A Security Operations Center (SOC) analyst is a cybersecurity professional who works on a team that monitors and counteracts threats to an organization’s IT infrastructure; the SOC is that team. The main responsibility of an SOC analyst is to watch security systems for signs of attack, assess security controls and measures for weaknesses, and report cyber threats.
Depending on the analyst’s skill level, they may also be responsible for incident response (investigating and containing a cyberattack) and even ethical hacking, which involves performing penetration testing (simulated hacking in a controlled environment) to find vulnerabilities in IT infrastructure before an attacker does. An entry-level SOC analyst is mostly concerned with monitoring alerts and deciding which ones to triage and escalate.
The Prelude Institute describes SOC analysts as “watchdogs and security advisors” because of their dual role in keeping an eye out for attacks while also shoring up an organization’s cyber defenses. An SOC analyst must have great attention to detail and a level head.
What Skills Does An SOC Analyst Need?
An SOC analyst needs the following skills:
- Network defense: Monitoring alerts and analyzing trends to defend against unauthorized activity within computer networks
- Ethical hacking: Performing penetration testing and other types of tests to gauge the security of an organization’s information systems
- Incident response: Reporting, investigating, and mitigating a cyberattack
- Computer forensics: Collecting and analyzing data from computer systems and networks to recreate the events of a cyberattack
- Reverse engineering: Taking apart malware and other suspicious files or binaries to understand what they do, how they persist, and how an attacker entered the system
What Is the Difference between a Tier 1, 2, and 3 SOC Analyst?
The main difference between the tiers is the level of responsibility each one assumes in the event of a cyberattack. For example, the role of a Tier 3 analyst is to devise, install and maintain security measures that prevent a cyberattack, while a Tier 1 analyst triages incoming alerts and escalates the ones that look like real breaches.
- Tier 1: Triage specialists who monitor user activity, network events and signals from security tools to identify events that merit escalation. Typically, the SIEM or analytics software will issue an alert if there is a potential issue. The job of a Tier 1 SOC analyst is to determine which alerts and other abnormal activity represent real threats and escalate them accordingly.
- Tier 2: Incident responders who remediate attacks escalated from Tier 1 analysts. Their job is to collect data for further analysis, assess the scope of the attack, identify the source of the attack, implement necessary security measures to counter the attack, and restore system operations. They also investigate, document, and generate reports on information security issues for IT administrators and security leaders.
- Tier 3: Threat hunters who work proactively to seek out weaknesses in IT infrastructure. They conduct penetration tests, review vulnerability assessments and suggest improvements. Another key responsibility is to keep security systems up to date and contribute to ongoing security strategies to protect the organization against further attacks.
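To make the Tier 1 hand-off concrete, here is an added example (not from the original article or from any SIEM vendor) of the kind of triage logic a Tier 1 analyst applies before escalating to Tier 2. The alerts are a constructed JSON-lines sample, and the asset list, approved-scanner list and brute-force threshold are hypothetical values; real SOCs pull these from an asset inventory and tune them to their own noise levels.

```python
"""Tier 1 alert triage: parse constructed SIEM alerts, correlate related ones,
and decide whether to close, ticket, or escalate each to Tier 2 (added example)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in JSON-lines form, standing in for a SIEM export.
SAMPLE_ALERTS = """
{"ts": "2024-03-04T08:00:05Z", "rule": "auth_failure", "src": "203.0.113.7", "user": "jdoe", "host": "vpn-gw01"}
{"ts": "2024-03-04T08:00:09Z", "rule": "auth_failure", "src": "203.0.113.7", "user": "jdoe", "host": "vpn-gw01"}
{"ts": "2024-03-04T08:00:14Z", "rule": "auth_failure", "src": "203.0.113.7", "user": "jdoe", "host": "vpn-gw01"}
{"ts": "2024-03-04T08:00:20Z", "rule": "auth_success", "src": "203.0.113.7", "user": "jdoe", "host": "vpn-gw01"}
{"ts": "2024-03-04T08:15:00Z", "rule": "auth_failure", "src": "198.51.100.9", "user": "asmith", "host": "vpn-gw01"}
{"ts": "2024-03-04T09:02:11Z", "rule": "pua_installer", "src": "10.0.5.22", "user": "bwong", "host": "ws-bwong"}
{"ts": "2024-03-04T09:30:00Z", "rule": "new_admin_account", "src": "10.0.0.10", "user": "svc-backup", "host": "dc01"}
{"ts": "2024-03-04T09:31:00Z", "rule": "vuln_scan", "src": "10.0.0.50", "user": "-", "host": "dc01"}
"""

# Hypothetical context a real SOC would load from its asset inventory.
CROWN_JEWELS = {"dc01", "vpn-gw01"}          # assets where anything odd escalates
APPROVED_SCANNERS = {"10.0.0.50"}            # known-benign vulnerability scanner
BRUTE_FORCE_THRESHOLD = 3                    # failed logins that count as a burst
BRUTE_FORCE_WINDOW = timedelta(minutes=5)    # correlation window for the burst


def parse_alerts(text):
    """Parse JSON-lines alerts and return them sorted by timestamp."""
    alerts = []
    for line in text.strip().splitlines():
        alert = json.loads(line)
        alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ")
        alerts.append(alert)
    return sorted(alerts, key=lambda a: a["ts"])


def triage(alerts):
    """Apply Tier 1 rules to each alert in time order.

    Decisions: 'close' (benign or noise), 'ticket' (low priority, work it when
    time allows), 'escalate' (hand to Tier 2 incident response).
    Returns a list of (alert, decision, reason) tuples.
    """
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failed logins
    results = []
    for a in alerts:
        key = (a["src"], a["user"])
        rule = a["rule"]
        if rule == "vuln_scan" and a["src"] in APPROVED_SCANNERS:
            results.append((a, "close", "authorized scanner"))
        elif rule == "auth_failure":
            # Keep only failures inside the correlation window, then count them.
            failures[key] = [t for t in failures[key] + [a["ts"]]
                             if a["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(failures[key]) >= BRUTE_FORCE_THRESHOLD:
                results.append((a, "ticket", "possible brute force"))
            else:
                results.append((a, "close", "isolated failed login"))
        elif rule == "auth_success":
            # A success right after a burst of failures is the signal worth escalating.
            recent = [t for t in failures[key] if a["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                results.append((a, "escalate", "login succeeded after brute force"))
            else:
                results.append((a, "close", "normal login"))
        elif rule == "new_admin_account":
            if a["host"] in CROWN_JEWELS:
                results.append((a, "escalate", "privileged account on critical asset"))
            else:
                results.append((a, "ticket", "new admin account, verify with owner"))
        elif rule == "pua_installer":
            results.append((a, "ticket", "adware-bundled installer, clean and remind user"))
        else:
            results.append((a, "ticket", "unknown rule, analyst review"))
    return results


def summarize(results):
    """Count decisions, the figure a shift handover report usually carries."""
    return dict(Counter(decision for _, decision, _ in results))


if __name__ == "__main__":
    for alert, decision, reason in triage(parse_alerts(SAMPLE_ALERTS)):
        print(f"{alert['ts']:%H:%M:%S} {alert['rule']:<18} {decision:<9} {reason}")
    print(summarize(triage(parse_alerts(SAMPLE_ALERTS))))
```

The point of the correlation step is that none of the individual alerts is worth waking Tier 2 for; three failed VPN logins are noise on their own, and a successful login is what the VPN is for. It is the sequence, failures then success from the same source for the same user inside a few minutes, that turns a low-priority ticket into an escalation. The approved-scanner and crown-jewel lists show the other half of triage: the same rule firing on a domain controller and on a developer workstation should not get the same answer.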
To find out more about the day-to-day experience of being an SOC analyst, we talked to Tze Wang, a security analyst at Superior Energy Services, a company that provides specialized oilfield services and equipment to the oil and gas industry.
Wang is responsible for incident response, advanced endpoint detection/prevention, and conducting security awareness and training to spread security best practices throughout the organization.
When a cyber threat has been detected, I…
Respond according to established procedures. It involves determining the severity and impact of the threat and performing mitigation. Mitigation can be anything from just opening a ticket and clicking on a few buttons to locking down endpoints or even calling senior management in the middle of the night if it’s really bad.
During an important day/event, such as Black Friday or election day, I can be found…
Keeping my eyes open for topical scams and phishing attempts. Attackers will often attempt to use current events or existing circumstances to rope in unwitting victims. For example, there have been a number of phishing scams and malicious attacks mentioning COVID-19 treatments or vaccines in order to get people to open the email or click on a link, and tax season will see scammers trying to impersonate the IRS or other financial entities.
On a regular day, you will usually find me…
Watching for endpoint alerts through our various security tools and third-party SOC, responding to requests for security exceptions and troubleshooting, working tickets, updating documentation, and trying to keep up to date with new threats, vulnerabilities, and attacker TTPs. There are often meetings to attend and reports to write.
Here’s what a “slow” day looks like for me…
Nobody has clicked on a phishing email link (or at least not one that has been reported by our tools), there are no calls from the SOC, and threat activity is just simple stuff like users trying to install free stuff with bundled adware and such. I’ll use the downtime to clear out low-priority tickets and ongoing tasks, like evaluating new tools or checking up on security news.
The most exciting days on the job are when…
Everything is going wrong or something major happens, like a company-wide ransomware attack. When you work in cybersecurity, you don’t want excitement; part of your job is to try to prevent it.
My most interesting story from working on the job is…
I don’t have one particular story that stands out, but I always find it astounding how many people so brazenly use their work computers for personal, unauthorized activities while they’re in the office.
Is cybersecurity the right career for you?
According to Cybersecurity Ventures, the cybersecurity industry is expected to have 3.5 million high-paying, unfilled jobs this year. With Springboard’s comprehensive Cyber Security Career Track, you’ll work 1:1 with an industry mentor to learn key aspects of information technology, security software, security auditing, and finding and fixing malicious code. Learning units include subject-expert-approved resources, application-based mini-projects, hands-on labs, and career-search-related coursework.
The course will culminate in a multi-part capstone project that you can highlight on your resume for prospective employers or use to demonstrate your technical knowledge in your job interview. The learning materials will also help prepare you to pass the globally-recognized CompTIA Security+ certification so you stand out when applying for cybersecurity roles.
Learn more about Springboard’s Cyber Security Career Track here.