
It's great to be a soc analyst

Stigma

There’s a strange stigma in the cybersecurity industry that SOC analysts are the least knowledgeable of all departments: that working in a SOC is just where you start your career, and that you should move out of that department as quickly as possible. There’s even a stigma that if you stay in a SOC for too long, it is an indication that you’re not good enough to move to other teams.


SOC - lifelong career

I do believe that working in a SOC can be a lifelong career. Working in a SOC does not mean that everyone is a tier 1 analyst doing nothing but working the queue forever. Working in a SOC can touch many different areas of expertise, including but not limited to, threat hunting, forensics, incident response, threat intelligence, policy development, and more.


My experience

Having worked in two SOCs, most recently as a senior / principal analyst (T2/T3), I have touched many areas of cybersecurity. I have led my own incidents as Incident Commander (IC), developed a well-defined process for human-centric threat hunting, assisted the Incident Response (IR) team during engagements, led detection engineering efforts, developed Python code to significantly improve efficiency, and more. Working in a SOC does not inherently mean that you’re limited to a queue.


SOC diversity

SOCs can be wildly different from each other. There do exist SOCs where, as a T1, you are extremely limited in what you can do. On the opposite end, there are tier-less SOCs where a brand new analyst is given significant freedom not only to work but also to learn.


Benefits of working in a SOC

There are many benefits. Below I describe two specific ones that I think are of especially high value.

Ability to touch various topics

If you don’t want to be siloed into one specific role, a SOC can be a great place to be. For example, as a reverse engineer, your role might be to only reverse malware. As an incident responder, if you don’t have an engagement going on, there could be no work to be done outside of preparing for future engagements. Within a SOC, more specifically within senior roles (T2/T3), you’re typically given more freedom to work on just about anything.

Lean and mean operations

I don’t think you could ever say a SOC has reached peak potential or peak efficiency. There is always going to be a new data source, a new detection, a new system, a new process. Even during moments when there isn’t something new to work on, there’s always room for improvement in efficiency, documentation, processes, etc. I believe that working on this for an organization is a form of art as well as a form of science. There’s so much technology and so many people working together for this one mission: protecting your company and your customers. This art, this passion, can fuel a happy and lifelong career filled with technical knowledge and experience.


It’s okay

If you’re a SOC analyst, it’s okay to be a SOC analyst. Not only is it okay, it’s okay to be proud. You don’t have to leave the SOC for a more specialized department just because that’s the expectation. If you like the SOC and see yourself continuing to work in the SOC for years to come, that’s okay.