Learn about the typical core roles that make up a SOC team.
What is the role of a Security Operations Center?
Security Operations Centers (SOC) were created to facilitate collaboration among security personnel, with a primary focus on security monitoring and alerting, including the collection and analysis of data to identify suspicious activity and improve the organization's security. A SOC can streamline the security incident handling process as well as help analysts triage and resolve security incidents more efficiently and effectively. In today’s digital world, a SOC can be located in-house, in the cloud (a virtual SOC), staffed internally, outsourced, for example, to an MSSP or MDR, or a mix of these. SOCs can provide continuous protection with uninterrupted monitoring and visibility into critical assets across the attack surface. They can provide a fast and effective response, decreasing the time elapsed between when the compromise first occurred and the mean time to detection.
Roles and responsibilities
Typical core roles that make up a SOC team consist of different tiers of SOC analysts and dedicated managers:
Tier 1 ‑ Triage specialist: Mainly responsible for collecting raw data as well as reviewing alarms and alerts. They need to confirm, determine, or adjust the criticality of alerts and enrich them with relevant data. For every alert, the triage specialist has to identify whether it’s justified or a false positive, as alert fatigue is a real issue. An additional responsibility at this level is identifying other high-risk events and potential incidents. All these need to be prioritized according to their criticality. If problems occurring cannot be solved at this level, they have to be escalated to tier 2 analysts. Furthermore, triage specialists are often managing and configuring the monitoring tools.
Tier 2 ‑ Incident responder: Reviews the higher-priority security incidents escalated by triage specialists and does a more in-depth assessment using threat intelligence, such as indicators of compromise and updated rules. Incident responders need to understand the scope of an attack and be aware of the affected systems. The raw attack telemetry data collected at tier 1 is transformed into actionable threat intelligence at this second tier. Incident responders are responsible for designing and implementing strategies to contain and recover from an incident. If a tier 2 analyst faces major issues with identifying or mitigating an attack, additional tier 2 analysts are consulted, or the incident is escalated to tier 3.
Tier 3 ‑ Threat hunter: Most experienced workforce in a SOC. Threat hunters handle major incidents escalated to them by the incident responders. They also perform or at least supervise vulnerability assessments and penetration tests to identify possible attack vectors. Their most important responsibility is to proactively identify possible threats, security gaps, and vulnerabilities that might be unknown. They should also recommend ways to optimize the deployed security monitoring tools as they gain reasonable knowledge about a possible threat to the systems. Additionally, any critical security alerts, threat intelligence, and other security data provided by tier 1 and tier 2 analysts need to be reviewed at this tier.
SOC manager: Supervises the security operations team. SOC managers provide technical guidance if needed, but most importantly, they are in charge of adequately managing the team. This includes hiring, training, and evaluating team members; creating processes; assessing incident reports; and developing and implementing necessary crisis communication plans. They also oversee the financial aspects of a SOC, support security audits, and report to the chief information security officer (CISO) or a respective top-level management position.