CYBERSECURITY

ALL
ABOUT
SECURITY
OPERATION
CENTER
(SOC)
INTRODUCTION

The SOC is responsible for monitoring, investigating, and remediating security events. Their scope of
responsibility depends on who is staffing the SOC. As previously discussed, SOCs can be internal to the
company or outsourced to an MSSP. Internal SOCs typically have higher privileges to take remedial
actions during an incident, where Managed Security Services Providers (MSSPs) usually must report
the incident to a customer’s information technology (IT) team. The key benefit to an internal SOC vs.
an MSSP is the ability of the internal SOC to learn the details of a single network. MSSPs have multiple
customers and must monitor several enterprise networks at once. This leaves the SOC analysts at a
disadvantage as they never truly learn the granular details of a customer’s enterprise.

SOC JOB ROLES

Security Analyst
The security analyst role evaluates various types of data and plans and implements security measures
to protect computer systems, networks, and data. Reviewing data can mean evaluating live network
traffic or a copy of evidence such as event logs generated by security and network tools. Regarding a
security operations center, SOC analyst can be responsible for reviewing security logs and responding
to events based on the services offered by the SOC.

Responsibilities Skills Certifications

Evaluate security measures Penetration and vulnerability CEH: Certified Ethical Hacker
and controls for vulnerabilities testing, information security OSCP and PEN-200 from
knowledge offensive security
CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
GPEN: GIAC Certified
Penetration Tester
CISM: Certified Information
Security Manager
Establish plans and protocols Host security tools (antivirus, ECSA: EC-Council Certified
to protect digital files and anti-malware, VPN), data Security Analyst
information systems against loss prevention technologies, Vendor NAC certification
unauthorized access, encryption concepts, identity Vendor Data Loss certification
modification, or destruction management, access control Identity Management
certification (e.g., Microsoft
Active Directory)
Maintain data and monitor TCP/IP, computer networking, GSEC: GIAC Security Essentials
security access routing and switching GCIH: GIAC Certified Incident
Handler
GCIA: GIAC Certified Intrusion
Analyst
CISM: Certified Information
Security Manager
Perform security assessments Firewall and intrusion CISSP: Certified Information
and recommend security detection/prevention Systems Security Professional
controls protocols Vendor product certifications
Anticipate security alerts, Windows, UNIX, macOS, and Operating system certifications
 incidents, and disasters and Linux operating systems
reduce their likelihood
Manage network and security Network protocols and packet Vendor network certification
systems analysis tools. Windows, (e.g., Cisco CCNA/CCNP/CCIE)
UNIX, macOS, and Linux Operating system certifications
operating systems
Analyze security breaches to Digital forensics and threat EC Council Computer Hacking
determine their root cause and hunting Forensic Investigator
impacted parties certification
Recommend and install tools Understand industry ISC2 CISSP
and countermeasures frameworks, security tools, CompTIA CySA+
and security process
Provide training to employees Developing training programs SANS Security Awareness
in security awareness and Professional (SSAP)
procedures

Penetration Tester
The penetration tester role is focused on identifying vulnerabilities and testing those vulnerabilities in
a similar manner to how an adversary would. Assessment officers and others that are responsible for
identifying vulnerabilities tend to leverage automated tools and focus on identifying potential
vulnerabilities but do not validate how realistic the vulnerability may or may not be. Penetration testers
invest additional time validating that vulnerabilities exist using the same tools used by adversaries.

Responsibilities Skills Certifications

Perform penetration tests and Exploitation, assessment, CEH: Certified Ethical Hacker
assessments of web-based and audit skillsets; technical OSCP and PEN-200 from
applications, networks, and writing; legal and compliance offensive security
computer systems understanding CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
GPEN: GIAC Certified
Penetration Tester
Conduct physical security Vulnerability and physical A+ and other hardware
assessments of servers, security assessment certifications
systems, and networks capabilities Lock picking
Design and create new tools Network servers, OSCP and PEN-200 from
and tests for penetration networking tools, security offensive security
testing and assessments tools and products CEPT: Certified Expert
Penetration Tester
Probe targets and pinpoint Computer hardware GPEN: GIAC Certified
methods that attackers could and software systems; Penetration Tester
use to exploit weaknesses and vulnerability management CEH: Certified Ethical Hacker
logic flaws and exploitation tactics OSCP and PEN-200 from
offensive security
CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
 Employ social engineering to Web-based applications OSCP: Offensive Security
uncover security holes and behavior science Certified Professional
Incorporate business goals into Security frameworks CISSP: Certified Information
security strategies and (e.g., ISO 27001/27002, Systems Security Professional
policy development NIST cybersecurity framework, CISM: Certified Information
etc.) Security Manager
Research, document, and Vulnerability analysis and CCFE: Certified Computer
review security findings with reverse engineering Forensics Examiner
management and IT teams
Improve security services, Security frameworks CISSP: Certified Information
including the continuous (e.g., ISO 27001/27002, Systems Security Professional
enhancement of existing NIST cybersecurity framework,
methodology material and etc.)
supporting assets
Provide feedback, support, Communication and writing College degree
and verification as an
organization fixes security
issues.

Assessment Officer
An assessment officer is responsible for identifying potential vulnerabilities or gaps in corporate policy,
compliance requirements, or general security best practices as defined in popular frameworks. Unlike
a penetration tester, an assessment officer works within specific scopes as defined by policies,
compliance, or frameworks, meaning he or she must be aware of the latest requirements and
continuously validate the organization is meeting those requirements. Any vulnerabilities out of scope
of such.

