What is a SOC analyst?
A SOC analyst is a cybersecurity professional who works as part of a team to monitor and fight threats to an organization’s IT infrastructure, and to assess security systems and measures for weaknesses and possible improvements. The SOC in the job title stands for security operations center; this is the name for the team, which consists of multiple analysts and other security pros, and often works together in a single physical location. A SOC may be an internal team serving a single enterprise or an outsourced service providing security for one or more external clients.
SOC analyst is a job title held by infosec newbies and more experienced pros alike. The job can be a great stepping stone into a cybersecurity career, but it’s also a demanding and somewhat repetitive job that can cause burnout. Let’s take a close look at what the job entails and the skills you need to succeed.
SOC analyst job description
Perhaps the best way to understand what a SOC analyst does is to ask one! SOC analyst Molly Webber recently gave an interview to the Center for Internet Security in which she describes her day:
I assist state, local, tribal, and territorial (SLTT) governments in monitoring their networks for malicious activity. The job requires great attention to detail and a general awareness for all things cyber. We look at IDS (Intrusion Detection System) alerts, suspicious emails, network logs, and any other resource that provides insight into an entity’s network activity. Analysts are expected to be able to read, understand, and notify on cyber trends. It’s critical that we have basic knowledge in areas like networking, malware analysis, incident response, and cyber etiquette.
The Prelude Institute describes SOC analysts as “watchdogs and security advisors,” which is a good way to capture their dual roles: they both keep an eye out for attacks in progress and try to figure out ways to beef up defenses to prevent or mitigate future attacks. To that end, they need to install security tools, investigate the suspicious activities those tools detect, support audit and compliance initiatives, and participate in developing security strategies.
That said, the task that can dominate the job, particularly at the entry level, is dealing with alerts thrown up by users and various security software, which in practice can mean wading through a lot of false positives. Kelly Jackson Higgins, writing in Dark Reading, describes the job as “one of the least glamorous and most tedious information security gigs: sitting all day in front of a computer screen, manually clicking through the thousands of raw alerts generated by firewalls, IDS/IPS, SIEM, and endpoint protection tools, and either ignoring or escalating them,” while enduring the “constant, gnawing fear of mistakenly dismissing that one alert tied to an actual attack.” That sounds like a grind, but there’s good news: she’s describing the life of a Tier 1 SOC Analyst, and you probably won’t stay at that level forever.
SOC analyst career path
The first step on this career path comes before you even get a job as a SOC analyst. The prerequisites aren’t that different from any of the many other beginning security jobs that have “analyst” in the title. The key thing to remember is that, as Jonathan Gonzalez, Lead Member of Technical Staff at AT&T says in this interview, “There’s no such thing as an entry-level job in cybersecurity.” Most people work for at least a year or two in networking or some similar IT discipline before moving over to a security job.
That said, it’s not unusual for a Tier 1 SOC Analyst gig to be your first stop in the journey of your cybersecurity career. While every employer will attach a slightly different set of duties to any given job title, in general there are three tiers of SOC analyst jobs. The EC-Council’s blog has a detailed breakdown of the differences among those tiers, but to sum up:
- Tier 1 SOC analysts are triage specialists who monitor, manage, and configure security tools, review incidents to assess their urgency, and escalate incidents if necessary.
- Tier 2 SOC analysts are incident responders, remediating serious attacks escalated from Tier 1, assessing the scope of the attack and affected systems, and collecting data for further analysis.
- Tier 3 SOC analysts are threat hunters, working proactively to seek out weaknesses and stealthy attackers, conducting penetration tests, and reviewing vulnerability assessments. Some Tier 3 analysts focus more on doing deep dives into datasets to understand what’s happening during and after attacks.
And these tiers aren’t the only jobs within a SOC. There are also SOC engineers, who are responsible for building and maintaining the systems that the analysts use, and at the top of the heap are SOC managers, who oversee the entire operation. Either of these roles is a potential place for SOC analysts to “graduate” to.
Beyond that, once you’ve honed your skills within a SOC, there are a number of other career possibilities for you. A post on the Microsoft Security blog discusses these issues in some depth, explaining that an analyst’s post-SOC career could end up in “incident response, program management, security product engineering, or leadership tracks.”
SOC analyst skills
The EC-Council describes the top-level skills a SOC analyst needs as follows:
- Network defense
- Ethical hacking
- Incident response
- Computer forensics
- Reverse engineering
But what are the specific technical skills required? The EC-Council’s breakdown of different analyst tiers we referenced above has some details: SOC analysts need to have an understanding of common security tools like intrusion detection systems and SIEM software. They’ll need to have sysadmin skills on Windows, Macs, and Linux/Unix platforms. Upper-tier analysts will also need to know how to use penetration testing tools.
Much of the job of a SOC analyst revolves around digging into system logs to try to trace attacks and determine when and how systems were compromised. Since manually scrolling through logs is slow and will quickly drive an analyst mad, SOC analysts need skills to automate these kinds of tasks and extract useful data from logs. Tier 1 analysts will need to know how to write scripts that can find key patterns in large text files like system logs, whereas upper-level analysts will need to understand how data visualization tools can provide insights. Some programming knowledge is therefore a must.
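As an added example (not code from the article), here is the kind of small Python script a Tier 1 analyst might write to pull one key pattern out of an SSH auth log: it counts failed logins per source address, flags sources that cross a threshold, and marks for escalation any source that succeeds after repeated failures. The log lines are constructed for the example and the threshold is an assumed tuning value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines in syslog style (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:12 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:14 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:15 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:17 bastion sshd[2105]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2
Mar  3 10:01:19 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  3 10:01:22 bastion sshd[2109]: Failed password for alice from 198.51.100.4 port 60010 ssh2
Mar  3 10:01:30 bastion sshd[2111]: Accepted password for root from 203.0.113.7 port 51250 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")

def summarize_auth_log(text, threshold=3):
    """Count failed logins per source IP, flag sources at or above the
    threshold, and record any success that follows repeated failures
    (the failure-then-success sequence is the one worth escalating)."""
    failures = Counter()
    users_tried = defaultdict(set)
    successes_after_failures = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and failures[m["ip"]] >= threshold:
            successes_after_failures.append((m["ip"], m["user"]))
    suspicious = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "failures": dict(failures),
        "suspicious": suspicious,
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "escalate": successes_after_failures,
    }

if __name__ == "__main__":
    report = summarize_auth_log(SAMPLE_LOG)
    for ip, n in report["suspicious"].items():
        print(f"{ip}: {n} failed logins, users tried {report['users_tried'][ip]}")
    for ip, user in report["escalate"]:
        print(f"ESCALATE: {ip} logged in as {user} after repeated failures")
```

On a real system the same function can be fed the contents of the auth log file instead of the sample string; the threshold should be tuned to the environment's normal failure rate.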
SOC analyst certification and training
We’ve established that on-the-job experience from within IT is what you most need to get a SOC analyst job. But there are certifications out there that can signal your knowledge base to potential employers, and plenty of online education and training resources you can use to study up for them. In IDG Insider’s Guide To Top Security Certifications, Neal Weinberg recommends Cisco Certified CyberOps Associate, a cert “designed for people who work as analysts in SOCs in large companies and organizations”; he says it “provides practical, relevant, and job-ready certification curricula aligned closely with specific, real-world tasks needed as an associate-level SOC professional.” (The certification was formerly known as “Cisco CCNA Cyber Ops.”) You can get training for the certification from the Cisco Learning Network.
The EC-Council has a cert of its own in this field — Certified SOC Analyst (CSA) — and also offers an iClass to help prepare you for it. A variety of other boot camps and training programs from third parties are also available, including from Training Camp and InfoSecTrain.
But SOC-specific certs aren’t the only way to prove your worth: after all, SOC analysts mainly need to demonstrate the standard set of security skills, and there are plenty of certs to help you do so. In a Reddit thread where SOC pros chimed in on what certs were most helpful, CompTIA Security+ was one of the most frequently cited, as was the EC-Council’s Certified Ethical Hacker.
SOC analyst interview questions
You can find endless lists of interview questions online for cybersecurity jobs, most of which rehash the basic factual areas you’ll have to master in order to impress an interviewer. This article on Cybrary has a decent explanation of what you should expect in a SOC analyst interview in particular, and, even better, some background on why certain questions will be asked and how you should respond beyond just regurgitating content. Our favorite piece of advice: “Competent analysts don’t use buzzwords. They demonstrate an in-depth understanding of each step, each mechanism and object as well as the authentication framework.”
There are also two great Reddit threads (here and here) in which several hiring managers at SOCs chime in to talk about what sort of things they ask in an interview, and what the answers tell them about the job candidate.
SOC analyst jobs and SOC analyst salary
Has all this piqued your interest in working as a SOC analyst? Jobs are out there, and salaries are decent, though they do reflect the fact that SOC analysts are often in an entry-level position. It can be difficult to parse out SOC analyst salaries from the aggregated data on security analysts generally, but as of March 2020 Glassdoor estimated the average base pay at around $71,000 a year, with a range between $50,000 and $97,000. Good luck getting ready for that job, and we wish you the best in your fight against cyberfoes on the front lines!
Copyright © 2020 IDG Communications, Inc.