Domain & Roles in Cybersecurity: SOC Analyst

Introduction

A SOC analyst is a professional who works in a security operations center (SOC) or a computer emergency response team (CERT) to protect an organization’s information systems and networks from threats, attacks, and unauthorized access. SOC analysts may specialize in offensive or defensive security and are responsible for designing, implementing, and maintaining an organization’s security defenses.

SOC analysts are highly skilled professionals who develop security policies and procedures, monitor network traffic, and identify and respond to security incidents. They use a range of tools and techniques to detect and prevent threats, including intrusion detection and prevention systems (IDS/IPS), security information and event management (SIEM) systems, and vulnerability scanners.

A typical day in the life of a SOC analyst may involve monitoring alerts from security systems, investigating potential security incidents, and responding to security breaches. Additionally, SOC analysts may work closely with other IT professionals, such as network administrators and system engineers, to implement security controls and ensure compliance with security policies and regulations.

Roadmap to a SOC Analyst

Learn the basics of computer networking, operating systems, and programming languages such as Python, C, and Bash.

Networking

Networking encompasses the architecture, protocols, and technologies that facilitate the connection of devices, systems, and applications within an organization’s network infrastructure. A profound comprehension of networking concepts is pivotal for SOC analysts as it empowers them to monitor and detect security threats, scrutinize security incidents, and counteract security breaches adeptly. Personally, I hold networking in high esteem as it serves as the backbone of cybersecurity. Proficiency in networking skills can serve as a stepping stone to other roles, and I highly recommend it to anyone.

Here are some key networking concepts that SOC analysts should be familiar with:

1. TCP/IP: The Transmission Control Protocol/Internet Protocol is the foundational protocol suite used to enable communication between devices on the internet and private networks.
2. Network Architecture: The structure of a network, including the physical components (such as routers, switches, and firewalls) and logical components (such as subnets and VLANs).
3. OSI Model: The Open Systems Interconnection model is a reference model for network communication, consisting of seven layers (Physical, Data Link, Network, Transport, Session, Presentation, and Application) that describe the functions of networking protocols.
4. DNS: The Domain Name System is a hierarchical naming system used to translate domain names into IP addresses.
5. Routing and Switching: The process of forwarding network traffic between devices within a network and between networks.
6. Wireless Networking: The technologies and protocols used to enable wireless communication between devices, such as Wi-Fi and Bluetooth.

Operating Systems

Windows is a crucial operating system for SOC analysts to learn, given its prevalence in business environments. It is widely used on desktops, laptops, and servers in organizations of all sizes, making it an attractive target for cybercriminals. To counter this, SOC analysts need to possess a comprehensive understanding of the Windows OS architecture, features, and security mechanisms to effectively safeguard Windows-based systems from security threats. Therefore, SOC analysts need to have a comprehensive understanding of Windows security features and configurations, specific techniques for threat hunting in Windows, the ability to troubleshoot Windows-based systems, and proficiency in analyzing Windows logs to identify and address security threats.

Linux is widely used in enterprise environments, making it crucial for SOC analysts to understand its intricacies to secure critical operations effectively. Many SOC security tools run on Linux, which allows SOC analysts to customize and use them efficiently. Linux is highly customizable and secure, and SOC analysts must leverage its security features to protect their organization’s systems. Linux skills are in high demand, and mastering Linux can boost a SOC analyst’s career opportunities.

Here are some key OS concepts that SOC analysts should be familiar with:

1. File Systems: The structures used to organize and store data on storage devices.
2. Processes: The programs running on a computer system, including system processes and user processes.
3. User Management: The management of user accounts and privileges on a system, including authentication and authorization.
4. A Command-Line Interface (CLI) is a method of interacting with a computer system using text-based commands, instead of relying on a graphical user interface (GUI). Examples of CLI programs include PowerShell and Bash.
5. Patch Management: The process of identifying, testing, and deploying software updates (patches) to address security vulnerabilities.

Security Tools

To enhance your cybersecurity skills, it’s important to learn about various security tools such as intrusion detection systems (IDS), security information and event management (SIEM), firewalls, and more. 

1. IDS/IPS — A SOC analyst might use an IDS/IPS to monitor network traffic for known malicious patterns or behaviors. For example, they might configure the IDS/IPS to alert them when a specific type of attack or malware is detected, such as a SQL injection or ransomware. They might also use the IDS/IPS to block traffic from known malicious IP addresses or to quarantine infected endpoints.
2. SIEM — A SOC analyst might use a SIEM to collect and analyze log data from various sources, such as firewalls, servers, and endpoints. They might configure the SIEM to generate alerts when certain events occur, such as failed logins, unauthorized access attempts, or unusual network traffic patterns. They might also use the SIEM to investigate security incidents by searching for relevant log data and correlating events across multiple sources.
3. Vulnerability Scanner — A SOC analyst might use a vulnerability scanner to scan their organization’s network, applications, and systems for known vulnerabilities. They might use the scanner to generate reports on the vulnerabilities detected and prioritize them based on their severity. They might also use the scanner to track the status of remediation efforts and to re-scan systems after patches or updates are applied.
4. Forensic Tools — A SOC analyst might use forensic tools to investigate security incidents and gather evidence. For example, they might use a packet capture tool to capture and analyze network traffic related to a specific incident. They might also use a file analysis tool to examine suspicious files or malware samples and identify their behavior and capabilities.
5. Threat Intelligence Tools — A SOC analyst might use threat intelligence tools to gather and analyze data on potential security threats from external sources. They might use the tool to monitor social media or underground forums for discussions of new attack techniques or malware variants. They might also use the tool to track the activities of known threat actors or to gather information on emerging threat trends.