Responsibilities Skills Certifications

Incorporate business goals into Security frameworks (e.g., CISSP: Certified Information
security strategies and policy ISO 27001/27002, NIST Systems Security Professional
development cybersecurity framework, etc.) CISM: Certified Information
Security Manager
Conduct physical security Vulnerability and physical GPEN: GIAC Certified
assessments of servers, security assessment Penetration Tester
systems, and networks capabilities; lock picking CEH: Certified Ethical Hacker
OSCP and PEN-200 from
offensive security
CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
Interview employees, obtain Management and strong College degree or special
technical information, and communication skills communication skills training
assess audit results CISM: Certified Information
Security Manager
Understand industry data Understand HIPAA, PCI DSS, Specific industry data security
security regulations etc. certification and experience
Develop and execute tests Critical-thinking skills College degree and/or
based on regulations being programming certification
audited
 Research, document, and Critical-thinking skills College degree and/or
review security findings with programming certification
management and IT teams
Understand organization Critical-thinking skills and College degree
policies and procedures experience with SOC policies
and procedures
Provide feedback, support, Critical-thinking, project College degree
and verification as an management, and
organization fixes security communication skills
issues

Incident Responder
An incident responder is a cyber first-responder or a higher-tier resource responsible for responding
to a security incident. This role involves providing rapid initial response to IT security threats, incidents,
and cyberattacks on the organization. The role can also include some penetration and vulnerability
testing, network management, intrusion detection, security audits, network forensics, and
maintenance of IT security systems. The primary responsibility may be monitoring traffic for any
unusual activity or unauthorized access attempts and initiating the appropriate response when a
potential event is identified. The response can include patching systems, initiating segmentation,
isolating systems, alerting all associated parties, and assisting with returning impacted systems back
to an operational state.

Responsibilities Skills Certifications

Actively monitor systems and Windows, UNIX, macOS, and Operating system certifications
networks for intrusions Linux operating systems CompTIA CySA+
Identify security flaws and Computer hardware and GPEN: GIAC Certified
vulnerabilities software systems; vulnerability Penetration Tester
management and exploitation CEH: Certified Ethical Hacker
tactics OSCP and PEN-200 from
offensive security
CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
Perform security audits, risk Exploitation, assessment GCFE: GIAC Certified Forensic
analysis, network forensics, and audit skillsets; technical Examiner
and penetration testing writing; legal and compliance GPEN: GIAC Certified
understanding; TCP/IP-based Penetration Tester
network communication CEH: Certified Ethical Hacker
OSCP and PEN-200 from
offensive security
CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
Perform desktop security Computer hardware and CISSP: Certified Information
assessments and update/patch software systems; vulnerability Systems Security Professional
potential vulnerabilities assessments CISM: Certified Information
Security Manager
Develop a procedural set of Operating system installation, Operating system certifications
 responses to security problems patching, and configuration
Establish protocols for Critical-thinking, project College degree
communication within an management, and
organization and dealing with communication skills
law enforcement during
security incidents
Create a program development Security frameworks (e.g., ISO CISSP: Certified Information
plan that includes security gap 27001/27002, NIST Systems Security Professional
assessments, policies, cybersecurity framework, etc.); College degree
procedures, playbooks, Critical thinking, project
training, and tabletop testing management, and
communication skills
Produce detailed incident Critical-thinking, project College degree
reports and technical briefs for management, and
management, administrators, communication skills
and end users
Liaison with other cyberthreat Critical-thinking, project College degree
analysis entities management, and
communication skills
Handle case management Case management experience CompTIA CySA+
duties of an incident and be and tools CISM: Certified Information
involved with lessons-learned Security Manager
post incident meetings College degree

Systems Analyst
A systems analyst is responsible for monitoring and interpreting different forms of data. Data can
include logs from security tools, alerts from networking equipment, or other event data. A systems
analyst might also be responsible for analyzing various types of artifacts, including files and programs,
the goal being to determine whether there is any potential risk to the organization and discover the
purpose of the artifact (meaning why it was created). For example, a word document might have a
rootkit included, so the purpose of the document is to trick a user into running it and installing the
rootkit.

Responsibilities Skills Certifications

Actively monitor systems and Windows, UNIX, macOS, CCE: Certified Computer
networks for intrusions and Linux operating systems Examiner
Identify security flaws and Computer hardware and GPEN: GIAC Certified
vulnerabilities software systems; vulnerability Penetration Tester
management and exploitation CEH: Certified Ethical Hacker
tactics OSCP and PEN-200 from
offensive security
CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
Perform security audits, Computer hardware GPEN: GIAC Certified
risk analysis, network and software systems; Penetration Tester
forensics, and penetration vulnerability management CEH: Certified Ethical Hacker
testing and exploitation tactics OSCP and PEN-200 from
TCP/IP-based network offensive security
 communications CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
Perform malware analysis and Computer hardware and GCFA: GIAC Certified Forensic
reverse engineering software systems Analyst
Experience working with SIEM DevOps and playbooks skills Certification in DevOps
and SOAR orchestration and
automation
Reverse engineer/ disassemble Disassemblers, debuggers, GIAC Reverse Engineering
malware and other artifacts and other static-analysis tools Malware (GREM)
Develop sandboxes and Sandboxes and other GIAC Reverse Engineering
analyze software behavior dynamic analysis tools Malware (GREM)
Analyze logs and other data Security tool logs (firewall, CCNA Cyber Ops, CompTIA
sources IDS/IPS, etc.), SIEMs, and SOAR Cybersecurity Analyst (CySA+)
Liaison with other Forensic software applications CREA: Certified Reverse
cyberthreat analysis entities (e.g., EnCase, FTK, Helix, Engineering Analyst
Cellebrite, XRY, etc.)
Understand assembly language IDA Pro, Ghidra, RAM/ROM GIAC Reverse Engineering
and how computer systems dumps Malware (GREM)
operate (RAM, ROM, storage,
etc.)

Security Administrator
A security administrator is responsible for managing IT-related security and safety issues within a
company. Tasks can include developing policies and procedures as well as overseeing that policies are
followed by employees. Security administrators also oversee the implementation of solutions that
prevent cyberthreats and protect data’s confidentiality, integrity, and availability. Tasks include
administering security controls to reduce the risk associated with potential vulnerabilities.

Responsibilities Skills Certifications

Protect systems against Windows, UNIX, and Linux CompTIA Security+ (popular
unauthorized access, operating systems; system base-level security
modification, and/or security capabilities certification)
destruction
Perform vulnerability and Computer hardware and CCNA: Cisco Certified Network
networking scanning software systems; vulnerability Associate
management and exploitation CEH: Certified Ethical Hacker
tactics TCP/IP-based network
communications
Monitor network traffic for Strong understanding of ECSA: EC-Council Certified
unusual or malicious activity firewall technologies Security Analyst
CompTIA CySA+
Configure and support security TCP/IP, computer networking, CISSP: Certified Information
tools such as firewalls, routing and switching Systems Security Professional
antivirus software, and patch
management system
Implement network security Network protocols and packet CISM: Certified Information
policies, application security, analysis tools Security Manager
CISSP: Certified Information
 access control, and corporate Systems Security Professional
data safeguards
Train employees in security Critical-thinking, project College degree
awareness and procedures management, and
communication skills
Perform security audits and Intermediate to expert IDS/IPS CISSP: Certified Information
make policy recommendations knowledge; vulnerability Systems Security Professional
determine their root cause and evaluation; security College degree
impacted parties frameworks (e.g., ISO
27001/27002, NIST
cybersecurity framework,
etc.).
Develop and update business Security frameworks (e.g., ISO College degree
continuity and disaster 27001/27002, NIST
recovery protocols cybersecurity framework, etc.);
critical-thinking, project
management, and
communication skills

Security Engineer
This role is similar to a security analyst, with responsibilities of performing security monitoring, security
and data/log analysis, and forensic analysis. The goal of this role is to detect security incidents and
launch a response. A security engineer can also have responsibilities for identifying which security
technologies are used by an organization, maintenance of existing security technologies, development
and maintenance of security policy, and developing methods to improve policies.

Responsibilities Skills Certifications

Configure and install firewalls IDS/IPS, penetration testing, CISM: Certified Information
and intrusion detection/ and vulnerability testing Security Manager
prevention systems CISSP: Certified Information
Systems
Security Professional
CEH: Certified Ethical Hacker
Perform vulnerability testing, Firewall and intrusion CCNP Security: Cisco Certified
risk analyses, and security detection/prevention Network Professional Security
assessments protocols CEH: Certified Ethical Hacker
Develop or work with Secure coding practices, GSEC: Security Essentials
automation scripts to handle ethical hacking, and threat GCIH: GIAC Certified Incident
and track incidents modeling Handler
GCIA: GIAC Certified Intrusion
Analyst
Investigate intrusion incidents, Windows, UNIX, macOS, and CISSP: Certified Information
conduct forensic Linux operating systems Systems Security Professional
investigations, and launch CompTIA CySA+
incident responses CCFE: Certified Computer
Forensics Examiner
Collaborate with colleagues on Critical-thinking, project Systems Security Professional
authentication, authorization, management, and College degree
and encryption solutions communication skills;
encryption technology concept
 Evaluate new technologies and Critical-thinking, project College degree
processes that enhance management, and
security capabilities communication skills
Deliver technical reports and Communication and technical College degree
formal papers on test findings writing skills
Supervise changes in software, Critical-thinking, project College degree
hardware, facilities, management, and
telecommunications, and user communication skills
needs
Define, implement, and Security frameworks (e.g., ISO CISSP: Certified Information
maintain corporate security 27001/27002, NIST College degree
policies cybersecurity framework, etc.);
critical thinking, project
management, and
communication skills
Analyze and advise on new Critical-thinking, project College degree
security technologies and management, and
program conformance communication skills
Recommend modifications in Security frameworks (e.g., ISO CISSP: Certified Information
legal, technical, and regulatory 27001/27002, NIST CISM: Certified Information
areas that affect IT security cybersecurity framework, etc.); Security Manager Systems
critical thinking, project Security Professional College
management, and degree
communication skills

Security Trainer
A security trainer is responsible for implementing standardized training programs based on the
organization’s policies and the current threat landscape. Security trainers develop and schedule
training needs based on feedback from interviewing leadership and employees. Responsibilities
include developing the training material, coordinating and monitoring enrollment, schedules, costs,
and equipment, and delivering training metrics to leadership. Other duties include researching
industry training concepts, training people to deliver training content, and updating content as
needed.

Responsibilities Skills Certifications

Develop a schedule to assess Experience with technologies Certification from talent and
training needs and best practices for training associations
instructional manuals and
teaching platforms
Ensure strict adherence to Understanding policies, CISSP: Certified
company philosophy/mission procedures, and industry Information Systems
statement/sales goals guidelines, standards, and Security Professional
frameworks
Deliver training to customers Excellent verbal and written College degree
or other trainers communication skills
Manage security awareness Strong project management College degree
program based on threat skills with the ability to
research supervise multiple projects
Deliver technical reports and Identity and access College degree
formal papers on test findings management principles
 Test and review created Critical-thinking, project College degree
materials management, and
communication skills
Maintain a database of all Basic database and program College degree
training materials management skills

Security Architect
A security architect oversees the implementation of network and computer security for an
organization. This role is typically a senior-level employee responsible for creating security structures,
defenses, and responses to security incidents. Additional responsibilities may include providing
technical guidance, assessing costs and risks, and establishing security policies and procedures for the
organization.

Responsibilities Skills Certifications

Plan, research, and design Risk assessment procedures, CISSP: Certified Information
robust security architectures policy formation, role-based Systems Security Professional
for any IT project authorization methodologies,
authentication technologies,
and security attack concepts
Perform vulnerability testing, Computer hardware and GPEN: GIAC Certified
risk analyses, and security software systems; vulnerability Penetration Tester
assessments management and exploitation CEH: Certified Ethical Hacker
tactics OSCP and PEN-200 from
offensive security
CPT: Certified Penetration
Tester
CEPT: Certified Expert
Penetration Tester
Research security standards, Security frameworks (e.g., ISO CISM: Certified Information
security systems, and 27001/27002, NIST Security Manager
authentication protocols cybersecurity framework, etc.); CISSP: Certified Information
critical-thinking, project Systems Security Professional
management, and
communication skills
Develop requirements for Security controls such as CISM: Certified Information
LANs, WANs, VPNs, routers, firewall, IDS/IPS, network Security Manager
firewalls, and related network access control, and network
devices segmentation
Design public key Security and encryption CISM: Certified Information
infrastructures (PKIs), including technologies Security Manager
use of certification authorities EC-Council Certified Encryption
(CAs) and digital signatures Specialist (ECES)
Review and approve Security concepts related to GSEC: GIAC Security
installation of firewall, VPN, DNS, routing, authentication, Essentials
routers, IDS/IPS scanning VPN, proxy services, and DDOS GCIH: GIAC Certified Incident
technologies, and servers mitigation technologies Handler
GCIA: GIAC Certified Intrusion
Analyst
Provide technical supervision Critical-thinking and College degree
for security team(s) communication skills
 Define, implement, and Critical-thinking and CISSP: Certified Information
maintain corporate security communication skills Systems Security Professional
policies and procedures College degree
Oversee security awareness Developing training programs College degree
programs and educational
efforts
Update and upgrade security Windows, UNIX, macOS, and A+ Security
systems as needed Linux operating systems CISSP: Certified Information
Systems Security Professional

Cryptographer/Cryptologist
A SOC that uses encryption to secure information or to build a system will assign these requirements
to a cryptologist. A cryptologist researches and develops stronger encryption algorithms. A cryptologist
may also be responsible for analyzing encrypted information from malicious software to determine
the purpose and functions of the software.

Responsibilities Skills Certifications

Protect information from Computer architecture, data The cryptologist field is new
interception, copying, structures, and algorithms and only has programs in
modification and/or deletion universities and special
learning programs.
Certification programs include
cryptology aspects, but
dedicated certifications are not
available now.
Evaluate, analyze, and target Linear/matrix algebra and/or EC-Council Certified Encryption
weaknesses in cryptographic discrete mathematics Specialist (ECES)
security systems and
algorithms
Develop statistical and Probability theory, information EC-Council Certified Encryption
mathematical models to theory, complexity theory, and Specialist (ECES)
analyze data and solve security number theory College degree in math and
problems cryptologist certification
Investigate, research, and test Principles of symmetric EC-Council Certified Encryption
new cryptology theories and cryptography and asymmetric Specialist (ECES)
applications cryptography College degree in math and
cryptologist certification
Probe for weaknesses in Principles of symmetric EC-Council Certified Encryption
communication lines cryptography and asymmetric Specialist (ECES)
cryptography College degree in math and
cryptologist certification
Ensure financial data is Network Access Control Operating system certifications
securely encrypted and Concepts Vendor security certifications
accessible only to authorized Data loss prevention Authentication vendor
users technologies, encryption certifications
concepts, identity
management, access control
Ensure message transmission Principles of symmetric EC-Council Certified Encryption
data is not illegally accessed or cryptography and asymmetric Specialist (ECES)
altered in transit cryptography College degree in math and
 cryptologist certification
Decode cryptic messages and Principles of symmetric EC Council Computer
coding systems for military, cryptography and asymmetric Hacking Forensic Investigator
political, and/or law cryptography Certification
enforcement College degree in math and
agencies cryptologist certification
Advise colleagues and research Principles of symmetric College degree in math and
staff on cryptical/mathematical cryptography and asymmetric cryptologist certification
methods and applications cryptography

Forensic Engineer
Digital forensics is the art of collecting evidence regarding a security incident. Evidence can be used
for legal actions, to remediate the vulnerability used to cause the breach, or as part of a lessons-
learned exercise. Forensic engineers require specific skillsets focused on collecting data without
creating changes to what they are collecting. These engineers may also have legal knowledge to assist
with investigations that lead to legal actions.

Responsibilities Skills Certifications

Conduct data breach and Network skills, including CCE: Certified Computer
security incident investigations TCP/IP-based network Examiner
communications
Recover and examine data Windows, UNIX, and Linux CEH: Certified Ethical
from computers and electronic operating systems Hacker
storage devices
Dismantle and rebuild Windows, UNIX, macOS, and EnCE: EnCase Certified
damaged systems to retrieve Linux operating systems; digital Examiner
lost data forensics concepts
Identify systems/networks Computer hardware and GCFE: GIAC Certified
compromised by cyberattacks software systems Forensic Examiner
Compile evidence for legal Operating system installation, GCFA: GIAC Certified
cases patching, and configuration Forensic Analyst
Draft technical reports, write Backup and archiving GCIH: GIAC Certified
declarations, and prepare technologies; technical writing Incident Handler
evidence for trial
Give expert counsel to Cryptography principles; legal CCFE: Certified Computer
attorneys about electronic experience; digital forensics Forensics Examiner
evidence in a case experience; strong
communication skills
Advise law enforcement on the eDiscovery tools; strong CPT: Certified Penetration
credibility of acquired data communication skills Tester
Stay proficient in forensic, Data processing skills in CCFE: Certified Computer
response, and reverse electronic disclosure Forensics Examiner
engineering environments College degree

Chief Information Security Officer

Part of high-level management and is positioned as the person responsible for the entire information
security division of an organization. A CISO is responsible for all assurance activities related to the
availability, integrity, and confidentiality of customers, business partner, employee, and business
information in compliance with the organization’s information security policies. A CISO works with
executive management to determine acceptable levels of risk for the organization.
 Responsibilities Skills Certifications
Appoint and guide a team of IT Practices and methods of IT CISA: Certified Information
security experts strategy, enterprise Systems Auditor
architecture, and security
architecture
Create strategic plan for the Security concepts; critical- CISM: Certified Information
deployment of information thinking and communication Security Manager
security technologies and skills
program enhancements
Supervise development of ISO 27002, ITIL, and COBIT GSLC: GIAC Security
corporate security policies, frameworks Leadership
standards, and procedures College degree
Integrate IT systems PCI DSS, HIPAA, NIST, GLBA, CCISO: Certified Chief
development with security and SOX compliance Information Security Officer
policies and information assessments
protection strategies
Collaborate with key Network security architecture CGEIT: Certified in the
stakeholders to establish an development and definition Governance of Enterprise IT
IT security risk management
program
Anticipate new security threat Knowledge of third-party CISSP: Certified Information
sand stay up to date with auditing and cloud risk Systems Security Professional
evolving infrastructures assessment methodologies
Develop strategies to handle Critical-thinking and CISSP-ISSMP: CISSP
security incidents and communication skills Information Systems Security
coordinate investigative Management Professional
activities
Act as a focal point for IT Critical-thinking and CISSP: Certified Information
security investigations communication skills Systems Security Professional
College degree
Prioritize and allocate security Critical-thinking and College degree
resources correctly and communication skills
efficiently
Prepare financial forecasts for Critical-thinking and College degree
security operations and proper communication skills; contract
maintenance coverage for experience
security assets
Work with senior management Security frameworks (e.g., ISO College degree
to ensure IT security 27001/27002, NIST
protection policies are being cybersecurity framework, etc.);
implemented, reviewed, critical-thinking, project
maintained, and governed management, and
effectively communication skills

