The SOC New Normal: Hybrid and Virtual SOCs in the COVID-19 Crisis by Gilad David Maayan


Times of social disruption are prime opportunities for criminals to carry out cyberattacks. Organizations are often distracted by other pressing matters and security teams may already be overwhelmed. For example, when work from home restrictions was put in place, many security teams had to scramble to secure hundreds or thousands of remote connections and devices.

This scramble and the general stress that people feel leads to gaps in security and rash actions. When already stressed, teams are more likely to make configuration errors, to overlook threats, or simply be too overwhelmed to respond to issues.

During COVID-19, in particular, attackers took the opportunity to target the US Department of Health and Human Services. This attack was meant to disrupt operations and the flow of information to the public. Hackers have also been posing as WHO and the CDC in an attempt to phish information from unsuspecting users. 

What Is a Security Operations Center? 

A security operations center (SOC) is a department created in an organization that houses your IT security team. This team is typically made up of security analysts, engineers, and managers. From the SOC, your team monitors and manages your systems and responds to threats as needed. 

SOCs enables you to centralize your security operations, increasing system visibility, and decreasing vulnerabilities through more consistent protections. A SOC can help your team ensure that responses to threats are fast, efficient, and effective. 

While it was once common for only large organizations to have SOCs, many smaller organizations now have one as well. In particular, smaller organizations tend to have virtual or hybrid SOCs, which are not as reliant on physical locations. These variations enable smaller organizations to benefit from the centralization of a SOC without the overhead of maintaining a traditional facility.

What Is A Virtual Security Operations Center?

A virtual SOC (V-SOC) can be either a SOC that is made of distributed teams connected through network resources or a SOC that is provided as a third-party service. Regardless of whether V-SOCs are outsourced or internal, they typically use cloud-based tooling to monitor and manage your systems for you. 

An internal V-SOC has all of the same responsibilities as a physical one. The difference is that team members may be distributed across an organization. This can enable them to better respond to incidents in multiple locations and can significantly reduce costs associated with creating a central office.

When a company uses a third-party V-SOC they are able to outsource system security to a team of experts, typically with a service level agreement. This can provide greater protection than what an organization might be able to accomplish in-house. These providers enable you to access 24/7 incident response without having to worry about staffing, overtime, or how to manage assets distributed over multiple time zones. 

Often, when organizations choose to use third-party V-SOCs they are able to gain access to skillsets and tools that they would not be able to afford on their own. For example, small organizations may gain access to enterprise-grade tooling because the cost is offset by the V-SOC service model. 

What Is A Hybrid SOC?

A hybrid SOC is a SOC that combines in-house operations with virtual, outsourced operations. Hybrid SOCs enables organizations to supplement their in-house teams to gain flexibility, scalability, and more robust coverage. 

In particular, hybrid SOCs can benefit organizations with the following types of duties: 

Out-of-hours coverage

Many organizations do not have or want to staff security teams around the clock. The costs and logistics of this constant coverage are more than a company may want to manage. 

By outsourcing after-hours coverage, however, an organization can ensure that their systems are continuously protected. This supplemental coverage can help prevent team burnout and enable companies to continue managing the bulk of their security operations.

Routine maintenance and monitoring

For some organizations, the basic tasks related to security are more than what their teams can handle. For example, due to team or organization size. Or, organizations may wish to focus internal resources on hiring and training high-level experts. 

Rather than wasting these team member’s skills on low-level tasks, organizations can outsource low-level work. This enables in-house experts to focus on higher-level tasks such as in-depth analysis, threat hunting, or incident response. 

Expertise and training

In contrast to teams that already have in-house experts, some teams may only have entry-level security staffing. For these organizations, supplementing in-house knowledge with external expertise can help ensure that teams aren’t overwhelmed by complex threats. 

For example, organizations may outsource security responsibilities to gain access to training or recommendations for improving internal teams. In-house members can work with provider experts to learn new skills, tooling, or best practices. Then, providers can help teams apply these new skills internally to improve security operations.

SOCs During Covid-19: Virtual and Hybrid SOCs are no Longer Optional

During COVID-19, many cybersecurity teams are responsible for distributed networks of devices and assets. Work from home may have completely changed how employees connect to networks and what demands are placed on infrastructure. This means that SOCs need to modify many of their processes and procedures to account for these changes and implement relevant network security measures. 

One of these modifications is the ability to work remotely. With restrictions in place, SOC teams are not exempt from work from home mandates. Unfortunately, for physically bound teams, this can create a significant challenge. However, for virtual and hybrid teams, adaptation may be significantly smoother. These teams were already used to working at least partially remotely and had measures in place that are not affected by the relocation of staff.

While suddenly switching to a virtual or hybrid model is not possible for some organizations, many can adapt their systems to accommodate these new demands. For these latter organizations, the benefits of virtual and hybrid SOCs may help them survive COVID-19 restrictions. For the former, current sacrifices in security and potential loss of operational time painfully highlight why purely physical SOCs are no longer practical.

About the Author

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.



December 2, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023