In today’s security teams, a security operations centre (SOC) analyst plays a crucial role. SOC analysts are at the forefront of cyber protection, identifying and responding to cyber threats as they occur.
To help you gain insight and a deeper understanding of what a SOC analyst does, we spoke to Sapphire’s Bobby Egan, Tier 1 Security Analyst.
In this blog Bobby will tell us:
- What the role of a SOC analyst entails.
- What the career path of a SOC analyst looks like.
- Distinct roles within a SOC team.
- The responsibilities of a SOC analyst team.
- The skills of a SOC analyst.
- The certifications and training needed to become a SOC analyst.
What is a SOC (Security Operations Centre)?
The members of a SOC team’s major aim are to monitor, select, and protect the firm from various cyberattacks.
An organisation’s SOC team safeguards important and secret company data, as well as the company’s brand integrity and business systems. The team is the key point of contact for monitoring and averting digital threats, and it combines and implements the organisation’s whole Cyber Security strategy.
What is a SOC Analyst?
SOC Analysts are among the first to respond to cyberattacks within an organisation.
They keep the organisation informed about cyber hazards and make changes to defend it from malicious attacks. A SOC analyst starts by evaluating incident notifications, then conduct vulnerability assessments and reports back to their superiors.
What Does a SOC Analyst’s Average Day Look Like?
An average day as a Security Operations Centre analyst starts with prep.
Handovers usually help give the ‘lay of the land’ for what is expected and tasks that need to be performed throughout the day. After the handover, the most significant tasks are monitoring the services, performing threat hunting, and running investigations on potentially suspicious activity.
The most considerable portion of our time as SOC analysts is dedicated to running investigations on alerts that trigger on LogRhythm and performing threat hunting.
When a security alert triggers, an investigation is conducted to understand the nature of the activity, identify if it is ongoing, and then consider the security impact. From this point, we raise a case and then communicate directly to the customer and investigate further if necessary.
This activity is also done across our other platforms like EDR (Endpoint Detection and Response) and TI (Threat Intelligence). Another aspect of being a SOC analyst is identifying new use cases for these platforms to enhance the services.
What is a SOC Analyst Career Path?
After studying Networking in College and Cyber Security at University, I became a SOC analyst.
I always had an affiliation with computing, so cyber security was a natural field for me to explore. Once I had graduated in 2019, I jumped at the chance to apply for a SOC analyst position at Sapphire.
I successfully got the job, and it was (and still is) my first job within the Cyber Security space!
What are the Different Tiers of SOC Analysts?
Typically, a SOC assigns its analysts to one of three or four tiers throughout its team.
TIER 1: Support Security Analyst
In this tier, the support security analyst receives and investigates daily alerts and reviews recent SIEM (Security Information and Event Management) alerts, checking for relevance and urgency.
A tier 1 support security analyst carries out triage, ensuring genuine cyber security incidents occur. This means that they also oversee and configure any security monitoring tools for the SOC team.
TIER 2: Support Security Analyst
In tier 2, the support security analyst addresses and evaluates any real concerns given by a tier 1 support security analyst. This tier of support security analysts uses threat intelligence to use updated rules and indicators of compromise (IOCs), which work to pinpoint affected systems and the size of an attack.
Another responsibility of a tier 2 support security analyst is running processes and configurations on affected systems. To find a perpetrator of an attack, they carry out detailed threat intelligence. Threat intelligence can show the type of attack, impacted data, designs, etc.
After this, the tier 2 support security analyst develops a strategy for containment and recovery from the attack.
TIER 3: Security Analyst
A tier 3 security analyst is more experienced than a tier 2 support security analyst. As a result, they focus their efforts on critical incidents and carry out vulnerability assessments and penetration tests to assess the resilience of organisations. After doing so, the security analyst can isolate areas of weakness within the organisation and review alerts, threat intelligence and security data.
The security analyst primarily identifies threats that have already entered a network and the security gas and vulnerabilities currently unknown in an organisation.
Senior Security Analyst
The role of a Senior Security Analyst is to manage and prioritise actions during the isolation, analysis, and containment of a security incident.
An additional function of their role is to communicate, and requirements needed because of high severity incidents to internal and external stakeholders.