SOC SERVICES AND ASSOCIATED JOB ROLES

The roles and job skill requirements for your SOC will depend on the different services the SOC is
responsible for delivering to its customers.

Risk Management Service

The risk management service is responsible for managing all aspects of risk to the organization. This
includes analyzing risk, calculating the potential impact of risk, and making decisions based on the
organization’s risk appetite. Employees responsible for risk management must have great
communication skills, enabling them not only to ensure that everybody in the organization
understands any significant risk but also to explain the organization’s risk management strategy.
Working for the risk management service also requires a solid understanding of business, because
decisions of the service will impact various internal and external elements of the organization.
Successful employees responsible for risk management are skilled at negotiation and diplomacy. They
can work under pressure and are able to modify strategies as various factors change the current state
of the organization’s risk status.

Possible job titles include chief information manager, chief information security officer, security officer,
risk management analyst, and analyst.

Vulnerability Management Service

Successful employees responsible for vulnerability management have experience in and
understanding of network and computer security. They can analyze hardware, software, networks, and
communication to discover and address vulnerabilities. SOC members involved with vulnerability
management have solid communication skills so they can explain identified vulnerabilities as well as
work with various parties to validate findings, including third-party vendors and other external experts.
Employees responsible for vulnerability management are detail-oriented, have strong problem-solving
skills, and can adapt methods used to manage vulnerabilities based on the ever-changing threat
landscape.

Possible job titles include penetration tester, vulnerability engineer, ethical hacker, red team tester,
security analyst, and security engineer.

Incident Management Service

SOC employees responsible for incident management actively monitor systems and networks for
intrusions. The incident management team develops a procedural set of responses to security
problems and oversees their execution. This team is also responsible for restoring services back to a
normal state following an incident as quickly as possible while minimizing the impact to business
operations. Communication and diplomacy skills are required to produce incident reports and provide
technical briefings to various parties about incidents in a diplomatic fashion. Employees are required
to be able to work under pressure while coordinating all activities required to perform, monitor, and
report on the incident management process.

Possible job titles include incident responder, security analyst, computer network defense, IT network
defense, incident analyst, intrusion detection specialist, and network intrusion analyst.

Analysis Service
A security analyst is responsible for detecting and preventing cyberthreats to an organization.
Members of the analysis team review security logs from various types of devices and work with the
team responsible for incident management when a threat is confirmed. In addition to dealing with
real-time threats, the analysis team analyzes and responds to undisclosed hardware and software
vulnerabilities when a dedicated vulnerability management team isn’t present. The analysis team can
also take on responsibilities as a security advisor and develop security strategy based on data captured
and analyzed. Members of the analysis team must be analytical and detail-oriented with specific skills
in understanding how devices generate logs and how to work with network and security tools that
generate logs. Analysis engineers can also be responsible for analyzing and reverse engineering various
types of artifacts, requiring a different set of analytical and technical skills than an analyst that works
with security logs. Analysis engineers are technical, detail-oriented, and specialized in the types of data
they are responsible for analyzing.

Possible job titles include security analyst, security engineer, security administrator, security specialist,
security consultant, network engineer, operations analyst, business intelligence analyst, and data
analyst.

Compliance Service
The most fundamental skill for employees responsible for compliance is the ability to deal with risk
and conflict management. A compliance officer uses specific factors for scoring risk, which will be
based on the requirements for the type of compliance being enforced. A compliance officer will
encounter situations requiring explaining and defending their point of view to internal employees as
well as external agencies such as regulators. Communication and analytical thinking are critical for this
role as well as a willingness to learn, as the world of compliance is continuously changing. Other skills
associated with successful members of the compliance team are being detailed-oriented, being
capable of interpreting data, and having strong problem-solving skills.

Possible job titles include compliance officer, assessment officer, policy officer, and infosec officer.

Digital Forensics Service

Roles in digital forensics are technology-focused, requiring a desire to learn, deep analytical skills, and
the ability to work with various technologies ranging from desktop computers to mobile devices.
Digital forensics requires acute attention to details and a comprehension of cybersecurity
fundamentals. Communication skills and an understanding of law and criminal investigation are
important because the results from a forensic investigation might be used in court, in which case the
investigator will be required to defend his or her work. Digital forensics requires working with different
groups, from legal to technical, as well as tolerance for disturbing material that might be discovered
during an investigation. Successful digital forensic engineers have experience in both legal and
technical matters related to cybersecurity.

Possible job titles include forensic engineer, forensic scientist, forensic consultant, and digital forensic
engineer.

Situational and Security Awareness Service

The key purpose of this service is to address the human element of security. The goal of the work
performed by the situational and security awareness team is to change the behavior of employees so
that they operate with security in mind, reducing their risk to the organization. Duties include
everything regarding security awareness and developing an education program. Roles responsible for
situational and security awareness require strong written and verbal communication skills. Members
in this role must be able to interpret all industry regulations, standards, and compliance requirements
as well as ensure that everybody understands the organization’s risk management strategy. Successful
situational and security awareness officers can accomplish these goals using a positive and engaging
approach, which includes creating a metrics framework that can effectively measure results of the
program.
Possible job titles include security trainer, training instructor, information assurance analyst, training
analyst, security service training manager, and development manager.

