The Security Operations Center (SOC) career path

This post discusses the Security Operations Center (SOC) career path. First, the SOC unit composition and technologies are discussed. Then the SOC team member roles and responsibilities, skills/qualifications, and certifications are discussed. Finally, training resources for SOC careers are suggested.

  • What is a security operations center?
  • SOC team role 1: Security analyst (SOC analyst)
  • Tier 1 SOC analyst
  • Tier 2 SOC analyst
  • Tier 3 SOC analyst
  • SOC team role 2: SOC manager
  • SOC team role 3: CISO
  • SOC team role 4: Security engineer
  • SOC training resources

You may also be interested in IT career paths – everything you need to know.

What is a security operations center?

The SOC is the organizational unit that is expected to protect a business from security breaches by identifying, analyzing, and reacting to cybersecurity threats. A SOC team isolates unusual activity on servers, databases, networks, endpoints, and applications. It ensures an organization’s digital assets remain secure and protected from unauthorized access by monitoring and responding to massive amounts of data in a timely manner.

SOC teams are typically composed of security analysts (Blue Team and Red Team), management, security engineers, and the CISO. The software they primarily rely on is the Security Information and Event Management (SIEM) system. SIEM technology,

supports threat detection, compliance and security incident management through the collection and analysis (both near real time and historical) of security events, as well as a wide variety of other event and contextual data sources. (The SOC, SIEM, and Other Essential SOC Tools)

A SIEM system functions as a “single pane of glass” which enables the SOC to monitor enterprise systems. SIEM technology,

aggregates device, application logs, and events from security tools from across the entire organization. The SIEM uses correlation and statistical models to identify events that might constitute a security incident, alert SOC staff about them, and provide contextual information to assist investigation. (The SOC, SIEM, and Other Essential SOC Tools)

A Basic Incident Response Model and How SIEM Helps

Next-generation SIEMs combine traditional SIEM functionality with security orchestration, automation and response (SOAR) and user and entity behavior analytics (UEBA). SOAR allows organizations to collect security threat data and alerts from multiple sources. “It can automatically identify and prioritize cybersecurity risks and respond to low-level security events” (What is SOAR). Next-gen SIEM technology can combine,

data lake technology, visibility into cloud infrastructure, behavioral analytics, an automated incident responder, and a threat hunting module with powerful data querying and visualization. (Ultimate SOC Quick Start Guide)

Next-gen SIEM will have a significant impact on the SOC ecosystem. It can:
  • Reduce alert fatigue via user and entity behavior analytics (UEBA) that goes beyond correlation rules, help reduce false positives, and discover hidden threats;
  • Improve MTTD by helping analysts discover incidents faster and gather all relevant data;
  • Improve MTTR by integrating with security systems and leveraging Security Orchestration, Automation and Response (SOAR) technology; and
  • Enable threat hunting by giving analysts fast and easy access to, and powerful exploration of, unlimited volumes of security data.

A SOC is traditionally a physical facility which houses an information security team within large organizations. Increasingly, smaller organizations,

are setting up lightweight SOCs, such as a hybrid SOC, which combines part-time, in-house staff with outsourced experts, or a virtual SOC, which has no physical facility at all, and is a team of in-house staff who also serve other functions. (Ultimate SOC Quick Start Guide)

Key SOC focus areas within organizations are:
  • Monitoring and Risk Management – capturing events from logs and security systems, identifying incidents, and responding.
  • Network and System Administration – administering security systems and processes such as identity and access management, key management, endpoint management, and firewall administration.
  • Control and Digital Forensics – enforcing compliance, and performing penetration testing and vulnerability testing.

SOC team role 1: Security analyst (SOC analyst)

A SOC analyst is a cybersecurity specialist who monitors an organization’s IT infrastructure for threats. Key skills for all SOC analysts include network defense, ethical hacking, incident response, computer forensics, and malware reverse engineering.

“Security analysts are cybersecurity first responders. They report on cyberthreats and implement any changes needed to protect the organization” (Security Operations Center Roles and Responsibilities). Security analysts also play a role in organizational security training activities and in ensuring that staff can implement policies and procedures.

Within a SOC team, Tier 1, Tier 2 and Tier 3 SOC analysts (CSIRT – Computer Security Incident Response Team) are responsible for incident response. The response typically occurs in three stages: threat detection, threat investigation, and timely response. SOC analysts work alongside security managers and cybersecurity engineers, and usually report to the CISO.

Tier 1 SOC analyst

Related job titles of Tier 1 SOC analysts include Tier 1 Analyst, Alert Investigator, Entry-Level SOC Analyst, and SOC Analyst.

Responsibilities: Tier 1 analysts monitor the network and prioritize and investigate SIEM alerts. They manage and configure security monitoring tools. They triage alerts to determine whether a real security incident is taking place, rank potential threats by severity, and escalate them.
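The SIEM correlation described above (logs collected, correlated, and surfaced as alerts with context) and the Tier 1 triage it feeds are easiest to see in code. The following is an added illustration, not code from this post or the cited Exabeam guides: a toy correlation rule that parses constructed SSH auth log lines, flags a burst of failed logins from one source, raises the severity when a success follows, and returns the context a Tier 1 analyst would use to rank and escalate. Log format, field names, thresholds and severity labels are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample auth events (not real data), syslog-like, oldest first.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd auth=failed user=alice src=203.0.113.7
2024-03-01T10:00:05 sshd auth=failed user=bob src=203.0.113.7
2024-03-01T10:00:09 sshd auth=failed user=root src=203.0.113.7
2024-03-01T10:00:12 sshd auth=failed user=admin src=203.0.113.7
2024-03-01T10:00:20 sshd auth=success user=admin src=203.0.113.7
2024-03-01T10:05:00 sshd auth=failed user=carol src=198.51.100.2
2024-03-01T10:30:00 sshd auth=success user=carol src=198.51.100.2
"""
LINE_RE = re.compile(r"^(\S+) sshd auth=(failed|success) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Collection step: normalize raw lines into event dicts, skipping junk."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "outcome": outcome,
                           "user": user, "src": src})
    return events


def correlate(events, threshold=4, window=timedelta(minutes=1)):
    """Correlation rule (assumed): `threshold` failed logins from one source
    inside `window` -> 'medium'; a success from that source within `window`
    of the last failure -> 'high'. Context fields support Tier 1 triage."""
    alerts, by_src = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failed"]
        for i in range(len(failures) - threshold + 1):
            burst = failures[i:i + threshold]
            if burst[-1]["ts"] - burst[0]["ts"] > window:
                continue  # failures too spread out to count as one burst
            last = burst[-1]["ts"]
            hits = [e for e in evs if e["outcome"] == "success" and last < e["ts"] <= last + window]
            alerts.append({"src": src, "severity": "high" if hits else "medium",
                           "users_tried": sorted({e["user"] for e in burst}),
                           "first_seen": burst[0]["ts"].isoformat(),
                           "success_user": hits[0]["user"] if hits else None})
            break  # one alert per source per run; Tier 1 escalates 'high'
    return alerts
```

Running `correlate(parse(SAMPLE_LOG))` yields one high-severity alert for 203.0.113.7 (four usernames tried, then a successful login as admin) and nothing for 198.51.100.2, whose single failure never reaches the threshold.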

Skills/qualifications: Network administration, system administration, web programming languages (e.g., Python, Ruby, and PHP), scripting languages (e.g., JavaScript), vulnerability assessment, ethical hacking, network security, network intrusion analysis, and firewall administration.

Relevant certifications: CompTIA Security+, GSEC (GIAC Security Essentials), GCIA (GIAC Certified Intrusion Analyst); EC-Council: CND (Certified Network Defender), CEH (Certified Ethical Hacker), and CSA (Certified SOC Analyst).

Tier 2 SOC analyst

Related job titles of Tier 2 SOC analysts include Tier 2 Analyst, Incident Responder, Mid-Level SOC Analyst, Forensic Investigator, and Cyber Forensics Expert.

Responsibilities: Tier 2 analysts receive security incidents (real threats) from Tier 1 analysts and perform deep analysis. They correlate with threat intelligence to identify the threat actor, nature of the attack, and systems or data affected. They decide on a strategy for containment, remediation, and recovery. Forensic Investigators analyze attacks by gathering and preserving pieces of digital evidence.

Skills/qualifications: Similar to Tier 1 analysts, but with more skill/experience in the incident response process. They are more skilled than Tier 1 analysts in conducting vulnerability assessments and ethical hacking. They have skills in digital forensics, malware assessment, and threat intelligence.

OpenSOC Scenario Debrief – “Urgent IT Update!!!”
A walk-through of the steps of an incident response scenario: identify, protect, detect, respond, and recover.

Relevant certifications: CompTIA CySA+, ECIH (EC-Council Certified Incident Handler), GCIH (GIAC Certified Incident Handler), and CHFI (EC-Council Computer Hacking Forensic Investigator).

Tier 3 SOC analyst

Related job titles of Tier 3 SOC analysts include Tier 3 Analyst, Subject Matter Expert, Threat Hunter, Threat Intelligence Analyst, Cyber Threat Intelligence Analyst, Senior SOC Analyst, and Tier 3 SOC Manager.

Responsibilities: Tier 3 analysts monitor and analyze cyber threat data to provide actionable intelligence. They conduct day-to-day vulnerability assessments and penetration tests, and review alerts, industry news, threat intelligence, and security data. They may team up with Tier 2 analysts to respond to major incidents. They are responsible for actively hunting for threats that have made their way into the network, as well as unknown vulnerabilities and security gaps.

Skills/qualifications: Similar to Tier 2 analysts but with more SOC experience, including experience with penetration testing tools, cross-organization data visualization, malware reverse engineering, and identifying and developing responses to new threats and attack patterns. They have skills/experience using MITRE ATT&CK (a knowledge base of adversary behavior) to combat cyberthreats.

What is MITRE ATT&CK: An Explainer

How Does MITRE ATT&CK Compare to Lockheed Martin’s Cyber Kill Chain?

Cybersecurity & Infrastructure Security Agency – current state threat awareness

Relevant certifications: CTIA (EC-Council Certified Threat Intelligence Analyst).

SOC team role 2: SOC manager

Related job titles of SOC managers include Tier 4 Analyst, Tier 4 SOC Analyst, and Tier 4 SOC Manager Commander.

Responsibilities: SOC managers/Tier 4 SOC analysts manage the security operations team, resources, priorities, and projects, and report to the CISO. They supervise the security team, provide technical guidance, and manage financial activities. They direct SOC operations and are responsible for syncing between analysts and engineers. They are responsible for recruitment and training of SOC staff. They develop defensive and offensive cybersecurity strategies. They also direct and orchestrate the company’s response to major security threats.

Additional responsibilities include creating processes, assessing incident reports, and developing and implementing crisis communication plans. They write compliance reports, support the audit process, measure SOC performance metrics, and report on security operations to business leaders. (Ultimate SOC Quick Start Guide)

Skills/qualifications: Similar to a Tier 3 analyst’s, plus project management skills, incident response management training, and strong communication skills.

Relevant certifications: CISSP (Certified Information Systems Security Professional) and Cisco Certified CyberOps Professional.

SOC team role 3: CISO

The chief information security officer (CISO) is a leadership position responsible for establishing security-related strategies, policies, and operations. CISOs work closely with the CEO, and inform and report to management on security issues. They also have a central role in compliance and risk management and in implementing policies to meet specific security demands.

Skills/qualifications: Typically a degree (e.g., a master’s) in computer science, computer engineering, information assurance, or information systems.

Relevant certifications: CISM (Certified Information Security Manager) and CCISO (EC-Council Certified Chief Information Security Officer).

SOC team role 4: Security engineer

A security engineer is a software or hardware specialist who focuses on security aspects in the design of information systems. Security engineers are sometimes employed within the SOC, and sometimes support the SOC as part of development or operations teams.

Security engineers maintain and suggest monitoring and analysis tools. They create a security architecture and work with developers to ensure that this architecture is part of the development cycle. They develop tools and solutions that allow organizations to prevent and respond effectively to attacks. They document procedures, requirements, and protocols.

Skills/qualifications: Typically a degree in computer science, computer engineering, information assurance, or information systems.

Relevant certifications: CCNA, CCNP Security, AWS Security, and CISSP.

SOC training resources

Tier 1 SOC analyst training resources

Become a SOC Analyst – Level 1 (Cybrary)

Blue Team Level 1 – BTL1 (Security Blue Team)

CyberOps Associate (Cisco)

IT Fundamentals for Cybersecurity Specialization (Coursera)

SOC Level 1 Training (TryHackMe)

Tier 2 SOC analyst training resources

Become a SOC Analyst – Level 2 (Cybrary)

CyberOps Professional (Cisco)

CSA – Certified SOC Analyst (EC-Council)

Tier 3 SOC analyst training resources

ATT&CK for Cyber Threat Intelligence Training (MITRE ATT&CK)

Become a SOC Analyst – Level 3 (Cybrary)

Real-Time Cyber Threat Detection and Mitigation (Coursera)

Key references

Build a Rewarding Career in a Security Operations Center (EC-Council)

Security Operations Center Roles and Responsibilities (Exabeam)

The SOC, SIEM, and Other Essential SOC Tools (Exabeam)

Ultimate SOC Quick Start Guide (Exabeam)