What are the Responsibilities of the SOC Analyst Team?
The responsibilities of the SOC Engineering Team vary depending on their tiers. However, there are some primary areas that all SOC analysts have responsibility for:
1. Implementing and Managing Security Tools
Although SOC Analysts are responsible for this, implementing and managing security tools is primarily the responsibility of the SOC engineering team rather than the security analyst team. They are trained and certified on relevant security tools to operate them, such as:
- Vulnerability Management tools
- Threat Intelligence tools
- Intrusion detection and prevention technology
- Next-Generation Firewalls and Traffic inspection solutions
- Reporting technology
- Data analytics platforms
- Incident response tools
Sapphire’s SOC analysts are proficient with our SIEM solution, which correlates, logs, and security events to generate alerts for analysts to investigate. Our SIEM is our ‘single pane of glass’ and core technology working to provide visibility to most technologies listed above.
Sapphire’s team of seasoned cybersecurity analysts has over 25 years of experience. We provide a Managed SIEM Service that lets organisations cut through large datasets and focus on activities that reduce threats. This cuts down on dwell time and enhances security incident response times.
2. Investigating, Containing and Preventing Suspicious Activities
Typically, the investigation of suspicious activities starts with receiving and analysing alerts from the SIEM.
SIEM alerts cover the length and breadth of the Mitre ATT&CK framework and trigger indicators of compromise. Threat Intelligence is used to power a vast range of security use cases and enable breach qualification, cutting down on false positives and allowing our analysts to make better decisions quicker.
This shows the extent of the threat and allows analysts to respond if necessary or escalate to higher-tier analysts.
Additionally, the analyst’s role is to correlate and validate alerts to ensure they represent relevant security incidents. Analysts do this by contextualising events within the network environment and understanding their impact to coordinate real-time response activities with crucial staff.
3. Reducing Downtime
When a breach occurs, a SOC analyst is responsible for the proactive notification of a threat. The team reduces downtime by reacting and quickly assisting in containing a threat. The quicker a threat is contained, the quicker an organisation can recover.
4. Security Services for the Rest of the Organisation
SOCs are cross-functional, which helps centralise operations carried out by different departments within an organisation. This means that they provide value to organisation stakeholders and help meet agendas.
SOC analysts play a critical role in taking responsibility for security incidents and assisting in communications on security incidents.
What Skills does a SOC Analyst Need?
Alongside a passion for cyber security, a SOC analyst must need the following skills.
SOC analysts require skills such as monitoring, discovering, and analysing threats to defend the network.
A SOC analyst must know how to perform penetration testing, detect threats, and report vulnerabilities.
A SOC analyst must be able to manage several security breaches to reduce impact. Additionally, a SOC analyst must be able to provide recommendations for future security breaches.
Forensics includes SOC analysts who have skills in collecting, analysing, and reporting security data.
Understanding software programs’ operation and performance parameters are essential.
SOC Analyst Skills
- Administrative experience with various operating systems, including Windows, OS X, and Linux.
- Depending on analyst rank, exposure to or skill in various programming languages, including Python, C, C#, Java, Ruby on Rails, Perl, and PHP.
What SOC Certifications/Training do you have, or would you Recommend?
Any basic training within the relevant SIEM/EDR/TI/VM platform.
I personally have a BSc (Hons) In Cybersecurity & Networking – which obviously helps.
- Tryhackme.com has free courses online that can bolster your knowledge of cyber security already.
- CompTIA Security+ the course is called is one that I believe is highly recommended.
- Not certification/training that comes with a piece of paper, but many of the platforms associated with cybersecurity usually have YouTube channels that cover training. Perfect material to understand what the pane of the glass looks like from an analyst’s point of view.
- If you can get registered on platforms such as LogRhythm or Tenable, they usually offer free courses as well as provide a “certificate of attendance”.
Finally, what advice would give someone who wants to become a SOC analyst?
- Your personal choice for caffeine – expect long days and even longer shifts.
- Be open-minded. There’s a lot to do as a SOC Analyst and many different types of organisations to work with.
- Take in the experience. A SOC is a great environment to get exposure to several pieces of Cyber Security applications and kits.
Many thanks to Bobby for his time and insights.