Programming Languages

Learning programming can enhance abilities to effectively analyze and respond to security incidents. Programming skills can allow a SOC analyst to write scripts and develop tools that can automate repetitive tasks, extract data from logs and other sources, and perform custom analysis of security data.

A SOC analyst with programming skills can develop scripts that automatically parse and analyze security logs for indicators of compromise or develop custom tools that can extract and analyze data from network traffic. Additionally, programming skills can enable SOC analysts to work with APIs to integrate different security tools and automate incident response workflows.

Moreover, programming skills can help SOC analysts to better understand the inner workings of security tools and how they operate, which can help in customizing and configuring them to meet specific organizational needs.

Here are some key programming concepts that SOC analysts should be familiar with:

1. Variables: Containers for storing data, such as integers, strings, and arrays.
2. Conditional Statements: Statements used to control the flow of a program based on specific conditions, such as if/else statements.
3. Loops: Statements used to repeat a block of code until a specific condition is met, such as for and while loops.
4. Functions: Blocks of code that can be reused throughout a program, making it more modular and easier to maintain.
5. Regular Expressions: Patterns used to match and manipulate text data, such as email addresses or IP addresses.

Enhancing Skills

SOC Analysts have a variety of avenues to pivot into, depending on their interests and career goals. Some of these avenues include:

1. Incident response: SOC analysts can transition into incident response roles, where they investigate and respond to security incidents, identify the root cause of security breaches, and develop strategies to prevent future incidents.
2. Security engineering: SOC analysts can transition into security engineering roles, where they design and implement security controls and technologies to protect an organization’s IT infrastructure.
3. Threat intelligence: SOC analysts can transition into threat intelligence roles, where they gather and analyze data on potential security threats to identify emerging risks and develop strategies to mitigate them.
4. Security architecture: SOC analysts can transition into security architecture roles, where they design and implement security systems and processes to protect an organization’s IT infrastructure from threats.

Obtain Certifications

Certifications allow SOC analysts to demonstrate their expertise in cybersecurity, meet industry standards, stay current with industry developments through ongoing education and training, and advance their career opportunities. They show employers and colleagues that the SOC analyst has a specific level of knowledge and skill in a particular area, and are often required for specific job roles. Certain certifications, such as those from ISC2 and GIAC, are highly valued by employers and can lead to higher salaries and more job opportunities.

Note: Rather than chasing after numerous certifications, I recommend obtaining certifications that are necessary for your chosen career path and that provide quick knowledge acquisition. However, the key to success lies in taking what you learn and applying it in a lab environment, teaching others, or using other means to enhance your skills and career development. This practical application of knowledge will be your bread and butter for success.

• CompTIA: Network+, Security+, CySA+
• Cisco: CCNA, Cisco CyberOps Associate
• eLearnSecurity: eNDP, eCIR, eCRE, eCDFP, eWDP, eCMAP, eCTHPv2
• TCM Security: PJMR
• Security Blue Team: BTL(1, 2, 3)
• CyberWarFare Labs: CCSA and CPTA
• Splunk Certifications

Practical Experience

1. Training / Platforms: TryHackMe, HackTheBox, Pentester’s Academy, CyberWarFare Labs — These platforms have GREAT courses and training pathways for cyber defense, SOC, and other security avenues. 10/10 recommend, defintely check them out.
2. Joining a cybersecurity or IT security club: There’s many organizations that have cybersecurity clubs where students can gain hands-on experience in simulated cyber attack scenarios.
3. Participating in capture the flag (CTF) competitions: CTF competitions are a great way to gain practical experience in identifying and solving security challenges. Many CTFs are available online, and some are specific to certain skill levels or industries.
4. Building a lab environment: SOC analysts can build their own lab environment to simulate various security scenarios and practice their skills — CyberWox lab, The Cyber Mentor lab
5. Participating in internships or work-study programs: SOC analysts can gain practical experience through internships or work-study programs, which allow them to work alongside experienced professionals and gain hands-on experience in real-world scenarios.
6. Conducting security research and reporting vulnerabilities: SOC analysts can contribute to the security community by researching and reporting security vulnerabilities in products or services, and providing recommendations for remediation.
7. Volunteering for cybersecurity events: SOC analysts can volunteer for cybersecurity events, such as security conferences or meetups, which provide opportunities to network with other professionals and gain practical experience in a collaborative setting.
8. Participating in online communities: SOC analysts can participate in online communities, such as discords, social media groups, etc to gain insights and learn from other professionals in the industry.

Wrapping Up

While the path to becoming a SOC Analyst may not be the same for everyone, there are key steps to focus on such as mastering IT fundamentals and exploring various career routes. By doing so, one can create a tailored career path that aligns with their interests and goals. I hope this guide has provided useful insights on how to embark on a journey towards becoming a SOC Analyst. Thank you for taking the time to read this.

Footer

My name is Quinyon Nave, aka Digital Quinn, and I am an Active Duty Soldier and the Founder of Nave Security. I want to be a cybersecurity pioneer and teach others about data and information security. My other professional ambition is to research the brain and create new forms of neuro-biomedical technology. I am an outspoken proponent of self-love and self-care, and I am on a mission to spread positivity throughout the world.