Areas of Expertise in the SOC

Tyler Wall
Jun 21, 2024

In this article, we’ll discuss the many disciplines that make up a successful company, their scope of duties, and how their role brings them into contact with the Security Operations Center (SOC). We’ll also cover the external organizations that the SOC might interact with in their day-to-day job.

Your time as a SOC analyst will bring you into contact with many teams from within your organization. Everyone, including the CEO, could be involved in a security investigation. However, the SOC plays an essential role in the functions of other teams as well, including external organizations. This article will break down the teams into three sections: information security teams, internal teams, and external teams. So, let’s get started.

Information Security

Information security teams in most large organizations today are made up of three groups: analysts, engineers, and architects. The size of the company’s enterprise network is usually the main factor in determining whether the team is staffed internally or outsourced to third-party organizations. Some mid-sized organizations might combine the duties of two teams to save costs. Regardless of who staffs these positions, the scope of responsibility for each group is different and distinct. Job titles vary from company to company, so instead we categorize each function by the type of work it does, whether it’s analysis, engineering, or architecture.

Analysts

Let’s start with an easy one. Security Operations is where you work as a SOC analyst. I hope by now you’ve learned that “SOC” is an acronym for Security Operations Center. Right, now that we’ve gotten that large knee-slapper out of the way, let’s talk briefly about the Security Operations’ scope of duties. Security Operations is home to the analysts: threat intelligence, threat hunting, digital forensics, and incident response analysts. Sometimes there are more subgroups and sometimes fewer. Sometimes companies give analysts an engineer or specialist job title. Job titles are just made up, so we refer to the type of work that you’ll be doing. Each subgroup works together to ensure that day-to-day operations are running smoothly.

The SOC is responsible for monitoring, investigating, and remediating security events. Their scope of responsibility depends on who is staffing the SOC. As previously discussed, SOCs can be internal to the company or outsourced to an MSSP. Internal SOCs typically have higher privileges to take remedial actions during an incident, where Managed Security Services Providers (MSSPs) usually must report the incident to a customer’s information technology (IT) team. The key benefit to an internal SOC vs. an MSSP is the ability of the internal SOC to learn the details of a single network. MSSPs have multiple customers and must monitor several enterprise networks at once. This leaves the SOC analysts at a disadvantage as they never truly learn the granular details of a customer’s enterprise. This is most people’s starting point in cybersecurity.

Threat Intelligence (TI) is usually a smaller team that’s focused on researching new threat reports, determining if the new threat is a danger to the company, and providing pertinent details to management and other information security teams. In some situations, the TI team is responsible for managing the Threat Intelligence Platform, which serves as a single point of collection for indicators of compromise and intelligence reports from multiple intel sources.

Some typical intel sources are threat feeds such as AlienVault or Talos Intelligence and Open Source Intelligence. The best threat feeds require a subscription and can get expensive. However, they have dedicated security researchers teamed with intelligence collection specialists to generate high fidelity reports. Open Source Intelligence, or OSINT for short, can provide excellent intel if you have a team dedicated to sifting through it all. A quick Google search for “Open Source Intel Feeds” will net you a plethora of top ten lists of the best OSINT feeds out there.

A Threat Intelligence Analyst role requires foundational knowledge of all of cybersecurity, good communication skills both written and verbal, presentation skills, technical knowledge of cybersecurity threats, and a love for reading tons of information and fostering relationships with people who share information. Threat Intelligence Analysts empower the operations teams to detect and protect efficiently. This is not a junior position, but it can be staffed without having worked in the SOC. This could be a great position to try right out of the gate for transitioning military.

The Digital Forensics and Incident Response (DFIR) teams are responsible for conducting investigations on long and enduring incidents. Sometimes this team is split into two separate teams at more defined companies, and other times it’s one team known as the DFIR team. In both cases, they are common escalation points from the SOC. The SOC conducts the initial investigation, and if the incident isn’t resolved after it has travelled through all of the tiers, the incident transitions to Digital Forensics and Incident Response, who often have to work together to resolve it. This is why it’s common to learn that the team is combined into one (Figure 1–1).

Figure 1–1. DF and IR Shared Responsibility

Any engagements with legal, privacy, fraud, or external law enforcement organizations get filtered through the Digital Forensics and Incident Response teams, who essentially become the experts on such matters. Also, in most organizations, the Digital Forensics and Incident Response teams work hand in hand with threat intelligence to conduct threat hunting. These are not junior positions and are often staffed by people who first worked in the SOC.

The Threat Hunting team is an advanced security function that combines a proactive methodology, innovative technology, highly skilled people, and in-depth threat intelligence to find and stop the malicious, often hard-to-detect activities executed by stealth attackers that automated defenses may miss. Threat Hunting Analysts proactively search environments for traces of malicious activity. It requires knowledge of common SIEM tools and their query languages and familiarity with all of the rest of the tools in an environment such as endpoint tools, vulnerability scanners, and cloud security brokers, to name a few. Anything that is currently producing security events, the Threat Hunter needs to know about it. They also need expert knowledge of offensive security and how attacks happen. Just because the title might say Analyst doesn’t mean this is a Junior position. It requires a lot of expertise but is becoming more accessible to smaller companies as tools automate threat-hunting and/or make suggestions for threat-hunting queries. This position is often staffed by people who first worked in the SOC.

The Red Team are your in-house penetration testing analysts. Not all businesses have a Red Team, as it might be more cost-efficient to outsource the function, but they play a critical role in any company. How do you test to ensure your security controls are working? Easy, hack yourself. Ethical hackers are analysts with the skills needed to compromise your enterprise network. Let’s talk briefly about a few types of penetration tests businesses utilize today.

Black Box Test: The penetration tester has no prior knowledge of the target environment. This mimics an attacker with a limited understanding of the company. Typically, this type of test is contracted from a third-party penetration testing firm due to the Red Team’s existing familiarity with the network.

White Box Test: Testers have full knowledge of the target environment. This type of test is usually more pointed at a smaller portion of the enterprise. It could be a software company’s code pipeline or source code repository. The Red Team thrives in this type of penetration test.

Gray Box Test: A combination of black box and white box, with the tester having partial knowledge of the target environment. This replicates a malicious insider or an outside attacker that has successfully infiltrated your network and has established a foothold.

Purple Team Test: This type of test is used to measure the effectiveness of the SOC and DFIR teams (Blue Teams). This is a planned exercise where the Red Team will intentionally trigger a security alert to force the Blue Team to respond. The findings of this test will be used to drive improvements in the security program. Blue Team + Red Team = Purple Team! Cyber Professionals sure love their colors.

This list is not all-encompassing; there are many other types of penetration tests that can be conducted. But generally speaking, these four will cover the large majority of all tests performed. Penetration testers are a special breed of security professionals; they dedicate a lot of time to honing their skills and testing new hacking tools and techniques. Red Team is often staffed by people who first worked in the SOC, but it also has a knack for attracting the special lone wolves in the wild with special talent and skills.

Engineers

The Security Engineering team is responsible for deploying, managing, and maintaining the enterprise’s security tools and appliances. Many smaller companies will combine this function with the SOC analysts. They’re able to do this due to the small footprint of the network; however, more defined companies will have entire teams for engineering. Whether this role is staffed or handled by the SOC, security engineers are also responsible for updating and tuning the security tools.

Many organizations will assign a single technology group to an engineer. Common technology groups for engineers are:

Application Security Engineer: Responsible for identifying and addressing security weaknesses in applications that a business develops or uses. They implement controls, including app authentication, encryption, and authorization settings, test software, set up firewalls, and scan/test applications.

Network Security Engineer: Responsible for maintaining the safety of a business’s organizational network. They monitor the network for breaches, identify vulnerabilities, and develop solutions and safeguards to protect the network against attacks.

Cloud Security Engineer: Responsible for defending a business against attacks within the cloud. The engineer is responsible for configuring the network security, building applications, identifying and addressing vulnerabilities, and maintaining a secure cloud infrastructure.

SIEM Engineer: Responsible for collaborating with various stakeholders to understand business requirements and devise strategies for utilizing data in a more effective and efficient manner. Works closely with the Security Operations Center (SOC) team, assisting in the implementation and management of SIEM and SOAR technologies, while also focusing on leveraging ML/AI techniques to enhance threat detection and analysis.

Detection Engineer: Responsible for designing, building, and fine-tuning systems and processes to detect malicious activities or unauthorized behaviors. They also maintain the monitoring portfolio and track the coverage gaps in the security tools. They define change management processes to ensure alerts aren’t modified or removed without review, and often develop “detection as code” by migrating threat detection development into code pipelines such as GitHub or GitLab.

Vulnerability Management Engineer: Responsible for scanning the environment for known vulnerabilities, prioritizing them, and assisting with managing the patching of these devices.

This list isn’t inclusive of all of the types of engineers and it’s essential to understand the need for cross-leveling of skills here and how big the teams can get. A single person managing the Network Security would leave the organization in a predicament if the employee were to tender their notice. A best practice is to have a minimum of two engineers on a technology group; this allows for a checks-and-balances approach that limits the risk of a single point of failure.

The number one customer of the Security Engineering team is the SOC. Because these teams work so closely together, security engineering is a natural progression for SOC analysts in the ladder upward to architect.

This role requires advanced knowledge of how to administer systems and technologies. If you’re interested in engineering, take on some projects in your spare time at home. Learn a new technology group, such as virtualization or containers. The best way to learn this job is by doing it. So get out there and experiment, and when you fail, delete it all and start again.

A note on Vulnerability Management Engineers: they also work closely with a different department in helping prioritize vulnerabilities. Prioritizing vulnerabilities isn’t as straightforward as you might think. When a vulnerability is found, it gets assigned a criticality that they adjust based on many factors, such as whether the device is dev or prod, whether it’s public-facing, or whether it can be patched at all because it’s a legacy system with dependencies that require older versions of software. It’s not as easy as reading a report and taking action on it. These engineers typically work closely with the IT teams, who are the ones that conduct the patching, often trying to convince them to patch things out-of-cycle or at a higher priority. Vulnerability Management requires specific knowledge of how corporate environments operate and specifically how their company operates. It also requires good people skills and knowing how to manage without authority. Those two skills should be practiced throughout your career no matter which technology group you fall into place with.
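One way to express the adjustment described above in code, as an added example that is not the article’s own tooling: a small Python scorer takes the scanner’s base severity and applies context weights for environment, exposure, and patchability to decide what request goes to the IT patching team. The weights, thresholds, hostnames, and the CVE-EXAMPLE identifiers are all constructed assumptions for the illustration.

```python
"""Context-aware vulnerability prioritization (added illustration).

A scanner reports a base severity (a CVSS-style 0-10 score). The
Vulnerability Management engineer then adjusts it with asset context the
scanner does not know: production vs. development, internet exposure, and
whether the host can actually be patched. Weights, thresholds and sample
findings below are constructed assumptions, not a published standard.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    cve: str            # placeholder identifiers; not real CVE numbers
    base_score: float   # scanner-reported severity, 0.0-10.0
    environment: str    # "prod" or "dev"
    public_facing: bool
    patchable: bool     # False for legacy systems with pinned dependencies


@dataclass
class Decision:
    finding: Finding
    adjusted_score: float
    action: str         # patch-out-of-cycle | patch-next-cycle | mitigate | accept
    reasons: list = field(default_factory=list)


# Assumed weighting policy for the example.
ENV_WEIGHT = {"prod": 1.0, "dev": 0.6}
EXPOSURE_BONUS = 2.0          # added when the asset is reachable from the internet
OUT_OF_CYCLE_THRESHOLD = 8.0  # adjusted score at which an out-of-cycle request goes to IT
ACTION_THRESHOLD = 4.0        # below this the finding is tracked but accepted


def prioritize(f: Finding) -> Decision:
    """Turn a raw scanner finding into an adjusted score and a concrete request."""
    reasons = []
    score = f.base_score * ENV_WEIGHT[f.environment]
    reasons.append(f"environment={f.environment} weight={ENV_WEIGHT[f.environment]}")
    if f.public_facing:
        score += EXPOSURE_BONUS
        reasons.append(f"public-facing: +{EXPOSURE_BONUS:.1f}")
    score = round(min(score, 10.0), 1)

    if not f.patchable:
        # Cannot be patched: the output is a compensating-control request
        # (segmentation, WAF rule, extra monitoring) rather than a patch ticket.
        action = "mitigate" if score >= ACTION_THRESHOLD else "accept"
        reasons.append("not patchable: compensating control instead of patch")
    elif score >= OUT_OF_CYCLE_THRESHOLD:
        action = "patch-out-of-cycle"
    elif score >= ACTION_THRESHOLD:
        action = "patch-next-cycle"
    else:
        action = "accept"
    return Decision(f, score, action, reasons)


def rank(findings):
    """Decisions sorted highest adjusted score first; ties keep prod ahead of dev."""
    decisions = [prioritize(f) for f in findings]
    decisions.sort(key=lambda d: (-d.adjusted_score, d.finding.environment != "prod"))
    return decisions


# Constructed sample scan results. Note the dev build server has the highest
# raw score, yet after context the public web host goes to IT first.
SAMPLE = [
    Finding("web-01", "CVE-EXAMPLE-0001", 7.5, "prod", True, True),
    Finding("build-07", "CVE-EXAMPLE-0002", 9.8, "dev", False, True),
    Finding("plc-gw-02", "CVE-EXAMPLE-0003", 9.0, "prod", False, False),
    Finding("lab-03", "CVE-EXAMPLE-0004", 4.0, "dev", False, True),
]

if __name__ == "__main__":
    for d in rank(SAMPLE):
        print(f"{d.finding.host:10} base={d.finding.base_score:4} "
              f"adj={d.adjusted_score:4} -> {d.action}  ({'; '.join(d.reasons)})")
```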

Engineers usually have worked in the SOC first, but can come from other areas of IT such as Software Development, or IT/Cloud Engineering.

Architects

The Cybersecurity Architecture team is unique to large organizations and is focused on enforcing best security practices and compliance controls while implementing new technology in the enterprise. Let’s look at an example: Your company wants to move its on-premises database into a cloud solution such as Amazon AWS or Microsoft Azure. It’s the Security Architecture team’s job to work with the database and cloud administrators to ensure that the systems and data being migrated into the cloud are as secure as possible. This team is usually composed of senior security specialists with several years of experience in cybersecurity. Some organizations will outsource this to a third-party security consulting firm due to the limited scope of work needed for individual projects.

A common practice for Cybersecurity Architecture teams at large companies is to have a small team with a broad knowledge of all of cybersecurity and each one has mastery skill of a different specialty. To name a few of these specialties, they are software security, network security, infrastructure security, and cloud security. At smaller companies there might only be one or two Cybersecurity Architects often with a broad cybersecurity background with a mastery of the specific company’s IT practices. An example of a cybersecurity architect’s objective is that they might devise the security and logging plan for a project to ensure a proper balance of security and cost saving.

Security Architecture is one of the many pathways for a SOC analyst to move up in their career, but typically it happens after they’ve progressed as an engineer. You should have at least 7–10 years of cybersecurity experience before considering a move into Security Architecture. It is a highly stressful job and just because you’re able to do it, doesn’t mean that it’s what you should do. Tyler was a Cybersecurity Architect at a Fortune 50 company for only about four months before he resigned and decided they couldn’t pay him enough to do the job. He hardly slept the entire four months worrying about the ramifications if just one tiny calculation was incorrect. It just wasn’t for him, yet. Maybe when he’s much older and wiser.

Architects are typically Engineers first (Figure 1–2).

Figure 1–2. Typical Analyst Career Progression

In summary, most organizations have some embodiment of these three information security teams: Security Operations, Security Architecture, Security Engineering. Whether the team is outsourced or owned by the SOC, the roles exist in every company. Each is a puzzle piece that fits together to form a well-rounded cybersecurity program. No one team is more important than the other, and I ask that you remember this as you move forward in your career.

You’ll likely leave the SOC one day and pick a specialty. You’ll make more money, and you’ll have more freedoms like being able to work your own schedule and you’ll not have to do shift work. You’ll need less hand holding and you’ll become more independent as you grow more senior and you might one day look down on the SOC. It’s a typical progression that a lot go through in their careers, but know that it’s not leadership. No one team is more important than the other… and to lead is to serve.

On that note, let’s move on to the next section.

Internal Teams

As you gain and demonstrate experience as a SOC analyst, opportunities to interact with teams outside of the SOC will occur. These opportunities are an excellent way to stand out and make a great impression on your leadership. Regardless of the task, you should approach each encounter with external teams with a high level of professionalism and confidence. You’ll find that when you’ve put in maximum effort toward the task, word of your accomplishments will make it back to your supervisor. And of course, the reverse is true as well. The last thing you want is for your supervisor to learn that you failed to contribute to a task. They tend to remember those conversations when reviewing compensation adjustments.

Let’s first talk about Management. Technically, not all of management works outside the SOC. The SOC has a manager, and usually, somewhere up the chain, there’s a director. But, management makes business decisions, so this topic will cover the standard positions and scope of responsibility of those in management. It’s important to know that every organization is different in how they staff their management team. We’ll start in the SOC with the SOC manager and work upward to the executive staff.

The SOC manager is the direct and first-line supervisor for all SOC analysts. Your interactions with them begin in the interview process as they’re also responsible as the hiring manager for the open analyst positions. SOC managers have a wide range of duties: everything from mentoring the junior analysts to driving collaboration between the SOC and other teams. In fact, the SOC manager has so many duties that there could be an entire article dedicated to the topic. We’ll begin with their responsibilities to you, the newly hired SOC analyst.

The SOC manager is responsible for all aspects of compensation for the analysts under them, including the offer letter when you first applied, bonus payouts, and promotions. However, promotions can’t happen without mentorship, and that’s also a large part of their duties. Each company has different mentorship requirements, but you can expect to sit down with your manager and discuss personal and business goals. Your progress toward achieving these goals is taken into account during the bonus and promotion decisions. Time-off requests, work schedules, and SOC duty assignments are all decided upon by the SOC manager.

The SOC manager is also responsible for generating reports for upper management on the number and type of security events the SOC sees. These reports inform the members of the executive staff on the latest trends in cyberattacks that are targeting the company. The SOC manager is the first level of the management team and is by far one of the hardest jobs in information security. Let’s move on.

The SOC director is the next step up in the chain of managers to the SOC. This title is different for almost every company; some examples are “Director of Security Operations,” and “Director of IT Security.” Regardless of title, this position is usually the SOC manager’s supervisor. They’re responsible for the overall strategic decisions that face the company regarding cybersecurity, including budgeting requests, SOC staffing approval, and the metrics reporting to executive leadership. They also coordinate with other directors to plan and coordinate joint projects. We’ll cover them more later.

The next rung in the management ladder is the Chief Information Security Officer, or CISO for short. Depending on the company, the responsibilities of the CISO range considerably. Due to this, we won’t spend too much time discussing the CISO. All you need to understand from a SOC analyst perspective is that the CISO is responsible for the high-level decisions regarding information security. They will most likely be the first executive officer you’ll meet, and depending on your company, the CISO likely reports directly to the CEO. So, no pressure trying to make an excellent first impression.

That’ll wrap it up for the management team; from here, let’s move on to some of the common organizations you’ll work with as a SOC analyst. Each team we discuss will have a similar management structure as the SOC. I’ll skip going into detail about the team members and focus on the scope of the team itself.

The Risk Management team is responsible for measuring, reporting, and mitigating the company’s risk levels. In regard to cybersecurity, they’ll look at the likelihood of a compromise, determine the impact on the business if the attack happened, and generate a report to management on the risk. This data allows management to make an informed decision to assume or mitigate the risk. Most likely, if all this sounds familiar, you’ve learned about risk matrices somewhere along the way.

“But how does the SOC assist the Risk Management Team?” I’m so glad you asked. Risk Management teams are not cybersecurity experts. Their understanding of attacks and compromises is limited to what they read in the news. That’s when the SOC consults to define the impact of a compromise. An example of a SOC consultation would be to describe how a critical system is vulnerable to a particular type of compromise. Maybe you’re asked what security control would best stop the attack before it happens. Regardless of the request from Risk Management, the goal is to provide them with the worst-case scenario. To measure risk, Risk Management needs to know the most dangerous outcome for the company and how often it might occur.

The Governance and Compliance team ensures “the overall management approach that board members and senior executives use to control and direct an organization” [1] is disseminated and adhered to. They also ensure the company meets or exceeds compliance standards related to certain industries. An example of this would be the Payment Card Industry Data Security Standard (PCI DSS), which enforces controls around payment and card systems. The purpose of compliance is to ensure that proper cybersecurity practices are followed in a uniform manner. There are several global compliance standards, and each has a different set of controls, although some overlap. Table lists the common and well-known compliance standards.

The most common interaction the SOC will have with Governance and Compliance teams is during the auditing process. The SOC plays a vital role in providing evidence of compliance for the Audit team. Some common evidence requests might be logs collected, process documentation, and a security event walk-through. We’ll cover more about the Audit team later in this article.

Definition: Auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.

The next team we’ll cover is the Privacy and Legal team. Usually, you’ll interact with Privacy and Legal during security incidents that involve evidence collection or public disclosure of a compromise. In the previous article, we briefly discussed the Capital One data breach [3]. The privacy half of this team was responsible for identifying the nature of the data that was stolen. Working with legal, together they inform executive leadership on disclosure requirements, legal obligations, and options to pursue actions against the attacker. In the case of Capital One, the Privacy and Legal team notified victims of the data breach and assisted the FBI in apprehending the suspect.

Let’s segue to our final team for this section, the Fraud team. The Fraud team works hand in hand with Privacy and Legal in investigations of a data breach to determine if the data has been leaked, sold, or used for malicious means. For example, the data stolen from Capital One included 140,000 US Social Security Numbers. The Fraud team is responsible for investigations tied to the use of stolen data such as identity theft or data brokerage on the dark web. The Fraud team’s responsibilities shift depending on the company’s industry. A software company’s Fraud team might scour the Internet for license key generators, while a manufacturing company has their Fraud team looking for signs of stolen blueprints.

External Teams

For this article, external teams are defined as any team that does not work for your company. So far, we’ve covered information security and internal teams that the SOC will interact with to accomplish business objectives. Your interaction with external teams requires special considerations. The most important note is that you are a representative of your organization and company.

The first external team we’ll discuss is government agencies, and they’ll play a critical role in any country. Whether it’s for compliance, reports of data breaches, or interpreting privacy laws, the SOC will eventually find itself interacting with the local or federal government. As both authors are located in the United States, we’ll cover what we know and not speculate on other countries’ stance on cybersecurity. I urge you to research local laws and regulations in your region to prepare yourself when interacting with your local government agency.

There are different types of government agencies that we need to cover, and the SOC will interact with each one in various capacities. Law enforcement agencies will be the most common government entity you’ll encounter. Some examples of law enforcement agencies in the United States are the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and State and Local Police. Like the Legal and Privacy team, the SOC will most likely work to provide evidence of data breaches or insider threats to the investigating agency. When communicating with law enforcement agencies, it’s important to only state facts. Try to remain professional and pay respect to the members of the agency you are working beside. The majority of individuals you’ll deal with won’t be cybersecurity analysts, so speak in common terms.

The second government entity we’ll discuss is military and intelligence agencies. Today, many companies provide services or goods to their federal government, and most countries have cybersecurity regulations that must be followed by companies that do business with the government. This comes in the form of tighter compliance controls and mandatory reporting requirements. A benefit of working with the government is the shared threat intelligence provided by the network of companies that work with the government. In the United States, companies that work with the federal government can join the Defense Industrial Base Cybersecurity (DIB CS) program. This program allows companies to share threat reports, indicators of compromise, and malware samples in a central location. The Department of Defense (DoD) also provides threat reports and alerts based on intelligence collected by military or intelligence agencies.

The last government organization we’ll cover is regulatory agencies. Regulatory agencies are bodies created to set a baseline of standards for a particular field of activity in the private sector of the economy and then enforce those standards. Regulatory agencies are commonly broken out into business sectors; for example, the US Department of Health and Human Services regulates the HIPAA compliance standards.

Not all regulatory bodies are government-affiliated; the International Organization for Standardization is an independent, nongovernmental international organization with a membership of 164 national standards bodies. Since nongovernment regulatory agencies can’t enforce compliance or issue punishment to companies out of compliance, government agencies that adopt compliance standards such as ISO 27001 assume responsibility for enforcement and punishment. In this model, a committee of representatives from the member countries develops new and revamped compliance standards.

The second external team we’ll discuss is Audit teams. Auditors play a significant role in a company’s path to regulatory compliance and will be a source of many headaches for the SOC. The auditor’s primary responsibility is to understand the compliance standards and the security controls that satisfy each requirement. Next, they apply their knowledge and expertise in their field to compare a company’s security posture against the compliance standards. Let’s look at an example of how an auditor might interact with the SOC during a compliance engagement by looking at the PCI DSS Version 1.2 controls in Table 2–2.

The goal, “Regularly Monitor and Test Networks,” is a typical example of data the SOC will be responsible for providing. Specifically, the SOC would be the team monitoring access to network resources, and the data that auditors will want to see most likely resides in the SOC’s SIEM. Each auditor is different, so the exact data they’ll ask for will vary depending on their experience level and individual preference. Some auditors will ask the SOC to give a live demo of their ability to access and monitor the data, while others will request screenshots of the monitoring platform and the data held within. Depending on the compliance standard, audits will happen anywhere from every three months to annually. Also, depending on your company, the SOC might be responsible for providing evidence to multiple audit teams throughout the year.

As a new SOC analyst, you won’t likely interact with the auditors directly. If a demo is requested, it’s usually handled by a senior analyst due to their experience with the company’s data sources and monitoring portfolio. Your manager and team lead will own the responsibility of planning and coordinating with the compliance and audit teams, and your tasks begin with evidence collection.
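Evidence collection for a monitoring control usually means pulling the relevant access events out of the SIEM for the audit period and handing them over in a form the auditor can trust has not been altered. The script below is an added example, not code from the article or from any SIEM vendor: it assumes a SIEM export in a simple JSON-lines shape (one access event per line), and every event, hostname, user and IP address in it is constructed for the example. It filters the events to the audit window, summarizes successful and failed access, and stamps the package with a SHA-256 digest over a canonical form of the records so that the same evidence set always produces the same fingerprint.

```python
"""Audit evidence package for a 'monitor access to network resources' control.

Added example (not the article's or any product's code). Assumes the SIEM
export is JSON lines with the keys used in SAMPLE_EXPORT; all values there
are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample of SIEM-exported access events, one JSON object per line.
SAMPLE_EXPORT = """\
{"ts": "2024-03-02T08:14:05Z", "user": "jdoe", "src_ip": "10.0.4.21", "resource": "cde-db-01", "action": "login", "result": "success"}
{"ts": "2024-03-02T08:16:40Z", "user": "jdoe", "src_ip": "10.0.4.21", "resource": "cde-db-01", "action": "query", "result": "success"}
{"ts": "2024-03-15T23:02:11Z", "user": "svc_backup", "src_ip": "10.0.9.7", "resource": "cde-db-01", "action": "login", "result": "failure"}
{"ts": "2024-03-15T23:02:19Z", "user": "svc_backup", "src_ip": "10.0.9.7", "resource": "cde-db-01", "action": "login", "result": "failure"}
{"ts": "2024-04-03T10:00:00Z", "user": "asmith", "src_ip": "10.0.4.30", "resource": "cde-db-01", "action": "login", "result": "success"}
"""


def parse_export(text):
    """Parse JSON-lines export; timestamps become timezone-aware datetimes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc
        )
        records.append(rec)
    return records


def select_period(records, start, end):
    """Keep only events with start <= ts < end (the audit window)."""
    return [r for r in records if start <= r["ts"] < end]


def _canonical(rec):
    """Stable JSON form of one event so the digest does not depend on key order."""
    out = dict(rec)
    out["ts"] = rec["ts"].isoformat()
    return json.dumps(out, sort_keys=True, separators=(",", ":"))


def build_evidence(records, control_name, start, end, collected_by):
    """Assemble the package an analyst would hand to the audit team."""
    in_scope = sorted(select_period(records, start, end), key=lambda r: r["ts"])
    by_result = {}
    for r in in_scope:
        by_result[r["result"]] = by_result.get(r["result"], 0) + 1
    failures = [_canonical(r) for r in in_scope if r["result"] == "failure"]
    # Digest over the canonical, time-ordered records: the auditor can recompute
    # it from the same export to confirm nothing was dropped or edited.
    digest = hashlib.sha256("\n".join(_canonical(r) for r in in_scope).encode()).hexdigest()
    return {
        "control": control_name,
        "period_start": start.isoformat(),
        "period_end": end.isoformat(),
        "collected_by": collected_by,
        "event_count": len(in_scope),
        "events_by_result": by_result,
        "failed_access_events": failures,
        "evidence_sha256": digest,
    }


if __name__ == "__main__":
    window_start = datetime(2024, 3, 1, tzinfo=timezone.utc)
    window_end = datetime(2024, 4, 1, tzinfo=timezone.utc)
    package = build_evidence(
        parse_export(SAMPLE_EXPORT),
        "Regularly Monitor and Test Networks",  # goal named in the article
        window_start,
        window_end,
        "analyst-placeholder",  # constructed
    )
    print(json.dumps(package, indent=2))
```

The April event falls outside the March window and is excluded, so the package reports four events (two successes, two failures) and lists the two failed logins the auditor is most likely to ask about. Recording the window, the collector and the digest alongside the events is what turns a screenshot-style export into evidence that can be re-verified later.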

Let’s move on to our final team for this article, and likely the most common external team you’ll interact with as a junior analyst. Vendors are external product or service providers that have sold a product to your company or are attempting to sell a product. Any tool the SOC uses, which wasn’t created by your company, came from a vendor. The SOC’s interaction level with existing vendors will be limited to requesting assistance with issues, feature requests, and bug reports. However, you might be asked to join a tool demo or proof of concept (POC) evaluation of a security tool.

Insight: Working with vendors can be a great networking opportunity; leaving a good impression with the vendor could lead to future job offers if you decide to move away from the SOC.

When working with existing vendors, there are specific ethical concerns around requesting features or accepting gifts. It’s important to remember that you’re a representative of your company. Vendors who provide an existing service or product could take your feature request and bill your company for the hours spent on the work. That shouldn’t deter you from asking for new features. When communicating with the vendor, be sure to ask them if the company will be billed before any agreement is made.

Similarly, when communicating with vendors trying to sell your company a product or service, it’s important not to promise anything to the vendor. The best conversation you can have with a vendor providing a demo or POC is one where you offer honest feedback on their product. Good or bad, they will take your feedback to their company for product changes. So when providing your thoughts on their product, be sure to offer constructive criticism. Comments like “your product adds no value for us” and “we could build this ourselves” are a surefire way to get you removed from future vendor conversations.

Summary

Working in the SOC brings you into contact with many other teams, both from within and external to your company. Each team covered in this article combines to shape your SOC’s daily scope of duties. The team names and roles discussed in this article are not standardized from company to company. As previously mentioned, some team member responsibilities might belong to the SOC. Regardless of whether the positions exist, the team’s functions are required for a company to succeed.

We’ve talked previously about our purpose for this book and how we hope to prepare you for a great, new career in cybersecurity by way of the SOC. Consider for a moment the overhead of having to teach a new SOC analyst the functions of each team member, external organization, and government entity. This article helps you set yourself up for success by providing a cursory introduction to the areas of expertise in cybersecurity. Whether you’re working with your local law enforcement to investigate a malicious insider or collecting audit evidence for the compliance team, a better understanding of the groups and their roles and responsibilities will help you stand out as a productive member of the SOC team.

ARTICLE QUIZ (SOLUTIONS FOLLOW)

Large organizations often consist of three general teams for cybersecurity. Which of the following is not one of them?

Ⓐ IAM

Ⓑ Operations

Ⓒ Engineering

Ⓓ Architecture

The Threat Intelligence (TI) team does which of the following?

Ⓐ Takes over incidents from the SOC and conducts investigations on long and enduring incidents.

Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.

Ⓒ Focuses on enforcing the best security practices and compliance controls while implementing new technology.

Ⓓ Identifies, catalogs, and remediates new and existing vulnerabilities.

Relating to responsibilities, the Digital Forensics and Incident Response (DFIR) Team does which of the following?

Ⓐ Focuses on enforcing the best security practices and compliance controls while implementing new technology.

Ⓑ Deploys, manages, and maintains security tools.

Ⓒ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.

Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents.

The Security Engineering Team covers which of the following tasks?

Ⓐ Identifies, catalogs, and remediates new and existing vulnerabilities.

Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.

Ⓒ Deploys, manages, and maintains security tools.

Ⓓ Focuses on enforcing the best security practices and compliance controls while implementing new technology.

The Vulnerability Management team is responsible for which of the following?

Ⓐ Researching new threats, determining if they’re dangerous, and providing details to management.

Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network.

Ⓒ Taking over incidents from the SOC and conducting investigations on long and enduring incidents.

Ⓓ Deploying, managing, and maintaining security tools.

Responsibilities of the Security Architecture team include which of the following?

Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology.

Ⓑ Deploying, managing, and maintaining security tools.

Ⓒ Researching new threats, determining if they’re dangerous, and providing details to management.

Ⓓ Taking over incidents from the SOC and conducting investigations on long and enduring incidents.

The _________ is the first level of management and one of the most difficult jobs in cybersecurity.

Ⓐ SOC Director

Ⓑ SOC Manager

Ⓒ Chief Information Security Officer (CISO)

Ⓓ Risk Management Team

The SOC Director may also be called _______. Which of the following does not apply?

Ⓐ Director of Security Operations

Ⓑ Director of Threat Management

Ⓒ Director of IT Security

Ⓓ Director of Risk Management

Which of the following internal teams focuses on the worst-case scenario and how often that may occur?

Ⓐ Risk Management.

Ⓑ Governance and Compliance.

Ⓒ Privacy and Legal.

Ⓓ Digital Forensics and Incident Response (DFIR).

ARTICLE QUIZ SOLUTIONS

Large organizations often consist of three general teams for cybersecurity. Which of the following is not one of them?

Ⓐ IAM

While there may be an IAM team in very large organizations, the three general teams can be broken down into Operations, Engineering, and Architecture.

The Threat Intelligence (TI) team does which of the following?

Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.

The Threat Intelligence team typically researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.

Relating to responsibilities, the Digital Forensics and Incident Response (DFIR) Team does which of the following?

Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents.

Typically, the DFIR team takes over incidents from the SOC and conducts investigations on long and enduring incidents.

The Security Engineering Team covers which of the following tasks?

Ⓒ Deploys, manages, and maintains security tools.

Typically the Security Engineering team deploys, manages, and maintains security tools.

The Vulnerability Management team is responsible for which of the following?

Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network.

The Vulnerability Management team is responsible for identifying, cataloging, and remediating existing vulnerabilities throughout a network.

Responsibilities of the Security Architecture team include which of the following?

Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology.

The Security Architecture team typically focuses on enforcing the best security practices and compliance controls while implementing new technology.

The _________ is the first level of management and one of the most difficult jobs in cybersecurity.

Ⓑ SOC Manager

The first level of management and the one that you will interact with most frequently is the SOC Manager.

The SOC Director may also be called _______. Which of the following does not apply?

Ⓓ Director of Risk Management

The SOC Director typically isn’t called a Director of Risk Management.

Which of the following internal teams focuses on the worst-case scenario and how often that may occur?

Ⓐ Risk Management.

The Risk Management team focuses on all of the “bad” things that can happen and how often they may occur, as well as the impact they have on the organization.

Tyler Wall is the founder of Cyber NOW Education by night and works full time in the cybersecurity industry as his day job. He creates cybersecurity training material in his free time, often after feeling the need to shout what he’s just learned and also because a little bit of passive income never hurt anyone.

He holds a Master of Science from Purdue University, as well as CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications.

You can connect with him on LinkedIn.

Get 20% off all courses in our On-Demand catalog with coupon code “MEDIUMFRIENDS”

For a limited time, get a free copy of the Jump-start Your SOC Analyst Career eBook, published June 1, 2024, in exchange for a review on Amazon. Email tyler@cybernoweducation.com
