SOC's is a new term for me. When I was doing active monitoring, we call it NOSC (Network Operations Security Center). Of course, this was back in 2002 timeframe. Much of the monitoring has gone the automated route, but there needs to be human intervention when there is an alert. Additionally there needs to be a qualified human to audit the automated gatekeepers to insure rule sets are properly configured. Being qualified to audit requires the ability to script and to understand TCP and UDP handshakes.
