
A Day in The Life of A SOC Analyst

29.07.2021

The term “cyber security” is of paramount importance for nearly every organization that runs a dedicated information system infrastructure, and the related term “security operation center” has become an increasingly debated topic as more information and discussion about it accumulate each day.

The cyber security field depends on the integration of different technical teams. That is why, within an organization's information technology department, technical teams, security experts, analysts and others must work together and rely on each other. One of these core teams is the SOC team.

The SOC team consists of employees with various vital responsibilities, and its integral member is the SOC analyst. The role of the SOC analyst is, put simply, to handle the good, the bad and the ugly of analyzing and triaging incidents on the organization's existing information system infrastructure. So, let’s take a deeper look at a day in the life of a SOC analyst.

The responsibilities of a SOC analyst include:

Manage Alarm Notifications

SOC analysts often start their day with security alarms, and they review numerous alarms every day. These alarms are raised by security information and event management (SIEM) software and, where available, security orchestration, automation and response (SOAR) software. The software classifies alarms as anomalies, correlation-rule matches, or ordinary alarms. The SOC analyst looks into each incident, analyzes it and establishes the root cause, and must determine whether the alarm represents a real incident or a false positive. It should be kept in mind, however, that with so many alarms the SOC analyst is always at risk of missing an important incident among them.

Prevent Cyber Attacks

When abnormal activity in the network is detected, the SOC analyst immediately begins to investigate it and takes measures to prevent the threat to the network. These measures can include detecting advanced persistent threats or hidden malware in the network and removing them before damage occurs.

Of course, in order to detect such abnormal activity, the SOC analyst must have the tools and the skill to pick out the activities worth investigating from among numerous alarms. Once it is decided to explore an activity, the analyst has to determine which logs are required to build a timeline of the events leading up to the threat. This requires the analyst to know the network topology and to have sufficient experience in dealing with cyber threats.
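The alarm triage described under “Manage Alarm Notifications” and the log timeline described above, as an added example that is not part of the original article: a small correlation rule (repeated failed logins followed by a success from the same source) is run over constructed SSH auth events, each match is turned into an alarm with its event timeline, and a triage step marks matches from a hypothetical allowlisted vulnerability scanner as false positives. The log format, the thresholds and the scanner address are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed SSH auth events in a syslog-like key=value form (not from a real system).
SAMPLE_LOGS = """\
2021-07-29T08:00:01 host=web01 src=10.0.5.23 user=admin result=FAIL
2021-07-29T08:00:04 host=web01 src=10.0.5.23 user=admin result=FAIL
2021-07-29T08:00:07 host=web01 src=10.0.5.23 user=admin result=FAIL
2021-07-29T08:00:20 host=web01 src=10.0.5.23 user=admin result=SUCCESS
2021-07-29T08:30:00 host=db01 src=10.0.9.9 user=scan result=FAIL
2021-07-29T08:30:01 host=db01 src=10.0.9.9 user=scan result=FAIL
2021-07-29T08:30:02 host=db01 src=10.0.9.9 user=scan result=FAIL
2021-07-29T08:30:10 host=db01 src=10.0.9.9 user=scan result=SUCCESS
2021-07-29T09:00:00 host=web01 src=10.0.1.2 user=bob result=SUCCESS
"""
# Hypothetical allowlist: the vulnerability scanner that performs periodic authenticated scans.
SCANNER_ALLOWLIST = {"10.0.9.9"}
LINE_RE = re.compile(r"^(\S+) host=(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse(logs):
    """Turn raw lines into event dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, src, user, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "src": src, "user": user, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, min_fails=3, window=timedelta(minutes=5)):
    """Correlation rule: at least min_fails FAILs from one src to one host within
    `window` before a SUCCESS. Returns one alarm per match, with its event timeline."""
    alarms, per_pair = [], {}
    for e in events:
        per_pair.setdefault((e["src"], e["host"]), []).append(e)
    for (src, host), evs in per_pair.items():
        for i, e in enumerate(evs):
            if e["result"] != "SUCCESS":
                continue
            fails = [f for f in evs[:i] if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window]
            if len(fails) >= min_fails:
                alarms.append({"rule": "brute_force_then_success", "src": src,
                               "host": host, "timeline": fails + [e]})
    return alarms

def triage(alarm):
    """Analyst triage step: known scanner traffic is a false positive, anything else is escalated."""
    return "false_positive" if alarm["src"] in SCANNER_ALLOWLIST else "true_positive"

def run(logs=SAMPLE_LOGS):
    """One (src, host, verdict, timeline length) tuple per alarm."""
    return [(a["src"], a["host"], triage(a), len(a["timeline"])) for a in correlate(parse(logs))]
```

The timeline attached to each alarm is the ordered list of events the rule matched, which is the starting point for the log timeline the analyst builds before deciding whether to escalate.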

Incident Response

SOC analysts need to be able to secure the systems under attack as fast as possible by establishing the root cause and the stage the cyber incident has reached. In such a case, minimizing the impact of the attack by restricting activity on the network is of paramount importance. It also involves making important and precise decisions that reduce both the impact of the attack and the recovery time.

Threat Hunting

Finally, during an attack, SOC analysts should also proactively hunt for threats in the network. Threat hunting is conducted based on information from threat intelligence feeds, data sources that aggregate and constantly update information such as threat vectors, infected websites, recent cyber attacks, and so forth.

The role of a SOC analyst also varies with work experience. A SOC analyst's degree of expertise is expressed as a “Level”, and the specific responsibilities differ according to each tier.

Level 1

This is the most junior SOC analyst position. A Level 1 analyst is responsible for monitoring the information system infrastructure using SIEM and SOAR software and for performing the initial response to cyber incidents. Level 1 also needs to triage alarms and determine their severity. In addition, the analyst at this level performs periodic vulnerability scans on the network and writes evaluation reports on these scans.

Level 2

A SOC analyst at this level is responsible for the in-depth analysis of security incidents. Level 2 works in coordination with the threat intelligence team to understand the nature and scope of an attack. Moreover, the analyst at this level devises a solution to mitigate and remediate the attack.

Level 3

SOC analysts at Level 3 must be experienced analysts who use advanced tools, such as penetration testing tools, to understand and detect security vulnerabilities and flaws in the network. Additionally, this experienced analyst is responsible for threat hunting to detect potential threats present on the network.

Briefly, SOC analysts can be called the leading force in cyber networks, working tirelessly against malware and threats. In a business world where everyone has started to work from home, the number of cyber attacks increases day by day. In times like these, when cybersecurity needs cannot be ignored, SOC solutions that detect cyber threats are regarded as the cyber shield of an organization.
