What a SOC does
A SOC’s core function is to provide 24x7 monitoring of an organisation’s systems and networks. This involves triaging alerts, investigating potential security incidents, and coordinating incident response activities. Beyond reactive responses, SOCs often incorporate proactive threat hunting, vulnerability management, and security engineering to strengthen defences. The technology stack typically includes a Security Information and Event Management (SIEM) system for log aggregation and correlation, a Security Orchestration, Automation and Response (SOAR) platform for automating tasks, Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) solutions for endpoint visibility, and Threat Intelligence (TI) feeds for context.
SOCs in Australian tenants today
Many AU mid-market organisations are facing increasing cyber risk with limited in-house resources, leading to a common ‘build vs buy’ decision for SOC capabilities. While building an in-house SOC offers greater control, it requires significant investment in personnel and technology. Increasingly, organisations are opting for Managed Security Services Providers (MSSPs) or Managed Detection and Response (MDR) services. Microsoft Sentinel and Microsoft Defender XDR are frequently foundational components of Australian SOCs, providing cloud-native SIEM and XDR capabilities. Microsoft Defender Experts offers access to Microsoft’s own security specialists for incident response and threat hunting, a useful augmentation for organisations lacking specialised skills, and one that is particularly relevant given APRA CPS 234’s focus on cyber resilience.