7 Sep

SOC Analysts: What they are, what they do, and why they matter 


‘SOC Analyst’ is a term used frequently in the cybersecurity industry. Some know the roles and responsibilities of a SOC analyst, yet many are uncertain about what the term actually stands for.

Starting with the abbreviation itself, “SOC” stands for Security Operations Center, the centralized unit that handles the security operations of an organization. A SOC is a critical unit for any organization, regardless of its size. Its prime objective is to “provide situational awareness using a combination of technologies to properly identify, analyze, investigate, communicate, respond, and report cybersecurity incidents.” SOC analysts also scan systems and applications to identify potential cyber threats or ongoing attacks (e.g., intrusion, compromise), determine whether an event is a genuine incident, and assess its immediate impact on the business.

With new cyberattacks making headlines almost every day, the significance of cybersecurity cannot be overstated. If an organization does not already have a SOC, its focus should be on building and staffing one. Cybersecurity enthusiasts will recognize this as an opportunity to help the organization and build a career at the same time.

Staffing SOC Team  

A SOC team continuously monitors and analyzes the security infrastructure of an organization for potential cyber threats, both those probing from outside and those that may already have penetrated the existing security layers. It consists of a wide range of cybersecurity professionals, from analysts to managers and engineers. In organizations large enough to have both, the SOC also coordinates with the Computer Security Incident Response Team (CSIRT). Organizations usually prefer an internal SOC team, but the function can be outsourced, too.

What’s the difference between a CSIRT and a SOC team? In terms of the five NIST Cybersecurity Framework functions, the SOC team primarily works in Identify, Protect, and Detect, while a CSIRT works mostly in Respond and Recover.

Security team composition can vary, and staffing such a team depends entirely on the requirements of the organization. The roles below are grouped by tier.

Security Analyst (Tier 1)
Description: Triage Specialist
Skills: Sysadmin skills (Linux/Windows/Mac); programming skills (Python, Ruby, PHP, C, C#, Java, Perl, and more); security skills
Responsibilities:

* Reviews incident alerts and evaluates their urgency and relevance
* Creates trouble tickets to alert Tier 2
* Runs vulnerability scans and reviews the assessment reports
* Manages and configures security monitoring tools

Security Analyst (Tier 2)
Description: Incident Responder
Skills: All Tier 1 skills + experience and the ability to remain calm under pressure
Responsibilities:

* Reviews trouble tickets generated by Tier 1 analysts
* Uses threat intelligence to identify infected/affected systems and the scope of the attack
* Collects data for further investigation
* Performs remediation and determines recovery efforts

Expert Security Analyst (Tier 3)
Description: Threat Hunter
Skills: All Tier 1 and 2 skills + knowledge of data visualization and penetration testing tools
Responsibilities:

* Reviews asset discovery and vulnerability assessment reports
* Uses advanced threat intelligence techniques to identify cyber threats that might have found their way into the network
* Conducts penetration testing to gauge resilience and find vulnerable entry points
* Recommends ways to optimize security monitoring tools based on threat hunting findings

SOC Manager (Tier 4)
Description: Operations & Management
Skills: All Tier 1, 2 and 3 skills + strong leadership and communication skills
Responsibilities:

* Supervises the SOC team
* Maintains and manages the entire team (recruitment and training)
* Reviews incident reports and manages the escalation process
* Develops and executes a crisis communication plan for all stakeholders
* Deals with compliance reports and supports the audit process
* Evaluates SOC performance metrics and communicates with business leaders

[1]  

How Does SOC Work?   

A SOC team is responsible not only for developing security strategies and implementing defensive measures, but also for detecting, analyzing, and responding to security incidents. Sometimes the team takes on additional responsibilities, such as forensic analysis, cryptanalysis, and reverse engineering.

The work of a SOC team starts with defining a strategy that gains executive support and integrates business-specific goals from different departments. Once the plan is drafted, the SOC team ensures that the infrastructure supports its implementation. A standard SOC infrastructure includes firewalls, intrusion detection and prevention systems (IDS/IPS), a Security Information and Event Management (SIEM) system, and other breach-detection tools. This infrastructure collects data through network flow records, packet capture, Syslog, telemetry, and other methods, and the SOC team then analyzes that data. Continuous network monitoring to discover vulnerabilities is critical to data protection, and regulatory compliance is essential to keeping the business running.
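As an added illustration that is not part of the original article, the following Python shows the Tier 1 triage step from the role table above applied to the Syslog feed this paragraph mentions: it parses a few constructed BSD-syslog alerts, judges urgency from the syslog severity and relevance from message keywords, collapses repeated alerts, and opens tickets for Tier 2. The log lines, hosts, addresses, keyword list and severity thresholds are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample alerts in BSD syslog (RFC 3164) form with a <PRI> prefix; hosts,
# addresses and messages are made up for this example and are not real logs.
SAMPLE_LOGS = [
    "<34>Sep  7 10:01:12 vpn01 sshd[2201]: Failed password for root from 203.0.113.7 port 5220 ssh2",
    "<34>Sep  7 10:01:13 vpn01 sshd[2201]: Failed password for root from 203.0.113.7 port 5221 ssh2",
    "<13>Sep  7 10:05:40 ws17 CRON[991]: (root) CMD (run-parts /etc/cron.hourly)",
    "<11>Sep  7 10:06:02 ids01 suricata[77]: ET MALWARE possible beacon from 10.0.0.42",
]

# <PRI> = facility * 8 + severity; then timestamp, host, process[pid], message.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")
# Assumed relevance keywords a Tier 1 analyst would look for; tune per environment.
SUSPICIOUS = ("failed password", "malware", "beacon")

@dataclass
class Alert:
    severity: int  # 0 (emergency) .. 7 (debug), taken from PRI % 8
    host: str
    process: str
    message: str

def parse_syslog(line: str) -> Alert:
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    return Alert(int(m.group(1)) % 8, m.group(3), m.group(4), m.group(5))

def triage(alert: Alert) -> str:
    """Tier 1 decision: 'escalate' (ticket to Tier 2), 'review', or 'benign'."""
    relevant = any(k in alert.message.lower() for k in SUSPICIOUS)
    if relevant and alert.severity <= 3:   # error or worse AND suspicious content
        return "escalate"
    if relevant or alert.severity <= 1:    # suspicious but low severity, or emergency/alert
        return "review"
    return "benign"

def build_tickets(lines):
    """One Tier 2 ticket per distinct escalated alert; repeats are counted, not re-ticketed."""
    tickets = {}
    for line in lines:
        alert = parse_syslog(line)
        if triage(alert) != "escalate":
            continue
        # Normalize the ephemeral port so a burst of failed logins becomes one ticket.
        key = (alert.host, alert.process, re.sub(r"port \d+", "port *", alert.message))
        t = tickets.setdefault(key, {"host": alert.host, "summary": key[2], "count": 0, "assigned_to": "Tier 2"})
        t["count"] += 1
    return list(tickets.values())
```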

What Is a SOC Analyst?  

SOC analysts are usually the first responders to security incidents, the front-line defenders who analyze cyberattacks. They start by reviewing incident alerts, then run a vulnerability assessment and report the results to Tier 2 professionals. Tier 1 professionals also ensure that the team has functional, correctly configured security monitoring tools. SOC analysts work alongside expert security analysts and managers.

These front-line professionals identify and analyze cyberattacks, and then coordinate the response with Tier 2 professionals to complete the required assessment reports. Depending on the needs of the organization, SOC analysts may be given additional responsibilities such as disaster recovery.

Summary: 

  • SOC Analyst Salary – $47K to $79K (average base pay is $62,400/yr) [2]  
  • Job titles associated with the responsibilities of a SOC Analyst:  
    • Threat Intelligence Analyst  
    • Vulnerability Analyst  
    • Cybersecurity Analyst  
    • Information Security Analyst/Administrator  
    • Security Administrator  

Responsibilities  

  • Monitoring and analyzing network traffic for malicious or unusual activity  
  • Monitoring and analyzing intrusion detection and prevention systems  
  • Log analysis  
  • Reporting security incidents and potential threats  
  • Completing vulnerability assessments and coordinating reports with the team  
  • Collaborating with the CSIRT and threat intelligence team  

Why Do We Need SOC Analysts?  

Even when automation and security orchestration are fully implemented, SOC analysts are still necessary for critical thinking and human analysis. Organizations need SOC analysts with revised responsibilities, which include:

  • Conducting proactive research on emerging trends and alarming cyber threats  
  • Performing holistic incident analysis  
  • Assessing risks and providing innovative solutions to improve security  
  • Assisting the IR team in deploying a concrete IR plan  

How to Become a SOC Analyst?  

Certified SOC Analyst (CSA) is a training and credentialing program that helps candidates acquire current, in-demand technical skills through instruction by some of the most experienced trainers in the industry.

The CSA program is the first step toward joining a security operations center (SOC). It is designed for current and aspiring Tier I and Tier II SOC analysts to achieve proficiency in entry-level and intermediate-level operations.

Sources:  

[1] https://www.alienvault.com/resource-center/ebook/building-a-soc/soc-team 

[2] https://www.glassdoor.com 

Editor's Note:
Reviewed by David Kosorok, Director, Application Security at Align Technology and Kris Thomas, Cybersecurity Risk Advisor at Deloitte.