SOC Analysts: What They Are, What They Do + Salary
Worldwide spending on security and risk management is expected to grow 11.3% in 2023, reaching more than $188.3 billion, according to Gartner research.
As organizations increase focus on cybersecurity, a security operations center or SOC is becoming increasingly important. Your SOC serves as the central unit in charge of dealing with cyber threats to your organization.
SOCs include at least a few SOC analysts whose expertise lies at the core of robust security. SOC analysts help fill in the gaps of even the most advanced threat detection software solutions to stop cyberattacks and threats.
In this article, we’ll dive into the role SOC analysts fill along with the three different types, some typical analyst job duties, and skills these professionals need to succeed.
What is a SOC analyst?
A SOC analyst is a cybersecurity specialist who monitors an organization’s IT infrastructure for threats. They are often the first responder in the battle against those threats. They also look for vulnerabilities and make improvements or recommend changes to strengthen security.
As mentioned, SOC analysts are often part of a larger security team. Some organizations hire SOC analysts in-house. However, companies that don’t have the time, resources, or desire to build an in-house SOC team may outsource to a dedicated SOC firm.
The SOC analyst’s input is crucial to an organization. Their recommendations can enhance cybersecurity and prevent loss through hacks and other security events.
Note that in this instance, SOC stands for security operations center. This is different from System and Organization Controls, a set of standards and guidelines created by the American Institute of Certified Public Accountants to evaluate various internal controls.
SOC analyst certification
In addition to having a bachelor’s degree in computer engineering, computer science, or a related field, SOC analysts often undergo additional training and obtain a Certified SOC Analyst (CSA) license to enhance skills.
Other relevant certifications include:
- Certified Ethical Hacker (CEH)
- Computer Hacking Forensics Investigator (CHFI)
- EC-Council Certified Security Analyst (ECSA)
- Licensed Penetration Tester (LPT)
- CompTIA Security+
- CompTIA Cybersecurity Analyst (CySA+):
SOC analyst tiers
There are three tiers of SOC analysts, each responsible for more advanced and critical tasks.
Tier 1 SOC Analysts: Triage
Tier 1 SOC analysts are the least experienced of the three tiers. Most of their duties involve security monitoring for suspicious activity and possible threats. They aren’t often involved in actually combating threats.
Instead, if a Tier 1 analyst believes something needs a closer look, they’ll create a ticket and pass it to a Tier 2 analyst for review.
Tier 2 SOC Analysts: Incident Response and Investigation
Tier 2 SOC analysts are more experienced than Tier 1. They can do everything a Tier 1 analyst can if needed, but their main job is to dive deeper into issues Tier 1 analysts refer to them.
While a Tier 2 professional investigates an issue, they’ll gather more data from various sources for further investigation. They’ll also try to find where the threat came from and how it got in to prepare an adequate response.
Tier 3 SOC Analysts: Proactive Threat Hunting
Tier 3 SOC analysts are at the top of the analyst hierarchy. These highly experienced professionals employ their advanced skill sets to support Tier 2 analyst responses to complex security issues.
Additionally, a Tier 3 analyst is a threat hunter. They routinely look for threats that may have slid past a firm’s defenses — along with any vulnerabilities those threats may have exploited to get in.
Plenty of companies spend most of their time on Tier 1 and 2 activities — finding suspicious activities and defeating threats — so they won’t employ as many Tier 3 analysts. They’ll likely have a few of these analysts dedicated to strengthening security.
Some people consider SOC managers to be Tier 4, but that’s a management position rather than an analyst. SOC managers aren’t doing “on-the-ground” work most of the time.
SOC analyst salary
According to Glassdoor, the average salary of a SOC analyst in the United States is $84,439 per year.
How much a SOC analyst makes varies by years of experience, certifications, location, and other factors. The salary range is therefore broad, falling between $79,000 and $125,000.
Earnings also depend on tier. Tier 3 earns the most, followed by Tier 2 and Tier 1. You’ll see why when we cover SOC analyst duties and responsibilities next.
What does a SOC analyst do?
SOC analysts have several responsibilities pertaining to strengthening and maintaining cyber defenses and responding to threats.
Exact job duties differ between companies and analyst tiers, of course, but here are some broad SOC analyst job responsibilities.
1. Monitor security access
First and foremost, SOC analysts monitor security access for any suspicious activity.
This is generally a Tier 1 task. If a Tier 1 analyst finds something suspicious, they may do some light investigation, but they typically send the potential threat up to a Tier 2 analyst.
However, some Tier 3 analysts may monitor security access on a much deeper level that Tier 1 analysts aren’t yet skilled enough to handle.
2. Respond to threats
When a cyber threat rears its head, SOC analysts are the first to jump in and respond.
The Tier 1 analyst generally spots these first while monitoring for suspicious activity. They send it up to Tier 2, who will review the information.
Tier 2 will then try to determine the attack’s scope and what systems are at risk. They’ll gather data from other sources and stakeholders to get a better picture of the problem.
The analyst then develops a solution for mitigating the threat and recovering from it.
