What does a SOC analyst do?

Security operations center (SOC) analysts are responsible for analyzing and monitoring network traffic, threats and vulnerabilities within an organization’s IT infrastructure. This includes monitoring, investigating and reporting security events and incidents from security information and event management (SIEM) systems. SOC analysts also monitor firewall, email, web and DNS logs to identify and mitigate intrusion attempts.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

  • 0:00 – Intro
  • 1:20 – What is a SOC analyst?
  • 1:58 – Levels of SOC analyst
  • 2:24 – How to become a SOC analyst
  • 2:53 – Certification requirements
  • 3:29 – Skills needed to succeed
  • 4:38 – Tools SOC analysts use
  • 5:32 – Open-source tool familiarity
  • 6:05 – Pivoting from a SOC analyst
  • 6:50 – What can I do right now?
  • 7:32 – Experience for your resume
  • 8:07 – Outro

Transcript

[00:00:05] Chris Sienko: Welcome to the InfoSec Career Video Series. This set of short videos will provide a brief look inside cybersecurity careers and the experience needed to enter them. Today, I’ll be speaking with InfoSec’s skills author, Mark Viglione, about the role of SOC analyst. So let’s get into it. Welcome, Mark.

[00:00:21] Mark Viglione: Thanks, Chris.

[00:00:22] CS: Mark, let’s start with the basics. What is a SOC analyst? Also, for people who are just getting started, what does SOC stand for? What does a SOC analyst do?

[00:00:32] MV: Sure. SOC stands for security operations center. Essentially, what these analysts do is they work in some form of operations center where they have different teams, different tiers of analysts. Typically, what they do, their day consists of monitoring, a lot of eyes on glass, a lot of looking at different tools and alerts. They try to triage what’s important, and what’s not, and what needs the best [inaudible 00:00:54] and what doesn’t need the best [inaudible 00:00:55]. A lot of hands on, a lot of looking at [inaudible 00:00:59] glass.

[00:01:01] CS: Okay. Are there other levels of SOC analysts? Do you start at one level and then the tasks sort of increase as your experience grows?

[00:01:09] MV: Yeah, definitely. A lot of – different organizations call it different things. Sometimes within a SOC, you’ll have different tiers, whether it’s a SOC, and then it goes to incident response, and maybe advanced threat hunting, they might put all of that in the SOC. But yeah, there’s definitely different tiers and different experience levels for these individuals.

[00:01:26] CS: Okay. Now, how does one become a SOC analyst? Is this an entry-level position or do you need experience in other aspects of cybersecurity first?

[00:01:33] MV: Yeah. I would say, it’s typically an entry or junior-level position. A lot of times, you’ll get either some – college kid, if you have the right degrees, stuff like that, you kind of get into the field. Do a couple years of tier one work, and then you get into SOC. So yeah, it’s definitely something that’s more junior, but also can be entry level as well.

[00:01:55] CS: Okay. Are there particular education or certification requirements that you need to get in, or can you just go on experience alone? Are there particular certs that especially help in this regard?

[00:02:07] MV: Yeah. I would say, along with like, depending on your experience, or education, if you have a degree in IT or in security potentially in general. I would say a lot of the certs, like Security+, are a great resource to get into. Again, this is not like a senior-level role. So you know, you’re not supposed to get a lot of different highly advanced certs, but like Security+ or SSCP, stuff like that probably gives you a good edge to getting that.

[00:02:32] CS: Okay. What skills, whether hard skills or soft skills, does a SOC analyst need to do their job well, whether it’s the tech background, or just things like, yeah, like you said, being able to read lots of data and interpret it? What are the skill sets for a SOC analyst?

[00:02:49] MV: I think it’s really two parts. I think there’s the technical side, which you have to have. Like the analytics, you have to be able to interpret that, and want to do that, and find it fun, because you’ll be doing a lot [inaudible 00:03:00] and different alerts. And then also the soft skill side, where you need to present your findings to either your team member, maybe your SOC manager, or maybe there’s an IT director who has no idea what some of the technical jargon is and they still need to know. Those soft skills are just as important, I think, as the technical skills as well.

