SOC Analyst: Career Path Overview

A buzzword in the cyber security world is ‘SOC Analyst.’ While some are familiar with this role and desire to one day hold this title, many are not sure what a SOC analyst does, or what ‘SOC’ even stands for. I’d like to shed some light on this exciting position, and encourage you to consider this career as you dive into studying security.

For starters, ‘SOC’ stands for Security Operations Center. Analysts in Security Operations work alongside security engineers and SOC managers. As a group, their role encompasses “providing situational awareness through the detection, containment, and remediation of IT threats. A SOC manages incidents for the enterprise, ensuring they are properly identified, analyzed, communicated, actioned/defended, investigated and reported. The SOC also monitors applications to identify a possible cyber-attack or intrusion and determines if it is a real, malicious threat and if it could have a business impact.”

Because businesses are becoming more and more vulnerable to threats, this position has grown in importance over the years. For those in cyber security, it can be a dynamic and lucrative role.

Job Responsibilities of a SOC Analyst

A SOC Analyst never rests. They work 24×7 to provide threat/vulnerability analysis and security logs for a larger number of security devices, in addition to Incident Response support when their analysis confirms a threat.

In addition to real-time threats, SOC Analysts must analyze and respond to undisclosed hardware and software vulnerabilities as well as investigate, document, and report on security issues and emerging trends. They act as the ‘security advisors’ for any organization, coordinating with Intel analysts and other teams as needed.

To break the SOC functions down, critical responsibilities include, but are not limited to:

• IDS monitoring and analysis
• Network traffic and log analysis
• Insider threat and APT detection
• Malware analysis and forensics
• Understanding/ differentiation of intrusion attempts and false alarms
• Investigation tracking and threat resolution
• Compose security alert notifications
• Advise incident responders/ other teams on threats

A SOC Analyst’s Perspective

Angler.Exploit.Kit, Bruteforce Attack, and Cryptowall are just a few exploits that are seen almost on a daily basis in a Security Operations Center (SOC). For a security analyst, this means he or she is focused squarely on security incident handling and response. 

Life as a SOC analyst is both challenging and rewarding. An analyst is required to work quickly, efficiently, and error free. An analyst will work on a variety of tickets during the duration of their shift, treating each incident with equal care and responsibility.  An experienced analyst knows exactly what needs to be identified for an attack and where to find it. By providing accurate, informative feedback, an organization can quickly resolve any issues or threats that may presents themselves in their environment.

• Chris Wreckley, SOC Analyst at ReliaQuest

We never know what is going to happen. A day can start out calm or start out on fire and very quickly go from one or another. What are the key activities on the network? What are we monitoring? Is there something that we see that is a potential risk that we need to really come up to speed on quickly? We start there.

The biggest problem we deal with especially in these large networks is the vast volume of things we need to watch. Depending on the types of tools you have in hand, you can trade searches off of that or elevate the monitoring of specific applications. If you keep enough history and enough memory of what has actually happened on your network, you can discover something you didn’t see before.

• Jim Treinen, SOC Analyst at ProtectWise

An Organization’s Perspective on SOC Analysts

Security analysts are, in many ways, the foot soldiers of the organization. Their job is to detect, investigate, and respond to incidents. They may also be involved in planning and implementing preventative security measures and in building disaster recovery plans. Depending on the vulnerabilities your organization faces and the nature of your security program, analysts may need to be on-call at various times to handle incidents as they arise.

Analysts may also be responsible for recommending new technologies and installing them, as well as training other team members to use them. Many organizations break security analysts out by level or tiers, where the rank determines the skill level of the analyst. Higher-ranked analysts will handle escalated events or more complicated incidents that junior analysts may not be prepared for and perform proactive hunting for threats that may have escaped their alerting systems.

• Komand, powered by Rapid7

How do I Become a SOC Analyst?

The work experience and degree requirements will vary from organization to organization, but typically, most companies require a Bachelor’s degree in Computer Science or a related field as well as 1-3 years of work experience.

As we all know, there are exceptions and some successful SOC Analyst have been hired on practical experience or certifications rather than the ‘formal’ route.

Desired technical experience can include:

• Security Information and Event Management (SIEM)
• SQL
• TCP/IP, computer networking, routing and switching
• C, C++, C#, Java or PHP programming languages
• IDS/IPS, penetration and vulnerability testing
• Firewall and intrusion detection/prevention protocols
• Windows, UNIX and Linux operating systems
• Network protocols and packet analysis tools
• Anti-virus and anti-malware

Desired certifications can include:

• Security+ (beginner)
• CEH (intermediate)
• CASP (intermediate)
• GIAC (intermediate)
• CISSP (advanced)

The certifications (beginner- intermediate) listed above outline those that can be desired for a SOC Analyst, or those (intermediate-advanced) for those working their way to SOC manager. These requirements again, are dependent on the specifics of a given organization and how that SOC Analyst fits in with the larger structure of the organization.

Cybrary Resources for SOC Analysts

While Cybrary has resources for all of the above certifications and for the technical skills mentioned, for the sake of this post, we will focus on the GIAC Security Essentials Certification, which was requested in the majority of job descriptions I came across in my research.

For those unfamiliar, this certification from GIAC focuses on 50 objectives and certifies on a broad range of security skills. It signifies that you possess the ability to identify and prevent common cyber attacks and understand access controls, authentication, password management, DNS, cryptography fundamentals, ICMP, IPv6, public key infrastructure, Linux, network mapping, and network protocols.

The GSEC certification exam consists of 180 questions which testers have 5 hours to complete. You must receive a score of 74% or higher in order to pass.