SOC Analyst: Job Description, Skills, and 5 Key Responsibilities

A security operations center (SOC) analyst is a central role in modern security teams. SOC analysts are on the front line of cyber defense, detecting and responding to cyber attacks as they happen. Read on to understand the role, its responsibilities, and what it takes to be a great SOC analyst.

SOC analyst job description

SOC analysts are the first to respond to cyber security incidents. They report on cyberthreats and implement any changes needed to protect the organization.

Job duties of SOC analysts include:

• Threat and vulnerability analysis.
• Investigating, documenting, and reporting on any information security (InfoSec) issues as well as emerging trends.
• Analysis and response to previously unknown hardware and software vulnerabilities.
• Preparing disaster recovery plans.

SOC analysts are considered the last line of defense and they usually work as part of a large security team, working alongside security managers and cybersecurity engineers. Typically, SOC analysts report to the company’s chief information security officer (CISO).

SOC analysts need to be detail oriented because they are responsible for monitoring many aspects simultaneously. They need to watch the protected network and respond to threats and events. The level of responsibility typically depends on the size of the organization.

SOC analyst career path

A security operations center typically assigns analysts to three or four tiers:

• Tier 1 support security analyst — receives and looks into alerts daily. Reviews the most recent SIEM alerts to see their relevance and urgency. Carries out triage to ensure that a genuine security incident is occurring. Oversees and configures security monitoring tools.
• Tier 2 support security analyst — addresses real security incidents. Evaluates incidents identified by tier 1 analysts. Uses threat intelligence such as updated rules and indicators of compromise (IOCs) to pinpoint affected systems and the extent of the attack. Analyzes running processes and configs on affected systems. Carries out in-depth threat intelligence analysis to find the perpetrator, the type of attack, and the data or systems impacted. Creates and implements a strategy for containment and recovery.
• Tier 3 security analyst — more experienced than a tier 2 analyst. Deals with critical incidents. Carries out vulnerability assessments and penetration tests to assess the resilience of the organization and to isolate areas of weakness that need attention. Reviews alerts, threat intelligence, and security data. Identifies threats that have entered the network, and security gaps and vulnerabilities currently unknown.
• Incident response manager — manages and prioritizes actions during isolation, analysis, and containment of an incident. They also communicate any special requirements of high severity incidents to both internal and external stakeholders.

5 responsibilities of SOC analysts

SOC analysts ensure that possible security incidents are accurately identified, analyzed, guarded against, investigated and made known.

1. Implement and manage security tools

SOC analysts should have access to a suite of technology products that provide insight into the organization’s security environment. They should be trained or certified on the relevant security tools and be able to operate them effectively.

Basic security tools include firewalls, intrusion detection and prevention technology, threat and vulnerability management tools, data loss prevention tools, filtering technologies, traffic inspection solutions, reporting technology and data analytics platforms. The SOC may also have access to enterprise forensic tools that support incident response investigations.

On top of this toolset, a SIEM solution can help aggregate security events and generate alerts for analysts to investigate. Next-generation SIEM tools include new capabilities like user and entity behavior analytics (UEBA) and security orchestration and automation (SOAR), which can save time for analysts and help identify threats that traditional tools could not. For an example of a next-gen SIEM solution that includes UEBA and SOAR, see Exabeam’s Security Operations Platform.

2. Investigate suspicious activities, contain and prevent them

With the assistance of security monitoring tools, SOC analysts look into suspicious activity within IT systems and networks. Typically, they do this by receiving and analyzing alerts from the SIEM, which may contain signs of compromise and related threat intelligence. Analysts perform triage on alerts, understand the extent of the threat, and respond, or if necessary, escalate the incident to higher-tier analysts.

SOC personnel may not be able to entirely stop threats from entering their network, but they can stop threats from spreading. If a network system is compromised, SOC analysts should identify the infected hosts and prevent them from affecting the rest of the network. Analysts can use controls on switches, routers, and virtual local area networks (VLANs) to stop the threat from spreading.

SOC analysts should correlate and validate alerts to ensure they represent relevant security incidents. Part of an analyst’s role is to contextualize events within the network environment of the business, understand their impact on the business, and coordinate response activities with key staff in real time.

3. Reduce downtime and ensure business continuity

Businesses need to ensure their network and systems run with minimal or no downtime. It was once possible to shut down a mail server infected by a virus for cleanup, but in today’s environment the business cannot sustain downtime of critical infrastructure.

