With open cybersecurity positions at near-record levels, organizations of all sizes are eager to fill these roles and help shore up their defenses against attacks both external and internal. For tech professionals eager to take advantage of this market, having the right set of skills, along with a certain level of experience, is the ticket to career advancement and growth.
For those looking to gain valuable, entry-level cyber experience, one position stands out: security operations center analyst, a.k.a. SOC analyst. Many industry-watchers consider this job a stepping stone to other more senior positions within an organization’s security team.
In most cases, a SOC consists of multiple analysts working together and monitoring threats, alerts and other security incidents that are either detected within the network or infrastructure or reported by another employee of the organization. Large-scale enterprises typically build and host their own SOC, while smaller firms and businesses outsource these operations to a third-party service provider.
In a post for the Center for Internet Security, one SOC analyst describes her typical workday as looking at “IDS (Intrusion Detection System) alerts, suspicious emails, network logs, and any other resource that provides insight into an entity’s network activity. Analysts are expected to be able to read, understand, and notify on cyber trends. It's critical that we have basic knowledge in areas like networking, malware analysis, incident response and cyber etiquette.”
SOC analysts work at the frontline of many organizations' security cyber defenses. These are the security pros who sort through reams of data generated by firewalls, security information and event management (SIEM) systems and other software tools to determine if an incident is a true threat to the network or simply a false alert. These analysts also have the responsibility to escalate an incident up the chain of command if there is potential for an attack on the network.
While learning how to work within the SOC and properly detect an attack or breach are valuable skills for those looking to start or advance their cybersecurity career, these analysts work long hours, are under constant stress and are prone to burnout.
A study released earlier this year found that 69 percent of SOC analysts reported that they are satisfied with their jobs, although 71 percent of participants said they have experienced some level of burnout at work.
“Sadly, burnout and stress are par for the course in cybersecurity these days, and SOC analysts are unsung heroes, doing the hard work in the trenches. It is incumbent upon SOC leadership to minimize the burnout of their analysts,” said Rick Holland, CISO and vice president for strategy at security firm Digital Shadows.
SOC Analyst: How Can Technologists and Cybersecurity Pros Get Started?
Several experts noted that successful candidates for these SOC analyst positions need basic IT knowledge to get started. This includes knowing about operating systems, networking concepts and what role security systems, such as anti-virus software and firewalls, play in cybersecurity defense.
Candidates also need to demonstrate the ability to think through problems and explain how they arrive at possible solutions.
“As for the interview, when I was interviewing, I used to ask how a firewall works to screen out the candidates who would dismiss the question by saying, ‘I don’t know.’ I was searching for candidates with an open mind who tried to figure it out while answering,” Yogev Saban, Security Researcher at CardinalOps, told Dice.
The ability to learn and think creatively about tech problems is essential since many SOC analysts don’t have years of experience to draw from when applying for these positions. “A willingness to learn is essential to highlight in SOC analyst job interviews,” Holland told Dice. “These roles should be entry-level, so interviewers shouldn't expect candidates to ‘know all the SOC things.’ Willingness isn't enough; interview candidates should highlight their framework for learning and how they seek new knowledge and skills.”
For those looking to start, Holland suggests building a network on social media and attending major industry conferences such as DEF CON and BSides to take advantage of meeting people there who can help and offer advice. For those still in school, he points out that many colleges and universities have a help desk as well as a security operations center where students can work to gain the experience they need.
On the practical side, Holland added that Python knowledge is beneficial and so is knowing a bit about open source intelligence (OSINT) analysis.
“Entry-level SOC analysts are the ‘front line’ of defense for an organization. This role is designed to provide a human element to support the tooling and sensors leveraged by organizations to analyze activity from their environments and to triage alerting and potential threats appropriately,” Erika McDuffie, a senior director at consulting firm Coalfire, told Dice. “Due to the analytical nature of this job, critical thinking skills are essential for the success of a SOC analyst.”
SOC Analysts: What Skills and Certifications Can Make a Difference?
Glassdoor estimates that SOC analysts can expect an average total salary of $107,200, and there are numerous open positions. Compeition, however, is heavy, and industry experts noted that specific skills can help those looking to land their first position or to move into their next role.
During the interview process, for example, hiring managers typically require candidates to demonstrate knowledge of SIEM tools as well as the ability to effectively analyze security data, according to Darryl MacLeod, CISO at LARES Consulting.
“You should also be prepared to discuss your experience in incident response and threat hunting. Some employers may ask you to complete a written exercise or take a skills test to assess your analytical and problem-solving abilities,” MacLeod told Dice.
Matthew Warner, CTO and co-founder at security firm Blumira, also stressed that would-be SOC analysts must show tech fundamentals even if they lack specific security experience. “Building IT and information security fundamentals are crucial, as it can be difficult to contextually understand defensive and offensive techniques if the underlying technology is a mystery,” Warner told Dice. “That's not to say that you must be a sysadmin for ‘X’ years to work in cybersecurity… but you should have some background interest and skill sets in how the sausage is made.”
And while experts are split when it comes to whether certifications are needed, several industry insiders stressed that specific certs can help SOC analysts who are looking for their first jobs. Holland, for instance, recommends CompTIA’s Network+ and Security+ certifications as two ways to “help with some of the unfortunate HR gatekeeping that happens when recruiting.”
MacLeod of LARES Consulting also pointed to the CSX-P Cybersecurity certification from ISACA, and the Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance, as good entry-level starting points. He also noted that large companies such as Microsoft and IBM have SOC analyst certifications that they publish and promote.
Finally, Warner noted that he prefers the Offensive Security Certified Professional (OSCP) certification offered by Offensive Security, but that a good SOC analyst must be a self-starter.
“The ability to think creatively and solve problems on your own is paramount in cybersecurity,” Warner said. “When you grow your internal responsibilities through your own skill sets rather than waiting for it to be taught, you will realize job growth through it. Lastly, empathy and caring for end users, as well as each other, is a must.”