Security Operations Center Roles and Responsibilities

Published
May 14, 2019

Author
Orion Cassetto

Learn about the main roles in a SOC team, the difference between a SOC team and a CSIRT, and best practices for building winning SOC teams.

What is a SOC Team?

A security operations center (SOC) continuously monitors and analyzes an organization's security posture: its networks, systems, and the security controls that protect them. It also defends against security breaches and actively isolates and mitigates security risks.

A SOC team comprises the following key roles:

  • Security analyst—responsible for triage, detection, and investigation of potential security threats, and for handling them. Also implements security measures and is involved in disaster recovery planning.
  • Security engineer—in charge of maintaining and updating tools and systems; usually a software or hardware specialist. Also responsible for any documentation other team members might need, such as protocols and runbooks.
  • SOC manager—directs SOC operations and leads the SOC team. Responsible for coordination between analysts and engineers, hiring, training, and security strategy. Directs and orchestrates the response to major security threats.
  • Chief information security officer (CISO)—establishes security-related strategies, policies, and operations. Works closely with the CEO, and informs and reports to management on security issues.
  • Director of incident response—in large companies, manages incidents as they occur and communicates security requirements to the organization in the case of a significant breach.

SOC Roles and Responsibilities

SOC analysts are organized in four tiers. Initially, SIEM alerts flow to Tier 1 analysts who monitor, prioritize and investigate them. Real threats are passed to a Tier 2 analyst, with deeper security experience, who conducts further analysis and decides on a strategy for containment. 

Critical breaches are moved up to a Tier 3 senior analyst, who manages the incident, and is responsible for actively hunting for threats on an ongoing basis. The Tier 4 analyst is the SOC manager, in charge of recruitment, strategy, priorities and the direct management of SOC staff when major security incidents occur. 

SOC Team Roles and Responsibilities Explained

The following describes each SOC role in more detail: the role and its common title, typical qualifications, and duties.

Tier 1 Analyst (Alert Investigator)
  Qualifications: System administration skills; programming and scripting languages such as Python, Ruby or PHP; security certifications such as CISSP or SANS SEC401.
  Duties: Monitors SIEM alerts; manages and configures security monitoring tools. Prioritizes alerts or issues and performs triage to confirm whether a real security incident is taking place.

Tier 2 Analyst (Incident Responder)
  Qualifications: Similar to a Tier 1 analyst but with more experience, including incident response. Advanced forensics, malware assessment, threat intelligence. White-hat hacker certification or training is a major advantage.
  Duties: Receives incidents and performs deep analysis; correlates with threat intelligence to identify the threat actor, the nature of the attack, and the systems or data affected. Decides on a strategy for containment, remediation and recovery, and acts on it.

Tier 3 Analyst (Subject Matter Expert / Threat Hunter)
  Qualifications: Similar to a Tier 2 analyst but with even more experience, including high-level incidents. Experience with penetration testing tools and cross-organization data visualization. Malware reverse engineering; experience identifying and developing responses to new threats and attack patterns.
  Duties: Day to day, conducts vulnerability assessments and penetration tests, and reviews alerts, industry news, threat intelligence and security data. Actively hunts for threats that have found their way into the network, as well as for unknown vulnerabilities and security gaps. When a major incident occurs, joins the Tier 2 analyst in responding to and containing it.

Tier 4 SOC Manager (Commander)
  Qualifications: Similar to a Tier 3 analyst, plus project management skills, incident response management training, and strong communication skills.
  Duties: Like the commander of a military unit, responsible for hiring and training SOC staff; in charge of defensive and offensive strategy; manages resources, priorities and projects; and manages the team directly when responding to business-critical security incidents. Acts as the point of contact for the business for security incidents, compliance and other security

Security Engineer (Support and Infrastructure)
  Qualifications: Degree in computer science, computer engineering or information assurance, typically combined with certifications such as CISSP.
  Duties: A software or hardware specialist who focuses on the security aspects of information system design. Creates solutions and tools that help the organization deal robustly with disruption of operations or malicious attack. Sometimes employed within the SOC, and sometimes supports the SOC as part of the development or operations teams.

SOC Team vs. CSIRT – What is the Difference?

A computer security incident response team or CSIRT, also called CERT or CIRT, is responsible for receiving, analyzing, and responding to security incidents. CSIRTs can work under SOCs or can stand alone.

What makes a CSIRT different from a SOC? The core function of a CSIRT is to minimize and manage the damage caused by an incident, but it does not deal only with the attack itself: it also communicates with clients, executives, and the board.

How to determine whether you need a SOC team, a CSIRT team, or both

The case for a single entity

Often a single entity that unites the SOC and CSIRT is desirable. Why? Because the distinction between detection and response is not clear cut, and may even become irrelevant. For example, threat hunting is used to identify threats, but also operates as a method of response.

Both SOC teams and CSIRT teams use security orchestration, automation and response (SOAR) tools, which could indicate that these teams need to be merged, as it is hard to decide who owns the tool and is accountable for its evolution. Threat intelligence (TI) related activities also provide a case for a single entity. A single TI consumption position can offer insights into identification and response methods.

Another reason to unite these groups is related to managing the workforce. One problem with SOCs is that it is difficult to keep “level 1” analysts motivated, particularly when they work weekends and night shifts. By bringing IR and threat hunting together you create the option for job rotation.

The case for separate entities

Some industry experts argue that keeping SOC teams and CSIRT teams separate lets them concentrate on their core objectives, namely detection vs. response. Also, occasionally multiple SOCs are required (because of multiple regional offices or subsidiaries), yet organizations wish to keep incident response centralized because of the sensitivity of investigation results.

Strategic plans for outsourcing may demand the separation of these two functions. Today, this may not be an issue as many SOCs operate as hybrid organizations. Keeping SOC and CSIRT separate, however, may help an organization clearly define the responsibilities of a partner.

Best Practices for Building a Winning Security Operations Center Team

Security operations teams face many challenges—they can be overworked, understaffed and often gain little attention from upper management. Security operations best practices can give companies the tools they need to protect themselves and offer SOC teams a better working environment.

  1. Efficient SOCs use security automation
    By combining highly skilled security analysts with security automation, organizations can analyze more security events, identify more incidents, and protect against them more effectively.
  2. Use effective technology
    The abilities of your SOC depend on its technology capabilities. Technology should collect and aggregate data, prevent threats, and respond to them as they occur. A team equipped with tools and data sources that keep false positives to a minimum can maximize the time analysts spend investigating real security incidents. Learn more in our detailed guide about the SOC, SIEM and other tools used in a modern SOC.
  3. Be up to date with current threat intelligence
    Threat intelligence data from within the organization, in conjunction with information from external sources, gives the SOC team insight into vulnerabilities and threats. External cyber intelligence includes signature updates, news feeds, incident reports, vulnerability alerts, and threat briefs. SOC staff can leverage SOC monitoring tools that provide integrated threat intelligence.
  4. People and responsibilities
    Organizations often share administrative duties across subsidiaries, between partner organizations, and among business units. The organization's security policy standards should be used to define responsibilities for tasks and accountability for a response. An organization can also define the role of each business unit or agency in relation to the SOC.
  5. Defend the perimeter
    A key responsibility of a SOC team is to defend the perimeter, but what information are analysts required to gather? Where can that information be found?

The SOC team should account for every available data input, for example:

  • Network information, such as URLs, file hashes, and connection details
  • Endpoint monitoring data
  • Vulnerability information revealed by vulnerability scanners
  • Security intelligence feeds
  • Intrusion prevention (IPS) and intrusion detection (IDS) system alerts
  • Operating system logs
  • Network topology information
  • External-facing firewall and antivirus logs

Measuring SOC Teams

Organizations need to measure the performance of SOC teams to continuously improve their processes. Here are a few important metrics that can help understand the scale of activity in the SOC, and how effectively analysts are handling the workload.

Mean Time to Detection (MTTD)
  Definition: Average time the SOC takes to detect an incident.
  What it measures: How effective the SOC is at processing important alerts and identifying real incidents.

Mean Time to Resolution (MTTR)
  Definition: Average time that elapses until the SOC takes action and neutralizes the threat.
  What it measures: How effective the SOC is at gathering relevant data, coordinating a response and taking action.

Total cases per month
  Definition: Number of security incidents detected and processed by the SOC.
  What it measures: How busy the security environment is and the scale of action the SOC is managing.

Types of cases
  Definition: Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc.
  What it measures: The main types of activity managed by the SOC and where preventative security measures should be focused.

Analyst productivity
  Definition: Number of units processed per analyst: alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3.
  What it measures: How effective analysts are at covering the maximum possible number of alerts and threats.

Case escalation breakdown
  Definition: Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, and escalated incidents.
  What it measures: The effective capacity of the SOC at each level and the workload expected for different analyst groups.
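The following is an added example, not code from this article or from Exabeam, showing how these metrics are computed once a SOC exports its case records. The Case record layout, the four escalation stage names (which mirror the Tier 1 to Tier 3 hand-offs described earlier), and the sample cases are all assumptions constructed for the demo. It also shows the caveat a practitioner should watch for: MTTR can only be computed from resolved cases, so a growing backlog of open cases makes MTTR look better rather than worse.

```python
"""Compute the SOC metrics defined above from a set of case records.

Added example, not code from the article or from Exabeam. The Case record
layout, the stage names and the sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional

ISO = "%Y-%m-%dT%H:%M:%S"  # all timestamps assumed to be UTC
# Stages a case passes through; a case at a later stage has been through the earlier ones.
ESCALATION_STAGES = ("alert", "suspected", "confirmed", "escalated")


@dataclass
class Case:
    case_id: str
    case_type: str                # web attack, attrition, email, ...
    first_event: datetime         # earliest log evidence of the activity
    detected: datetime            # when the SOC opened the case
    resolved: Optional[datetime]  # when the threat was neutralized; None while open
    stage: str                    # furthest ESCALATION_STAGES entry reached

    def __post_init__(self) -> None:
        if self.stage not in ESCALATION_STAGES:
            raise ValueError(f"{self.case_id}: unknown stage {self.stage!r}")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, ISO)


# Constructed sample data for the demo, not from any real SOC.
SAMPLE_CASES: List[Case] = [
    Case("C-1", "web attack", _ts("2019-05-01T02:00:00"), _ts("2019-05-01T02:30:00"),
         _ts("2019-05-01T06:30:00"), "escalated"),
    Case("C-2", "email", _ts("2019-05-02T09:00:00"), _ts("2019-05-02T09:10:00"),
         _ts("2019-05-02T10:10:00"), "confirmed"),
    Case("C-3", "attrition", _ts("2019-05-03T22:00:00"), _ts("2019-05-04T00:00:00"),
         None, "suspected"),
    Case("C-4", "web attack", _ts("2019-05-05T11:00:00"), _ts("2019-05-05T11:20:00"),
         _ts("2019-05-05T12:20:00"), "confirmed"),
    Case("C-5", "email", _ts("2019-05-06T08:00:00"), _ts("2019-05-06T08:05:00"),
         None, "alert"),
]


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def mean_time_to_detect(cases: List[Case]) -> Optional[float]:
    """MTTD in minutes: first evidence in the logs -> case opened. None if no cases."""
    if not cases:
        return None
    return mean(_minutes(c.detected, c.first_event) for c in cases)


def mean_time_to_resolve(cases: List[Case]) -> Optional[float]:
    """MTTR in minutes: case opened -> threat neutralized.

    Only resolved cases can contribute, so a growing backlog of open cases
    makes MTTR look better, not worse; always report open_case_count with it.
    """
    durations = [_minutes(c.resolved, c.detected) for c in cases if c.resolved is not None]
    return mean(durations) if durations else None


def open_case_count(cases: List[Case]) -> int:
    return sum(1 for c in cases if c.resolved is None)


def cases_per_month(cases: List[Case]) -> Dict[str, int]:
    """Total cases per month, keyed by the month the case was opened."""
    return dict(Counter(c.detected.strftime("%Y-%m") for c in cases))


def cases_by_type(cases: List[Case]) -> Dict[str, int]:
    return dict(Counter(c.case_type for c in cases))


def escalation_funnel(cases: List[Case]) -> Dict[str, int]:
    """Cumulative count per stage: how many cases reached at least that stage."""
    rank = {s: i for i, s in enumerate(ESCALATION_STAGES)}
    return {s: sum(1 for c in cases if rank[c.stage] >= i)
            for i, s in enumerate(ESCALATION_STAGES)}


if __name__ == "__main__":
    print("MTTD (min):", mean_time_to_detect(SAMPLE_CASES))
    print("MTTR (min):", mean_time_to_resolve(SAMPLE_CASES),
          "open cases:", open_case_count(SAMPLE_CASES))
    print("per month:", cases_per_month(SAMPLE_CASES))
    print("by type:", cases_by_type(SAMPLE_CASES))
    print("funnel:", escalation_funnel(SAMPLE_CASES))
```

Raw SIEM event counts (the first column of the escalation breakdown) are not in the case records and would come from the SIEM itself, so the funnel here starts at the alert stage. MTTD is measured from the earliest log evidence, which is only as accurate as the timestamps the SOC keeps for first activity; if that field is unreliable, MTTD will be optimistic.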

Key Takeaways:

  • Modern SOCs require cooperation and collaboration between development, operations and security teams. Increasingly complex infrastructures and the speed of agile processes require capabilities that security teams cannot achieve on their own.
  • Effective security tools should support all steps of the incident response process. Centralizing information, providing fast analyses, and supporting in-depth investigations are key.
  • Metrics can help you evaluate the effectiveness of your SOC processes when used carefully. Make sure to incorporate metrics results into evaluation and refinement processes.
