A Security Operations Centre (SOC) works 24x7 to secure an Enterprise’s digital assets. They’re both the front line and the strategic command centre. The department’s SOC teams rely on key individuals working day and night to maintain IT system integrity.
A SOC team has many roles and responsibilities that it is expected to manage across several functions. Typically, their positions cover two broad areas of responsibility:
Although companies may use different job titles, the underlying cyber security responsibilities are broadly similar.
So, if you’re tasked with building a SOC or looking for an outsourced SOC team, we’ve created a best-practice structure for the common roles and their associated tasks and duties to guide you toward SOC team success.
The SOC Manager bridges the SOC team and the rest of the business. Working with the SOC Lead, they formulate policy for the entire team, define escalation processes, and review incidents.
They’re a vital part of the auditing process. SOC Managers develop crisis communication plans for the CISO and other stakeholders. In addition to these hard deliverables, the SOC Manager should champion the team and demonstrate its value to the wider organisation.
The SOC Lead is a role that demands a big-picture view. This person is the General in the Bunker, coordinating response to threats through effective management of other team members. They run the SOC hands-on on a day-to-day basis.
Aside from leading the charge with their sleeves rolled up, their responsibilities extend to documenting processes and recording incidents.
This “eyes-on-glass” role is the front line. Your Security Analyst will actively monitor the system for suspicious activity and threats. They decide on the severity of the danger, passing more complex attacks up the chain of command and dealing with the less complex attacks themselves.
This SOC role steps in to combat higher levels of threat. Senior Security Analysts identify affected systems, review intelligence reports and identify the nature of the attack. They formulate plans to repair damaged assets, keep other assets safe, and work to remove the threat.
Security Information and Event Management (SIEM) Engineers fine-tune the SIEM tools to identify and repel threats. They also work closely with other team members, especially if the system is attacked.
Threat Hunters are the detectives in the team. They’ll use SIEM tools to review your log files in real time, finding clues as to the nature of the attack and how to repel it.
Working with all aspects of the SIEM team, they focus on containing and repelling attacks and repairing affected systems.
A key aspect of detecting the nature of the threat is identifying its origin and form. The Threat Intelligence Researcher does this, passing intelligence to the SIEM Engineer, who feeds it into the system.
The Forensic Specialist conducts thorough investigations into the nature of the attack. The intelligence gathered is often shared with authorities and used to prevent future attacks.
Red Team Specialists actively attack the system to identify vulnerabilities, using ethical hacking techniques across various penetration testing disciplines to highlight areas of weakness so other teammates can fix them.
The red team acts as an independent group that challenges the organisation to improve its effectiveness by assuming an adversarial role.
Depending on your resources and individual business requirements, the size and structure of your SOC team will vary, possibly with several roles combined into one job.
Many companies find it beneficial to fully outsource their SOC, or to support their internal team with additional external resources, rather than face the challenges of building a full SOC team.
An ‘always-on’ team with the expertise to help you hit the ground running, rapidly scale and secure your cyber security operations - without the overhead of building, training and managing a specialist team.