What is a SOC analyst?
Cybersecurity is becoming ever more vital, especially as the number of companies going remote increases.
That’s what a security operations center or SOC is for. Your SOC serves as the central unit in charge of dealing with cyber threats to your organization.
SOCs include at least a few SOC analysts whose expertise lies at the core of robust security. In this article, we’ll dive into the role SOC analysts fill along with the three different types, some typical analyst job duties, and skills these professionals need to succeed.
What is a SOC analyst?
Even the most advanced threat detection software solutions can’t always stop every threat — human analysis and brainpower are needed.
That’s where the SOC analyst comes in.
A SOC analyst is a cybersecurity specialist who monitors an organization’s IT infrastructure for threats. They are often the first responder in the battle against those threats. They also look for vulnerabilities and make improvements or recommend changes to strengthen security.
SOC analysts often undergo additional training and obtain the Certified SOC Analyst (CSA) certification to enhance their skills. Other relevant certifications include:
- Certified Ethical Hacker (CEH)
- Computer Hacking Forensics Investigator (CHFI)
- EC-Council Certified Security Analyst (ECSA)
- Licensed Penetration Tester (LPT)
As mentioned, SOC analysts are often part of a larger security team. Some organizations hire SOC analysts in-house.
However, companies that don’t have the time, resources, or desire to build an in-house SOC team may outsource to a dedicated SOC firm.
The SOC analyst’s input is crucial to an organization. Their recommendations can enhance cybersecurity and prevent loss through hacks and other cyber breaches.
Note that in this instance, SOC stands for security operations center. This is different from System and Organization Controls, a set of standards and guidelines created by the American Institute of Certified Public Accountants to evaluate various internal controls.
SOC analyst tiers
There are three tiers of SOC analysts, each responsible for more advanced and critical tasks.
Tier 1: Triage
Tier 1 SOC analysts are the least experienced of the three tiers. Most of their duties involve security monitoring for suspicious activity and possible threats. They aren’t often involved in actually combating threats.
Instead, if a Tier 1 analyst believes something needs a closer look, they’ll create a ticket and pass it to a Tier 2 analyst for review.
Tier 2: Incident Response and Investigation
Tier 2 SOC analysts are more experienced than Tier 1. They can do everything a Tier 1 analyst can if needed, but their main job is to dive deeper into issues Tier 1 analysts refer to them.
While a Tier 2 professional investigates an issue, they’ll gather more data from various sources for further investigation. They’ll also try to find where the threat came from and how it got in to prepare an adequate response.
Tier 3: Proactive Threat Hunting
Tier 3 SOC analysts are at the top of the analyst hierarchy. These highly experienced professionals employ their advanced skill sets to support Tier 2 analyst responses to complex security issues.
Additionally, a Tier 3 analyst is a threat hunter. They routinely look for threats that may have slid past a firm’s defenses — along with any vulnerabilities those threats may have exploited to get in.
Plenty of companies spend most of their time on Tier 1 and 2 activities — finding suspicious activities and defeating threats — so they won’t employ as many Tier 3 analysts. They’ll likely have a few of these analysts at a maximum dedicated to strengthening security.
Some people consider SOC managers to be Tier 4, but that’s a management position rather than an analyst. SOC managers aren’t doing the “on-the-ground” work most of the time.
How much do SOC analysts make?
Earnings depend on tier. Tier 3 earns the most, followed by Tier 2 and Tier 1. You’ll see why when we cover SOC analyst duties and responsibilities next.
What are a SOC analyst’s roles and responsibilities?
SOC analysts have several responsibilities pertaining to strengthening and maintaining cyber defenses and responding to threats.
Exact job duties differ between companies and analyst tiers, of course, but here are some broad SOC analyst job responsibilities.
Monitor security access
First and foremost, SOC analysts monitor security access for any suspicious activity.
This is generally a Tier 1 task. If a Tier 1 analyst finds something suspicious, they may do some light investigation, but they typically send the potential threat up to a Tier 2 analyst.
However, some Tier 3 analysts may monitor security access on a much deeper level that Tier 1 analysts aren’t yet skilled enough to handle.
Respond to threats
When a cyber threat rears its head, SOC analysts are the first to jump in and respond.
The Tier 1 analyst generally spots these first while monitoring for suspicious activity. They send it up to Tier 2, who will review the information.
Tier 2 will then try to determine the attack’s scope and what systems are at risk. They’ll gather data from other sources and stakeholders to get a better picture of the problem.
The analyst then develops a solution for mitigating the threat and recovering from it.
Tier 3 may be involved here, too, to help find ways to fix up the security weakness the threat used to get in.
Conduct security assessments
Tier 1 analysts sometimes scan for vulnerabilities, but Tier 3 analysts are most often responsible for conducting in-depth security assessments and testing.
In particular, they regularly hunt for vulnerabilities in systems to patch them up and strengthen cybersecurity. A single security breach can cost a company massive sums of money through legal costs, fines, fixing the breach, and losing customers — making this work vital.
One crucial type of security assessment is penetration testing. This involves running a simulated cyberattack against your IT infrastructure to test the strength of your defenses.
Penetration testing also assists in finding hidden weaknesses and identifying what the company needs to fix to strengthen security.
Create and update business continuity and disaster recovery plans
A disaster recovery plan lays out how a company will respond to unexpected damaging events, such as natural disasters or cyberattacks.
A business continuity plan tells an organization how it will continue to operate during one of these events.
Given the risk of breaches and other cyber threats, SOC analysts play a role in developing and refining both these plans. They contribute their expertise to develop a plan for keeping IT operations running during a disaster and getting things back online once the organization remedies the problem.
Stay up-to-date on cyber trends
Cyber threats are constantly evolving, and cybersecurity has to keep pace with them.
SOC analysts are therefore responsible for keeping up with cyber trends and developments in IT and security. They must routinely study emerging types of cyber threats and stay on top of the technology and cybersecurity strategies that experts are developing to counteract them.
This part of the job will require some continuing education or professional development time outside of work. Look no further than the CSA’s three-year recertification requirement as evidence that continuing education is crucial to SOC analyst success.
Advise on and implement new security policies
SOC analysts are experts at finding weaknesses and strengthening cybersecurity, especially at the Tier 3 level.
Whether a SOC analyst discovers new vulnerabilities through fighting threats, conducting security assessments, or learning about emerging cybersecurity trends, they need to relay this information to the right people in their organization.
If a company wants to move forward with changes in cybersecurity policy, it usually falls on Tier 3 analysts to implement these changes, too.
What are the most important technical skills SOC analysts need?
Cyber trends might be evolving, but the skills a SOC analyst needs remain mostly the same. If you’re looking to maximize the value that SOC analysts provide to your organization, make sure they have these skills.
Programming skills
Tier 1 analysts spend a lot of time digging through system logs to find hints of suspicious goings-on. This takes significant time and is quite tedious.
Such manual work can cause human analysts to overlook potential threats by accident as they try to get through it all.
Naturally, you can automate some of this work.
Tier 1 analysts should have basic programming skills — enough to write scripts that automate much of the search and alert the analyst to potential issues.
That said, Tier 2 and 3 analysts can benefit from honing their programming abilities, too. Programming skills can come in handy when using data visualization tools.
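As an added illustration (not code from the original article), here is the kind of triage script a Tier 1 analyst might write: it parses a few constructed sshd-style log lines, counts failed logins per source address, and raises a ticket for Tier 2 once a source crosses a threshold, marking it high severity if a successful login followed the burst. The log format, the threshold, and the severity labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd-style sample lines (not real data); the format is assumed.
SAMPLE_LOG = """\
Jan 10 08:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 08:01:05 host1 sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jan 10 08:01:09 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 10 08:01:12 host1 sshd[1207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jan 10 08:01:20 host1 sshd[1209]: Accepted password for root from 203.0.113.7 port 51060 ssh2
Jan 10 08:15:00 host1 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jan 10 08:15:30 host1 sshd[1302]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

# One regex covers both outcomes; "invalid user" is optional in sshd messages.
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def parse(lines):
    """Extract (result, user, src) from lines that match; ignore the rest."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def triage(lines, threshold=3):
    """Build Tier 2 tickets for sources with >= threshold failed logins."""
    fail_count = defaultdict(int)
    users = defaultdict(set)
    success_after_burst = set()  # a success after the burst needs a human fastest
    for e in parse(lines):  # parse keeps log order, so "after" is meaningful
        src = e["src"]
        if e["result"] == "Failed":
            fail_count[src] += 1
            users[src].add(e["user"])
        elif fail_count[src] >= threshold:
            success_after_burst.add(src)
    return [
        {"src": src, "failures": n, "users": sorted(users[src]),
         "severity": "high" if src in success_after_burst else "medium"}
        for src, n in fail_count.items() if n >= threshold
    ]

if __name__ == "__main__":
    for t in triage(SAMPLE_LOG.splitlines()):
        print(f"[{t['severity'].upper()}] {t['src']}: {t['failures']} failed "
              f"logins for {', '.join(t['users'])}; escalate to Tier 2")
```

The single-user source with one failure never reaches the threshold and produces no ticket, which is the noise reduction that makes this worth automating.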
Computer forensics
Computer forensics involves investigating, collecting, and analyzing data and information pertinent to cybercrime.
All SOC analysts should understand computer forensics, but that’s especially vital for Tier 2 since their job is to collect information about cyber threats.
Tier 3 analysts can benefit from computer forensics knowledge, too. It can come in handy when looking for areas where potential cybercriminals can get into an organization’s systems.
Ethical hacking
Part of the Tier 3 analyst’s job is to assess an organization’s cybersecurity for vulnerabilities and areas of improvement. As mentioned, they often do this through penetration testing, which requires a high degree of ethical hacking skills.
Tier 3 analysts need in-depth knowledge of vulnerabilities in networks, systems, and applications so they can probe defenses and find potential vulnerabilities.
Tier 1 and 2 analysts usually don’t need to have these ethical hacking skills. However, grasping the basics can help Tier 1 analysts understand potential threats and vulnerabilities much better. It allows them to monitor for threats and work with other tiers if necessary.
An understanding of security tools
SOC analysts — being security experts — need to be skilled in several common security tools.
For example, understanding security information and event management (SIEM) tools and intrusion detection software is a must.
Analysts should also be skilled in system administration tasks on macOS, Windows, and Linux/Unix operating systems.
Tier 3 analysts, in particular, should be familiar with popular penetration testing tools as part of their ethical hacking duties, too.
SOC analysts are the thin line between cyberthreats and organizational cybersecurity. This is true whether they’re a Tier 1 analyst looking for issues or a Tier 3 hunting for ways to bolster security.
Even with the best SOC analysts on the planet, though, it never hurts to have a comprehensive SOC audit of your firm — something we specialize in here at Secureframe. Schedule your demo today or reach out to [email protected] if you have any questions.