In the event of a breach, SOC analysts are responsible for proactively notifying the appropriate business stakeholders about serious security events. If possible, risks are mitigated before security events reach key business infrastructure, and if they do reach critical systems, redundancy must be in place to ensure business continuity.

4. Providing security services to the rest of the organization

SOCs ideally function as shared service centers that provide value to business stakeholders and help them meet their agendas. SOCs are cross-functional organizations that centralize operations carried out by different departments. SOC analysts play a crucial role in providing this service.

Organizations should empower analysts and enable them to take responsibility for security incidents, oversee communication, and guide interactions with individuals from IT, IR, HR, legal, compliance and other groups. A clear line of authority can limit confusion during critical emergency actions, such as connectivity termination or complete system shutdown.

5. Audit and compliance support

SOC analysts are often responsible for auditing systems to meet compliance requirements for government, corporate and industry regulations such as SB 1386, HIPAA, and Sarbanes-Oxley. Efficient access to threat information, patch levels, identity and access control data is essential for compliance.

In the past, SOC analysts used documentation templates to create new documentation for an audit. This process is error prone and time-consuming. Modern SOCs leverage security tools such as the SIEM, which aggregates security data from across the organization and makes it easy for analysts to generate compliance audits and reports.

For example, here’s how Exabeam’s next-generation SIEM solution provides support for compliance with GDPR, PCI DSS, SOX, and more.

SOC analyst skills

Here are several must-have skills all SOC analysts need:

• Network defense – must have the ability to defend the network. Tasks include monitoring, discovering, and analyzing possible threats. A SOC analyst should have the skills needed to maintain secure network traffic and respond to suspicious activities. 
• Ethical hacking – must know how to detect threats and report vulnerabilities in a manner that ensures the organization remains protected from attacks. SOC analysts should know how to perform perpetration testing for systems, web applications, and networks to find vulnerabilities.
• Incident response – must be able to manage several effects of breaches in a manner that reduces the impact of breaches. SOC analysts should also be able to provide recommendations that can help prevent future security breaches.
• Computer forensics – must be familiar with computer forensic techniques that can help prevent cybercrime. Tasks include collecting, analyzing, and reporting security data. 
• Reverse engineering – must be able to read and understand the operation and performance parameters of software programs, and at a higher level of skill, should be able to reverse-engineer malware. 

Tier 1 SOC analysts serve as the first responders during security events and when analysis of cyberattacks is required. They review incident alerts, run vulnerability tests, and escalate severe incidents to senior analysts in Tier 2. 

Here are the main skills required by Tier 1 and Tier 2 analysts:

• Tier 1 SOC analysts – must have administrative skills in several operating systems, such as Windows, OS X, and Linux. Tier 1 SOC analysts are proficient in several programming languages, including Python, C, C#, Java, Ruby on Rails, Perl, and PHP. These professionals are required to handle common security incidents independently.
• Tier 2 SOC analysts – also called ‘incident responders.’ These professionals review tickets received from Tier 1 analysts, which represent more severe security incidents or those requiring in-depth investigation. Tier SOC 2 analysts are responsible for gathering all details needed to assess the scope of a cyberattack and respond to severe attacks or those with high business impact.

SOC analyst certification and training

A common requirement for SOC analysts is a bachelor’s degree in computer science or computer engineering, and practical experience in IT and networking roles. 

In addition, the following certifications are recognized or required by many employers:

• Cisco Certified CyberOps Associate – provides practical knowledge about real world tasks performed in SOC environments
• EC-Council Certified SOC Analyst (CSA) – a three-day program, covering both entry-level and intermediate tasks for Tier 1 and Tier 2 analysts.
• EC-Council Certified Ethical Hacker – teaches emerging attack vectors, tools used by hackers and penetration testers, and practical experience in malware analysis.
• CompTIA Security+ – trains candidates to perform the entire security lifecycle in a modern IT environment. Compliant with ISO 17024 and approved for US Department of Defense 8570 compliance.

Exabeam helps organizations get the most out of their current SOC team by automating cumbersome, time-consuming, and prone-to-error manual tasks enabling security analysts to spend more time putting their specialized skills to use.  

Learn More about Security Operations Centers

See our additional guides about key SOC topics:

• Complete Guide to Security Operations Centers
• The SOC Team
• SOC and SIEM