Tier 3 may be involved here, too, to help find ways to fix up the security weakness the threat used to get in.
3. Conduct security assessments
Tier 1 analysts sometimes scan for vulnerabilities, but Tier 3 analysts are most often responsible for conducting in-depth security assessments and testing.
In particular, they regularly hunt for vulnerabilities in systems to patch them up and strengthen cybersecurity. A single security breach can cost a company massive sums of money through legal costs, fines, fixing the breach, and losing customers — making this work vital.
One crucial type of security assessment is penetration testing. This involves running a simulated cyberattack against your IT infrastructure to test the strength of your defenses.
Penetration testing also assists in finding hidden weaknesses and identifying what the company needs to fix to strengthen security.
4. Create and update business continuity and disaster recovery plans
A disaster recovery plan lays out how a company will respond to unexpected damaging events, such as natural disasters or cyberattacks.
A business continuity plan tells an organization how it will continue to operate during one of these events.
Given the risk of breaches and other cyber threats, SOC analysts play a role in developing and refining both these plans. They contribute their expertise to develop a plan for keeping IT operations running during a disaster and getting things back online once the organization remedies the problem.
5. Stay up-to-date on cyber trends
Cyber threats are constantly evolving, and cybersecurity has to keep pace with them.
Such circumstances make SOC analysts responsible for keeping up with cyber trends and developments in IT and security. They must routinely study emerging types of cyber threats and stay on top of technology and cybersecurity strategies that experts are developing to counteract these.
This part of the job will require some continuing education or professional development time outside of work. The CSA’s three-year recertification requirement shows how crucial continuing education is to SOC analyst success.
6. Advise on and implement new security policies
SOC analysts are experts at finding weaknesses and strengthening cybersecurity, especially at the Tier 3 level.
Whether a SOC analyst discovers new vulnerabilities through fighting threats, conducting security assessments, or learning about emerging cybersecurity trends, they need to relay this information to the right people in their organization.
If a company wants to move forward with changes in cybersecurity policy, it usually falls on Tier 3 analysts to implement these changes, too.
SOC analysts skills
Cyber trends might be evolving, but the skills a SOC analyst needs remain mostly the same. If you’re looking to maximize the value that SOC analysts provide to your organization, make sure they have these skills.
Tier 1 analysts spend a lot of time digging through system logs to find hints of suspicious goings-on. This takes significant time and is quite tedious.
Such manual work can cause human analysts to overlook potential threats by accident as they try to get through it all.
Naturally, you can automate some of this work.
Tier 1 analysts should have basic programming skills — enough to write scripts that automate much of the search and alert the analyst to potential issues.
That said, Tier 2 and 3 analysts can benefit from honing their programming abilities, too. Programming skills can come in handy when using data visualization tools.
Computer forensics involves investigating, collecting, and analyzing data and information pertinent to cybercrime.
All SOC analysts should understand computer forensics, but that’s especially vital for Tier 2 since their job is to collect information about cyber threats.
Tier 3 analysts can benefit from computer forensics knowledge, too. It can come in handy when looking for areas where potential cybercriminals can get into an organization’s systems.
Part of the Tier 3 analyst’s job is to assess an organization’s cybersecurity for vulnerabilities and areas of improvement. As mentioned, they often do this through penetration testing, which requires a high degree of ethical hacking skills.
Tier 3 analysts need in-depth knowledge of vulnerabilities in networks, systems, and applications so they can probe defenses and find potential vulnerabilities.
Tier 1 and 2 analysts usually don’t need to have these ethical hacking skills. However, grasping the basics can help Tier 1 analysts understand potential threats and vulnerabilities much better. It allows them to monitor for threats and work with other tiers if necessary.
An understanding of security tools
SOC analysts — being security experts — need to be skilled in several common security tools.
For example, understanding security information, event management (SIEM), and intrusion detection software are musts.
Analysts should also be skilled in system administrator tasks within Macbook, Windows, and Linux/Unix operating systems.
Tier 3 analysts, in particular, should be familiar with popular penetration testing tools as part of their ethical hacking duties, too.
Reverse engineering involves analyzing the functions and information flow of software programs in order to understand their functionality and performance. This technique can also be applied to malware.
Tier 3 SOC analysts should not only know about advanced malware and be able to neutralize it — they should also be capable of reverse-engineering it in order to harden the organization’s systems against future threats.
Risk management is the ability to identify, analyze, and mitigate risks. Tier 1 SOC analysts should be able to analyze and detail existing vulnerabilities and consider possible risks that may arise in the future. Tier 2 and 3 SOC analysts should be able to develop strategies to treat and mitigate these risks and create a recovery process for when security incidents do happen.
How Secureframe can help optimize your security operations center
SOC analysts are often the front lines of an organization's cyber defenses. This is true whether they’re a Tier 1 analyst looking for issues or a Tier 3 hunting for ways to bolster security.
To help ensure your SOC analysts and security operations center as a whole is performing at its best, consider doing a comprehensive SOC audit — something we specialize in here at Secureframe. Schedule your demo today to find out how Secureframe can help you prepare for an audit and enhance your security posture.