibilities: Detect, contain, eradicate, and recover

Why: No SOC can function without detection, and EDRs monitor the most critical attack surfaces for most organizations: endpoints.

While EDRs aren’t as comprehensive as the other detection tools on our essential list (SIEMs), the data they provide is much richer and is the starting point for most investigations (which are then expanded using investigation platforms). EDRs also support the other end of the responsibility set, enabling teams to kill threats and bounce back after an incident.

NOTE ON XDR

XDR (Extended Detection and Response) is the natural extension of EDR. Where EDR focuses on endpoints, XDR pulls in telemetry from across your environment (network, cloud, email, and identity), aiming to provide that same depth of insight at a broader scale.

Bottom line: Checking 3 of the 5 key responsibilities, EDRs are almost the definition of essential.

Key features:
  • Real-time monitoring/behavioral analysis
  • Comprehensive telemetry coverage
  • Automated response

Example solutions:
  • Microsoft Defender
  • CrowdStrike Falcon
  • SentinelOne

2. Investigation Platforms

Responsibilities: Investigate

Why: How can you protect your organization if you can’t find the attackers or understand what they did? You can’t, which is why investigation platforms are another essential.

Traditionally, SOC teams had to use multiple tools to tackle each part of the investigation, but now there are platforms that cover the entire process. SOC analysts can use an investigation platform to investigate a valid alert and determine if it’s an incident worth escalating to IR (endpoint triage). IR teams can then use the same platform to investigate the escalated incident and to determine the root cause (full investigations).

Bottom line: Making investigations faster, more comprehensive, and more collaborative, investigation platforms are the modern way to address this critical phase.

Key features:
  • Analyze data using automations and Automated Analysis
  • Integration and scalability
  • Reporting capabilities

Example solutions:
  • Cyber Triage
  • Binalyze

Cyber Triage is an investigation platform that specializes in rapid incident response, enabling investigators to quickly identify compromised hosts and make their next decisions fast.
Try it for 7 days.

3. SIEM

Responsibilities: Detect

Why: If EDR detection is about depth, SIEMs are about breadth. SIEM detection coverage can span basically your entire IT infrastructure, ingesting logs from your operating systems, identity systems, network devices, cloud platforms, and applications. They also retain historical data far longer than EDRs, which typically roll over their data every week or month.

NOTE

SIEMs perform best when supported by several tools that create detections that flow into them. (This is true of other monitoring platforms, too.) These include firewalls, network detection and response (NDR), user and entity behavior analytics (UEBA), and cloud security. These are also sometimes included as features within SIEMs.

Bottom line: If you want to have a 30,000-foot view of your territory, you need a SIEM.

Key features:
  • Centralization and visibility of IT infrastructure
  • Comprehensive log collection
  • Real-time monitoring

Example solutions:
  • Splunk
  • Rapid7 InsightIDR
  • Microsoft Sentinel

4. Case Management/Ticketing

Responsibilities: Eradicate and recover

Why: For anything beyond automated functions, eradication requires working with IT. Case management/ticketing supports that collaboration. It’s how teams work together, keep track of incidents, and facilitate handoffs.

Case management software is built for security investigations. It consolidates incident-related data into a single platform, supports many tool integrations, and uses automated workflows to speed up response and maintain audit trails. Although case management supports the whole operation, it’s particularly important for working with IT admins to eradicate attack-related items. IT ticketing software is built for general-purpose task management, but it can still be useful for incident tracking and prioritization.

Bottom line: If you need to work with IT on eradication, case management is necessary.

Key features:
  • Cross-team collaboration
  • Maintaining audit trails
  • Incident-related data centralization

Example solutions:
  • TheHive
  • ServiceNow Security Operations

5. SOAR

Responsibilities: Full lifecycle

Why: The bare essentials still require multiple security operations tools; SOAR is how they all work together.

A SOAR’s purpose is to centralize control over the security measures of a SOC team to streamline processes and aid in threat detection. It gives SOC teams a way to integrate their tools, automate routine tasks, and add threat monitoring. With the help of a SOAR, SOC teams can reduce reaction time and support collaboration.

Bottom line: By centralizing your tools and automating workflows, SOAR completes the SOC essentials.

Key features:
  • Extensive integration ability (API-first architecture)
  • Customizable specifically for playbooks
  • Automation (to an extent)

Example solutions:
  • Torq
  • Tines
  • BlinkOps

6. Threat Intel/TIP

Responsibilities: Full lifecycle

Why: Threat actors are continuously trying new methods. How do you keep track of the indicators of compromise for both old and new methods? Threat intelligence.

Threat intelligence can be feeds integrated into basically all your tools, or it can be part of a threat intelligence platform (TIP) where this data is consolidated and maintained. It covers collecting, analyzing, and acting on IOCs and attacker tactics and techniques.

Bottom line: Essential for comprehensive detection.

Key features:
  • Threat actor profiling
  • IOC and TTP enrichment
  • Feed aggregation/normalization

Example solutions:
  • Recorded Future
  • VirusTotal
  • OpenCTI

The Full Map: The Complete SOC Tools List

Okay, now that we’ve covered the essentials, let’s review the full set of tools according to key responsibility.

Prepare

Primary goal: Build readiness and operational maturity.

SOC responsibilities begin before any alert or even system review. SOC teams must first establish their scope, define roles for each member with training for those roles, create processes, set clear goals for each stage of the process, understand the tools available, and evaluate and adjust their processes to address strengths and weaknesses.

Although this may sound like an extensive list, these tasks can be completed simultaneously through different capabilities.

After establishing goals and roles for the team, the SOC team should evaluate the systems it is responsible for to find vulnerabilities. Vulnerabilities are then noted and considered when creating detections alongside the usual industry standards.

Using attack simulation allows teams to test readiness, roles, and processes and identify where adjustments are needed. This also allows hands-on training for team members and practical analysis of the overall process to continuously adjust as threats arise.

Capability: Attack Simulation
Description: Simulate real-world attacks to assess teams’ defenses and identify effectiveness and gaps.
Tools:
  • BAS platforms
  • Purple team tools
  • Tabletop exercise platforms

Capability: Detection Engineering
Description: Building detections for detection systems.
Tools:
  • Detection engineering platforms

Capability: Vulnerability Assessment
Description: Identify, analyze, and prioritize security weaknesses for addressing.
Tools:
  • Vulnerability scanners
  • Vulnerability services

Supporting infrastructure:

  • SOAR: Security orchestration, automation, and response

Detect

Primary Goal: Detect attacks on the network and confirm they’re real (alert triage).

This is a 2-step process: alert detection and alert triage.

Alert detection often comes from systems already in place, such as EDRs, NDRs, SIEMs, etc. But alerts also come from threat hunting, such as searching for IOCs and other anomalies, and from user reports, such as phishing and unusual behavior.

Alert triage is the process of validating alerts to weed out false positives.

SOCs must answer 3 questions:

  • Is the alert real or a false positive?
  • What is the potential impact of the alert?
  • How critical are the hosts associated with the alert?

Capability: Automated Detection
Description: Analyze data with automated algorithms, AI, and machine learning to identify anomalies and detect potential incidents.
Tools:
  • EDR
  • NDR
  • DLP
  • SIEM
  • UEBA
  • Firewall
  • Email security
  • Cloud detection/security

Capability: Manual Detection
Description: Proactive search for undetected threats.
Tools:
  • Threat hunting platforms

Capability: Alert Triage
Description: Confirm the alert is real and not a false positive.
Tools:
  • EDR
  • AI SOC

Supporting infrastructure:

  • SOAR
  • Ticketing/case management
  • Threat intelligence platform (TIP)

Investigate

Primary goal: Understand the attack to support containment and eradication.

After an alert is validated, the next step is investigation. This process includes determining the investigation scope, collecting and preserving data, and performing a technical analysis to identify compromised endpoints for containment.

This step begins with available data (EDR telemetry, SIEM logs, etc.) and often involves deploying a collection tool to gather DFIR artifacts. To quickly determine the scope, investigators must perform endpoint triage, a brief investigation that helps teams understand what to do next with the device.

Endpoint triage focuses on 3 big questions:

  • Was there malware?
  • Was data exfiltrated?
  • Was there lateral movement?

To perform endpoint triage, the collected data must be analyzed using Automated Analysis, automations, and manual efforts to correlate items and identify anomalous activity, TTPs, and IOCs. The analysis allows investigators to effectively prioritize compromised hosts and make the next decisions.

After the initial investigation has identified host prioritization for escalation, a full investigation can commence. The investigation consists of a deep-dive analysis of the compromised hosts to pinpoint all signs of compromise, particularly finding the root cause and building timelines to understand the attacker’s actions.

Capability: Endpoint triage
Description: Analyzing the endpoint to determine the scope and impact of the incident and the prioritization of compromised hosts.
Tools:
  • Investigation platform

Capability: Forensic collection
Description: Collect forensic data from live systems across the network (e.g., memory, disk, logs).
Tools:
  • Investigation platform
  • Remote collection tools

Capability: Full investigation
Description: Deep-dive analysis of endpoint, network, cloud, mobile, and malware data for signs of compromise.
Tools:
  • DFIR platform
  • Investigation platform
  • Specialized forensic tools for each data type

Supporting infrastructure:

  • SOAR
  • Ticketing/case management
  • Threat intelligence platform (TIP)

Contain

Primary goal: Stop the active threat.

Once compromised endpoints have been identified, they must be contained to stop the attack from spreading and causing further compromise/damage.

This process includes 3 core components:

  • Isolation of compromised endpoints and networks.
  • Addressing compromised accounts.
  • Blocking malicious items and updating firewall rules.

Isolation consists of using tools to disconnect compromised endpoints (without shutting them down) and implementing network segmentation to isolate the infected from the rest of the system and prevent the spread of attacks.

Addressing compromised accounts involves disabling them, resetting credentials, and terminating any active sessions.

Blocking malicious items and updating firewall rules covers IPs, URLs, domains, scheduled tasks, and services.

The extent of containment depends on the extent and type of the attack.
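To show how the three endpoint-triage questions from the Investigate section feed the three containment components described here, the following is an added Python example; it is not from the original post or from any Sleuth Kit Labs product. The host names, account, IOC values and the priority scoring (asset criticality plus one point per confirmed finding) are all constructed assumptions, and the actions it emits are a plan for a SOAR or analyst to execute, not calls to a real EDR or firewall API.

```python
from dataclasses import dataclass, field

@dataclass
class TriageFinding:
    """Endpoint-triage answers for one host (constructed input, not real telemetry)."""
    host: str
    criticality: int                  # 1 (low) to 3 (high); assumed to come from the asset inventory
    malware: bool = False             # Was there malware?
    data_exfiltrated: bool = False    # Was data exfiltrated?
    lateral_movement: bool = False    # Was there lateral movement?
    compromised_accounts: list = field(default_factory=list)
    malicious_ips: list = field(default_factory=list)
    malicious_domains: list = field(default_factory=list)

def host_priority(f: TriageFinding) -> int:
    """Assumed ranking: asset criticality plus one point per confirmed triage finding."""
    return f.criticality + sum((f.malware, f.data_exfiltrated, f.lateral_movement))

def containment_plan(findings):
    """Map triage findings to per-host actions, a network blocklist, and a case audit trail."""
    hosts, audit = [], []
    blocklist = {"ips": set(), "domains": set()}
    for f in sorted(findings, key=host_priority, reverse=True):   # highest priority first
        actions = []
        if f.malware or f.data_exfiltrated or f.lateral_movement:
            actions.append("isolate")          # EDR network isolation; host stays up for forensics
        if f.malware:
            actions.append("kill_processes")   # EDR process termination and file ban
        for account in f.compromised_accounts:  # disable, reset credentials, end active sessions
            actions += [f"disable:{account}", f"reset_credentials:{account}",
                        f"terminate_sessions:{account}"]
        blocklist["ips"].update(f.malicious_ips)          # de-duplicated across hosts
        blocklist["domains"].update(f.malicious_domains)
        hosts.append({"host": f.host, "priority": host_priority(f), "actions": actions})
        audit.append(f"{f.host}: priority={host_priority(f)} actions={actions}")
    return {"hosts": hosts, "blocklist": {k: sorted(v) for k, v in blocklist.items()}, "audit": audit}

# Constructed sample findings; the IP is from the 203.0.113.0/24 documentation range.
SAMPLE_FINDINGS = [
    TriageFinding("laptop-22", 1, malware=True, malicious_ips=["203.0.113.7"],
                  malicious_domains=["bad.example"]),
    TriageFinding("fileserver-01", 3, malware=True, lateral_movement=True,
                  compromised_accounts=["svc_backup"], malicious_ips=["203.0.113.7"]),
    TriageFinding("kiosk-03", 2),  # triaged, nothing confirmed: no containment action
]

if __name__ == "__main__":
    print("\n".join(containment_plan(SAMPLE_FINDINGS)["audit"]))
```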

Capability: Isolate + kill
Description: Disconnect compromised devices from the network, terminate malicious processes, and ban malicious files.
Tools:
  • EDR

Capability: Block IP
Description: Prevent unauthorized access from specific IP addresses, ranges, or malicious sources.
Tools:
  • Firewall
  • DNS security
  • API-driven blocklists

Supporting infrastructure:

  • SOAR
  • Ticketing/case management

Eradicate and Recover

Primary goal: Remove root cause and return to a clean state.

In the now-contained environment, SOCs must try to remove all traces of the attack and the attacker.

Starting with malware remediation, all malicious elements should be removed or resolved, such as malicious files, backdoors, and the root cause. After the threats have been neutralized, the system should be analyzed for any signs of persistence. The last stage of cleaning loops back to the prepare stage, as vulnerabilities should be identified and patched.

Once all eradication has been completed, the system should be backed up in its updated, clean state and then restored and put back into normal operations, where it’s monitored and tested for reinfection.

Capability: Remediation
Description: Automatically or semi-automatically resolve security threats such as malware.
Tools:
  • EDR/XDR
  • CSPM

Capability: Confirm no persistence
Description: Analyze the system, looking in common locations, in memory, and at behavior.
Tools:
  • Investigation platform

Capability: Vulnerability management
Description: Identify exploitable vulnerabilities and patch them.
Tools:
  • Vulnerability scanner
  • Vulnerability management platform

Capability: Backup + restore
Description: Ensure data integrity, system availability, and rapid recovery to maintain business continuity.
Tools:
  • Data platform
  • Enterprise suite

Supporting infrastructure:

  • SOAR
  • Ticketing/case management

Completed SOC Software Stack

Over the years, the security operations center software stack has evolved.

With this evolution has come the introduction of the investigation platform, which provides a single interface for the entire team (SOC and IR) to complete investigations more efficiently. Cyber Triage is the first of this emerging category, supporting fast, comprehensive, and collaborative investigations from assessing valid alerts to finding the root cause.

You can try it for free for 7 days here.