The Key SOC Team Roles and Responsibilities

At the center of any successful Security Operations Center (SOC) are people. Security professionals such as SOC analysts, SOC managers and engineers protect and secure an enterprise’s sensitive data and systems. But what roles make up a SOC team, and what roles and responsibilities does each person have? Let’s explore how SOC teams work and the SOC team structure below.

What is a SOC Team?

The security operations center (SOC) team is made up of security professionals who are responsible for managing an organization’s security posture. The specific roles within a SOC may vary depending on the size and complexity of the organization, but there are some common SOC roles and responsibilities.

What are the SOC Team’s Roles and Responsibilities?

The SOC team is responsible for monitoring and maintaining an organization’s computer systems and networks to ensure they are secure and running smoothly. This can include tasks such as monitoring for security breaches, responding to security incidents, patching vulnerabilities, and implementing security policies and procedures. The SOC team may also be responsible for monitoring the performance of the organization’s systems and troubleshooting any issues that arise.

Common SOC Roles

Every SOC is different, based on the size, industry and maturity of the organization. Here are the top common SOC roles:

SOC Analyst – Tier 1, 2 and 3

The job of a security analyst – also called SOC analyst – is to monitor an organization’s networks and systems for potential security threats, and respond to those threats as needed. They often use tools such as security information and event management (SIEM) systems and threat intelligence feeds to identify and assess potential threats. Analysts may also work closely with other teams, such as the incident response team, to resolve those threats.

Another of the SOC analyst’s roles is to use a Security Orchestration, Automation and Response (SOAR) platform to manage cases and gather information in one location.

There are typically three “tiers” of security analysts, based on experience and responsibilities:

Tier 1 SOC Analyst

A Tier 1 security analyst’s work focuses on alert triage and reporting. A typical day for Tier 1 SOC analysts is reviewing and categorizing security alerts and potential threats.

Tier 2 SOC Analyst

Tier 2 security analysts are incident responders. These analysts review and respond to alerts that can’t be handled by Tier 1 analysts.

Tier 3 SOC Analyst

The Tier 3 analyst is a qualified threat hunter. These SOC analysts proactively hunt and uncover complex threats within an organization.

SOC Engineer

What is a SOC Engineer? A security engineer’s roles and responsibilities are to design, implement and maintain the technical controls and defenses that are used to protect the organization’s assets and systems. This may include activities such as firewall and intrusion detection system configuration, access control implementation, and conducting security assessments and audits.

SOC Manager

The SOC Manager oversees the day-to-day operations of the SOC team and ensures that the organization’s systems and networks are secure and running smoothly.

Some of the specific SOC Manager roles and responsibilities may include the following:

  • Setting priorities and managing resources
  • Developing and implementing security policies and procedures
  • Monitoring the performance of security systems and networks
  • Managing incident response processes
  • Managing the team and communication with other departments

Chief Information Security Officer (CISO)

A Chief Information Security Officer (CISO) is a senior-level executive who oversees an organization’s cybersecurity strategy and operations, often including more than the SOC team. The CISO falls within the enterprise leadership team and reports directly to the CEO or other executive-level manager.

The specific responsibilities of a CISO may vary depending on the size and nature of the organization, but some common responsibilities may include the following:

  • Developing and implementing the organization’s cybersecurity strategy and policies
  • Monitoring and analyzing the organization’s security posture, and identifying areas for improvement
  • Working with senior management and other stakeholders to ensure that the organization’s security practices align with its business objectives and priorities
  • Advising the organization on best practices and emerging trends in cybersecurity, and recommending investments in new tools and technologies

Additional SOC Roles

The list above covers only some of the roles that can be found within a SOC team. A variety of other positions exist, especially in larger enterprise teams, for advanced incident response and threat intelligence. Compliance roles, such as compliance auditors, are also seen within the SOC.

  • Compliance Auditor: These team members ensure that an organization’s security practices and procedures comply with industry and federal security regulations.
  • Threat Responder: This individual is responsible for actively engaging in threat hunting activities to detect, analyze, and respond to different types of cybersecurity attacks facing the organization’s systems and infrastructure.
  • Forensic Investigator: These team members examine and analyze the structure, components, source, purpose, and extent of cybersecurity threats to determine how they have infiltrated and affected systems, aiding in incident response and mitigation efforts.

Security Metrics for SOC Teams

There are various security metrics that a SOC team can use to measure the performance of their security processes. Here are a few examples:

  • Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR): These metrics measure how long it takes for the SOC team to detect a security incident and how long it takes to respond to it.
  • Dwell time: Dwell time is the duration a threat actor has undetected access in a network until they’re completely removed.
  • False positive rate: This measures the percentage of alerts that are generated by security systems but are not actual security incidents. A low false positive rate is desirable as it means that the SOC team is not wasting time investigating non-issues.
  • Compliance rate: This looks at the percentage of security controls that are in compliance with industry regulations and standards.
  • Level of preparedness: This assesses how effective your technology and tool implementation is, so that gaps in controls that could be affecting your risk management program can be found and eliminated.

It’s important to note that SOC metrics should be tailored to the specific organization and its unique security needs. These metrics can help organizations measure their security posture, identify areas of improvement and track the effectiveness of their security measures over time.
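The metrics above are only useful when they are computed consistently from the case records a SIEM or SOAR platform already holds. The following Python script is an added example, not Swimlane’s code or the article’s own: it defines a minimal alert record and derives MTTD, MTTR, mean dwell time and the false positive rate from a constructed sample queue. The field names and the sample alerts are assumptions made for illustration. Two details worth noting: incidents that are still open are excluded from MTTR and dwell time rather than counted as zero (which would flatter the numbers), and false positives never contribute to MTTD, MTTR or dwell time because they have no compromise to measure from.

```python
"""SOC metrics (MTTD, MTTR, dwell time, false positive rate) from alert records.

Constructed example; the Alert fields and SAMPLE_ALERTS are assumptions, not a
real case-management schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass
class Alert:
    alert_id: str
    true_positive: bool                 # False => analyst closed it as a false positive
    detected_at: datetime               # when the SIEM/SOAR raised the alert
    compromise_at: Optional[datetime]   # estimated first attacker activity (None for false positives)
    responded_at: Optional[datetime]    # when containment started (None while still in the queue)
    eradicated_at: Optional[datetime]   # when the attacker was fully removed (None while still open)


def _mean_hours(deltas: List[timedelta]) -> Optional[float]:
    """Average a list of timedeltas in hours; None when there is nothing to average."""
    if not deltas:
        return None
    return sum(d.total_seconds() for d in deltas) / len(deltas) / 3600.0


def mttd_hours(alerts: Iterable[Alert]) -> Optional[float]:
    """Mean Time to Detect: compromise -> detection, over true positives with a known start."""
    return _mean_hours([a.detected_at - a.compromise_at
                        for a in alerts
                        if a.true_positive and a.compromise_at is not None])


def mttr_hours(alerts: Iterable[Alert]) -> Optional[float]:
    """Mean Time to Respond: detection -> start of response.

    Incidents nobody has picked up yet are excluded, not counted as zero.
    """
    return _mean_hours([a.responded_at - a.detected_at
                        for a in alerts
                        if a.true_positive and a.responded_at is not None])


def mean_dwell_hours(alerts: Iterable[Alert]) -> Optional[float]:
    """Dwell time: compromise -> complete eradication, over closed true positives only."""
    return _mean_hours([a.eradicated_at - a.compromise_at
                        for a in alerts
                        if a.true_positive
                        and a.compromise_at is not None
                        and a.eradicated_at is not None])


def false_positive_rate(alerts: Iterable[Alert]) -> Optional[float]:
    """Share of all alerts that turned out not to be real incidents (0.0 .. 1.0)."""
    alerts = list(alerts)
    if not alerts:
        return None
    return sum(1 for a in alerts if not a.true_positive) / len(alerts)


def soc_metrics(alerts: Iterable[Alert]) -> dict:
    """Convenience wrapper returning all four metrics for a dashboard or report."""
    alerts = list(alerts)  # materialise once; each metric iterates the queue
    return {
        "mttd_hours": mttd_hours(alerts),
        "mttr_hours": mttr_hours(alerts),
        "mean_dwell_hours": mean_dwell_hours(alerts),
        "false_positive_rate": false_positive_rate(alerts),
    }


# Constructed sample queue (hypothetical ids and timestamps):
# INC-1 closed, INC-2 contained but not yet eradicated, INC-3 detected but not yet
# picked up, ALR-4 and ALR-5 closed as false positives.
T = datetime
SAMPLE_ALERTS = [
    Alert("INC-1", True,  T(2024, 3, 1, 10), T(2024, 3, 1, 0), T(2024, 3, 1, 12),    T(2024, 3, 2, 0)),
    Alert("INC-2", True,  T(2024, 3, 2, 2),  T(2024, 3, 2, 0), T(2024, 3, 2, 3),     None),
    Alert("INC-3", True,  T(2024, 3, 3, 6),  T(2024, 3, 3, 0), None,                 None),
    Alert("ALR-4", False, T(2024, 3, 3, 8),  None,             T(2024, 3, 3, 8, 30), None),
    Alert("ALR-5", False, T(2024, 3, 3, 9),  None,             None,                 None),
]

if __name__ == "__main__":
    for name, value in soc_metrics(SAMPLE_ALERTS).items():
        print(f"{name}: {value}")
```

On the sample queue this reports an MTTD of 6.0 hours, an MTTR of 1.5 hours, a mean dwell time of 24.0 hours (only INC-1 is fully eradicated) and a false positive rate of 0.4. Feeding the same functions a real export of closed and open cases gives the trend data the paragraph above recommends tracking over time.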

SOC Roles and Responsibilities FAQs

What does a SOC operator do? 

A Security Operations Center (SOC) operator is responsible for protecting an organization against cyberattacks by detecting, analyzing, and responding to cybersecurity incidents. Their responsibilities include investigating incidents, escalating situations to appropriate parties within the SOC, implementing and managing security solutions and tools, monitoring alerts, preparing reports and dashboards, and resolving technical problems to ensure the security and integrity of the organization’s systems.

What is the Primary Responsibility of a Security Engineer in a SOC?

The primary responsibility of a Security Engineer in a SOC is to develop security policies and standards, manage and monitor systems enforcing these policies, and play a central role in safeguarding the organization’s digital infrastructure against cybersecurity threats.

How big should a SOC team be? 

The size of a SOC team can vary based on factors such as the organization’s size, complexity, and threat landscape. Traditionally, SOC teams can range from a handful of experts to larger teams with multiple roles, depending on the evolving threat vectors of cybersecurity.

No matter the size of the SOC team, these security professionals are critical to maintaining efficient and effective security operations (SecOps) and incident response. Both small and large SOC teams can benefit from extra help responding to the thousands of daily alerts. Options include outsourced support from a Managed Security Services Provider (MSSP) or implementing a security automation solution. Either way, SOC teams are a critical component of an organization’s security and need all the help they can get.
