Get in Touch Close Menu

SOC Team Structure

7 December 2022

How is a SOC team Structured?

For many organisations, cybersecurity is a priority for their in-house IT team and security operations teams still function as part of IT, whereas others are separated into their organisation.

An effective security operations centre will only succeed if you sync your team and resources. This will allow for improved communications and increase your day-to-day efficiencies.

According to the NCSC:  

Security Operations Centres (SOCs) can vary widely in scope, but most are responsible for detecting and responding to cyber-attacks.

The role of a SOC is to limit the damage to an organisation by detecting and responding to cyber-attacks that successfully bypass your preventative security controls.

A SOC can include many security activities, such as vulnerability assessment, compliance activities and system configuration.

The critical function of a Security Operations Centre is to:  

  • Monitor: to monitor any potential cyber risks.  
  • Detect: to uncover malicious or suspicious activities—a SOC research for information about potential threats for more in-depth investigations.  
  • Investigate: The suspicious activities detected are analysed by SOC experts. This helps to determine the nature and extent of the threat and understand the threat vector, chain of events and, eventually, how to respond.  
  • Respond: SOC teams assist and advise in the remediation of any issues arising from any cyber threats.  
  • Prevent: A SOC team can provide organisations with actionable reporting customised to an organisation’s needs. The reports focus on valuable and relevant security information and can help improve the organisation’s security strategies. 

A SOC combines people, processes, and technology via 24-hour coverage.

A security operations (SOC) team must be multi-skilled and adaptable. To deliver a SOC service, a tiered team system (that takes experience and skill level into account) is put in place.

security operations center soc

Security Analyst and Threat Intelligence Team

A security operations centre (SOC) team is a group of security professionals responsible for monitoring, detecting, analysing, and responding to cybersecurity threats and incidents.

The team comprises security and threat intelligence analysts, incident responders, and threat hunters.

The Security Analyst and Threat Intelligence Team are responsible for identifying and responding to security incidents, analysing security alerts, and developing security controls to prevent future incidents.

The team also works to improve the organisation’s security posture by providing guidance on security best practices and recommending solutions. 

Tier 1 Analyst

The role of a Tier 1 Analyst fulfils a critical part of the SOC team by protecting customer environments with surveillance and mitigation. The Tier 1 Analyst is the first responder to security alerts and incidents.

Working in concert with a Tier 2 Analyst, their primary responsibility is:

  • triaging security alerts
  • implementing best practices and processes
  • leading preliminary investigations into any security incident that has occurred

As the first responder, the Tier 1 Analyst is in a pivotal position to compile and analyse data surrounding the incident and provide this to the appropriate escalation point.

This ensures that the most critical details of any security incident are immediately recorded and available, saving time in the initial stages. 

A Tier 1 Analyst will develop a comprehensive understanding of customer environments, using this to establish known baselines for behaviour, allowing the analyst to identify and react to unusual activity. 

The analyst must develop and maintain a strong relationship with customers’ IT and Information Security teams to achieve this. Communication is vital in successfully protecting the environment.

A Tier 1 Analyst will collaborate with their colleagues in an ever-shifting role. This includes building their experience while leveraging existing expertise to monitor and protect customer environments. 

Tier 2 Analyst

Supported by a Tier 1, the Tier 2 Analyst will use established technology to detect, analyse and limit the scope and impact of security incidents. 

Though often fulfilling a similar role as their Tier 1 counterparts, Tier 2 Analysts have a more comprehensive range of experience and knowledge. Their primary reactive responsibilities are analysing high-risk alerts escalated to them and investigating high-priority security incidents. 

Proactively the Tier 2 Analyst is responsible for engaging in threat hunting, which aims to identify previously unknown threats within an environment through real-time investigation.

Threat hunting requires a thorough understanding of the environment and best practices and procedures to identify points of concern. 

managed security service providers

The analyst will investigate threats thoroughly and gather information from multiple sources to qualify an event and raise this to a customer. 

