Day in Security Operations Center
What Really Happens in a 24/7 Monitoring Center During a Cyberattack
NetNordic SOC services provide round-the-clock monitoring for business environments every day of the year. But what does 24/7 SOC monitoring actually involve, and what kind of work does it entail? We interviewed NetNordic’s Security Analysts, Riku Ihalin and Vivi Karlsson, about their roles. They also shared a real-life example of an incident and how it was managed in NetNordic SOC.
Night
NetNordic SOC operates 24/7. When the Security Analysts on the day shift finish their work in the evening, the night shift team takes over, ensuring continuous monitoring of client environments through the night. Nights are usually quieter in both the clients’ environments and the SOC itself.
The primary responsibility of Security Analysts is to monitor cybersecurity events and alerts in client environments through NetNordic’s proprietary monitoring system. The job also involves customer support and documentation—meticulous documentation ensures transparency and enables seamless operations across shifts.
Morning
During the day, client companies are at their busiest, which means the number of events and alerts in the SOC monitoring system peaks during office hours. While most cybersecurity events are routine and require no action, analysts escalate and investigate anything unusual. Team collaboration is crucial, and colleagues are always ready to assist when needed.
The SOC team at NetNordic includes not only Security Analysts but also Threat Intel Analysts, who specialize in identifying threat trends, and professionals who focus on threat hunting, searching for vulnerabilities in client environments.
Daytime
During the day shift, analysts prepare various reports and maintain regular communication with clients through monthly meetings. Reporting is a vital part of NetNordic SOC service, which emphasizes partnership and collaborative improvement. Written communication is a particular focus for the analysts: instead of relying on automatically generated texts, they personally draft detailed insights for each ticket based on their analysis.
Evening
As the day shift ends, the SOC quiets down. Night shift workers take over, continuing to monitor cybersecurity events in the same way as the day team. While there are fewer events during the evening and night, those that do occur are often more unusual and may require closer investigation and deeper analysis.
In many cases, the SOC’s role is to monitor, but when a critical incident occurs, immediate action is taken. Analysts contact the client directly—usually by phone to ensure a swift response, avoiding delays that could occur if relying on email notifications. This proactive approach often helps contain situations quickly.
Cyberattack Case: Phishing Email
It’s a routine day in the SOC when the team notices something unusual: an alert indicates a login from an unusual location—someone has logged into the environment of a Finland-based company from across the globe. The login is so unusual that the SOC team notifies the client by creating a ticket. Soon after, more suspicious events appear in the client’s system. Just as the team is about to call the client, the client calls them—something is clearly wrong.
It turns out that one of the client’s employees has unknowingly entered their login credentials into a phishing email. Using these credentials, an attacker gains access to the client’s environment, where they review documents and send thousands of phishing emails from the employee’s account. Phishing emails sent from the company’s official address are naturally more convincing, increasing the risk of widespread damage.
The SOC team immediately takes action, changing the compromised account’s password to block the attacker. Meanwhile, other team members delete the sent phishing emails and monitor login activities in case anyone has already responded to the fraudulent messages. Thanks to the team’s swift response, the situation is quickly contained, and suspicious login activity decreases. Enhanced monitoring continues throughout the night and weekend.
Prevention and Proactive Response Are Key
It later emerges that this attack was part of a larger phishing campaign. Thanks to the SOC team’s vigilance, the attack was stopped in its early stages. Had it gone unnoticed, the damage could have been much greater. Credentials obtained through phishing are often sold to other cybercriminals, meaning an undetected attack could resurface much later.
NetNordic’s SOC operations prioritize prevention and strengthening security measures, which is why critical incidents like this are rare. With rapid response capabilities and comprehensive monitoring, NetNordic SOC clients can rest assured that their cybersecurity is in expert hands, 24/7/365.
Table of Contents
Content subjects category
Content type
Related content
Contact Us
Feel free to call us directly on our telephone number +47 67 247 365, send us an email salg@netnordic.no, or fill in the form and we will get back to you as soon as possible! Thanks!
