The Lifecycle of a Threat: The Inner Workings of the Security Operations Center

See how SonicWall’s SOC handles a threat from discovery all the way to resolution in this detailed blog.


In a world where cyber criminals target businesses both large and small with ever-changing tactics and techniques, heroes emerge: Managed Service Providers (MSPs). They may not wear capes, but every day, MSPs provide crucial security and IT support to their customers. However, with new threats appearing almost daily, it can be impossible for the average MSP to keep up, especially as threat actors tend to take action well outside of normal working hours, including weekends, holidays and the middle of the night.

Having a Security Operations Center (SOC) is a crucial step for MSPs to defend their clients at all hours of the day and night, but building a SOC yourself can cost upwards of $1 million and come with many staffing and compliance headaches. For many MSPs, getting SOC coverage through a partner is the way to go, for example by partnering with SonicWall and our Managed Security Services team.

SonicWall’s SOC is defending our MSP partners and their clients day and night from shadowy cybercriminals. Here’s how they do it.

The Trifecta of the SOC: People, Process, Technology

Any effective SOC is a combination of three things: people, process and technology. While it’s easy to focus only on security tools like endpoint detection or antivirus software, it’s crucial that those tools are configured properly and that effective processes are in place to ensure the SOC is running efficiently.

That’s why the people are the most important element of the SOC: they are cyber experts who stay on top of the latest cyber threats and new techniques being used by threat actors. They also apply that knowledge and experience to the configuration of security tools. They can quickly determine which alerts are relevant and recognize patterns in the alerts that security tools throw, allowing them to spot and stop attacks at very early stages, minimizing damage for your clients. While security tools and software are important, it’s the people who bring the true value to a SOC.

Preparation is Everything

Arguably the most important part of the incident response cycle is the preparation before a cyber event takes place. Taking the time to ensure that all security tools have the latest updates, that all endpoints have the correct tools installed, and that tools are using the latest security rules can make the difference between an annoying minor alert and a full security incident.

SonicWall’s SOC works with our partners to ensure that their environments are as prepared and protected as possible before a threat actor ever takes action. When new partners start out with SonicWall Managed Security Services, the SOC team conducts a white-glove onboarding process to ensure security tools are installed and configured properly. After that, the team performs configuration audits twice monthly and provides a report card to partners that lists any actions needed to be optimally secure.

Minor, Major and Critical Alerts

The SonicWall Security Operations Center monitors for alerts and abnormal behavior 24 hours a day to protect our MSP partners and their clients from cyber threats. When alerts come in from security tools, a SOC analyst conducts an investigation. The SOC’s rules and technology configurations automatically classify alerts as minor, major or critical, and the SOC analyst can then upgrade or downgrade the alert as needed based on what they find in their investigation.

  • Minor Alerts are used for situations where abnormal activities have been identified in the environment, such as files being quarantined in unusual folders. There’s no evidence of anything else happening; something’s just weird. These alerts can be false positives. If further investigation or action is recommended, the SOC analyst will email you.
    If we were to think of the SOC as firefighters, in a Minor Alert, the SOC smells smoke but finds no evidence of a fire.
  • Major Alerts are used when there is confidence of malicious or suspicious activity in the environment. Often, this is activity that was stopped by security tools, such as quarantined malware, but further investigation is warranted to ensure the full threat has been addressed. In the event of a Major Alert, the SonicWall SOC will contact you by email with recommended next steps.
    To use our firefighter analogy, in Major Alerts the SOC smells smoke and the smoke detector is going off, but there is no evidence of an active fire.
  • Critical Alerts are used when there is high confidence of an active compromise happening. For these alerts, the SOC takes immediate action to mitigate the threat and keep damage to a minimum, such as isolating an endpoint, pulling a server offline or deactivating a potentially compromised user account. Taking these immediate actions in response to a critical threat helps reduce attacker dwell time and keeps the attack from spreading across the network.
    In our firefighter comparison, this is the time the SOC sees active flames and works quickly to put them out to keep them from spreading and causing more damage.

When a Critical Alert happens, the SonicWall SOC team will call you on the phone every fifteen minutes for the first hour, and then every hour after that. Don’t worry – if you don’t answer, the SOC team won’t wait. The threat will still be addressed and we’ll fill you in once we’re able to connect.

Once the threat is contained, the SOC analyst will create a report that documents the incident, including what specifically happened, the scope of the incident, the actions they took to mitigate the threat, and any other areas of impact you may need to be aware of. They will also make recommendations for your next steps toward full remediation.

SonicWall’s Security Operations Center stands ready to defend all our MSP partners and their end clients, and we’ve made getting the around-the-clock protection of a SOC easier than ever. Our Managed Security Services are available with no annual contracts or long-term commitments and with no minimums. We partner with you and scale with you as your business scales – whether up or down.

Ready to get started? Contact us today to learn about Managed Detection and Response (MDR) with a free 30-day proof of concept!


Sarah Wilkinson
Senior Product Marketing Manager | SonicWall
Sarah Wilkinson is a Senior Product Marketing Manager at SonicWall, primarily responsible for SonicWall’s MXDR services and enabling MSP partners. She is a seasoned cybersecurity marketer, with many years of experience marketing enterprise cybersecurity solutions, primarily in the cyber threat intelligence and threat-informed defense spaces. She’s passionate about making cyber threat intelligence and other proactive cybersecurity tools accessible to small businesses and the MSPs defending them. Sarah is a graduate of West Virginia Wesleyan College.