Tier 2 Analysts engage in the identification and initial development of new use cases within the SOC. These expand the monitoring and alerting capabilities available, providing additional environmental scrutiny and security. 

Communication and data management are critical skills for the Tier 2 Analyst to develop as they will be responsible for escalating serious security incidents to the Tier 3 Analyst. These incidents will typically be a high priority (Priority 1, Priority 2) or of a complex or sensitive nature for which time is vital. 

Tier 3 Analyst

With experience in mitigating threats and researching a threat actor’s actions, Tier 3 Analysts are the most experienced members of a SOC team.

Tier 3 analysts are proactive in preventing, identifying, and mitigating threats. They evaluate the effectiveness of the current cybersecurity tools and make best practice recommendations in using the SOC. When necessary, a Tier 3 analyst may also work on responding to serious incidents.

Tier 3 security analysts are constantly developing and building new security use cases. By overseeing and reviewing cybersecurity, their work impacts how a SOC team researches and accesses Threat Intelligence, how it fits into EDR and how to build new SIEM rules.

Senior Security Analyst

A Senior Security Analyst is responsible for monitoring and evaluating the ongoing readiness and maturity of the SOC with the SOC manager. The analyst will ensure reporting, data processing, and tool integration are functioning correctly within the SOC.

They are responsible for identifying potential security risks and developing mitigation strategies. They review security policies and procedures and recommend changes to ensure compliance with industry standards and best practices. 

Senior Security Analysts also provide guidance and support to other security team members, such as system administrators and network engineers.

Engineering Team

The overall security architecture is the responsibility of security engineers. They assess and test the monitoring and analytical capabilities of the SOC.

They are responsible for analysing security requirements, developing security architectures, and implementing and monitoring security measures. SOC Engineers must stay up-to-date on security threats and trends and be able to identify and respond to security incidents. They must also be able to develop and maintain security policies, procedures, and standards and distribute these amongst team members.

SOC Manager

  • A SOC Manager is responsible for the day-to-day operations of the SOC. Their role includes:
  • Developing and implementing security policies and procedures
  • Monitoring and responding to security incidents
  • Coordinating with other departments to ensure the security of the organisation’s systems and networks
  • Providing training and guidance to SOC team member

The SOC Manager is also responsible for developing and maintaining relationships with external vendors and partners.

Our SOC team is ready to support you today

Sapphire has over 25 years of experience
mitigating cyber risk for organisations across
the UK.

For our clients, this means access to the best
possible people, processes and technology,
to match a highly fluid threat landscape.

For all additional information or enquiries
contact a member of our team today.

Name
I agree to the terms & conditions

Related Articles

Amid CHAOS, There is Also Crypto Mining
30 January 2023

Sapphire’s SOC Team have been tracking a recent Crypto Mining campaign targeting Linux systems, utilising a proof-of-concept (PoC) hack tool hosted on GitHub known as ‘CHAOS’.

Find Out More
CASE STUDY: SAPPHIRE UTILITY SOLUTIONS
9 January 2023

Like all organisations, Sapphire Utility Solutions (SUS) is a target for cybercriminals. This is only exasperated by its rapid growth.

Whilst having extensive security experience within the team, SUS wanted to enhance its cybersecurity capabilities and provide the best resources for its team to take advantage of, so it decided to outsource its cybersecurity via Sapphire’s Managed Security service.

Find Out More
What Does SIEM Stand for?
6 January 2023

SIEM (Security Information and Event Management) is one of many approaches to security management. It combines SIM (Security Information Management) and SEM (Security Event Management) to aggregate data from a variety of sources as well as identify any deviations and act against them.  

