In the previous part, we have discussed the components, structure, operation, and benefits of the SOC – internal Security Operation Center. However, in order to build and maneuver an efficient SOC, we need to harmoniously integrate the key elements of “Human – Technology – Procedure” – which are severely lacking in SMEs.

SIEM – A mutual challenge for various businesses

Many businesses often mistake their information security direct, leading to scattered investment with little focus, while some others pay too much attention to SIEM (Security Information and Event Management), overestimate their lacking human resources, thus not attaining efficiency. Without regular staff to adjust the SIEM system and reduce the rate of false positives from alerts, the analysis and problem-solving team will easily get overloaded.

On the other hand, some only care about gathering and analyzing data from SIEM (output), without investing in malware information detection and prevention of data exploitation like EDR, Advanced Threat Detection, Secure Gateway… (input). More importantly, when the supervision system is not yet optimized, and output data is still disjointed, it will be extremely difficult to gather tickets (cases), costing time to sequence alarms and find root causes as well as relevant assets to the mishap. Furthermore, should the staff be inexperienced in analysis and processing, the alarms and prevention solution may also become erroneous.

Traditional SOC model. Source:

In order to solve the security problem and reduce the cost of infrastructure requirements, training and deploying employees, as well as improve response procedure to cyberattacks, VSOC – Virtual Security Operation Center may be a solution for SMEs.

VSOC model. Source:

VSOC – Information security tool for businesses

In simple terms, VSOC is a web-based information security tool, which helps users to easily track their internal cybersecurity in real time. Via the use of centralized commands and constantly updated features, VSOC will paint a comprehensive picture of existing vulnerabilities and security holes of the internal system, as well as provide prevention methods in case of incidents. Behind VSOC is a team of experienced security experts, who, while not directly available at the organization, keep track of the system 24/7, never missing any irregularities. All operations will be recorded in details, on a single monitor, with suggestions on appropriate responses.

VSOC often comes from a third-party provider, which, after listening to the situation, requirements, and security demands of the organization, will start to design, deploy, and personalize its pre-existing VSOC service to match the organization’s budget, infrastructure, and target. This will free organizations from spending multiple investments and resources to build their own SOCs, as well as allow them to split demands for outsourcing of SIEM, SIEM operation and supervision, level 2 alarm analysis, threat hunting, problem-solving, malware analysis, digital investigation… most are integrated in VSOC.

According to a report by BlackStratus, 60% of small businesses close in 6 months after cyberattack, while 80,2% of SMEs (businesses with under 1,000 employees) are targeted, had their data stolen and image wrecked, 35% higher than that of big enterprises. This is understandable, seeing that SMEs often pay little attention and investment to building a safe information security system from the very start, leaving heavy consequences after attacks – which, in monetary value, may be many times larger that required budget for security. In fact, it is only after getting attacked that most businesses realize the importance of data and system protection.

VSOC model and operation

In general, VSOC is SOC-as-a-Service, equivalent to an actual SOC, but with much lower operation costs. If your business has strict regulating on risk management and privacy requirements, then VSOC, with its advanced structure that support various levels of account delegation, will keep you extremely safe. The structure of VSOC often depends on its provider, however, in basic, often includes: SIEM, Security Data Mining, Threat Intelligent System, Forensis, Log/Backup, hardware devices, and so on. Every online activity of the organization will be recorded, analyzed, and processed by the above technologies and experts, who will then issue a report of qualifications like ISO, PCI, HIPAA, SOX… intuitively, and clearly.

SOC-as-a-Service provides various features on cloud platform. Source:

Now, VSOC models are no longer unfamiliar with worldwide businesses and organizations. Security firms like IBM, Raytheon, Blackstratus, Redscan, LightEdge, Sirisk, Rapid7, Stellar Cyber… are all providing cloud-based SOC-as-a-Service in wide distribution.

The development of SOC in an entity can be divided into 6 levels: level 1 – have IT staff or supervision/information security software; level 2 – partial integration to Network Operations Centers (NOC); level 3 – have SOC, technology, and maneuvering of reports separated from the IT department; level 4 – solved the problem of resources in development, analysis, and problem-solving; level 5 – can control detected threats; and level 6 – integrate prevention, supervision, detection, fast response, and constant improvements.


Cybersecurity plays a crucial path in the race of digital technologies, where winners are those master big databases, and a data leak may cost you tremendously in a single night. The suggestion for businesses, especially those on small and medium scales, no matter what their choices are, is to carefully consider their organization’s demands, conditions, and targets, make centralized investments, sync technologies and procedures, at the same time continue to further the knowledge and sense of self-protection of employees.

Thien Ly – FPT HO

Related posts: