Modern SOCs are highly specialised security operations centres whose objective is to detect attackers who have gained access to an organisation's devices or network. Built around complex environments, they are run by a team of cybersecurity experts, each assigned a distinct role, who coordinate operations between them. These professionals execute a sequence of specific processes, supported by tools capable of processing large volumes of data in real time, to detect, analyse and respond to attacks as quickly as possible.
The main roles in a modern SOC
Cybercriminals are always active: they lurk in systems, ready to attack as soon as an organisation lets its guard down. This means SOCs, and modern SOCs in particular, have to operate 24 hours a day, 365 days a year at the same intensity, and must ensure that the coverage provided by their teams and roles is sufficient to keep malicious activity under control. The key professionals working in a modern SOC include:
- Security Analyst:
There are three tiers of security analysts, with different responsibilities assigned to each level. Tier 1 security analysts are tasked with proactively monitoring and classifying alerts, detecting anomalies or indicators of attack, and then identifying the root cause and recommending remediation. Because Tier 1 analysts filter false positive alerts out from real incidents, their efficiency is critical. They are also responsible for configuring security and monitoring tools. Tier 2 analysts are known as investigators and work closely with the response team. They are responsible for investigating the security incident and determining what has happened, which systems are affected, which techniques have been used, and when and why. They then work with the response team to develop response and remediation measures that prevent similar attacks in the future. Tier 2 analysts also review any weaknesses found in an organisation's preventive measures with the aim of strengthening its resilience. Finally, Tier 3 analysts are regarded as the expert analysts within the SOC team. They assist Tier 2 whenever complex incidents require new behavioural data analysis and security intelligence.
- Threat Hunter:
The approach adopted by threat hunters centres on professional knowledge of key attacker techniques and behaviours rather than on detection technologies. Their job is to locate unknown and sophisticated threats that have managed to circumvent existing controls. By seeking to identify and respond to threats quickly, they assess the security of the organisation from a proactive point of view, which reduces the dwell time of a threat.
- The response team:
This specialised team is tasked with developing and deploying containment, mitigation and eradication strategies. Sometimes the response is carried out by a third team, the company's internal IT or security function, guided by the response team, which identifies the actions needed to ensure a 100% effective response that eradicates the attacker's presence from all affected systems.
- SOC Manager:
The SOC manager leads the team by performing management and operational tasks rather than specific technical tasks. This role carries out management responsibilities such as budgeting, defining strategies, managing SOC members, coordinating operations, achieving the objectives set by the company's management, purchasing solutions and tools for the SOC, reviewing incident reports, and generating reports on the SOC's activities to present to the company's management and the client's Chief Information Security Officer (CISO).
- Architecture team:
This team is responsible for creating and maintaining the architecture of the SOC's infrastructure and applications by testing, evaluating and suggesting the appropriate tools for the SOC's complex processes. In close collaboration with the other teams and experts, they suggest, assess, develop and test new tools and processes that improve efficiency in detecting sophisticated threats, speed up triage and investigation, and make a coordinated, multi-domain response more agile. This ensures that the attacker has nowhere to hide and no chance to attack again once the response team decides to eradicate the threat from the organisation. They are also sometimes tasked with ensuring security compliance, which involves documenting, adhering to and constantly updating security practices against internal and industry frameworks.
Defining tasks for optimal performance
As mentioned above, a modern SOC team should have an organisational structure that helps deploy optimised and well-executed work processes, where each member of the team knows what his or her role is so that attackers lurking inside the network can be detected and dealt with as soon as possible.
Modern SOCs automate critical yet repetitive tasks while raising the maturity and efficiency of the security operations team. These teams are also better able to plan for and administer critical equipment upgrades and expansions, lowering costs and complexity further and allowing them to provide greater value to the business. Get in touch with the Dolos team to find out more about how your organisation can build a modern SOC.