Security Operations Center (SOC) analysts are on the front lines of an organization’s cybersecurity efforts. In a typical SOC, a team of analysts adds diverse specializations and expertise, and works together around-the-clock to monitor and analyze security data and alerts from assets across the environment. If you’ve ever wondered what an “average day” of detecting and responding to threats looks like, read on.
Much like a sports team, a high-performing SOC is made up of individual analysts with a common goal – to defeat threats.
A diversity of experience, skills, and expertise is a key part of a SOC team’s success, and allows team members to learn from each other and handle different types of work. Some analysts are mentally or operationally better at triaging large volumes of incidents and at a very fast pace. Others may be better at deeper analysis. Still others may excel at interfacing with customers or internal partners, explaining and displaying the value of the work being performed.
It’s important to note that each SOC is unique in how it operates, the number of analysts, and the functions it performs. Some operate 24x7x365 with staffing coverage that’s around-the-clock – or that “follows the sun” with daily transitions to multiple global SOC locations. Other SOCs operate a day shift, implementing on-call operations for higher-priority incidents that occur overnight. In-house SOCs work to protect the organization. A SOC-as-a-Service offering by a managed security service provider (MSSP), though, can protect hundreds or even thousands of businesses at once.
Regardless of the type of SOC operations, when a SOC analyst starts work for the day, a “handover” meeting is usually first on the agenda. The previous shift members document and explain the threat status and context, reassign urgent work, and relate any key changes – for example, a temporary change in escalation protocol if a stakeholder is out of the office.
This transfer of knowledge and incident context becomes fundamental to the fabric of a SOC over time. For MSSPs that service multiple customers around-the-clock, the process is particularly essential to ensure a seamless transition for each SOC shift change. It also helps teams develop and enhance their muscle memory about how best to approach problems for specific customers.
Once the handover is complete, the analyst is ready for the day. Over the course of the shift, the work typically falls into several categories:
The central function of the SOC, incident work refers to the triage and analysis of any “reactive” system-generated security issue from a security incident and event monitoring (SIEM) platform or other system. These reactive issues are the heartbeat of the SOC, and are the highest-priority work for the analyst. The term, “eyes on glass” represents the analyst’s continuous monitoring of an organization’s security data and alerts for threats.
Not all incidents are of equal importance. Prioritization is an essential part of ensuring that a SOC analyst gets to the right outcomes quickly. It is standard practice for incidents to be graded by severity – usually, low, medium, and high – to indicate the order or priority of analysis. The important thing to remember is that low risk doesn’t mean NO threat, but infers that either the potential impact of the threat is low, or that there is a low chance of the presence of a threat. The analyst needs to review all levels of incidents, and depending on the volume of incidents and the handling times defined in the service-level agreement (SLA), “eyes on glass” can include multiple SOC analysts at any one time.
The handling of incidents is a critical part of the analyst’s day-to-day SOC responsibilities, but it is not the sole work performed. As with all technical systems, SOCs require a level of maintenance and continual improvement. This is the core of the day’s non-incident efforts.
SOC maintenance and upkeep can take many forms, but typically the work is focused on technology and content. The security data that feeds from the assets across an organization’s environment into a SIEM tool must be monitored regularly to include changes – such as adding feeds from new assets.
The SIEM tool itself requires regular tuning to reduce the number of false alerts, ensure the best signal-to-noise ratio for the SOC, and review prioritization criteria. As new threats or new indicators are discovered, the SIEM’s content must be updated to ensure that new, emerging threats will be highlighted to the SOC as incidents. This maintenance work is vital to helping the analyst focus on identifying and stopping critical threats quickly.
In addition to incident work and non-incident maintenance, the analyst’s day may also include meeting with customers, performing deeper dives into incidents or maintenance, and additional value creation work such as threat hunting. The end of the shift brings the “day in the life” full-circle, as the analyst participates in the transition of the day’s work to the next team in a handover meeting.
The best SOCs effectively prioritize and balance both their incident and non-incident workloads and allow their analysts to contribute to both. Therefore, all members of the SOC team perform a variety of tasks daily, which contributes to greater familiarity of the environments the SOC serves, broadens knowledge and skillsets, and results in more effective and efficient use of time. Similar to a sports team, each individual uniquely contributes to the same SOC goals with a specific set of skills, experience, and perspective. Ultimately, this diversity strengthens the team and sets it up for success.
A SOC requires a variety of technical and cyber expertise to be successful. Don’t have the skills in-house? Get access to the SOC expertise you need to protect your environment from threats 24x7x365 – with SilverSky SOC-as-a-Service.