Research and Development Service

SOC members of the research and development service are responsible for researching, planning, and
implementing new programs and protocols for the organization. Duties include market research,
tracking costs related to the creation of new programs and protocols, and making decisions on which
projects are worth investing in. This group also validates if current programs, procedures, and
technology being used are up to date with current and advanced industry standards. Members in this
role have project management experience, are able to manage a budget, and are detail-oriented and
creative.

Possible job titles include researcher, threat researcher, threat analyst, analyst, security analyst,
programmer, software developer, and DevOps engineer.

NICE CYBERSECURITY WORKFORCE FRAMEWORK

Nice Framework Components

• Seven categories representing a high-level grouping of common cybersecurity functions

• Thirty-three Specialty Areas representing distinct areas of cybersecurity work
• Fifty-two Work Roles representing the most detailed groupings of cybersecurity work and
composed of specific knowledge, skills, and abilities (KSAs) required to perform tasks in a
Work Role
 For better understanding, I shared about Protect and Defend category (Cyber Defense
Analysis & Incident Response) below:

Cyber Defense Analysis

Cyber Defense Analyst
(PR-CDA-001)

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network
tra ic logs) to analyze events that occur within their environments for the purposes of
mitigating threats.

Abilities

A0010: Ability to analyze malware.

A0015: Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
A0066: Ability to accurately and completely source all data used in intelligence, assessment
and/or planning products.
A0123: Ability to apply cybersecurity and privacy principles to organizational requirements
(relevant to confidentiality, integrity, availability, authentication, non-repudiation).
A0128: Ability to apply techniques for detecting host and network-based intrusions using
intrusion detection technologies.
A0159: Ability to interpret the information collected by network tools (e.g. Nslookup, Ping, and
Traceroute).

Knowledge
K0001: Knowledge of computer networking concepts and protocols, and network security
methodologies.
K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating
risk).
K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and
privacy.
K0004: Knowledge of cybersecurity and privacy principles.
K0005: Knowledge of cyber threats and vulnerabilities.
K0006: Knowledge of specific operational impacts of cybersecurity lapses.
K0007: Knowledge of authentication, authorization, and access control methods.
K0013: Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
K0015: Knowledge of computer algorithms.
K0001: Knowledge of computer networking concepts and protocols, and network security
methodologies.
K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating
risk).
K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and
privacy.
K0004: Knowledge of cybersecurity and privacy principles.
K0005: Knowledge of cyber threats and vulnerabilities.
K0006: Knowledge of specific operational impacts of cybersecurity lapses.
K0007: Knowledge of authentication, authorization, and access control methods.
K0013: Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
K0015: Knowledge of computer algorithms.
K0018: Knowledge of encryption algorithms
K0019: Knowledge of cryptography and cryptographic key management concepts
K0024: Knowledge of database systems.
K0033: Knowledge of host/network access control mechanisms (e.g., access control list,
capabilities lists).
K0040: Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories,
errata, and bulletins).
K0042: Knowledge of incident response and handling methodologies.
K0044: Knowledge of cybersecurity and privacy principles and organizational requirements
(relevant to confidentiality, integrity, availability, authentication, non-repudiation).
K0046: Knowledge of intrusion detection methodologies and techniques for detecting host and
network-based intrusions.
K0049: Knowledge of information technology (IT) security principles and methods (e.g., firewalls,
demilitarized zones, encryption).
K0056: Knowledge of network access, identity, and access management (e.g., public key
infrastructure, Oauth, OpenID, SAML, SPML).
K0058: Knowledge of network tra ic analysis methods.
K0059: Knowledge of new and emerging information technology (IT) and cybersecurity
technologies.
K0060: Knowledge of operating systems.
K0061: Knowledge of how tra ic flows across the network (e.g., Transmission Control Protocol
[TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information
Technology Infrastructure Library, current version [ITIL]).
K0065: Knowledge of policy-based and risk adaptive access controls.
K0070: Knowledge of system and application security threats and vulnerabilities (e.g., bu er
overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language
[PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious
code).
K0074: Knowledge of key concepts in security management (e.g., Release Management, Patch
Management).
K0075: Knowledge of security system design tools, methods, and techniques.
K0093: Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link
Budgeting, Spectral e iciency, Multiplexing).
K0098: Knowledge of the cyber defense Service Provider reporting structure and processes within
one’s own organization.
K0104: Knowledge of Virtual Private Network (VPN) security.
K0106: Knowledge of what constitutes a network attack and a network attack’s relationship to
both threats and vulnerabilities.
K0107: Knowledge of Insider Threat investigations, reporting, investigative tools and
laws/regulations.
K0110: Knowledge of adversarial tactics, techniques, and procedures.
K0111: Knowledge of network tools (e.g., ping, traceroute, nslookup)
K0112: Knowledge of defense-in-depth principles and network security architecture.
K0113: Knowledge of di erent types of network communication (e.g., LAN, WAN, MAN, WLAN,
WWAN).
K0116: Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip).
K0139: Knowledge of interpreted and compiled computer languages.
K0142: Knowledge of collection management processes, capabilities, and limitations.
K0143: Knowledge of front-end collection systems, including tra ic collection, filtering, and
selection.
K0157: Knowledge of cyber defense and information security policies, procedures, and
regulations.
K0160: Knowledge of the common attack vectors on the network layer.
K0161: Knowledge of di erent classes of attacks (e.g., passive, active, insider, close-in,
distribution attacks).
K0162: Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state
sponsored, and nation sponsored).
K0167: Knowledge of system administration, network, and operating system hardening
techniques.
K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code),
Presidential Directives, executive branch guidelines, and/or administrative/criminal legal
guidelines and procedures.
K0177: Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining
access, escalation of privileges, maintaining access, network exploitation, covering tracks).
K0179: Knowledge of network security architecture concepts including topology, protocols,
components, and principles (e.g., application of defense-in-depth).
K0180: Knowledge of network systems management principles, models, methods (e.g., end-to-
end systems performance monitoring), and tools.
K0190: Knowledge of encryption methodologies.
K0191: Signature implementation impact for viruses, malware, and attacks.
K0192: Knowledge of Windows/Unix ports and services.
K0203: Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-
Wilson integrity model).
K0221: Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
K0222: Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to
cyber defense activities.
K0260: Knowledge of Personally Identifiable Information (PII) data security standards.
K0261: Knowledge of Payment Card Industry (PCI) data security standards.
K0262: Knowledge of Personal Health Information (PHI) data security standards.
K0290: Knowledge of systems security testing and evaluation methods.
K0297: Knowledge of countermeasure design for identified security risks.
K0300: Knowledge of network mapping and recreating network topologies.
K0301: Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
K0303: Knowledge of the use of sub-netting tools.
K0318: Knowledge of operating system command-line tools.
K0322: Knowledge of embedded systems.
K0324: Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools
and applications.
K0332: Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain
Name System (DNS), and directory services.
K0339: Knowledge of how to use network analysis tools to identify vulnerabilities.
K0342: Knowledge of penetration testing principles, tools, and techniques.
K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top
10 list)

