What's the difference between SIEM, Managed SIEM and SOC?

Learn how a security information and event management (SIEM) and a security operations centre (SOC) can enhance your organisation's cyber security posture.

In the world of cybersecurity, understanding the difference between a SOC (security operations centre) and a managed SIEM (security information and event management) is crucial. Both play vital roles in keeping your organisation secure, but they do so in different ways. Let's dive into what sets them apart.
What is a security information and event management (SIEM)?
A SIEM is like the detective of your cybersecurity team. It collects, analyses, and correlates security events from various systems and data sources within your organisation. Think of it as a central hub that gathers logs from network appliances, servers, and cloud services, then uses rules and algorithms to spot potentially malicious activity.
However, operating a SIEM can be resource-intensive. That's where a managed SIEM service comes in. It lightens the load by employing a team of security analysts who triage, investigate, and notify you of any alerts and threats identified by the SIEM platform. This managed approach ensures that your organisation can focus on its core activities while staying protected from cyber threats.
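To make the "collect, normalise, correlate" pipeline concrete, the following added example (written for this article; not Jisc code and not any particular SIEM product) shows a miniature rule engine: log lines from three constructed sources (an SSH auth log, a firewall, a cloud audit trail) are mapped onto a common event schema, and two stateful correlation rules run over the time-ordered stream. The log formats, IP addresses, thresholds and rule names are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines from three sources. The leading word ("auth", "fw",
# "cloud") stands in for the source label a collector would attach to each line.
SAMPLE_LOGS = [
    "auth 2024-05-01T10:00:01Z sshd[1201]: Failed password for admin from 203.0.113.7 port 5100",
    "auth 2024-05-01T10:00:04Z sshd[1201]: Failed password for admin from 203.0.113.7 port 5101",
    "auth 2024-05-01T10:00:09Z sshd[1201]: Failed password for admin from 203.0.113.7 port 5102",
    "auth 2024-05-01T10:00:15Z sshd[1201]: Failed password for admin from 203.0.113.7 port 5103",
    "auth 2024-05-01T10:00:22Z sshd[1201]: Failed password for admin from 203.0.113.7 port 5104",
    "auth 2024-05-01T10:00:40Z sshd[1201]: Accepted password for admin from 203.0.113.7 port 5107",
    "auth 2024-05-01T10:00:45Z sshd[1201]: Failed password for bob from 192.0.2.20 port 6000",
    "fw 2024-05-01T10:01:05Z action=allow src=203.0.113.7 dst=10.0.0.5 dport=445",
    "cloud 2024-05-01T10:02:00Z event=ConsoleLogin user=admin sourceIP=198.51.100.9 result=Success",
]

AUTH_RE = re.compile(r"^auth (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+$")
FW_RE = re.compile(r"^fw (\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)$")
CLOUD_RE = re.compile(r"^cloud (\S+) event=(\w+) user=(\S+) sourceIP=(\S+) result=(\w+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise(line):
    """Map one raw line onto a common event schema; None if the line is not recognised."""
    m = AUTH_RE.match(line)
    if m:
        ts, outcome, user, ip = m.groups()
        return {"ts": parse_ts(ts), "source": "auth", "user": user, "src_ip": ip,
                "type": "auth_success" if outcome == "Accepted" else "auth_failure"}
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, dport = m.groups()
        return {"ts": parse_ts(ts), "source": "fw", "type": f"fw_{action}",
                "src_ip": src, "dst_ip": dst, "dport": int(dport)}
    m = CLOUD_RE.match(line)
    if m:
        ts, _event, user, ip, result = m.groups()
        return {"ts": parse_ts(ts), "source": "cloud", "user": user, "src_ip": ip,
                "type": "auth_success" if result == "Success" else "auth_failure"}
    return None


def correlate(events, threshold=5, window=timedelta(seconds=60), follow=timedelta(minutes=5)):
    """Two stateful rules over the normalised, time-ordered event stream.

    Rule 1: >= threshold failures from one source IP inside `window`, then a success
            from that IP (any source) -> 'brute_force_then_success'.
    Rule 2: within `follow` of such a success, a firewall 'allow' from the same IP to
            a sensitive internal port -> 'post_compromise_internal_access'.
    """
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)   # src_ip -> timestamps of failures still inside the window
    flagged = {}                   # src_ip -> time of the success that fired rule 1
    alerts = []
    for e in events:
        ip = e["src_ip"]
        if e["type"] == "auth_failure":
            failures[ip].append(e["ts"])
            failures[ip] = [t for t in failures[ip] if e["ts"] - t <= window]
        elif e["type"] == "auth_success":
            recent = [t for t in failures[ip] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "src_ip": ip,
                               "user": e["user"], "failures": len(recent), "ts": e["ts"]})
                flagged[ip] = e["ts"]
            failures[ip].clear()
        elif e["type"] == "fw_allow" and ip in flagged:
            if e["ts"] - flagged[ip] <= follow and e["dport"] in (445, 3389):
                alerts.append({"rule": "post_compromise_internal_access", "src_ip": ip,
                               "dst_ip": e["dst_ip"], "dport": e["dport"], "ts": e["ts"]})
    return alerts


def run_siem(lines):
    """Collect -> normalise -> correlate, dropping lines no parser understands."""
    events = [ev for ev in (normalise(line) for line in lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_siem(SAMPLE_LOGS):
        print(alert["ts"].isoformat(), alert["rule"], alert["src_ip"])
```

Run as written, the sample stream raises two alerts for 203.0.113.7 (the burst of failures followed by a success, then the SMB-port connection inside the follow-up window), while the single cloud console login from 198.51.100.9 and bob's lone failure produce nothing. That is the point a managed SIEM's analysts then pick up: the platform turns thousands of raw lines into a handful of correlated alerts, and the humans decide which ones are real.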
What is a security operations centre (SOC)?
A SOC takes things a step further. It's not just about identifying potential threats; it's about actively defending and responding to them. A SOC combines the capabilities of a managed SIEM with additional tools and intelligence sources to detect and respond to malicious activity and incidents.
In essence, a SOC is your cybersecurity command centre. It includes Managed Detection and Response (MDR) capabilities, where security analysts manage your environment day-to-day, using Endpoint Detection and Response (EDR) solutions to contain and isolate any suspicious activity. A SOC also provides round-the-clock monitoring, incident response, forensics, and threat intelligence to spot and hunt for emerging threats. Security orchestration, automation and response (SOAR) tooling is employed to improve detection and response times, minimising potential impact on your organisation.
Not all SOCs are the same
SOC offerings can vary between providers. While most SOCs include SIEM, MDR, and 24/7 detection and response as standard, additional services often come at a price. Many SOCs offer an incident response retainer option, which supports your organisation in recovering from major incidents, but this usually incurs extra costs.
At Jisc, our SOC provides incident response as standard. We work with you after an incident to get your organisation back on its feet. As part of onboarding, we offer workshops and guidance to harden your infrastructure and apply best practices, reducing the likelihood of security incidents. We also conduct annual assessments of your security controls to help you strengthen your security posture.
Our SOC is built on services already available in your membership, including our protective network resolver service (JNRS) and Distributed Denial of Service protection service (Foundation DDoS). As the manager and provider of the Janet network for education and research, we can contain traffic at a network level during an incident, going a step further than most SOCs.
Additionally, our SOC leverages threat intelligence gathered across the sector, allowing us to respond swiftly to emerging threats. This proactive approach ensures that your organisation is not only protected but also prepared for future challenges.
Finally, as your vital sector partner, we offer sector-specific advice and expertise developed over many years of protecting the UK’s education and research organisations just like yours.
Further information
- Find out more about our security operations centre (SOC), which launches on 31 March.