Working in a SOC

Whats in a SOC?

The purpose of the SOC is to monitor the network, usually using a SIEM. The SOC is not a digital forensics or incident response point, although, people wish it could be.

There are two kinds of SOCs in the private sector – in-house and MSSP. I work for the latter, providing a managed security service of a security operations center to various customers across multiple industries.

In-House vs MSSP SOC

An in-house SOC is an internal, laser focused, team of individuals with the goal of securing their network and responding to incidents. This type of SOC is often closely inter-twined with the IT or networking (NOC) departments, with the need focused solely on defense. A SOC analyst in an in-house SOC have a more specialized skill set to go along with the solutions they purchased.

A MSSP SOC is an external organization that providers managed services and expertise of security solutions & products to a wide range of customers. The MSSP SOC monitors and alerts on the services provided such as SIEM, NGFW, vulnerability management, to name a few, under negotiated SLAs and contracts. The customer can also leverage the MSSP SOC for their security knowledge and expertise when making decisions.

MSSP SOC Services

MSSP SOCs offer a range of specialized services;

  • Managed SIEM, NGFW, Vulnerability Management, etc.
  • Endpoint Detection and Response
  • Threat Hunting
  • Penetration Testing
  • 24×7 Customer Service Support

SOC Chores

When I first sit down and log in, I conduct initial health checks;

  • Read emails from previous shift, see if there were any incidents, follow up on them
  • Do a quick health check of the SIEM – are logs coming in? Is there a spike in traffic? Investigate any alarms.
  • Do a quick health check of any other managed devices
  • Briefly read the news, keep up to date with current events, check virus repositories (from Pastebin to VirusTotal), and browse through my custom Twitter lists for new virus outbreaks or threat intelligence

If everything looks okay, the daily tasks can be done;

  • Investigate and tune SIEM alarms
  • Research attack techniques and create new alarm use-case
  • Create, run, analyze, and send high-level executive reports to customers
  • Research new security products, meet vendors, enroll in partner training
  • Proactively threat hunt

How to land a gig in a SOC?

Getting a job in a SOC is a great way to start your cyber security career. A relevant college degree or certifications such as CCNA or Security+ should be enough to get you in the door as a security analyst in a SOC. Moreover, a year behind a help desk with sufficient knowledge of Windows/Linux should would be an asset.

Additional Readings

If you are interested to learn more about SOCs and how they operate, check out the following links;