Security Operations Center

3S SOC – Monitoring, analysis and reporting

Security Operations Center (SOC) is the name of the team responsible for ongoing monitoring and analysis of the security status of the organization.
The aim of the SOC team is to detect, analyze and respond to cyber security incidents using a combination of technological solutions and a set of processes. By aggregating the available information in one place and correlating it properly, they are able to find a number of security problems that have been unnoticed until now. The Security Operations Center consists of security analysts and engineers supervising key security processes. SOC employees help to ensure that organizations can quickly detect and respond to a security incident without having to hire specialists and bearing the cost of maintaining additional SIEM (System Information and Event Management) systems.

The SOC center monitors and analyzes activity in networks, servers, endpoints, databases, applications, websites and other systems, looking for anomalies that could indicate security incidents or attempts. SOC is responsible for ensuring that potential security incidents are correctly identified, analyzed and, as a result, reported to clients for further action.


The SOC team is responsible for the operational supervision and analysis of the level of information security in a given organization within the agreed scope.


Line 1 operators – the Network Operations Center (NOC) team – monitor data from the connected systems and inform about anomalies and security incidents detected in the client’s infrastructure.

  • Request reception and logging
  • Verification of systems operation (EPS),
  • Response to the incident.


Second line operators – the Security Operations Center (SOC) team – observe the client’s logs, processes and systems and, using advanced technologies, hardware and software, analyzes, correlate and interpret data from multiple sources in order to detect unusual activities in the infrastructure.

  • Monitoring and analysis of network traffic and system logs,
  • Incident analysis,
  • Network mapping,
  • Coordination of actions and reactions to the incident,
  • Vulnerability management,
  • Archiving of system events and connections.


The 3S Security Operations Center service supports the client’s resources through team of engineers as well as an infrastructure monitoring system. Data is collected from many sources:

  • Network and edge devices,
  • Servers and virtualization systems,
  • Databases,
  • Applications,
  • Vulnerability scanners,
  • User identity and information databases,
  • Terminal devices.

3S SOC handles security incidents based on the correlation of many sources of information, including:

events and logs from security systems (Firewall, Intrusion Prevention System VPN, Anti-Virus, etc.), operating systems (Linux, Solaris, Windows, etc.) and applications and databases,
information on the status of protected systems (type of operating system, available applications) and their security vulnerabilities read by the IBM IDP Profiler and security scanners such as QRadar Vulnerability Manager, NMAP, Nessus, nCircle, Qualys, Foundstone, etc. statistics and description of network traffic received from devices using NetFlow, J-Flow, S-Flow and Packeteer and read directly from the network (switch span port or QRadar VFlow for virtual environments).

I. Developing strategies for the detection, analysis, response, reporting and prevention of cyber security incidents.

Tools and services used in 3S SOC:

  • Security information and event management (SIEM)
  • Vulnerability scanner
  • Penetration tests
  • Intrusion detection systems (IDS), Intrusion prevention systems (IPS),
  • Firewall and NGFW,
  • Channels and databases on cyber threats
  • Tools for network traffic analysis and application performance monitoring (EPS)
  1. Types of the SOC service:
  • Basic version: „8/5” support mode – support for the specified infrastructure on workdays between 8-16
  • Extended version: „24/7” support mode – support for the specified infrastructure 24/7/365

III. Monitoring
Monitoring is a key function in SOC. The service is responsible for monitoring IT systems and user accounts throughout the enterprise, as well as monitoring the security tools themselves. The main monitoring coordination tool is SIEM. Organizations use many dedicated monitoring tools, such as network monitoring and application performance monitoring (EPS). However, for security reasons only SIEM, with its inter-organizational view of IT and security data, can provide a complete monitoring solution.

IV. Reporting

One of the basic functions of SIEM creation of reports and analysis of the results of events and incidents. Everything takes place in real time, as well as after an incident or a security breach specified in procedures. The reports and their summaries are done according to the client’s requirements. The reports are fully customized and optimized for the client’s needs.



  • Provision of the necessary competencies and operational tools of the Security Operation Center,
  • Audit of company processes,
  • Scanning systems for vulnerability,
  • Data security:

– protection of terminal equipment,

– protection of network devices,

– Protection of servers and virtual machines,

– motion analysis.

  • Continuous analysis of events occurring within in the structures of the company,
  • Full supervision and transparency of events and system logs,
  • A complete solution that provides a complete security service for your company.


Parameters affecting the costs related to the service and its operation:

  • EPS (Events per second)
    A term used to define the number of events or processes that take place at a given time on any IT device, related and connected to the SIEM software.
  • Event Flows
    they represent network activity by normalizing IP addresses, ports, number of bytes and packets and other data in flow records, which are actually session records between two hosts.
  • Data retention period
    the period of time during data will be archived and stored for the needs of event analysis.
  • Availability
    the level of service availability can be chosen at two different models: 8/5 on workdays or 24/7.
Do you have questions? Contact us

This site uses cookies to improve your customer experience with us.

Find out more