Skills
S0020: Skill in developing and deploying signatures.
S0025: Skill in detecting host and network based intrusions via intrusion detection technologies
(e.g., Snort).
S0027: Skill in determining how a security system should work (including its resilience and
dependability capabilities) and how changes in conditions, operations, or the environment will
a ect these outcomes.
S0036: Skill in evaluating the adequacy of security designs.
S0054: Skill in using incident handling methodologies.
S0057: Skill in using protocol analyzers.
S0063: Skill in collecting data from a variety of cyber defense resources.
S0078: Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
S0096: Skill in reading and interpreting signatures (e.g., snort).
S0147: Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS
CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
S0156: Skill in performing packet-level analysis.
S0167: Skill in recognizing vulnerabilities in security systems. (e.g., vulnerability and compliance
scanning).
S0169: Skill in conducting trend analysis.
S0367: Skill to apply cybersecurity and privacy principles to organizational requirements (relevant
to confidentiality, integrity, availability, authentication, non-repudiation).
S0370: Skill to use cyber defense Service Provider reporting structure and processes within one’s
own organization.
Tasks

T0020: Develop content for cyber defense tools.

T0023: Characterize and analyze network tra ic to identify anomalous activity and potential
threats to network resources.
T0043: Coordinate with enterprise-wide cyber defense sta to validate network alerts.
T0088: Ensure that cybersecurity-enabled products or other compensating security control
technologies reduce identified risk to an acceptable level.
T0155: Document and escalate incidents (including event's history, status, and potential impact
for further action) that may cause ongoing and immediate impact to the environment.
T0164: Perform cyber defense trend analysis and reporting.
T0166: Perform event correlation using information gathered from a variety of sources within the
enterprise to gain situational awareness and determine the e ectiveness of an observed attack.
T0178: Perform security reviews and identify security gaps in security architecture resulting in
recommendations for inclusion in the risk mitigation strategy.
T0187: Plan and recommend modifications or adjustments based on exercise results or system
environment.
T0198: Provide daily summary reports of network events and activity relevant to cyber defense
practices.
T0214: Receive and analyze network alerts from various sources within the enterprise and
determine possible causes of such alerts.
T0258: Provide timely detection, identification, and alerting of possible attacks/intrusions,
anomalous activities, and misuse activities and distinguish these incidents and events from
benign activities.
T0259: Use cyber defense tools for continual monitoring and analysis of system activity to identify
malicious activity.
T0260: Analyze identified malicious activity to determine weaknesses exploited, exploitation
methods, e ects on system and information.
T0290: Determine tactics, techniques, and procedures (TTPs) for intrusion sets.
T0291: Examine network topologies to understand data flows through the network.
T0292: Recommend computing environment vulnerability corrections.
T0293: Identify and analyze anomalies in network tra ic using metadata (e.g., CENTAUR).
T0294: Conduct research, analysis, and correlation across a wide variety of all source data sets
(indications and warnings).
T0295: Validate intrusion detection system (IDS) alerts against network tra ic using packet
analysis tools..
T0296: Isolate and remove malware.
T0297: Identify applications and operating systems of a network device based on network tra ic.
T0298: Reconstruct a malicious attack or activity based o network tra ic.
T0299: Identify network mapping and operating system (OS) fingerprinting activities.
T0310: Assist in the construction of signatures which can be implemented on cyber defense
network tools in response to new or observed threats within the network environment or enclave.
T0332: Notify designated managers, cyber incident responders, and cybersecurity service
provider team members of suspected cyber incidents and articulate the event's history, status,
and potential impact for further action in accordance with the organization's cyber incident
response plan.
T0469: Analyze and report organizational security posture trends.
T0470: Analyze and report system security posture trends.
T0475: Assess adequate access controls based on principles of least privilege and need-to-know.
T0503: Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency
Response Teams, Security Focus) to maintain currency of cyber defense threat condition and
determine which security issues may have an impact on the enterprise.
T0504: Assess and monitor cybersecurity related to system implementation and testing practices.
T0526: Provides cybersecurity recommendations to leadership based on significant threats and
vulnerabilities.
T0545: Work with stakeholders to resolve computer security incidents and vulnerability
compliance.
T0548: Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations
Plans.
Incident Response
Cyber Defense Incident Responder
(PR-CIR-001)

Investigates, analyzes, and responds to cyber incidents within the network environment or
enclave.

Abilities

A0121: Ability to design incident response for cloud service models.

A0128: Ability to apply techniques for detecting host and network-based intrusions using
intrusion detection technologies.

