Security Operations Centre – part 4

Security Operations Centre

The human factor of SOCs

According to the definition of Security Operations Centre (SOC) we used in part 1 of these series, ‘SOC is a combination of people, processes and technologies (…)’.

How does a SOC’s team look like, what are the roles & responsibilities of its members, and what skills sets are required?

A full SOC structure will normally comprise of four tiers with the potential for additional layers as outlined below.

Tier 1 – Alert Investigator

The most junior position in the SOC hierarchy. Sometimes called the Alert Investigator or Triage Specialist.

Their role is to continuously monitor the system for alerts generated by tools such as SIEM to determine their relevancy and urgency and prioritise these alerts or issues. If deemed necessary, they will perform triage to confirm whether a real security incident is taking place and for alerts that signal a probable incident they create a trouble ticket for a Tier 2 review (Incident Response).

They are also responsible for managing and configuring the security monitoring tools.

The skills set for this role usually includes qualifications in the field of System Administration (Windows/macOS/Linux), knowledge of programming languages such as Python, Ruby, PHP, C, C#, Java, etc. As well as security skills certified with CISSP, GCIA, GCIH, etc

Tier 2 – Incident Responder

The security analyst of Tier 2 can be also referred to as Incident Responder.

They follow up on the alerts generated by the Tier 1 specialist by performing an in-depth analysis checking against available threat intelligence to establish the source of the attack (the threat actor), the nature of the attack, and the systems and the scope of the attack. Tier 2 also determines the incident containment strategy as well as the remediation and recovery strategy and implements it.

When it comes to the skills set, it will include all of that from Tier 1 enriched by experience in incident response. A natural ability to get to the root cause of the problem will also be helpful along with the knowledge of advanced forensics, malware assessment, and threat intelligence. A former white-hat hacker experience will also come in handy in this position.

Tier 3 – Threat Hunter

Sometimes referred to as Expert Security Analyst, Subject Matter Experts, or Threat Hunter.

The Threat Hunter conducts penetration tests and vulnerability assessments and assesses them alongside reviewing asset discovery data, alerts, industry news, threat intelligence, and security data. They actively work to identify threats that may have found their way into the network as well as unknown vulnerabilities and security gaps. In case of a major incident, they respond to it and contain it together with the Tier 2 analyst.

Alongside the experience required for Tier 1 and 2 roles, the Expert Security Analyst is familiar with cross-organisation data visualisation tools and penetration testing tools and has more experience in dealing with high-level incidents. They will also have experience in malware reverse engineering and in identifying and developing responses to novelty threats and attack patterns.

Tier 4 – SOC Manager

SOC Manager or the Chief Operating Officer for the SOC

The SOC Manager is responsible for all the activities of the SOC team including the hiring, training, and assessing the SOC staff; designs and oversees the implementation of the defensive and offensive SOC strategy; manages resources, priorities, the escalation process and projects as well as directly manages the SOC team when responding to business-critical security incidents; reviews incident reports; runs compliance reports and supports the audit process; develops and executes the crisis communication plan to the Chief Information Security Officer (CISO) and other stakeholders; runs compliance reports and supports the audit process.

In addition to the skills of the Tier 3 analyst, they have command over strong leadership and communication skills.

Security Engineer – Support and Infrastructure

The Security Engineer is responsible for the security architecture of the whole enterprise. They create solutions and tools that help the organisation deal effectively with the disruption of operations or a malicious attack. They don’t necessarily have to be organisationally part of the SOC but the matter they with is directly related to the SOC’s day-to-day operations.

Next week

Next week we will continue with Threat Inteligence

Do you require help with Managed Security for your solution on Amazon Web Services?

SEQRED offers AWS level 1 Managed Security Services. 

To discuss your requirements, contact SEQRED at [email protected].

About this guide

The idea for this article was inspired by an in-house presentation by Józef Sulwiński which you can watch here.

Other sources are a series of entries on SOC by AT&T accessible here as well as an article by Orion Cassetto from Exabeam available here.



Dodaj komentarz


Submit a Comment

Your email address will not be published. Required fields are marked *