In a security operations center (SOC), your cybersecurity tools are only as good as the people using them and your SOC’s culture. What are the critical SOC roles? What qualities should you look for when hiring for them? And what should you expect from a cybersecurity career?
Drawing from my experience working in IBM Security’s Managed Security Services SOC, here are some insights on how SOCs around the world should staff and organize based on their needs.
Key Roles in a SOC
Making sure you have the right people in the right roles is crucial for the success of a modern-day SOC. The main roles found within a company’s SOC depend on the program’s maturity, company size and budget.
At IBM, I work with clients who have one or two security people who wear many hats within the organization. I also work with mature SOCs who have their own 24/7 operations and highly specific roles.
But most of my clients are somewhere in the middle. They have full-time employees for some roles and supplement with service providers for others, such as to achieve 24/7 “eyes on glass” or for incident responders who can be kept “on retainer.”
In general, roles are centered around six key SOC functions: investigation and analysis; operations and maintenance; engineering and architecture; protection and defense; threat intelligence; and oversight and governance.
Investigation and Analysis
These roles respond to a trigger, such as an alert or suspicious event. They can be separated by technology, such as host-based or network-based, or tiered by skill and scope, such as “Tier 1” and “Tier 2.” They include:
- Security analyst
- Incident responder
- Incident manager
Operations and Maintenance
These roles are key to the day-to-day management of tools. Typical responsibilities include managing device health, troubleshooting, version management and policy management. They include:
- Device administrator (firewall, intrusion prevention system, endpoint agent, etc.)
- Security engineer
Engineering and Architecture
Architecture and engineering roles are key to advancing and improving your security operations. They can be correlation engineers responsible for writing new use cases and collecting and operating new logs. They can also be developers who write custom tools or integration architects who help recommend and implement new tools. These roles include:
- Security architect
- Security engineer
Protection and Defense
Roles in this category tend to be proactive in nature, helping to identify security gaps and improve security posture before a threat actor has the opportunity to exploit them. They include:
- Threat hunters
- Vulnerability manager
- Penetration tester
Threat Intelligence
In some SOCs, threat intelligence is a distinct function; in others, it is combined with other roles. Intelligence analysts are responsible for tracking the threat landscape, including actors and campaigns that may target the organization. In most cases, intelligence analysts work closely with engineers and architects to ensure the right detection tools are in place proactively. These roles include:
- Threat intelligence analyst
- Threat research analyst
Oversight and Governance
These roles can include management positions to help drive strategy, manage security budgets and maintain compliance. They include:
- Compliance officer
- Security awareness and training professional
- SOC manager
- Chief information security officer
Changes to SOC Roles
The cybersecurity industry has evolved, and the roles needed within the SOC have changed. We’re in the middle of a transition period where SOCs everywhere are seeking to move from a reactive, alert-driven approach to a proactive, “smart” approach — a step closer toward “SOC 2.0.”
Alert fatigue is also a real driver among SOC employees. It contributes to chronic staffing and retention challenges, as well as hiring shortages. Time and time again, SOCs get stuck in a hire-train-replace cycle, constantly churning through analysts as they move on to bigger and better career options. It’s a cycle that can’t continue.
As a result, more and more companies are seeking to identify and automate routine tasks. SOAR (Security Orchestration, Automation and Response) platforms are becoming more popular, and many companies are introducing elements of machine learning for initial alert triage.
While automation takes over most of the previous “Level 1” analyst work, the remaining alerts will require in-depth analytical skills. This, in turn, leads to increasing specialization of roles within the SOC and drives demand for higher-value skills, introducing new opportunities for employee career growth and simultaneously contributing to overall SOC maturity.
Hiring for the SOC 2.0
As a hiring manager, I often look more for personality traits than skills, because skills can be taught. For example, when hiring analysts, I look for passionate and motivated individuals, who have an innate curiosity. This is more important to me than in-depth experience with a particular tool or platform, as it shows me that they will excel at analysis and investigations, regardless of the tool. I love tinkerers and experimenters — bonus points if they’ve set up a home lab for testing and playing with malware.
For more senior roles, I look for employees who have experience in and understand best-practice methodologies. If you want to be an intel analyst, for example, learn the intelligence lifecycle. Study industry frameworks, such as MITRE ATT&CK, so you can understand adversary tactics, techniques and procedures. Strive for highly technical certifications, such as the Offensive Security Certified Professional or GIAC Certified Incident Handler.
At the more senior levels, specialization is key. You should also be able to interact and communicate effectively with other stakeholders. Generally, the more senior the role, the more frequent the customer interaction. Technical skill is a must, but team members must also be able to convey complex security information to clients in a way that makes sense and allows them to make the best decisions on how to use their limited resources to maximize their security posture.
Real-World Example: Maze Ransomware
Ultimately, the goal of any SOC is to detect, analyze and respond to security threats. Regardless of role, everyone in a SOC has this key goal in mind at all times, so the environment must be highly collaborative.
This really starts to come to life when you look at recent threats our SOC has handled. One such example is the Maze ransomware. After responding to several engagements, our X-Force Incident Response Team started to learn about the ways the Maze actors exfiltrated data, deleted backups, encrypted files and held the exfiltrated data for ransom. The group would post some of the stolen data on their “Wall of Shame” to scare victims into paying.
As our incident response team saw more of this activity, our intelligence team learned more about the threat actors. They then passed their findings to our threat hunters, who started hunting proactively, and to our correlation engineers, who pushed out new detection tools, which then fed into our “eyes-on-glass” monitoring teams. It’s the cyber threat circle of life.