How to become a professional SOC analyst

by Jones David

SOC analysts monitor and analyze activity on their clients’ (or their own organization’s) networks, servers, databases, web resources, and systems, looking for anomalous activity that may indicate a security breach. They work closely with the rest of the security operations center, whether in-house or an outsourced provider, to make sure that security issues are resolved quickly once they are discovered. This article walks through the role step by step.

The SOC definition

A SOC (security operations center) is the unit responsible for monitoring information security. Its main tasks are to implement measures for monitoring and responding to information security incidents.

Such incidents are identified by analyzing the various events generated by the systems of the corporate infrastructure:

  • information security systems;
  • information systems;
  • network equipment;
  • technological equipment;
  • user workstations;
  • servers, etc.

In large organizations tens or even hundreds of millions of events must be processed per day, so monitoring at that volume is impossible without automation. As a rule, SIEM-class systems form the core of the monitoring toolset.

Security information and event management (SIEM) is a centralized system for collecting, normalizing, correlating, and storing events. As UnderDefense explains, a SIEM lets you visualize the data, detect violations according to defined correlation rules, and notify the responsible personnel.
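As an added illustration of what a SIEM correlation rule does (this is example code, not code from the article or from UnderDefense), the Python script below takes a handful of constructed SSH authentication log lines, normalizes them into events, applies a sliding-window brute-force rule, and formats the notification an on-call analyst would receive. The log lines, the threshold and window values, and the rule names are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of syslog-style SSH authentication events (not real data):
# a password-guessing burst from 203.0.113.7 that ends in a successful login,
# plus two unrelated failures from 198.51.100.4 half an hour apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:05 sshd[1203]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:06 sshd[1204]: Failed password for admin from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:08 sshd[1205]: Failed password for alice from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:09 sshd[1206]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
2024-03-01T10:02:00 sshd[1207]: Failed password for bob from 198.51.100.4 port 40000 ssh2
2024-03-01T10:30:00 sshd[1208]: Failed password for bob from 198.51.100.4 port 40001 ssh2
2024-03-01T10:31:00 sshd[1209]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Normalize raw log lines into dicts; lines the pattern does not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production collector would count these as parse failures
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def _prune(queue, now, window):
    """Drop failure timestamps that have fallen outside the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def brute_force_rule(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule (assumed values): `threshold` failed logins from one source IP
    within `window` raise a medium alert; a subsequent success from that source while
    the window is still populated raises a high alert (possible compromised account)."""
    failures = defaultdict(deque)  # src IP -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        _prune(q, ev["ts"], window)
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:  # fires once, when the count reaches the threshold
                alerts.append({"rule": "ssh_brute_force", "severity": "medium",
                               "src": ev["src"], "ts": ev["ts"], "count": len(q)})
        elif len(q) >= threshold:
            alerts.append({"rule": "ssh_brute_force_success", "severity": "high",
                           "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


def format_notification(alert):
    """Text the responsible analyst receives; the transport (mail, chat, ticket) is out of scope."""
    who = f" user={alert['user']}" if "user" in alert else ""
    return f"[{alert['severity'].upper()}] {alert['rule']} src={alert['src']}{who} at {alert['ts'].isoformat()}"


if __name__ == "__main__":
    for a in brute_force_rule(parse_events(SAMPLE_LOG)):
        print(format_notification(a))
```

Run as-is, the script raises two alerts for 203.0.113.7 (the fifth failure within a minute, then the success for alice) and none for 198.51.100.4, whose two failures are 28 minutes apart and therefore never share a window. That second case is the point of the window: a raw count of failures per source would have treated both addresses alike.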

No set of protective controls repels 100% of possible attacks, so the security posture of the corporate network must be continuously monitored by qualified specialists.

The benefits of SOC

A SOC brings several benefits:

  1. Protection. Protection against intrusions regardless of their source, the time of day, or the type of attack.
  2. Detection and response. Timely detection of and response to security incidents.
  3. Continuous monitoring. Round-the-clock monitoring and analysis of activity in the protected systems.
  4. Budget saving. A SOC concentrates people, tooling, and processes in one place, which typically costs less than handling every incident ad hoc.

Who is a SOC analyst?

A SOC analyst is the person who analyzes events, identifies information security incidents, and responds to them.

There are two main scenarios for monitoring information security events: 

  1. Alerting. In alerting, the search for signs of attacks is driven by rules developed in advance. Detection itself is performed by security tools (for example an IDS/IPS) or by the SIEM. The output is an event about a possible IS incident with a certain degree of confidence (a suspected incident). It requires manual processing by the SOC analyst to confirm or dismiss it.
  2. Hunting. Hunting is the analysis of events to find atypical activity in the operation of particular information systems, in network traffic, and in the other data processed during monitoring. It is carried out mostly “manually” by experienced specialists. Its main goal is to find information security incidents that the current security tools cannot detect automatically.
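The difference between the two scenarios is easiest to see in code. Alerting is a predefined rule (a threshold or a signature); hunting starts from a question such as “which parent/child process pairs are rare across our fleet?” and leaves the verdict to the analyst. The script below is an added example, not code from the article, and uses constructed process-creation records (the host names, images, and command lines are invented) to stack process lineage by host prevalence, a standard hunting technique. The encoded command in the sample is just the string `$a=1`.

```python
from collections import defaultdict

# Constructed process-creation records in the shape an EDR or Sysmon feed provides
# (host, parent image, child image, command line). Not real telemetry.
HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05"]

EVENTS = []
for h in HOSTS:  # routine activity present on every workstation
    EVENTS += [
        {"host": h, "parent": "explorer.exe", "image": "outlook.exe", "cmdline": "outlook.exe"},
        {"host": h, "parent": "explorer.exe", "image": "winword.exe", "cmdline": "winword.exe /q"},
        {"host": h, "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    ]
EVENTS += [
    # An Office application spawning a scripting host with an encoded command: one host only.
    {"host": "ws02", "parent": "winword.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc JABhAD0AMQA="},
    # Rare but ordinary-looking administrative activity: also one host only.
    {"host": "ws04", "parent": "cmd.exe", "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
]


def stack(events, key):
    """Group events by key(event); record which hosts produced each value and a few sample command lines."""
    hosts_by_value = defaultdict(set)
    samples = defaultdict(list)
    for ev in events:
        k = key(ev)
        hosts_by_value[k].add(ev["host"])
        if len(samples[k]) < 3:
            samples[k].append(ev["cmdline"])
    return hosts_by_value, samples


def hunt_rare_lineage(events, max_hosts=1):
    """Return parent->child pairs seen on at most max_hosts distinct hosts, rarest first.
    Nothing here decides whether a pair is malicious; that is the analyst's job."""
    hosts_by_pair, samples = stack(events, key=lambda e: (e["parent"], e["image"]))
    total_hosts = len({e["host"] for e in events})
    findings = []
    for (parent, image), hosts in hosts_by_pair.items():
        if len(hosts) <= max_hosts:
            findings.append({
                "parent": parent,
                "image": image,
                "hosts": sorted(hosts),
                "prevalence": f"{len(hosts)}/{total_hosts} hosts",
                "samples": samples[(parent, image)],
            })
    findings.sort(key=lambda f: (len(f["hosts"]), f["parent"], f["image"]))
    return findings


def suspicious_tokens(cmdline):
    """Cheap triage aid: switches commonly used to hide or obfuscate PowerShell execution."""
    markers = ("-enc", "-w hidden", "-nop", "downloadstring", "iex")
    low = cmdline.lower()
    return [m for m in markers if m in low]


if __name__ == "__main__":
    for f in hunt_rare_lineage(EVENTS):
        flags = sorted({t for s in f["samples"] for t in suspicious_tokens(s)})
        print(f"{f['parent']} -> {f['image']}  seen on {f['prevalence']}  "
              f"hosts={f['hosts']}  flags={flags}")
```

Both rare pairs surface: `cmd.exe -> ipconfig.exe` on ws04 and `winword.exe -> powershell.exe` on ws02. The code cannot tell them apart beyond the token hints; an experienced analyst recognizes the first as routine troubleshooting and the second as something to investigate, and that judgment is exactly the manual work the hunting scenario relies on. Prevalence output is a starting point for questions, not a verdict.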

When an IS incident is detected, the analyst classifies it and registers it in the incident tracking system.

The response process generally aims to:

  • confirm or dismiss the fact of an information security incident;
  • apply containment measures: disconnecting hosts from the network, restricting the attacker’s access to systems, and so on;
  • collect detailed information about the incident and identify all of its sources and targets;
  • eliminate the cause of the incident;
  • determine the degree of impact of the incident on the affected business processes;
  • draw up a report on the incident;
  • compile a list of recommendations to prevent such incidents in the future and take part in implementing them.

It is important to note that the SOC’s authority is never absolute and should not be, even where the SOC has “full authority” within some area of its activity. The SOC’s formal authority extends only up to a certain limit; beyond it, the SOC should rely on influence rather than demands, and must listen to the owners of the protected information systems and to the data custodians.

Skills of a SOC analyst

What knowledge and skills does a SOC analyst need to perform the job? First, knowledge of information security regulations, together with the general principles and methods of protection against current types of threats, is needed to identify risks and make decisions when analyzing suspected incidents.

Second, knowledge of the various attack vectors and of the principles by which they are detected. Practical penetration-testing experience is a clear advantage.

Third, an understanding of how the many information security systems work and what they are technically capable of.

All incidents are in one way or another related to violations in the operation of the corporate network or information systems, so a broad base of knowledge is required:

  1. How computer networks operate.
  2. The OSI model and the core TCP/IP protocols.
  3. How client-server applications work.
  4. Operating system administration.
  5. Active Directory domain management.

Programming skills often help with data analysis: they make it possible to automate routine operations and develop algorithmic thinking.

As a rule, the main candidates for a SOC analyst position are graduates of specialized universities and specialists with experience in various areas of IT and information security. Because of the general shortage of specialists in the information security industry, finding an experienced analyst is extremely difficult.

The main selection criteria are experience and knowledge. To develop practical skills, it is enough to be interested in the subject and build up your skills gradually.

How to become a SOC analyst

The rapid evolution of offensive tactics and tools demands continuous training of SOC specialists at every stage of the career ladder; knowledge must be updated constantly.

Self-education is best started with corporate networks, using simulation environments that let you try out various operational scenarios. Organizations typically run Windows and Linux operating systems, so you need to keep your knowledge of how to administer and manage them current. You can find out more by contacting UnderDefense.

Wrapping it up

Building your own SOC (Security Operations Center, a center for monitoring and promptly responding to information security incidents) is a large-scale project for any organization. The initial planning stage is the foundation on which the whole mechanism for identifying and responding to information security incidents will work.

Drawing on the practical experience of building our commercial SOC (Angara Cyber Resilience Center, ACRC) and SOCs for our customers, as well as on international methodologies and practices, we will talk about the first critical steps to take at the start of a SOC-building project.
