SOC Analyst Fundamentals

What is a SOC?

A Security Operations Center (SOC) is the team, and usually the facility, in which an information security team continuously monitors and analyses the security posture of an organisation. Its main purpose is to detect, analyse and respond to security incidents.

SOC Models

In-house SOC The enterprise builds and staffs its own security operations team. Firms considering an internal SOC should have a budget that can sustain it over the long term (24/7 staffing, tooling and training), not just cover the initial build.

Virtual SOC The security team has no dedicated facility; its members work remotely from different locations and collaborate through shared tooling.

Co-Managed SOC Internal SOC personnel work together with an external Managed Security Service Provider (MSSP). A clear division of responsibilities and close coordination between the two teams is essential in this model.

Command SOC A senior group that oversees several smaller SOCs across a large region. Organisations using this model include major telecom providers and defence agencies.

What are the responsibilities of a SOC Analyst?

A SOC Analyst is the first person to analyse a potential threat. They examine the alerts raised by the SIEM and determine which ones are real threats (true positives) and which are false positives. When the situation requires it, for example a confirmed compromise, they escalate the incident to more senior analysts or the incident response team.

Security Information and Event Management (SIEM)

A Security Information and Event Management (SIEM) system collects logs and events from many sources in an environment in near real time, normalises them into a common format, and stores them in one place. Its purpose is to make security threats detectable: it can filter and search the data, correlate events from different sources, and create alerts for suspicious activity.
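The correlation step is easiest to understand from a small rule. The following is an added example and not code from the original page or from any SIEM product: it parses constructed sshd-style log lines (the format, hosts and addresses are made up for the example) into normalised events and runs a brute-force rule over them, which is the kind of logic a SIEM evaluates to produce the alerts an analyst triages.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in a simple
# "<ISO timestamp> <host> sshd: <message>" layout that mimics OpenSSH auth logging.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 srv1 sshd: Failed password for invalid user admin from 203.0.113.5 port 4411
2024-03-01T10:00:04 srv1 sshd: Failed password for root from 203.0.113.5 port 4412
2024-03-01T10:00:07 srv1 sshd: Failed password for root from 203.0.113.5 port 4413
2024-03-01T10:00:09 srv1 sshd: Failed password for root from 203.0.113.5 port 4414
2024-03-01T10:00:12 srv1 sshd: Failed password for root from 203.0.113.5 port 4415
2024-03-01T10:00:20 srv1 sshd: Accepted password for root from 203.0.113.5 port 4416
2024-03-01T10:05:00 srv1 sshd: Failed password for alice from 198.51.100.7 port 5000
2024-03-01T10:30:00 srv1 sshd: Failed password for alice from 198.51.100.7 port 5001
2024-03-01T10:31:00 srv1 sshd: Accepted password for alice from 198.51.100.7 port 5002
2024-03-01T10:32:00 srv1 cron: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)

def parse(text):
    """Normalise raw lines into event dicts (the SIEM's parsing/normalisation stage).
    Lines that do not match are skipped here; a real SIEM keeps them so that parse
    failures do not silently create blind spots."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Correlation rule: at least `threshold` failed logins from one source IP
    inside `window`. A successful login from that IP after the burst raises the
    severity, because a brute force that succeeded is an incident, not noise."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(failures)):          # sliding window over the failures
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                success = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs)
                alerts.append({
                    "rule": "ssh_brute_force", "src": src,
                    "failures": end - start + 1,
                    "users": sorted({e["user"] for e in failures[start:end + 1]}),
                    "severity": "high" if success else "medium",
                    "detail": ("failed burst followed by successful login" if success
                               else "failed burst, no success seen"),
                })
                break                                 # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for a in brute_force_alerts(parse(SAMPLE_LOGS)):
        print(a)
```

Running it raises a single high-severity alert for 203.0.113.5 (five failures in eleven seconds followed by an accepted login) and nothing for 198.51.100.7, whose two failures half an hour apart look like a user mistyping a password. The threshold and window are the knobs an analyst tunes to trade false positives against missed attacks.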

Log Management

Log management is a solution that collects the logs from an environment and makes them searchable from one place. Without a single point of access, an analyst has to hunt through each system separately, which takes longer and increases the chance that relevant evidence is missed.

Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) combines real-time, continuous monitoring and collection of endpoint data (process creation, file and registry changes, network connections) with rules-based detection, analysis and automated response capabilities such as isolating a host. Some popular EDR solutions are CarbonBlack, SentinelOne and FireEye HX.

Security Orchestration Automation and Response (SOAR)

Security Orchestration, Automation and Response (SOAR) allows the security products and tools in an environment to work together through automated playbooks. For example, when the SIEM raises an alert, a playbook can automatically look up the source IP on VirusTotal and attach the result to the alert, reducing the manual enrichment work a SOC analyst would otherwise do.

Some common SOAR products are Splunk Phantom, IBM Resilient, Logsign and Demisto.

Threat Intelligence Feed

A Threat Intelligence Feed is a stream of indicators of known malicious activity (such as malware hashes, C2 (Command and Control) domains and IP addresses, etc.) provided by a third-party company or community.

As a SOC analyst, you search threat intelligence feeds to determine whether the file hash at hand has been seen in a malicious scenario before. A match is strong evidence; the absence of a match only means the indicator is not yet known, not that the file is safe.
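The SOAR enrichment described above and the threat-intelligence lookup in this section are the same playbook step. The following is an added example, not code from the original page or from any SOAR or threat-intelligence vendor: it ingests a constructed CSV feed (the columns, indicators and confidence scores are assumptions made up for the example; the "malicious" sample is just a byte string whose hash is computed locally), then enriches a SIEM alert by looking up its IP addresses and file hashes and recommending an action for the analyst. VirusTotal is replaced by this offline feed so the example runs without network access.

```python
import csv
import hashlib
import io

# Constructed "malicious" sample: plain bytes used only so that the feed contains a
# hash we can reproduce locally. It is not real malware.
SAMPLE_DROPPER = b"constructed sample file, not real malware\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DROPPER).hexdigest()

# Constructed threat-intelligence feed (not a real vendor feed). Real feeds arrive as
# STIX/TAXII, CSV or JSON; the columns here are an assumption for the example.
TI_FEED_CSV = f"""\
type,value,threat,confidence
ip,203.0.113.5,SSH brute-force scanner,80
domain,update-check.example.net,C2 domain,95
sha256,{SAMPLE_SHA256},Dropper,95
ip,198.51.100.7,Tor exit node,40
"""

def load_feed(csv_text):
    """Index indicators by (type, normalised value) so each lookup is O(1)."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["type"].strip().lower(), row["value"].strip().lower())
        index[key] = {"threat": row["threat"], "confidence": int(row["confidence"])}
    return index

def hash_type(digest):
    """Infer the hash algorithm from the hex length; None if it is not a known size."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))

def file_sha256(data):
    """The 'hash at hand': what an analyst computes for a suspicious file."""
    return hashlib.sha256(data).hexdigest()

def enrich_alert(alert, feed):
    """SOAR-style playbook step: look up every observable from the SIEM alert in the
    feed, attach what is known about it, and recommend an action for the analyst."""
    hits = []
    for ip in alert.get("ips", []):
        match = feed.get(("ip", ip.strip()))
        if match:
            hits.append({"observable": ip, **match})
    for digest in alert.get("hashes", []):
        digest = digest.strip().lower()   # feeds use lowercase hex; alerts may not
        kind = hash_type(digest)
        if kind is None:
            continue                      # malformed hash; a real playbook would flag it
        match = feed.get((kind, digest))
        if match:
            hits.append({"observable": digest, **match})

    top = max((h["confidence"] for h in hits), default=0)
    if top >= 90:
        action = "escalate"
    elif top > 0:
        action = "investigate"
    else:
        action = "no_match"   # not the same as benign: the feed only knows past indicators
    return {"alert_id": alert["id"], "hits": hits, "max_confidence": top, "action": action}

if __name__ == "__main__":
    feed = load_feed(TI_FEED_CSV)
    alert = {"id": "SIEM-1001", "ips": ["203.0.113.5"], "hashes": [SAMPLE_SHA256.upper()]}
    print(enrich_alert(alert, feed))
```

The hash is normalised to lowercase before the lookup because a case mismatch between the alert and the feed is a common way for a real indicator to be missed, and the action for an alert with no hits is deliberately "no_match" rather than "close": a feed can only confirm what is already known to be bad.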