The security operations center (SOC) analyst is a cybersecurity expert responsible for monitoring and responding to threats to an organization’s IT infrastructure.
The main task of the Tier 1 SOC analyst is monitoring. He/she performs daily monitoring routines during working hours and examines alarms from security products. He/she provides feedback to the relevant team/engineer about the configuration of the security monitoring products; for example, he/she may report malfunctions in the operation of a product. The Tier 1 analyst is the first to respond to attacks. He/she determines the nature of an alarm according to its alarm level and decides whether it reflects attack traffic. He/she determines the criticality level of the alarms, prioritizes them and examines the alarms that occur. If there is an alarm that he/she cannot make sense of, he/she escalates it to the Tier 2 analyst at the next level for detailed examination. This is generally shift work. It can be said that analysts work mostly irregular hours, as they examine the alarms of systems that are monitored 24 hours a day, 7 days a week.
He/she can acquire initial knowledge by learning the basic technical and theoretical information about the security products he/she may encounter in working life. He/she can take various trainings on the management of these security products, or read and follow the existing documentation. He/she can study the specific usage features of security products, learn how to take action on SIEM alerts and perform practical exercises. By installing open source SIEM products in virtual environments, running attack simulations against them and observing which alerts are generated and what those alerts mean, you can gain practical experience of the actions to be taken. You can also obtain theoretical and practical knowledge about the commonly used intrusion detection system (IDS) and intrusion prevention system (IPS) tools.
If you want to become a SOC analyst and you have no degree, it is not a big problem. You can still build a career in this industry; see this blog post: SOC Analyst Career without a Degree
The Tier 2 SOC analyst is responsible for the detailed investigation of the systems that raise alerts and of the cases escalated by the Tier 1 SOC analyst. He/she examines the technical details in order to make sense of the alarm. The Tier 2 SOC analyst, who has much deeper and broader technical knowledge than the Tier 1 SOC analyst, is sometimes called an incident responder (only some institutions use this title). A Tier 2 SOC analyst is more experienced than the Tier 1 analyst and applies analytical and holistic perspectives when examining systems. He/she tries to determine whether an anomaly is the result of an attack by correlating the technical details obtained from various sources of information. He/she determines whether critical systems and data are affected. He/she determines the measures to be taken by making recommendations for improvement. He/she may put forward new analytical methods for detecting threats. He/she creates a recovery plan. He/she works against the clock and tries to find the indicators that threats have left on the systems as soon as possible.
Since he/she needs a technical background covering a wide range of products and systems, it is necessary to learn how to analyze operating systems such as Android, Linux, Windows, macOS and iOS, and what security-relevant findings can be obtained from them. He/she should learn which tools are used in the analysis process. Analysis practice can be carried out in virtual environments with open source tools. Forensics challenges and competitions published by well-known organizations, online or offline, can be solved to gain practical experience with realistic scenarios. Practical experience can also be gained on online training platforms.
The Tier 3 SOC analyst is also known as a Threat Hunter. He/she has the experience and know-how of the Tier 1 and Tier 2 analysts and, in addition, different tasks. He/she examines cyber threat intelligence assessments relevant to the institution he/she works for and searches the network for undetected threats. He/she has knowledge of advanced malware as well as networking, programming, operating systems and security products. He/she masters malware detection methods in order to be aware of, and keep up with, different malware types and behaviors. He/she neutralizes the threat by ensuring that the effects of the detected malware are eliminated. He/she aims to prevent future threats by analyzing the neutralized malware and drawing conclusions about the security hardening that is needed.
In order to improve reverse engineering skills, preliminary practice can be gained by analyzing binary files for various architectures in virtual environments before moving on to malware. Published malware samples can be examined in an isolated analysis environment, and detailed reports can be written and published. Analysis reports published by security companies about APT groups can be read in order to keep up with the groups' current activity. Various trainings on malware analysis can also be taken.