Cyber 201: What is a Security Operations Center?
Most lists of entry-level cybersecurity jobs will undoubtedly include the SOC analyst. The lingering question for many aspiring cybersecurity professionals is: “What’s a SOC?” We’re going to take a look at the Security Operations Center (SOC) and its role in the cybersecurity landscape. It’s important to have at least a basic understanding of how the SOC fits in organizationally, regardless of where you land your first cybersecurity job.
According to security vendor CrowdStrike, “A security operations center (SOC) includes the people, processes and technologies responsible for monitoring, analyzing and maintaining an organization’s information security.” So what does that actually mean? Let’s focus on those stated tasks: monitor, analyze and maintain.
Basically, security operations centers continuously monitor everything that happens on their organization’s network, looking for anomalies. As you can imagine, that's a lot of traffic to monitor, so the people, processes and technologies become very important.
To maximize visibility into their network, SOCs need to understand which technology and which process gives them visibility into which portion of the network. Just ensuring full visibility is a big task. Once an organization has the visibility to fully monitor its network for anomalies, it then needs to do something with all that data.
Anomalies don’t always represent bad or malicious activity. After all, by definition an anomaly is simply “something that is different from what is ordinary or expected.” That means monitoring can produce a lot of suspicious events—any observable occurrence in a network or system—that aren’t threats.
How does the SOC determine which suspicious events are actually threats? This is where people, processes and technologies really come into play. Obviously, SOC analysts are a big part of the equation. (There’s a reason we call them analysts.) However, you can’t just throw people at the problem. Qualified cybersecurity professionals are a limited resource (hence the skills shortage), and throwing people at the problem is unsustainable and leads to burnout.
Organizations therefore need to design processes and adopt technologies that allow them to employ their people most effectively. Well-designed and well-executed processes and technologies allow SOCs to filter suspicious events so that SOC analysts’ time is used intelligently.
At first glance, maintaining an organization’s information security may sound like a mundane task. But what is the actual task? It is to maintain the confidentiality, integrity, and availability (CIA) of an organization’s information systems. That sounds like a bigger task, doesn’t it? How do you maintain the CIA triad after you’ve identified malicious incidents through analysis? You contain whatever has disrupted confidentiality, integrity or availability of your organization’s information systems.
Maintaining an organization’s information security leans heavily on people, processes and technologies. In order to maintain security the SOC needs to understand what “right” looks like (i.e., get a good baseline of normal network activity). It will need to develop processes to standardize complex tasks. As part of these processes, the SOC will really depend on its people. SOC analysts at various levels will need to execute interconnected tasks in a coordinated manner to maintain the organization’s information security.
Does that sound like challenging work? It is. But it can be exciting, and it’s important.
SOC Analyst Tiers
You’ll hear about SOC Level 1, 2, and 3 Analysts. Roles with a higher number require more experience and carry greater responsibility. A SOC Level 1 Analyst is a front-line cybersecurity professional responsible for monitoring and responding to security-related alerts. A SOC Level 3 Analyst is more of a subject matter expert (SME) and/or manager.
A SOC Level 1 Analyst role can be a good place to start one’s cybersecurity career. SOC Level 1 Analysts are always in demand and the role provides a lot of hands-on experience.
A Security Operations Center is a big investment, so many organizations will outsource the roles to a Managed Security Service Provider (MSSP). Whether using an in-house SOC or an external MSSP, Security Operations is often the first line of defense against cyberattacks.