The Security Operations Center (SOC) career path

This section discusses the Security Operations Center (SOC) career path - key SOC technologies and the various SOC roles and responsibilities, skills and qualifications, and industry certifications


Learning objectives

  • Define the organizational function of the SOC
  • Describe the key SOC technologies
  • Describe the four main SOC roles
  • Understand the main responsibilities, skills, and industry certifications of the SOC analyst

This section discusses the Security Operations Center (SOC) career path. First, it describes the composition of the SOC unit and its key technologies. Then it covers the SOC team roles and responsibilities, skills and qualifications, and certifications. Finally, it suggests training resources for SOC careers.

Topics covered in this section

  • What is a security operations center?

  • SOC team role 1: Security analyst (SOC analyst)

  • Tier 1 SOC analyst

  • Tier 2 SOC analyst

  • Tier 3 SOC analyst

  • SOC team role 2: SOC manager

  • SOC team role 3: CISO

  • SOC team role 4: Security engineer

  • SOC training resources

What is a security operations center?

The SOC is the organizational unit that is expected to protect a business from security breaches by identifying, analyzing, and reacting to cybersecurity threats. A SOC team isolates unusual activity on servers, databases, networks, endpoints, and applications. It ensures an organization’s digital assets remain secure and protected from unauthorized access by monitoring and responding to massive amounts of data in a timely manner.

SOC teams typically comprise security analysts (Blue Team and Red Team), management, security engineers, and the CISO. The software they primarily rely on is the Security Information and Event Management (SIEM) system. SIEM technology “supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources” (The SOC, SIEM, and Other Essential SOC Tools).

A SIEM system functions as a “single pane of glass” that enables the SOC to monitor enterprise systems. SIEM technology “aggregates device, application logs, and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation” (The SOC, SIEM, and Other Essential SOC Tools).

Next-generation SIEM combines traditional SIEM functionality with security orchestration, automation and response (SOAR) and user and entity behavior analytics (UEBA). SOAR allows organizations to collect security threat data and alerts from multiple sources. “It can automatically identify and prioritize cybersecurity risks and respond to low-level security events” (What is SOAR). Next-gen SIEM technology can combine data lake technology, visibility into cloud infrastructure, behavioral analytics, an automated incident responder, and a threat hunting module with powerful data querying and visualization (Ultimate SOC Quick Start Guide).

Next-gen SIEM will have a significant impact on the SOC ecosystem. It can:

  • Reduce alert fatigue via user and entity behavior analytics (UEBA), which goes beyond correlation rules, helps reduce false positives, and discovers hidden threats
  • Improve mean time to detect (MTTD) by helping analysts discover incidents faster and gather all relevant data
  • Improve mean time to respond (MTTR) by integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology
  • Enable threat hunting by giving analysts fast, easy access to and powerful exploration of unlimited volumes of security data

A SOC is traditionally a physical facility that houses an information security team within a large organization. Increasingly, smaller organizations “are setting up lightweight SOCs, such as a hybrid SOC, which combines part-time, in-house staff with outsourced experts, or a virtual SOC, which has no physical facility at all, and is a team of in-house staff who also serve other functions” (Ultimate SOC Quick Start Guide).

Key SOC focus areas within organizations are:

  • Monitoring and Risk Management – capturing events from logs and security systems, identifying incidents, and responding
  • Network and System Administration – administering security systems and processes such as identity and access management, key management, endpoint management, and firewall administration
  • Control and Digital Forensics – enforcing compliance, and performing penetration testing and vulnerability testing

SOC team role 1: Security analyst (SOC analyst)

A SOC analyst is a cybersecurity specialist who monitors an organization’s IT infrastructure for threats. Key skills for all SOC analysts include network defense, ethical hacking, incident response, computer forensics, and malware reverse engineering.

“Security analysts are cybersecurity first responders. They report on cyberthreats and implement any changes needed to protect the organization” (Security Operations Center Roles and Responsibilities). Security analysts also play a role in organizational security training activities and in ensuring that staff can implement policies and procedures.

Within a SOC team, Tier 1, Tier 2 and Tier 3 SOC analysts (CSIRT – Computer Security Incident Response Team) are responsible for incident response. The response typically occurs in three stages: threat detection, threat investigation, and timely response. SOC analysts work alongside security managers and cybersecurity engineers, and usually report to the CISO.

Tier 1 SOC analyst

Related job titles of Tier 1 SOC analysts include Tier 1 Analyst, Alert Investigator, Entry-Level SOC Analyst, and SOC Analyst.

Responsibilities: Tier 1 analysts monitor, prioritize, and investigate SIEM alerts (monitor the network). They manage and configure security monitoring tools. They prioritize and triage alerts to determine whether a real security incident is taking place (they escalate potential threats after analyzing and ranking them on a severity level).

Skills/qualifications: Network administration, system administration, web programming languages (e.g., Python, Ruby, and PHP), scripting languages (e.g., JavaScript), vulnerability assessment, ethical hacking, network security, network intrusion analysis, and firewall administration.

Relevant certifications: CompTIA Security+, GSEC (GIAC Security Essentials), GCIA (GIAC Certified Intrusion Analyst); EC-Council: CND (Certified Network Defender), CEH (Certified Ethical Hacker), and CSA (Certified SOC Analyst).
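To make the SIEM correlation and Tier 1 triage described above concrete, here is an added example (not code from the original page or from any SIEM product) that runs a simple correlation rule over constructed authentication events and then applies a severity-based escalation decision. The event format, thresholds, and severity labels are assumptions chosen for illustration.

```python
"""Minimal SIEM-style correlation plus Tier 1 triage over constructed auth events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source_ip, user, outcome)
EVENTS = [
    ("2024-05-01T09:00:01", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T09:00:03", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T09:00:05", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T09:00:07", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T09:00:09", "10.0.0.5", "alice", "fail"),
    ("2024-05-01T09:00:12", "10.0.0.5", "alice", "success"),
    ("2024-05-01T09:30:00", "10.0.0.9", "bob", "fail"),
    ("2024-05-01T09:31:00", "10.0.0.9", "bob", "success"),
]

FAIL_THRESHOLD = 5            # failures inside WINDOW that count as a brute-force burst (assumed)
WINDOW = timedelta(minutes=2)  # sliding correlation window (assumed)


def correlate(events):
    """Correlation rule: >= FAIL_THRESHOLD failed logins from one source IP inside WINDOW.
    A success from the same IP shortly after the burst raises a higher-severity alert,
    since it may indicate a compromised account rather than just noise."""
    alerts = []
    fails = defaultdict(list)  # source_ip -> timestamps of failures still inside WINDOW
    burst = {}                 # source_ip -> time the burst was first detected
    for ts, ip, user, outcome in events:
        t = datetime.fromisoformat(ts)
        if outcome == "fail":
            fails[ip] = [f for f in fails[ip] if t - f <= WINDOW] + [t]
            if len(fails[ip]) >= FAIL_THRESHOLD and ip not in burst:
                burst[ip] = t
                alerts.append({"rule": "auth-bruteforce", "ip": ip, "user": user, "severity": "medium"})
        elif outcome == "success" and ip in burst and t - burst[ip] <= WINDOW:
            alerts.append({"rule": "bruteforce-then-success", "ip": ip, "user": user, "severity": "high"})
    return alerts


def triage(alert):
    """Tier 1 decision: escalate high/critical alerts to Tier 2, queue medium for analyst
    review, and close low-severity alerts after ranking them."""
    rank = {"low": 0, "medium": 1, "high": 2, "critical": 3}
    if rank[alert["severity"]] >= rank["high"]:
        return "escalate-to-tier2"
    return "analyst-review" if alert["severity"] == "medium" else "close"


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a, "->", triage(a))
```

With the constructed events, the five failures from 10.0.0.5 produce a medium alert and the success that follows produces a high alert that Tier 1 escalates, while bob's single failure never reaches the threshold.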

Tier 2 SOC analyst

Related job titles of Tier 2 SOC analysts include Tier 2 Analyst, Incident Responder, Mid-Level SOC Analyst, Forensic Investigator, and Cyber Forensics Expert.

Responsibilities: Tier 2 analysts receive security incidents (real threats) from Tier 1 analysts and perform deep analysis. They correlate with threat intelligence to identify the threat actor, nature of the attack, and systems or data affected. They decide on a strategy for containment, remediation, and recovery. Forensic Investigators analyze attacks by gathering and preserving pieces of digital evidence.

Skills/qualifications: Similar to Tier 1 analysts, but with more skill/experience in the incident response process. They are more skilled than Tier 1 analysts in conducting vulnerability assessments and ethical hacking. They have skills in digital forensics, malware assessment, and threat intelligence.

Relevant certifications: CompTIA CySA+, ECIH (EC-Council Certified Incident Handler), GCIH (GIAC Certified Incident Handler), and CHFI (EC-Council Computer Hacking Forensic Investigator).

Tier 3 SOC analyst

Related job titles of Tier 3 SOC analysts include Tier 3 Analyst, Subject Matter Expert, Threat Hunter, Threat Intelligence Analyst, Cyber Threat Intelligence Analyst, Senior SOC Analyst, and Tier 3 SOC Manager.

Responsibilities: Tier 3 analysts monitor and analyze cyber threat data to provide actionable intelligence. They conduct day-to-day vulnerability assessments and penetration tests, and review alerts, industry news, threat intelligence, and security data. They may team up with Tier 2 analysts to respond to major incidents. They are responsible for actively hunting for threats that have made their way into the network, as well as unknown vulnerabilities and security gaps.

Skills/qualifications: Similar to Tier 2 analysts but with more SOC experience, including experience with penetration testing tools, cross-organization data visualization, malware reverse engineering, and identifying and developing responses to new threats and attack patterns. They have skills/experience using MITRE ATT&CK (a knowledge base of adversary behavior) to combat cyberthreats.

Relevant certifications: CTIA (EC-Council Certified Threat Intelligence Analyst).

SOC team role 2: SOC manager

Related job titles of SOC managers include Tier 4 Analyst, Tier 4 SOC Analyst, and Tier 4 SOC Manager Commander.

Responsibilities: SOC managers/Tier 4 SOC analysts manage the security operations team, resources, priorities, and projects, and report to the CISO. They supervise the security team, provide technical guidance, and manage financial activities. They direct SOC operations and are responsible for syncing between analysts and engineers. They are responsible for recruitment and training of SOC staff. They develop defensive and offensive cybersecurity strategies. They also direct and orchestrate the company’s response to major security threats.

Additional responsibilities include creating processes, assessing incident reports, and developing and implementing crisis communication plans. They write compliance reports, support the audit process, measure SOC performance metrics, and report on security operations to business leaders. (Ultimate SOC Quick Start Guide)

Skills/qualifications: Similar to Tier 3 analysts, plus project management skills, incident response management training, and strong communication skills.

Relevant certifications: CISSP (Certified Information Systems Security Professional) and Cisco Certified CyberOps Professional.

SOC team role 3: CISO

The chief information security officer (CISO) is a leadership position responsible for establishing security-related strategies, policies, and operations. CISOs work closely with the CEO, and inform and report to management on security issues. They also have a central role in compliance and risk management and in implementing policies to meet specific security demands.

Skills/qualifications: Typically a degree (e.g., a master’s) in computer science, computer engineering, information assurance, or information systems.

Relevant certifications: CISM (Certified Information Security Manager) and CCISO (EC-Council Certified Chief Information Security Officer).

SOC team role 4: Security engineer

A security engineer is a software or hardware specialist who focuses on security aspects in the design of information systems. Security engineers are sometimes employed within the SOC, and sometimes support the SOC as part of development or operations teams.

Security engineers maintain and suggest monitoring and analysis tools. They create a security architecture and work with developers to ensure that this architecture is part of the development cycle. They develop tools and solutions that allow organizations to prevent and respond effectively to attacks. They document procedures, requirements, and protocols.

Skills/qualifications: Typically a degree in computer science, computer engineering, information assurance, or information systems.

Relevant certifications: CCNA, CCNP Security, AWS Security, and CISSP.

SOC training resources

Tier 1 SOC analyst training resources

  • Become a SOC Analyst – Level 1 (Cybrary)
  • Blue Team Level 1 – BTL1 (Security Blue Team)
  • IT Fundamentals for Cybersecurity Specialization (Coursera)
  • SOC Level 1 Training (TryHackMe)

Tier 2 SOC analyst training resources

  • Become a SOC Analyst – Level 2 (Cybrary)
  • CSA – Certified SOC Analyst (EC-Council)
  • ATT&CK for Cyber Threat Intelligence Training (MITRE ATT&CK)

Tier 3 SOC analyst training resources

  • Become a SOC Analyst – Level 3 (Cybrary)
  • Real-Time Cyber Threat Detection and Mitigation (Coursera)
  • Build a Rewarding Career in a Security Operations Center (EC-Council)

Key lesson takeaways

  • The SOC ensures digital assets remain secure and protected from unauthorized access
  • The Security Information and Event Management (SIEM) system is the keystone SOC technology
  • The four main SOC roles are SOC Analyst, SOC Manager, CISO, and Security Engineer
  • Key skills for all SOC analysts include IT networking, ethical hacking, and incident response

References

  • Security Operations Center (SOC) career path
  • A Basic Incident Response Model and How SIEM Helps
  • A walk-through of the incident response scenario steps: identify, protect, detect, respond, and recover
  • What is SOAR
  • OpenSOC Scenario Debrief – “Urgent IT Update!!!”
  • What is MITRE ATT&CK: An Explainer
  • How Does MITRE ATT&CK Compare to Lockheed Martin’s Cyber Kill Chain?
  • Cybersecurity & Infrastructure Security Agency – current state threat awareness
  • Security Operations Center Roles and Responsibilities (Exabeam)
  • The SOC, SIEM, and Other Essential SOC Tools (Exabeam)
  • Ultimate SOC Quick Start Guide (Exabeam)