Defining Daily Tasks and Skills of a SOC Analyst


By Tom Gorup, Vice President, Security Operations, Alert Logic

Given the importance of a SOC analyst's job, it's surprising how many people don't know what these security professionals do. Their largely behind-the-scenes role is essential to providing valuable protection and effective MDR (managed detection and response).

SOC analysts are the first responders to cyber threats. They work in teams that collectively make up the SOC (Security Operations Center). Their focus is to monitor for risks, suspicious activities, and active intrusions into an organization's IT environment; defend against the attacks; and secure sensitive information. Analysts in the SOC have differing skill levels, each tasked with a unique set of responsibilities, but they work in concert, ideally in a follow-the-sun model that protects organizations 24/7, since attacks occur day and night.

As organizations continue to struggle to fill security analyst roles with qualified professionals, it's worth looking at what a SOC analyst does day to day and how an MDR solution can help fill out and strengthen an organization's security posture.

Daily Tasks and Responsibilities of a SOC Analyst

The primary responsibility of all SOC analysts is to monitor and protect an organization's IT infrastructure. As the front-line defenders, they are the first to observe an attack, whether through monitoring tools or hunting activities, and they perform the initial triage, investigation, and response. Their activities are focused on understanding the breadth and validity of the threat so they can clearly communicate next steps to the business.

Though specific daily tasks for a SOC analyst can vary by organization, they commonly include several broad responsibilities:

  • Monitor and analyze network traffic for malicious activity.
  • Investigate, document, and report suspicious activity.
  • Differentiate between actual intrusion attempts and false alarms.
  • Analyze breaches to identify the root cause and make recommendations to prevent the attack from occurring again.
  • Conduct vulnerability assessments and risk analysis to make recommendations for hardening the overall security posture of the organization.
  • Configure, manage, and tune security monitoring tools.

While all SOC analysts have an underlying focus on identifying and preventing incidents, they may specialize in certain areas like web applications or compliance.

SOC Levels

The composition of security teams can vary across organizations, but generally, SOC analysts fall into progressive tiers and gradually shift from an escalation source to an escalation point as they progress up the ladder:

  • Tier 1 analysts are triage specialists. These analysts primarily monitor the output of an organization's security systems. They review and prioritize day-to-day incident alerts, determine their relevance and urgency, and escalate as necessary, always leveraging documentation and pre-defined workflows and escalation procedures.
  • Tier 2 analysts are incident responders. They review incidents escalated by Tier 1 analysts, correlating them with threat intelligence to determine the threat actor, the scope of the attack, and the affected systems. They collect data for further investigation and determine and execute a response.
  • Tier 3 analysts are threat hunters. These highly specialized and experienced analysts use their deep knowledge of the threat landscape and the individual organization's environment, in conjunction with threat intelligence, to proactively hunt for unknown threats or risks that are already in the network but not yet detected, or that elude traditional prevention and detection technologies altogether. They may work with Tier 2 analysts to respond to and contain the threats they find.
  • Tier 4 analysts typically have a technical leadership role, driving new processes in their areas of expertise. These analysts are the subject matter experts in their given domain of security operations. They ensure the team is constantly evolving its processes and approaches in the various areas of expertise, and that training meets the needs of the business in that domain.

MDR SOC Analysts

Because of the shortage of skilled cybersecurity professionals, most SOCs have had to take a security generalist approach to stretch their limited resources. Security team members are expected to know how to secure applications and services in all kinds of scenarios and environments (cloud, on-premises, hybrid, containers, IoT, and mobile) without much depth of knowledge in any particular area. That has become untenable as the attack surface expands, threat techniques become more sophisticated, and environments grow unmanageably complex.

MDR provides the security experts required to successfully respond to today's attacks. In addition to foundational security abilities, security analysts at each tier of the SOC in an MDR solution provide deeper levels of knowledge based around the individual customer's unique business needs. By design, SOC analysts work on more advanced security incidents as their knowledge and skills expand, gaining expertise as they respond to more complex attacks.

MDR complements the SOC's tactical responsibilities with strategic and platform-specific expertise and recommendations. Managed detection and response services collect and analyze data from across the organization's network, endpoints, servers, and cloud to detect advanced threats. Contextualizing this data against threat intelligence allows MDR providers to measurably improve the organization's security posture to reduce risk while ensuring it gets the most out of its technology investment.

Shore Up the SOC with MDR

SOCs are finding themselves under-resourced at the precise moment organizations are facing their biggest security challenges. Responding to the continuous evolution of today's sophisticated threat landscape requires expertise and skills most businesses don't have, and often can't afford to maintain, even in larger enterprises. MDR provides team members who can handle the day-to-day tasks while providing higher-level guidance to drive toward a hardened security posture.


Previous Articles in the Series:

1. Defining MDR and MSS
2. Defining Detection Left of Boom and Right of Boom
3. Defining Visibility and Threat Management
4. Defining Active Threat Hunting and Threat Intelligence
5. Defining Success for a SOC


About the Author

Tom Gorup

Tom Gorup is Vice President of Security and Support Operations at Alert Logic and leads Alert Logic's global Security Operations Centers. Prior to joining Alert Logic, Tom served as co-founder and Director of Security Operations for Rook Security where he oversaw its Managed Detection and Response services and developed proprietary security operations management technologies for organizations ranging from fast-growing startups to Fortune 100 companies. Tom has been quoted in numerous industry journals and media outlets including The New York Times, Forbes, CNBC, Bloomberg, and Dark Reading. He has also been a featured speaker at (ISC)².

Published Friday, August 28, 2020 7:33 AM by David Marshall