Security Operations Center Roles and Responsibilities
Learn about the main roles in a SOC team, the difference between a SOC team and a CSIRT, and best practices for building winning SOC teams.
What is a SOC Team?
A security operations center continuously monitors and analyzes the security procedures of an organization. It also defends against security breaches and actively isolates and mitigates security risks.
A SOC team comprises the following key roles:
- Security analyst—responsible for triage, detection, and investigating potential security threats and handling them. Also implements security measures and is involved in disaster recovery plans.
- Security engineer—in charge of maintaining and updating tools and systems and is usually a software or hardware specialist. They are also responsible for any documentation that might be needed by other team members, such as protocols.
- SOC manager—directs SOC operations, responsible for the SOC team. Responsible for syncing between analysts and engineers, hiring, training, and security strategy. Directs and orchestrates response to major security threats.
- Chief information security officer (CISO)—establishes security related strategies, policies, and operations. Works closely with the CEO, informs and reports to management on security issues.
- Director of incident response—responsible for managing incidents in large companies as they occur and communicating security requirements to the organization in the case of a significant breach.
In this article, you will learn:
- SOC Roles and Responsibilities
- SOC Team vs. CSIRT – What is the Difference?
- How to Determine if You Need a SOC Team, a CSIRT Team, or Both
- Best Practices for Building a Winning Security Operations Center Team
- Measuring SOC Teams
SOC Roles and Responsibilities
SOC analysts are organized in four tiers. Initially, SIEM alerts flow to Tier 1 analysts who monitor, prioritize and investigate them. Real threats are passed to a Tier 2 analyst, with deeper security experience, who conducts further analysis and decides on a strategy for containment.
Critical breaches are moved up to a Tier 3 senior analyst, who manages the incident, and is responsible for actively hunting for threats on an ongoing basis. The Tier 4 analyst is the SOC manager, in charge of recruitment, strategy, priorities and the direct management of SOC staff when major security incidents occur.
The table below explains each SOC role in more detail.
| Role | Skills and qualifications | Responsibilities |
|---|---|---|
| Tier 1 Analyst | System administration skills, web programming languages such as Python, Ruby, PHP, scripting languages, security certifications such as CISSP or SANS SEC401 | Monitors SIEM alerts, manages and configures security monitoring tools. Prioritizes alerts or issues and performs triage to confirm a real security incident is taking place. |
| Tier 2 Analyst | Similar to Tier 1 analyst but with more experience including incident response. Advanced forensics, malware assessment, threat intelligence. White-hat hacker certification or training is a major advantage. | Receives incidents and performs deep analysis, correlates with threat intelligence to identify the threat actor, nature of the attack and systems or data affected. Decides on strategy for containment, remediation and recovery and acts on it. |
| Tier 3 Analyst (Subject Matter Expert / Threat Hunter) | Similar to Tier 2 analyst but with even more experience including high-level incidents. Experience with penetration testing tools and cross-organization data visualization. Malware reverse engineering, experience identifying and developing responses to new threats and attack patterns. | Day-to-day, conducts vulnerability assessments and penetration tests, and reviews alerts, industry news, threat intelligence and security data. Actively hunts for threats that have found their way into the network, as well as unknown vulnerabilities and security gaps. When a major incident occurs, joins the Tier 2 Analyst in responding and containing it. |
| Tier 4 SOC Manager | Similar to Tier 3 analyst, including project management skills, incident response management training, strong communication skills. | Like the commander of a military unit, responsible for hiring and training SOC staff, in charge of defensive and offensive strategy, manages resources, priorities and projects, and manages the team directly when responding to business critical security incidents. Acts as point of contact for the business for security incidents, compliance and other security |
| Security Engineer (Support and Infrastructure) | Degree in computer science, computer engineering or information assurance, typically combined with certifications like CISSP. | A software or hardware specialist who focuses on security aspects in the design of information systems. Creates solutions and tools that help organizations deal robustly with disruption of operations or malicious attack. Sometimes employed within the SOC and sometimes supporting the SOC as part of development or operations teams. |
SOC Team vs. CSIRT – What is the Difference?
A computer security incident response team or CSIRT, also called CERT or CIRT, is responsible for receiving, analyzing, and responding to security incidents. CSIRTs can work under SOCs or can stand alone.
What makes a CSIRT different from a SOC? While the core function of a CSIRT is to minimize and manage the damage caused by an incident, the CSIRT does not just deal with the attack itself; it also communicates with clients, executives, and the board.
How to Determine if You Need a SOC Team, a CSIRT Team, or Both
The case for a single entity
Often a single entity that unites the SOC and CSIRT is desirable. Why? Because the distinction between detection and response is not clear cut, and may even become irrelevant. For example, threat hunting is used to identify threats, but also operates as a method of response.
Both SOC teams and CSIRT teams use security orchestration, automation and response (SOAR) tools, which could indicate that these teams need to be merged, as it is hard to decide who owns the tool and is accountable for its evolution. Threat intelligence (TI) related activities also provide a case for a single entity. A single TI consumption position can offer insights into identification and response methods.
Another reason to unite these groups is related to managing the workforce. One problem with SOCs is that it is difficult to keep “level 1” analysts motivated, particularly when they work weekends and night shifts. By bringing IR and threat hunting together you create the option for job rotation.
The case for separate entities
Some industry experts argue that keeping SOC teams and CSIRT teams separate lets them concentrate on their core objectives, namely detection vs. response. Also, occasionally multiple SOCs are required (because of multiple regional offices or subsidiaries), yet organizations wish to keep incident response centralized because of the sensitivity of investigation results.
Strategic plans for outsourcing may demand the separation of these two functions. Today, this may not be an issue as many SOCs operate as hybrid organizations. Keeping SOC and CSIRT separate, however, may help an organization clearly define the responsibilities of a partner.
Best Practices for Building a Winning Security Operations Center Team
Security operations teams face many challenges—they can be overworked, understaffed and often gain little attention from upper management. Security operations best practices can give companies the tools they need to protect themselves and offer SOC teams a better working environment.
- Efficient SOCs use security automation
By using highly-skilled security analysts together with security automation, organizations can analyze more security events, identify more incidents and protect against them more effectively.
- Use effective technology
The abilities of your SOC are dependent on its technology capabilities. Technology should collect and aggregate data, prevent threats, and respond as they occur. A team that is equipped with tools and data sources that reduce false positives to a minimum can maximize the time analysts spend investigating real security incidents. Learn more in our detailed guide about the SOC, SIEM and other tools used in a modern SOC.
- Be up to date with current threat intelligence
Threat intelligence data from within the organization in conjunction with information from external sources provides insight into vulnerabilities and threats to the SOC team. External cyber intelligence includes signature updates, news feeds, incident reports, vulnerability alerts, and threat briefs. SOC staff can leverage SOC monitoring tools that provide integrated threat intelligence.
- People and responsibilities
Organizations often share administrative duties across subsidiaries, partner organizations, and business units. The organization’s security policy standards should be used to define responsibilities in relation to tasks and accountability for a response. An organization can also define the role of each business unit or agency in relation to the SOC.
- Defend the perimeter
A key responsibility of a SOC team is to defend the perimeter, but what information are analysts required to gather? Where can that information be found?
The SOC team can take into account all data input, for example:
- Network information, such as URLs, hashes, connection details
- The monitoring of endpoints, vulnerability information revealed by vulnerability scanners, security intelligence feeds, intrusion prevention (IPS) and detection (IDS) systems
- Operating systems
- Topology information
- External-facing firewall, and antivirus
Measuring SOC Teams
Organizations need to measure the performance of SOC teams to continuously improve their processes. Here are a few important metrics that can help understand the scale of activity in the SOC, and how effectively analysts are handling the workload.
| Metric | Definition | What it Measures |
|---|---|---|
| Mean Time to Detection (MTTD) | Average time the SOC takes to detect an incident | How effective the SOC is at processing important alerts and identifying real incidents |
| Mean Time to Resolution (MTTR) | Average time that transpires until the SOC takes action and neutralizes the threat | How effective the SOC is at gathering relevant data, coordinating a response and taking action |
| Total cases per month | Number of security incidents detected and processed by the SOC | How busy the security environment is and the scale of action the SOC is managing |
| Types of cases | Number of incidents by type: web attack, attrition (brute force and destruction), email, loss or theft of equipment, etc. | The main types of activity managed by the SOC and where security preventative measures should be focused |
| Analyst productivity | Number of units processed per analyst: alerts for Tier 1, incidents for Tier 2, threats discovered for Tier 3 | How effective analysts are at covering the maximum possible alerts and threats |
| Case escalation breakdown | Number of events that enter the SIEM, alerts reported, suspected incidents, confirmed incidents, escalated incidents | The effective capacity of the SOC at each level and the workload expected for different analyst groups |
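As an added illustration (not part of the original article), the following Python computes the metrics from the table above over a constructed set of case records: MTTD, MTTR, total cases per month, types of cases, and the case escalation funnel. The record layout, the stage names and the choice to start the MTTR clock at detection are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime

# Escalation stages a case can reach, in order (the table's case escalation
# breakdown: alert -> suspected incident -> confirmed incident -> escalated).
STAGES = ["alert", "suspected", "confirmed", "escalated"]

# Constructed sample case records, not real SOC data. "occurred" is the first
# evidence of the incident, "detected" when the SOC raised it, "resolved" when
# the threat was neutralized (or the case was closed as a false positive).
CASES = [
    {"id": "C-1", "type": "web attack", "stage": "confirmed", "occurred": "2024-03-01T08:00", "detected": "2024-03-01T09:00", "resolved": "2024-03-01T13:00"},
    {"id": "C-2", "type": "attrition", "stage": "escalated", "occurred": "2024-03-02T22:00", "detected": "2024-03-03T01:00", "resolved": "2024-03-03T03:00"},
    {"id": "C-3", "type": "email", "stage": "confirmed", "occurred": "2024-03-05T10:00", "detected": "2024-03-05T10:30", "resolved": "2024-03-05T12:30"},
    {"id": "C-4", "type": "web attack", "stage": "suspected", "occurred": "2024-03-10T09:00", "detected": "2024-03-10T09:00", "resolved": "2024-03-10T09:20"},
    {"id": "C-5", "type": "loss or theft of equipment", "stage": "escalated", "occurred": "2024-04-01T08:00", "detected": "2024-04-02T08:00", "resolved": "2024-04-03T08:00"},
    {"id": "C-6", "type": "email", "stage": "alert", "occurred": "2024-04-03T11:00", "detected": "2024-04-03T11:05", "resolved": "2024-04-03T11:10"},
]

def _hours(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def incidents(cases):
    """Only cases that reached 'confirmed' or beyond count as real incidents."""
    return [c for c in cases if STAGES.index(c["stage"]) >= STAGES.index("confirmed")]

def _mean_hours(cases, start_key, end_key):
    inc = incidents(cases)  # false positives would otherwise distort the averages
    return sum(_hours(c[start_key], c[end_key]) for c in inc) / len(inc) if inc else 0.0

def mttd(cases):
    """Mean Time to Detection (hours): occurred -> detected, over real incidents."""
    return _mean_hours(cases, "occurred", "detected")

def mttr(cases):
    """Mean Time to Resolution (hours). Assumption: the clock starts at detection."""
    return _mean_hours(cases, "detected", "resolved")

def cases_per_month(cases):
    """Total cases per month, keyed by YYYY-MM of detection (false positives included)."""
    return Counter(c["detected"][:7] for c in cases)

def cases_by_type(cases):
    """Types of cases: real incidents grouped by the table's incident categories."""
    return Counter(c["type"] for c in incidents(cases))

def escalation_breakdown(cases):
    """Funnel: number of cases that reached at least each stage."""
    return {s: sum(1 for c in cases if STAGES.index(c["stage"]) >= i) for i, s in enumerate(STAGES)}
```

Comparing the funnel counts across months shows where analyst capacity is consumed (many alerts, few confirmed incidents points at tuning Tier 1 triage; many escalations points at Tier 2 and 3 load).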
- Modern SOCs require cooperation and collaboration between development, operations and security teams. Increasingly complex infrastructures and the speed of agile processes require capabilities that security teams cannot achieve on their own.
- Effective security tools should support all steps of the incident response process. Centralizing information, providing fast analyses, and supporting in-depth investigations are key.
- Metrics can help you evaluate the effectiveness of your SOC processes when used carefully. Make sure to incorporate metrics results into evaluation and refinement processes.