If you’ve ever seen a movie featuring a hacker who penetrates a high-profile system, only to be thwarted by the witty yet unlikely tech hero, then you already have a rough picture of what a security operations center, or SOC, is about. (Think Live Free and Die Hard.) While Hollywood doesn’t always get it right, these movies at least offer a basis for what it’s like working in a SOC. But not every day can be fraught with danger and cinematic drama. Sometimes, it’s just business as usual.
Even without manufactured drama, working in a SOC can be quite exciting. Days are frequently whiled away with incident response and management. If you like being at the helm when difficult problems arise, then a SOC career may be awaiting you.
But it’s important to remember that being a cybersecurity professional isn’t just a job, it’s a lifestyle. According to Exabeam’s Cybersecurity Professionals Salary, Skills and Stress Survey, 96% of cybersecurity pros are happy with the job and the responsibilities associated with it. But what does that look like on the day-to-day? This is what real life looks like in a SOC.
Morning in the SOC
Mornings in the security operations center often begin with night-shift hand-off tasks and debriefing. Typically, this consists of reviewing log files, network resources and intrusion detection systems. This may also include following up on reports from the help desk. It’s the job of the cybersecurity professional to monitor activities and look for red flags indicating a possible incident.
“To start out, you might be watching different systems, or you might be working on a report to get out to the business on a larger level,” said Exabeam security strategist Samantha Humphries, who shared insight about the demands of working in the SOC. She added that the tasks vary greatly, and it can be difficult to identify a regular schedule. But it’s that lack of predictability that many find enticing when considering a job in cybersecurity.
“There’s rarely a dull day, but some are quieter than others,” she said.
If all is quiet on the incident front, SOC workers often spend their time communicating with stakeholders, compiling reports or enhancing their knowledge with current research. Well-run SOCs keep professional development in continuous play, such as capture the flag events (internal or joint external exercises). Some will have you study for cybersecurity certification exams during work hours. Others will have you research specific malware types and run reverse-engineering projects. A well-run SOC is one where the analysts come first and where skills development within the ranks is gamified.
Encountering an Incident
When an incident is encountered, time becomes one of the most critical factors. How quickly can you take action? What needs to be done first? Who’s calling the shots? Minutes often make a huge difference when you’re talking about a breach, and a level head is a necessity.
“The ability to deal with stress is a must have,” Humphries said. Working in the SOC also means being able to think on your feet and engage in active problem solving.
But threat management goes further than that. You have to strike the delicate balance of knowing what to flag and when.
“You have to be able to decide what needs attention and what can be logged as regular activity. A big part of it is trying to ascertain what needs to be escalated to someone more senior and what can be closed out,” she said. Knowing what constitutes an escalation and what doesn’t is a key part of working in a SOC.
Midday in the SOC
Once an incident has been verified, it’s time to enter management mode. You need to communicate with stakeholders and work the situation.
Communicate About the Incident
The first thing you need to do is communicate. While it can sometimes seem counterintuitive to communicate first, it’s exceptionally important to educate and instruct stakeholders and users regarding what is taking place. Identify any restrictions and clearly outline expectations to prevent further damage to the business.
“If you’re running the incident, you’ve got a lot of stakeholders who care about what’s going on, and you’ve got lots of people who are worried about that,” Humphries said. “Communication skills are really, really important.”
Richard Cassidy, Exabeam’s senior director of security strategy, noted that communication is one of the most important aspects of incident response.
“Especially outside of the security operation center walls, being able to communicate in a way that users understand is so important,” he commented. “You may be looking at it from an IT perspective, but it’s good to put the incident in terms of the business.”
Cassidy recommended that communications be concise and action-oriented. They should provide detail about what needs to be done and the risks of inaction. Overall, your communication should focus on business impact – what does this risk mean to the business?
Work the Incident
Working the incident is the adrenaline-rush portion of the job. Things get very tight, and it often requires undivided attention. Sometimes this means devoting yourself entirely to incident management, which can lead to long hours.
Humphries warned that “breaches generally don’t last a day, and you do work long hours when an incident takes place.” In fact, according to Exabeam’s report, working long hours is the most common complaint noted by cybersecurity professionals, with 35% stating it’s the least satisfying aspect of their job.
Despite the minor dissatisfaction, working the incident is often the most exciting and desirable part of the job.
“It’s very exciting, it’s tiring, it’s emotional…but there’s also a wonderful point when you get to the end of it, which can be extremely satisfying,” Humphries said.
Cassidy cautioned that it’s important to consider the real-life implications of an incident. He recalled working a situation that impacted a healthcare organization where patients’ lives were actually at stake.
“The most harrowing incident I worked on – they couldn’t get people medicine because things were down,” he said. “Then we had to start looking at moving people out of the facility.” At the end of the day, we’re still talking about the effect breaches and incidents have on real lives.
End of Day in the SOC
In the SOC, the day is likely to wrap up with a successful conclusion and incident resolution. But resolution alone does not mean the problem is over. True closure occurs when the incident is contained and you have put measures in place to prevent the situation from taking place all over again. Humphries advised that you conduct an analysis after the incident to determine mitigation efforts.
“The vital part is that you learn from it and put measures in place to make sure the same thing doesn’t happen again,” she warned.
With any energy remaining, SOC professionals compile an incident report, alert stakeholders of the resolution and engage with the security community to share wins and areas for improvement.
Words of Advice from the SOC
Most of those working in the field say they would recommend a career in cybersecurity. According to Exabeam, 85% of participants recommend it to others. If you do choose to pursue this path, here is some advice.
There are mixed feelings regarding the need to follow the degree path as an entrance into cybersecurity. While degrees aren’t frowned upon by any means, they don’t always validate the needed cybersecurity skills because the threat landscape changes so rapidly.
To truly be a good security operations center analyst, you have to stay up on the latest developments.
“A degree is great, but you must supplement it with more modern research,” Cassidy said. CompTIA certifications are beneficial for helping you build skills without going the long educational path of a degree.
Practice Your Cybersecurity Skills
One of the most common pieces of advice that comes from SOC analysts is that you must practice your skills. Exabeam’s survey uncovered that the most frequently given advice from practitioners was to keep learning (65%).
A close second piece of advice was to get hands-on experience (56%). Practice in any way you can. Cassidy strongly urged anyone wanting to work in the SOC to think creatively and practice in any and every way possible.
“Take part in online learning or professional development. Test your skills and take opportunities to develop them in whatever way you can,” he said. “To me, that’s almost as valuable as experience.”
Engage in the Cybersecurity Community
The cybersecurity community is a tight-knit group, and cybersecurity pros readily share their knowledge with each other. Humphries advises aspiring SOC analysts to engage in communities. She recommends looking into BSides and DEF CON, finding experts to follow on Twitter, checking out podcasts and just doing whatever you can to stay current and informed.
Do you want to work in a SOC? CompTIA Cybersecurity Analyst (CySA+) proves you have the skills needed to be a SOC analyst. Download the exam objectives for free to see what’s covered.