By Tom Gorup, Vice President, Security Operations, Alert Logic
Given the importance of a SOC analyst's job, it's surprising how many people
don't know what these security professionals do. Their largely
behind-the-scenes role is essential to providing valuable protection and effective
MDR (managed detection and response).
SOC analysts are the first responders to cyber threats. They
work in teams that collectively make up the SOC (Security Operations Center).
Their focus is to monitor for risks, suspicious activity, and active
intrusions into an organization's IT environment; defend against attacks;
and secure sensitive information. Analysts in the SOC have differing skill
levels, each with a distinct set of responsibilities, but they work in
concert, ideally in a follow-the-sun model that protects the organization 24/7, since
attacks occur day and night.
As organizations continue to struggle to fill security analyst roles with qualified
professionals, it's worth looking at what a SOC analyst does day to day and
how an MDR solution can help fill out and strengthen an organization's security
posture.
Daily Tasks and Responsibilities of a SOC Analyst
The primary responsibility of all SOC analysts is to monitor and
protect an organization's IT infrastructure. As the front-line defenders,
they are the first to observe an attack, whether from monitoring tools or from hunting
activities, and they perform the initial triage, investigation, and response. Their
work is focused on establishing the breadth and validity of the threat so they
can clearly communicate next steps to the business.
Though specific daily tasks for a SOC analyst can vary by
organization, they commonly include several broad responsibilities:
- Monitor and analyze network traffic for malicious activity.
- Investigate, document, and report suspicious activity.
- Differentiate between actual intrusion attempts and false alarms.
- Analyze breaches to identify the root cause and make recommendations to prevent the attack from occurring again.
- Conduct vulnerability assessments and risk analysis to make recommendations for hardening the overall security posture of the organization.
- Configure, manage, and tune security monitoring tools.
While all SOC analysts have an underlying focus on identifying
and preventing incidents, they may specialize in certain areas like web
applications or compliance.
SOC Levels
The composition of security teams can vary across organizations,
but generally, SOC analysts fall into progressive tiers and gradually shift
from an escalation source to an escalation point as they progress up the
ladder:
- Tier 1 analysts are triage specialists. These analysts primarily monitor the output of an organization's security systems. They review and prioritize day-to-day incident alerts, determine their relevance and urgency, and escalate as necessary, always leveraging documentation and pre-defined workflows and escalation procedures.
- Tier 2 analysts are incident responders. They review incidents escalated by Tier 1 analysts, correlating them with threat intelligence to determine the threat actor, the scope of the attack, and the affected systems. They collect data for further investigation and determine and execute a response.
- Tier 3 analysts are threat hunters. These highly specialized and experienced analysts use their deep knowledge of the threat landscape and the individual organization's environment, in conjunction with threat intelligence, to proactively hunt for unknown threats or risks that are already in the network but not yet detected, or that elude traditional prevention and detection technologies altogether. They may work with Tier 2 analysts to respond to and contain the threats they find.
- Tier 4 analysts typically have a technical leadership role driving new processes in given areas of expertise. These analysts are the subject matter experts in their given domain of security operations. They ensure the team is constantly evolving the processes and approaches in the varying areas of expertise and that training meets the needs of the business in the given domain.
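To make the Tier 1 and Tier 2 hand-off concrete, here is an added example (written for this page, not Alert Logic's or any vendor's code) of the runbook logic those tiers apply: Tier 1 closes a documented false-positive pattern, enriches the remaining alerts against threat intelligence, weights sensor severity by asset criticality, and escalates on a match or a high enough score; Tier 2 then pivots from the escalated indicator into raw connection telemetry to find every affected host, including one that never raised an alert. The indicator list, asset inventory, scanner allowlist, connection log and alerts are all constructed for the example (the addresses are from RFC 5737 documentation ranges), and the weights and threshold are assumptions a real runbook would tune.

```python
"""Tier 1 triage and Tier 2 scoping over constructed alerts (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# ---- Constructed reference data: assumptions for this example, not real intel or assets ----

# Threat-intelligence indicators. 203.0.113.0/24 is an RFC 5737 documentation range;
# the hash is SHA-256 of the empty string, used purely as a placeholder.
THREAT_INTEL: Dict[str, Dict[str, str]] = {
    "ip": {"203.0.113.45": "ExampleGroup C2"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "ExampleLoader"},
}
# Asset criticality from a hypothetical CMDB: 1 = low, 3 = business critical.
ASSET_CRITICALITY: Dict[str, int] = {"db-prod-01": 3, "web-prod-02": 2, "dev-laptop-17": 1}
# The runbook says scan signatures from the internal vulnerability scanner are expected.
KNOWN_BENIGN_SCANNERS: Set[str] = {"10.0.0.5"}
# Raw connection telemetry (host, destination IP) that produced no alert on its own.
CONNECTION_LOG: List[Tuple[str, str]] = [
    ("web-prod-02", "203.0.113.45"),
    ("db-prod-01", "203.0.113.45"),
    ("hr-laptop-03", "203.0.113.45"),  # never alerted; only visible when pivoting on the indicator
    ("dev-laptop-17", "198.51.100.7"),
]
ESCALATE_AT = 9  # priority at or above which Tier 1 escalates even without an intel match


@dataclass
class Alert:
    alert_id: str
    host: str
    src_ip: str
    signature: str
    severity: int  # 1 (informational) .. 5 (critical), as emitted by the sensor
    file_sha256: Optional[str] = None


@dataclass
class TriageResult:
    alert_id: str
    disposition: str  # "close_false_positive" | "low_priority_queue" | "escalate_tier2"
    priority: int
    matched_indicators: List[str] = field(default_factory=list)


def enrich(alert: Alert) -> List[str]:
    """Look the alert's observables up against the threat-intel indicator sets."""
    hits = [alert.src_ip] if alert.src_ip in THREAT_INTEL["ip"] else []
    if alert.file_sha256 in THREAT_INTEL["sha256"]:
        hits.append(alert.file_sha256)
    return hits


def triage(alert: Alert) -> TriageResult:
    """Apply the pre-defined Tier 1 runbook to one alert and return its disposition."""
    # Step 1: documented false-positive pattern -> close it without consuming Tier 2 time.
    if alert.src_ip in KNOWN_BENIGN_SCANNERS and "SCAN" in alert.signature.upper():
        return TriageResult(alert.alert_id, "close_false_positive", 0)
    # Step 2: enrich, then weight sensor severity by asset criticality so a medium
    # alert on a production database outranks a high alert on a developer laptop.
    indicators = enrich(alert)
    criticality = ASSET_CRITICALITY.get(alert.host, 2)  # unknown asset: assume medium
    priority = alert.severity * criticality + (5 if indicators else 0)
    # Step 3: escalate on any confirmed intel match or on a high enough priority.
    disposition = "escalate_tier2" if indicators or priority >= ESCALATE_AT else "low_priority_queue"
    return TriageResult(alert.alert_id, disposition, priority, indicators)


def scope_incident(results: List[TriageResult]) -> Dict[str, Set[str]]:
    """Tier 2 scoping: pivot from each escalated IP indicator into raw connection telemetry
    to find every affected host, including ones that never generated an alert.
    (A hash indicator would be pivoted through endpoint telemetry instead.)"""
    indicators = {i for r in results if r.disposition == "escalate_tier2" for i in r.matched_indicators}
    return {i: {host for host, dst in CONNECTION_LOG if dst == i}
            for i in indicators if i in THREAT_INTEL["ip"]}


# Constructed sample alerts, as a sensor might emit them during one shift.
SAMPLE_ALERTS = [
    Alert("A1", "dev-laptop-17", "10.0.0.5", "ET SCAN Nmap Scripting Engine", 2),
    Alert("A2", "web-prod-02", "203.0.113.45", "ET MALWARE Suspected C2 Beacon", 4),
    Alert("A3", "db-prod-01", "203.0.113.45", "ET POLICY Unusual Outbound TLS", 2),
    Alert("A4", "dev-laptop-17", "192.168.1.20", "ET INFO Rare User-Agent", 1),
]


def run_shift(alerts: Optional[List[Alert]] = None):
    """Triage a batch of alerts and scope whatever Tier 1 escalated."""
    alerts = SAMPLE_ALERTS if alerts is None else alerts
    results = [triage(a) for a in alerts]
    return results, scope_incident(results)


if __name__ == "__main__":
    shift_results, incident_scope = run_shift()
    for r in sorted(shift_results, key=lambda r: -r.priority):
        print(f"{r.alert_id}: priority={r.priority:2d} {r.disposition} {r.matched_indicators}")
    for indicator, hosts in incident_scope.items():
        print(f"incident scope for {indicator}: {sorted(hosts)}")
```

On the sample batch, A1 is closed as the scanner false positive, A2 and A3 escalate on the shared C2 indicator (priorities 13 and 11), A4 lands in the low-priority queue, and the Tier 2 pivot widens the incident to three hosts, one of which (hr-laptop-03) Tier 1 never saw. That last step is the point of correlating escalated alerts with threat intelligence: the alert tells you one host is affected, the indicator tells you which others are.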
MDR SOC Analysts
Because of the shortage of skilled cybersecurity professionals,
most SOCs have had to take a security generalist approach to stretch their
limited resources. Security team members are expected to know how to secure
applications and services in all kinds of scenarios and environments - cloud,
on-premises, hybrid, containers, and IoT and mobile - without much knowledge
depth in any particular area. That's become untenable as the attack surface
expands, threat techniques become more sophisticated, and environments grow unmanageably
complex.
MDR provides the security experts required to successfully
respond to today's attacks. In addition to foundational security abilities,
analysts at each tier of an MDR provider's SOC bring deeper
knowledge shaped around the individual customer's unique business
needs. By design, analysts take on more advanced security incidents as their
knowledge and skills expand, gaining expertise by responding to increasingly complex
attacks.
MDR complements the SOC's tactical responsibilities with
strategic and platform-specific expertise and recommendations. Managed
detection and response services collect and analyze data from across the
organization's network, endpoints, servers, and cloud to detect advanced
threats. Contextualizing this data against threat intelligence allows MDR
providers to measurably improve the organization's security posture to reduce
risk while ensuring it gets the most out of its technology investment.
Shore Up the SOC with MDR
SOCs are finding themselves under-resourced at the precise
moment organizations are facing their biggest security challenges. Responding
to the continuous evolution of today's sophisticated threat landscape requires
expertise and skills most businesses don't have, and often can't afford to
maintain, even in larger enterprises. MDR provides team members who can handle
the day-to-day tasks while providing higher-level guidance to drive toward a
hardened security posture.
--
Previous Articles in the Series:
1. Defining MDR and MSS
2. Defining Detection Left of Boom and Right of Boom
3. Defining Visibility and Threat Management
4. Defining Active Threat Hunting and Threat Intelligence
5. Defining Success for a SOC
About the Author
Tom Gorup is Vice President of Security and Support Operations
at Alert Logic and leads Alert Logic's global Security Operations Centers.
Prior to joining Alert Logic, Tom served as co-founder and Director of Security
Operations for Rook Security where he oversaw its Managed Detection and
Response services and developed proprietary security operations management
technologies for organizations ranging from fast-growing startups to Fortune
100 companies. Tom has been quoted in numerous industry journals and media
outlets including The New York Times, Forbes, CNBC, Bloomberg, and Dark
Reading. He has also been a featured speaker at (ISC)².