[00:03:19] CS: Okay. And you sort of grow in levels by sort of getting better at interpreting those numbers and finding sort of higher-level ways to sort of like crunch the data, I imagine.

[00:03:29] MV: Exactly, yeah. As you start to like, for instance, “Oh! What is this alert?” Then it moves into like, “How can I solve this? If not, I pass it up.” And then, obviously, you’re the one who solves it, and then, yeah, so it’s all different progression perhaps.

[00:03:42] CS: Okay. We always ask about different tools that SOC analysts use, or all the careers use. But I imagine the SOC analyst is especially tool heavy. Can you talk about some of the tools that SOC analysts use to do their work?

[00:03:55] MV: Yeah, sure. So I would say, depending on the organization, and the panel, the size and what you’re using, you’re going to use a lot of either open-source tools or commercial. I would say on the commercial side, a lot of them are going to be commercial SIEMs, like LogRhythm, RSA, Splunk, all these giant tools that are spitting off logs. And then tons of alerts you’re going to be looking at every single day. Also, intrusion detection systems. If you’re a smaller shop and you’re on the open-source side, Suricata. If you want to use some of the Cisco products, you have like Firepower and all those different things on the commercial side. It’s a lot of tools that are either spitting off alerts via network data, or SIEMs where it’s like [irating 00:04:31] everything to a lot of different tools.

[00:04:35] CS: If you’re wanting to get into SOC analyst as a job, would you recommend just getting some of the open-source tools and playing around with them yourself on your own so you have a level of comfort with them?

[00:04:47] MV: Yeah. I would absolutely recommend that because it gives you hands-on experience. You might not use the exact tool on the job you end up getting, but you’ll probably use a version of that tool at that job. That experience will help you with the interview process and also when you’re on the job working, crunching data.

[00:05:06] CS: Okay. For people who are interested in doing SOC analyst as a job, can you move into other roles if you find that this isn’t what you like? Is this a good job that you can pivot into other places with?

[00:05:19] MV: Yeah, absolutely. It’s a really good, like I said, entry, middle-level job for security professionals, I think for sure. Because there’s a lot of different roles you can grow into. Again, sometimes, on the SOC team, you can go into incident response, which is more responding. You can go into threat hunting, which are just actively probing. And then also as a penetration tester. They always say like, it’s great knowing how to defend your network, the blue team work, and then we transition over to the pen testing, having both of those skill sets. So it’s definitely, definitely a lot of areas to grow. You’re not like locked in on, “Okay. This is the only thing I’m going to be doing.”

[00:05:52] CS: Okay. As we wrap up today, for our listeners who are ready to get started, what’s something they can do right now, right after this video ends, that would move them towards the goal of becoming a professional SOC analyst?

[00:06:03] MV: Yeah. I think there are a couple of things. I think, reviewing different content, looking at different courses. Where some are like the ones at InfoSec, and just understanding, diving into some of that knowledge base and doing some training. Then also, just reading blogs and staying active in the community. Because it seems a lot of security is changing every day, and you’ve got to be keeping up with it. That looks really impressive to employers as well, when you’re actively probing for that stuff. Definitely just doing a lot of capture the flag as well around different stuff so you’re getting experience.

[00:06:34] CS: Are there any kind of experience-based things that you could do to sort of put on your resume even before you have a job? Can you show your ability to use a tool or do something with your own network like that?

[00:06:48] MV: Yeah. I think a great thing is like building a home lab. I know now a lot of people, colleagues do that, and they put that on their resume, they put down [inaudible 00:06:56] different attacks and this is how I used this tool, so it’s not just reading a book. It’s also just building it hands-on, so it’s definitely a great advantage.

[00:07:10] CS: Mark Viglione, thank you for your time and experience.

[00:07:13] MV: Yeah, thank you. Appreciate it.

[00:07:14] CS: And thank you all for watching this episode. If you’d like to know more about other cybersecurity job roles, please check out the rest of InfoSec’s Career Video Series. We’ll see you next time.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.

Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.

Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.