A Security Operations Centre (SOC) works 24/7 to keep an enterprise's digital assets secure. It is both the front line and the strategic command centre, and it relies on key individuals working day and night to maintain the integrity of IT systems.
A SOC team manages many roles and responsibilities across several functions. Typically, these fall into two broad areas:
- Ongoing security monitoring and analysis: detecting, analysing and responding to security incidents using a combination of people, processes and technology.
- Proactive investigation of suspicious activity, ensuring that potential security incidents are identified, analysed, investigated, contained and escalated so that your infrastructure stays secure.
What are the SOC team roles?
Although companies name job titles differently, every business needs the same set of responsibilities covered when it comes to cyber security.
So, whether you are tasked with building a SOC or looking for an outsourced SOC team, here we take a look at a best-practice structure of the common roles and their associated tasks and duties to guide you on your path to SOC team success.
SOC Manager:
The SOC Manager is the bridge between the SOC team and the rest of the business. Working with the SOC Lead, they set policy for the entire team, define the escalation processes and review incidents.
They are a vital part of the auditing process, and they develop crisis communication plans for the CISO and other stakeholders. Aside from these hard deliverables, the SOC Manager should also champion the team and demonstrate its value to the wider organisation.
SOC Lead:
The SOC Lead is a role that demands a big-picture view. This person is the general in the bunker, coordinating the response to threats by managing the other team members effectively. They run the SOC on a day-to-day basis, hands-on.
Aside from leading the charge with their sleeves rolled up, their responsibilities extend to documenting processes and recording incidents.
Security Analyst:
This "eyes on glass" role is the front line. Your Security Analyst actively monitors systems for suspicious activity and threats, triages each alert and makes the initial decision on its severity, handling the less complex incidents themselves and passing more complex attacks up the chain of command.
Senior Security Analyst:
This SOC role steps in to handle escalated, higher-severity threats. Senior Security Analysts identify the affected systems, review intelligence reports and establish the nature of the attack. They formulate plans to repair damaged assets, keep other assets safe and remove the threat.
SIEM Engineer:
Security Information and Event Management (SIEM) Engineers build, tune and maintain the SIEM tooling used to identify and repel threats: onboarding log sources, writing and tuning detection rules, and cutting false positives so that the analysts see the alerts that matter. They work closely with other members of the team, especially when the system is under attack.
Threat Hunter:
Threat Hunters are the detectives of the team. Rather than waiting for an alert, they proactively search your logs and telemetry through the SIEM for signs of attacker activity that automated detection has missed, finding clues as to the nature of an attack and how to repel it.
Working with the SIEM Engineer and the analysts, their findings feed new detection rules and drive the containment of attacks and the repair of affected systems.
Threat Intel Researcher:
A key aspect of understanding a threat is identifying its origin and form. This is the role of the Threat Intel Researcher, who gathers and assesses intelligence (for example, indicators of compromise such as attacker IP addresses, domains and file hashes) and passes it to the SIEM Engineer, who in turn feeds it into the SIEM's detection rules.
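The hand-off described above, from the Threat Intel Researcher's indicators to a detection the SIEM Engineer runs over the logs that the analysts triage, can be illustrated with a small indicator-matching routine. The code below is an added example and is not from the original article or from any SIEM product; the log format (timestamp, source IP, destination host, destination IP, HTTP status, optional SHA-256 of a downloaded file), the indicator feed and the confidence threshold for escalation are all constructed assumptions for illustration.

```python
"""Added example: match threat-intel indicators against proxy log lines.

Everything here is hypothetical and constructed for illustration:
- log lines are whitespace-separated:
    <timestamp> <src_ip> <dst_host> <dst_ip> <http_status> <sha256-or-dash>
- the intel feed is a list of Indicator records with a 0-100 confidence score
- matches at confidence >= 80 are rated "high" (escalate to a senior analyst),
  anything else "medium" (first-line analyst triage)
"""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Indicator:
    kind: str         # "ip", "domain" or "sha256"
    value: str
    confidence: int   # analyst-assessed confidence, 0-100


@dataclass
class Alert:
    timestamp: str
    src_ip: str
    matched: Indicator
    field: str        # which log field matched
    severity: str     # "high" or "medium"


def normalise(kind: str, value: str) -> str:
    """Canonicalise a value so that feed and log spellings compare equal."""
    value = value.strip().lower()
    if kind == "ip":
        return str(ipaddress.ip_address(value))   # raises ValueError if not an IP
    if kind == "domain":
        return value.rstrip(".")
    if kind == "sha256":
        if not re.fullmatch(r"[0-9a-f]{64}", value):
            raise ValueError("not a sha256 hex digest")
        return value
    raise ValueError(f"unknown indicator kind {kind!r}")


def build_index(indicators):
    """Index the feed by (kind, normalised value) for O(1) lookups per field."""
    return {(ind.kind, normalise(ind.kind, ind.value)): ind for ind in indicators}


def parse_line(line: str):
    """Return a dict for a well-formed line, or None so a bad line cannot crash the pipeline."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src_ip, dst_host, dst_ip, _status, sha = parts
    return {"timestamp": ts, "src_ip": src_ip, "dst_host": dst_host,
            "dst_ip": dst_ip, "sha256": None if sha == "-" else sha}


def candidate_keys(event):
    """Yield (kind, value, field) lookups for one event.

    Domain indicators match the full host and every parent domain except the
    bare TLD, so an indicator for bad-cdn.test also catches update.bad-cdn.test.
    """
    yield ("ip", event["dst_ip"], "dst_ip")
    labels = event["dst_host"].lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ("domain", ".".join(labels[i:]), "dst_host")
    if event["sha256"]:
        yield ("sha256", event["sha256"], "sha256")


def severity_for(ind: Indicator) -> str:
    return "high" if ind.confidence >= 80 else "medium"


def scan_logs(lines, indicators):
    """Run every log line against the indicator index and return the alerts raised."""
    index = build_index(indicators)
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for kind, value, field in candidate_keys(event):
            try:
                key = (kind, normalise(kind, value))
            except ValueError:       # malformed field in the log, not a match
                continue
            ind = index.get(key)
            if ind is not None:
                alerts.append(Alert(event["timestamp"], event["src_ip"], ind, field, severity_for(ind)))
    return alerts


# Constructed sample feed and log lines (documentation/test address ranges only).
INDICATORS = [
    Indicator("ip", "203.0.113.45", 90),
    Indicator("domain", "bad-cdn.test", 70),
    Indicator("sha256", "deadbeef" * 8, 95),
]
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z 10.0.0.5 intranet.corp.example 10.0.0.20 200 -",
    "2024-05-01T10:00:07Z 10.0.0.7 update.bad-cdn.test 203.0.113.45 200 -",
    "2024-05-01T10:00:09Z 10.0.0.9 files.partner.example 198.51.100.10 200 " + "deadbeef" * 8,
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS, INDICATORS):
        print(f"{alert.severity.upper():6} {alert.timestamp} {alert.src_ip} "
              f"{alert.field}={alert.matched.value} (confidence {alert.matched.confidence})")
```

The second sample line raises two alerts (a high-confidence IP match and a medium-confidence parent-domain match), which is the point of the hand-off: the SIEM Engineer decides how such matches are rated and routed, and the analysts then see one escalated alert and one for first-line triage rather than raw indicator hits.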
Forensic Specialist:
The Forensic Specialist conducts thorough investigations into the nature of an attack, preserving evidence so that the findings stand up to scrutiny. Intelligence gathered is often shared with the authorities and used as a basis for preventing future attacks.
Red Team Specialists:
Red Team Specialists actively attack the system to identify vulnerabilities, using ethical hacking techniques across the various types of penetration test to highlight areas of weakness so that the rest of the team can fix them.
The red team acts as an independent group, assuming an adversarial role to challenge the organisation and improve its defensive effectiveness.
SOC roles and your business
Depending on your resources and individual business requirements, the size and structure of your SOC team will vary, possibly with several roles combined into one job.
To avoid the challenges of building a full SOC team, many companies find it beneficial either to fully outsource their SOC or to supplement their internal team with additional external resource.
Why outsource some or all of your SOC team?
- Cost efficient: Outsourcing saves you the expense of recruiting and training specialist staff.
- Saves time: Outsourced providers work round the clock and have the expertise to get the work done.
- Faster and expert quality: Outsourced providers tend to be experts in their field, work efficiently to a high standard and can be relied upon.
- Priorities: Outsourcing allows you to focus on other important activities, such as ensuring your cyber security improvement programmes are up to date and running efficiently.
Looking for a UK SOC team?
An 'always-on' team with the expertise to help you hit the ground running, scale rapidly and secure your cyber security operations, without the overhead of building, training and managing a specialist team.
About Comtact Ltd.
Comtact Ltd. is a specialist Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.