How Is a SOC Team Structured?
For many organisations, cybersecurity is a priority for the in-house IT team, and security operations teams still function as part of IT, whereas in others they are separated into their own organisation.
An effective security operations centre will only succeed if you sync your team and resources. This will allow for improved communications and increase your day-to-day efficiencies.
According to the NCSC:
Security Operations Centres (SOCs) can vary widely in scope, but most are responsible for detecting and responding to cyber-attacks.
The role of a SOC is to limit the damage to an organisation by detecting and responding to cyber-attacks that successfully bypass your preventative security controls.
A SOC can include many security activities, such as vulnerability assessment, compliance activities and system configuration.
The critical functions of a Security Operations Centre are to:
- Monitor: to monitor any potential cyber risks.
- Detect: to uncover malicious or suspicious activities. A SOC researches information about potential threats for more in-depth investigation.
- Investigate: The suspicious activities detected are analysed by SOC experts. This helps to determine the nature and extent of the threat and understand the threat vector, chain of events and, eventually, how to respond.
- Respond: SOC teams assist and advise in the remediation of any issues arising from any cyber threats.
- Prevent: A SOC team can provide organisations with actionable reporting customised to an organisation’s needs. The reports focus on valuable and relevant security information and can help improve the organisation’s security strategies.
A SOC combines people, processes, and technology via 24-hour coverage.
A security operations centre (SOC) team must be multi-skilled and adaptable. To deliver a SOC service, a tiered team system (that takes experience and skill level into account) is put in place.
Security Analyst and Threat Intelligence Team
A security operations centre (SOC) team is a group of security professionals responsible for monitoring, detecting, analysing, and responding to cybersecurity threats and incidents.
The team comprises security and threat intelligence analysts, incident responders, and threat hunters.
The Security Analyst and Threat Intelligence Team is responsible for identifying and responding to security incidents, analysing security alerts, and developing security controls to prevent future incidents.
The team also works to improve the organisation’s security posture by providing guidance on security best practices and recommending solutions.
Tier 1 Analyst
The Tier 1 Analyst fulfils a critical role in the SOC team by protecting customer environments through surveillance and mitigation. The Tier 1 Analyst is the first responder to security alerts and incidents.
Working in concert with a Tier 2 Analyst, their primary responsibilities are:
- triaging security alerts
- implementing best practices and processes
- leading preliminary investigations into any security incident that has occurred
As the first responder, the Tier 1 Analyst is in a pivotal position to compile and analyse data surrounding the incident and provide this to the appropriate escalation point.
This ensures that the most critical details of any security incident are immediately recorded and available, saving time in the initial stages.
A Tier 1 Analyst will develop a comprehensive understanding of customer environments, using this to establish known baselines for behaviour, allowing the analyst to identify and react to unusual activity.
The analyst must develop and maintain a strong relationship with customers’ IT and Information Security teams to achieve this. Communication is vital in successfully protecting the environment.
A Tier 1 Analyst will collaborate with their colleagues in an ever-shifting role. This includes building their experience while leveraging existing expertise to monitor and protect customer environments.
Tier 2 Analyst
Supported by a Tier 1, the Tier 2 Analyst will use established technology to detect, analyse and limit the scope and impact of security incidents.
Though often fulfilling a similar role to their Tier 1 counterparts, Tier 2 Analysts have a more comprehensive range of experience and knowledge. Their primary reactive responsibilities are analysing high-risk alerts escalated to them and investigating high-priority security incidents.
Proactively, the Tier 2 Analyst is responsible for engaging in threat hunting, which aims to identify previously unknown threats within an environment through real-time investigation.
Threat hunting requires a thorough understanding of the environment, and of best practices and procedures, to identify points of concern.
The analyst will investigate threats thoroughly and gather information from multiple sources to qualify an event and raise this to a customer.
Tier 2 Analysts engage in the identification and initial development of new use cases within the SOC. These expand the monitoring and alerting capabilities available, providing additional environmental scrutiny and security.
Communication and data management are critical skills for the Tier 2 Analyst to develop, as they will be responsible for escalating serious security incidents to the Tier 3 Analyst. These incidents will typically be high priority (Priority 1, Priority 2) or of a complex or sensitive nature for which time is vital.
Tier 3 Analyst
With experience in mitigating threats and researching a threat actor’s actions, Tier 3 Analysts are the most experienced members of a SOC team.
Tier 3 analysts are proactive in preventing, identifying, and mitigating threats. They evaluate the effectiveness of the current cybersecurity tools and make best practice recommendations in using the SOC. When necessary, a Tier 3 analyst may also work on responding to serious incidents.
Tier 3 security analysts are constantly developing and building new security use cases. By overseeing and reviewing cybersecurity, their work impacts how a SOC team researches and accesses Threat Intelligence, how it fits into EDR and how to build new SIEM rules.
Senior Security Analyst
A Senior Security Analyst is responsible for monitoring and evaluating the ongoing readiness and maturity of the SOC with the SOC manager. The analyst will ensure reporting, data processing, and tool integration are functioning correctly within the SOC.
They are responsible for identifying potential security risks and developing mitigation strategies. They review security policies and procedures and recommend changes to ensure compliance with industry standards and best practices.
Senior Security Analysts also provide guidance and support to other security team members, such as system administrators and network engineers.
The overall security architecture is the responsibility of security engineers. They assess and test the monitoring and analytical capabilities of the SOC.
They are responsible for analysing security requirements, developing security architectures, and implementing and monitoring security measures. SOC Engineers must stay up-to-date on security threats and trends and be able to identify and respond to security incidents. They must also be able to develop and maintain security policies, procedures, and standards and distribute these amongst team members.
A SOC Manager is responsible for the day-to-day operations of the SOC. Their role includes:
- Developing and implementing security policies and procedures
- Monitoring and responding to security incidents
- Coordinating with other departments to ensure the security of the organisation’s systems and networks
- Providing training and guidance to SOC team members
The SOC Manager is also responsible for developing and maintaining relationships with external vendors and partners.