A security operations center (SOC) is an organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks. Structurally, a SOC (usually pronounced “sock”) often exists as its own separate unit or within a CSIRT. You may be familiar with the term blue team, which refers to the security professionals who are responsible for defending against all security threats and attacks at an organization. A SOC is involved in various types of blue team activities, such as network monitoring, analysis, and response to incidents.
SOC organization#
A SOC is composed of SOC analysts, SOC leads, and SOC managers. Each role has its own respective responsibilities. SOC analysts are grouped into three different tiers.
Tier 1 SOC analyst
The first tier is composed of the least experienced SOC analysts who are known as level 1s (L1s). They are responsible for:
- Monitoring, reviewing, and prioritizing alerts based on criticality or severity
- Creating and closing alerts using ticketing systems
- Escalating alert tickets to Tier 2 or Tier 3
Tier 2 SOC analyst
The second tier comprises the more experienced SOC analysts, or level 2s (L2s). They are responsible for: - Receiving escalated tickets from L1 and conducting deeper investigations
- Configuring and refining security tools
- Reporting to the SOC Lead
Tier 3 SOC lead
The third tier of a SOC is composed of the SOC leads, or level 3s (L3s). These highly experienced professionals are responsible for: - Managing the operations of their team
- Exploring methods of detection by performing advanced detection techniques, such as malware and forensics analysis
- Reporting to the SOC manager
SOC manager
The SOC manager is at the top of the pyramid and is responsible for: - Hiring, training, and evaluating the SOC team members
- Creating performance metrics and managing the performance of the SOC team
- Developing reports related to incidents, compliance, and auditing
- Communicating findings to stakeholders such as executive management
Other roles
SOCs can also contain other specialized roles such as: - Forensic investigators: Forensic investigators are commonly L2s and L3s who collect, preserve, and analyze digital evidence related to security incidents to determine what happened.
- Threat hunters: Threat hunters are typically L3s who work to detect, analyze, and defend against new and advanced cybersecurity threats using threat intelligence.
Note: Just like CSIRTs, the organizational structure of a SOC can differ depending on the organization.
Resources#
- The security operations ecosystem ↗
- Cyber career pathways tool ↗
- Detection and Response ↗ at Google: Episode 2 of the Hacking Google ↗ series of videos