Find Out More
[wpforms id="5549" title="false"]
<div class="wpforms-container " id="wpforms-5549"><form id="wpforms-form-5549" class="wpforms-validate wpforms-form wpforms-ajax-form" data-formid="5549" method="post" enctype="multipart/form-data" action="/managed-security-services/soc-team-structure/" data-token="0d7a83921a3382fbf4ac4ad379d56aad"><noscript class="wpforms-error-noscript">Please enable JavaScript in your browser to complete this form.</noscript><div class="wpforms-field-container"><div id="wpforms-5549-field_0-container" class="wpforms-field wpforms-field-name" data-field-id="0"><label class="wpforms-field-label" for="wpforms-5549-field_0">Name <span class="wpforms-required-label">*</span></label><input type="text" id="wpforms-5549-field_0" class="wpforms-field-medium wpforms-field-required" name="wpforms[fields][0]" required></div><div id="wpforms-5549-field_7-container" class="wpforms-field wpforms-field-text" data-field-id="7"><label class="wpforms-field-label" for="wpforms-5549-field_7">Company name <span class="wpforms-required-label">*</span></label><input type="text" id="wpforms-5549-field_7" class="wpforms-field-medium wpforms-field-required" name="wpforms[fields][7]" required></div><div id="wpforms-5549-field_1-container" class="wpforms-field wpforms-field-email" data-field-id="1"><label class="wpforms-field-label" for="wpforms-5549-field_1">Company Email <span class="wpforms-required-label">*</span></label><input type="email" id="wpforms-5549-field_1" class="wpforms-field-medium wpforms-field-required" name="wpforms[fields][1]" required></div><div id="wpforms-5549-field_6-container" class="wpforms-field wpforms-field-select wpforms-field-select-style-classic" data-field-id="6"><label class="wpforms-field-label" for="wpforms-5549-field_6">Does your in-house security team have resourcing challenges?</label><select id="wpforms-5549-field_6" class="wpforms-field-medium" name="wpforms[fields][6]"><option value="Yes" >Yes</option><option value="No" >No</option></select></div><div id="wpforms-5549-field_4-container" class="wpforms-field wpforms-field-select wpforms-field-select-style-classic" data-field-id="4"><label class="wpforms-field-label" for="wpforms-5549-field_4">Are you able to react to security issues 24x7/365?</label><select id="wpforms-5549-field_4" class="wpforms-field-medium" name="wpforms[fields][4]"><option value="Yes" >Yes</option><option value="No" >No</option><option value="I would like to know more" >I would like to know more</option></select></div><div id="wpforms-5549-field_5-container" class="wpforms-field wpforms-field-select wpforms-field-select-style-modern" data-field-id="5"><label class="wpforms-field-label" for="wpforms-5549-field_5">Are you overwhelmed by the volume of intelligence data that requires managing?</label><select id="wpforms-5549-field_5" class="wpforms-field-small choicesjs-select" data-size-class="wpforms-field-row wpforms-field-small" data-search-enabled="" name="wpforms[fields][5]"><option value="" class="placeholder" disabled selected='selected'>Yes</option><option value="Yes" >Yes</option><option value="No" >No</option><option value="Would like to know more" >Would like to know more</option></select></div></div><div class="wpforms-recaptcha-container wpforms-is-recaptcha" ><div class="g-recaptcha" data-sitekey="6LfO758aAAAAAGglMpOikqgKzonFO7dwbtVEFaca"></div><input type="text" name="g-recaptcha-hidden" class="wpforms-recaptcha-hidden" style="position:absolute!important;clip:rect(0,0,0,0)!important;height:1px!important;width:1px!important;border:0!important;overflow:hidden!important;padding:0!important;margin:0!important;" required></div><div class="wpforms-submit-container" ><input type="hidden" name="wpforms[id]" value="5549"><input type="hidden" name="wpforms[author]" value="7"><input type="hidden" name="wpforms[post_id]" value="3695"><button type="submit" name="wpforms[submit]" class="wpforms-submit om-trigger-conversion" id="wpforms-submit-5549" value="wpforms-submit" aria-live="assertive" >Submit</button><img src="https://www.sapphire.net/wp-content/plugins/wpforms/assets/images/submit-spin.svg" class="wpforms-submit-spinner" style="display: none;" width="26" height="26" alt=""></div></form></div> <!-- .wpforms-container -->