Security Operations Centre – part 4
The human factor of SOCs
According to the definition of a Security Operations Centre (SOC) we used in part 1 of this series, ‘SOC is a combination of people, processes and technologies (…)’.
What does a SOC team look like, what are the roles and responsibilities of its members, and what skill sets are required?
A full SOC structure will normally comprise four tiers, with the potential for additional layers, as outlined below.
Tier 1 – Alert Investigator
The most junior position in the SOC hierarchy. Sometimes called the Alert Investigator or Triage Specialist.
Their role is to continuously monitor the alerts generated by tools such as the SIEM, determine their relevance and urgency, and prioritise them accordingly. Where necessary they perform triage to confirm whether a real security incident is taking place; for alerts that signal a probable incident they create a trouble ticket for Tier 2 review (Incident Response).
They are also responsible for managing and configuring the security monitoring tools.
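The Tier 1 workflow described above (monitor, judge relevance and urgency, prioritise, escalate probable incidents to Tier 2) can be written down as a small triage routine. The following is an added illustration, not code from the original post or from SEQRED; the alert feed, rule names, asset criticality lookup and escalation threshold are all constructed for the example.

```python
"""Alert triage and escalation helper (added example, not the post's own code).

Models the Tier 1 step: take alerts from a SIEM-like feed, drop the ones tuned out
as irrelevant, group repeats, score urgency, rank, and open a Tier 2 ticket for
the ones that look like a probable incident. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Severity weights and asset criticality are assumptions; a real SOC would pull
# asset criticality from its CMDB rather than a hard-coded table.
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_CRITICALITY = {"dc01": 3, "web01": 2, "laptop-17": 1}
ESCALATION_THRESHOLD = 6  # assumed: score at or above this goes to Tier 2


@dataclass
class Alert:
    alert_id: str
    rule: str
    host: str
    severity: str
    suppressed: bool = False  # e.g. a known false positive tuned out by Tier 1


@dataclass
class Ticket:
    ticket_id: str
    alert_ids: List[str]
    host: str
    rule: str
    score: int


def score_alert(alert: Alert) -> int:
    """Urgency = severity weight multiplied by the criticality of the affected asset."""
    return SEVERITY_SCORE[alert.severity] * ASSET_CRITICALITY.get(alert.host, 1)


def triage(alerts: List[Alert]) -> List[Ticket]:
    """Return Tier 2 tickets for the alert groups that meet the escalation threshold.

    Relevance: suppressed alerts are discarded. Repeats of the same rule on the same
    host are grouped so Tier 2 receives one ticket, not many. Urgency: each group takes
    the highest score among its alerts, groups are ranked by that score, and those at
    or above the threshold are escalated.
    """
    groups: Dict[Tuple[str, str], List[Alert]] = {}
    for a in alerts:
        if a.suppressed:
            continue
        groups.setdefault((a.rule, a.host), []).append(a)

    ranked = sorted(
        groups.items(),
        key=lambda kv: max(score_alert(a) for a in kv[1]),
        reverse=True,
    )
    tickets: List[Ticket] = []
    for (rule, host), grp in ranked:
        score = max(score_alert(a) for a in grp)
        if score >= ESCALATION_THRESHOLD:
            ticket_id = f"T2-{len(tickets) + 1:04d}"
            tickets.append(Ticket(ticket_id, [a.alert_id for a in grp], host, rule, score))
    return tickets


# Constructed sample feed: two repeats on a domain controller, a low-value scan,
# a suppressed false positive and a single high alert on a web server.
SAMPLE_ALERTS = [
    Alert("A1", "brute_force_login", "dc01", "high"),
    Alert("A2", "brute_force_login", "dc01", "high"),
    Alert("A3", "port_scan", "laptop-17", "medium"),
    Alert("A4", "malware_detected", "web01", "critical", suppressed=True),
    Alert("A5", "new_admin_account", "web01", "high"),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(f"{t.ticket_id}: {t.rule} on {t.host} (score {t.score}) <- {t.alert_ids}")
```

On the sample feed this opens two tickets: the grouped brute-force alerts on `dc01` (score 9) and the new admin account on `web01` (score 6); the port scan on a laptop stays in the queue and the suppressed alert never reaches Tier 2. The point of the design is that the threshold and the criticality table are the knobs Tier 1 tunes when it configures the monitoring tools, and that grouping is what keeps Tier 2 from drowning in duplicate tickets.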
The skill set for this role usually includes qualifications in system administration (Windows/macOS/Linux) and knowledge of programming languages such as Python, Ruby, PHP, C, C#, Java, etc., as well as security skills certified with CISSP, GCIA, GCIH, etc.
Tier 2 – Incident Responder
The security analyst of Tier 2 can also be referred to as the Incident Responder.
They follow up on the alerts escalated by the Tier 1 specialist by performing an in-depth analysis, checking against available threat intelligence to establish the source of the attack (the threat actor), the nature of the attack, the systems affected and the scope of the attack. Tier 2 also determines the incident containment strategy as well as the remediation and recovery strategy, and implements it.
The skill set includes everything required of Tier 1, enriched by experience in incident response. A natural ability to get to the root cause of a problem is helpful, along with knowledge of advanced forensics, malware assessment and threat intelligence. Prior white-hat hacking experience also comes in handy in this position.
Tier 3 – Threat Hunter
Sometimes referred to as Expert Security Analyst, Subject Matter Expert, or Threat Hunter.
The Threat Hunter conducts penetration tests and vulnerability assessments and reviews their results alongside asset discovery data, alerts, industry news, threat intelligence and other security data. They actively work to identify threats that may already have found their way into the network, as well as unknown vulnerabilities and security gaps. In case of a major incident, they respond to it and contain it together with the Tier 2 analyst.
Alongside the experience required for the Tier 1 and 2 roles, the Expert Security Analyst is familiar with cross-organisation data visualisation tools and penetration testing tools and has more experience in dealing with high-level incidents. They will also have experience in malware reverse engineering and in identifying and developing responses to novel threats and attack patterns.
Tier 4 – SOC Manager
SOC Manager or the Chief Operating Officer for the SOC
The SOC Manager is responsible for all the activities of the SOC team, including hiring, training and assessing the SOC staff. They design and oversee the implementation of the defensive and offensive SOC strategy; manage resources, priorities, the escalation process and projects; directly manage the SOC team when responding to business-critical security incidents; review incident reports; run compliance reports and support the audit process; and develop and execute the crisis communication plan towards the Chief Information Security Officer (CISO) and other stakeholders.
In addition to the skills of the Tier 3 analyst, they have strong leadership and communication skills.
Security Engineer – Support and Infrastructure
The Security Engineer is responsible for the security architecture of the whole enterprise. They create solutions and tools that help the organisation deal effectively with a disruption of operations or a malicious attack. They don’t necessarily have to be organisationally part of the SOC, but the matters they deal with are directly related to the SOC’s day-to-day operations.
Next week we will continue with Threat Intelligence.
Do you require help with Managed Security for your solution on Amazon Web Services?
SEQRED offers AWS level 1 Managed Security Services.
To discuss your requirements, contact SEQRED at firstname.lastname@example.org.