Knowledge

K0001: Knowledge of computer networking concepts and protocols, and network security
methodologies.
K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating
risk).
K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and
privacy.
K0004: Knowledge of cybersecurity and privacy principles.
K0005: Knowledge of cyber threats and vulnerabilities.
K0006: Knowledge of specific operational impacts of cybersecurity lapses.
K0021: Knowledge of data backup and recovery.
K0026: Knowledge of business continuity and disaster recovery continuity of operations plans.
K0033: Knowledge of host/network access control mechanisms (e.g., access control list,
capabilities lists).
K0034: Knowledge of network services and protocols interactions that provide network
communications.
K0041: Knowledge of incident categories, incident responses, and timelines for responses.
K0042: Knowledge of incident response and handling methodologies.
K0046: Knowledge of intrusion detection methodologies and techniques for detecting host and
network-based intrusions.
K0058: Knowledge of network tra ic analysis methods.
K0062: Knowledge of packet-level analysis.
K0070: Knowledge of system and application security threats and vulnerabilities (e.g., bu er
overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language
[PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious
code).
K0106: Knowledge of what constitutes a network attack and a network attack’s relationship
toboth threats and vulnerabilities.
K0157: Knowledge of cyber defense and information security policies, procedures, and
regulations.
K0161: Knowledge of di erent classes of attacks (e.g., passive, active, insider, close-in,
distribution attacks).
K0162: Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state
sponsored, and nation sponsored).
K0167: Knowledge of system administration, network, and operating system hardening
techniques.
K0177: Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining
access, escalation of privileges, maintaining access, network exploitation, covering tracks).
K0179: Knowledge of network security architecture concepts including topology, protocols,
components, and principles (e.g., application of defense-in-depth).
K0221: Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
K0230: Knowledge of cloud service models and how those models can limit incident response.
K0259: Knowledge of malware analysis concepts and methodologies.
K0287: Knowledge of an organization's information classification program and procedures for
information compromise.
K0332: Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain
Name System (DNS), and directory services.
K0565: Knowledge of the common networking and routing protocols (e.g. TCP/IP), services (e.g.,
web, mail, DNS), and how they interact to provide network communications.
K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top
10 list)

Skills

S0003: Skill of identifying, capturing, containing, and reporting malware.

S0047: Skill in preserving evidence integrity according to standard operating procedures or
national standards.
S0077: Skill in securing network communications.
S0078: Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
S0079: Skill in protecting a network against malware. (e.g., NIPS, anti-malware, restrict/prevent
external devices, spam filters).
S0080: Skill in performing damage assessments.
S0173: Skill in using security event correlation tools.
S0365: Skill to design incident response for cloud service models.
Tasks

T0041: Coordinate and provide expert technical support to enterprise-wide cyber defense
technicians to resolve cyber defense incidents.
T0047: Correlate incident data to identify specific vulnerabilities and make recommendations that
enable expeditious remediation.
T0161: Perform analysis of log files from a variety of sources (e.g., individual host logs, network
tra ic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to
network security.
T0163: Perform cyber defense incident triage, to include determining scope, urgency, and
potential impact, identifying the specific vulnerability, and making recommendations that enable
expeditious remediation.
T0164: Perform cyber defense trend analysis and reporting.
T0170: Perform initial, forensically sound collection of images and inspect to discern possible
mitigation/remediation on enterprise systems.
T0175: Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion
correlation and tracking, threat analysis, and direct system remediation) tasks to support
deployable Incident Response Teams (IRTs).
T0214: Receive and analyze network alerts from various sources within the enterprise and
determine possible causes of such alerts.
T0233: Track and document cyber defense incidents from initial detection through final
resolution.
T0246: Write and publish cyber defense techniques, guidance, and reports on incident findings to
appropriate constituencies.
T0262: Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple
places, layered defenses, security robustness).
T0278: Collect intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to
enable mitigation of potential cyber defense incidents within the enterprise.
T0279: Serve as technical expert and liaison to law enforcement personnel and explain incident
details as required.
T0312: Coordinate with intelligence analysts to correlate threat assessment data.
T0395: Write and publish a er action reviews.
T0503: Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency
Response Teams, Security Focus) to maintain currency of cyber defense threat condition and
determine which security issues may have an impact on the enterprise.
T0510: Coordinate incident response functions.
ROLE TIERS
Tier/Level 1 (L1)
First-tier SOC analyst may be responsible for detecting, identifying, and troubleshooting security
events that come into the SOC. Often this is the tier that communicates with the affected party.
Responsibilities include detection, classification, and escalation of events.

Tier/Level 2 (L2)
A second-tier analyst may have mitigation responsibilities over any event escalated by a first-tier SOC
analyst. If the event requires even further support, a more experienced third-tier analyst may be
involved to remediate the situation.

Tier/Level 3 (L3)
The third-tier analyst might also build tools and processes to improve capabilities within the SOC,
including the processes followed by lower-tier analysts. Higher tier roles have higher compensation
but require deeper technical skills and experience.

SKILLS REQUIREMENTS

Networking
It will be helpful to know the various common port numbers and the difference between TCP and
UDP. TCP relies on an established connection called a three-way handshake and the UDP protocol.
Think of UDP as the “Unreliable Dang Protocol” because the UDP protocol just sends messages and
doesn’t care if they get them there or not, whereas in the TCP connection if a piece of data is missed
in transit, it will resend the missed packet and then put them back together in order. UDP services are
mainly used for things such as video streaming where a glitch in the movie because of dropped packets
wouldn’t matter a lot. TCP connections are used when every bit of data needs to arrive at the
destination, such as in a file transfer. If you are transferring a file, if all bits and bytes do not get to the
destination, the file will not be able to be run.

Next is the TCP three-way handshake process. This is important because this three-way handshake
process establishes a connection between two hosts for a TCP connection.

Network Security
The basic tenets of security revolved around the concept of CIA Triad, not the Central Intelligence
Agency but confidentiality, integrity, and availability. All security can be broken down from these three
high-level categories. Confidentiality is the secrecy of the information, making sure that the
information can only be seen by the intended people, no more no less. Integrity revolves around the
correctness of the data, making sure that the information you are consuming is the data that you
intend to consume, complete and unaltered. Availability consists of making sure that the data can be
used when it needs to be used.

Cryptography
There are a few cryptography principles that you will need to know as well. The first is the difference
between encryption vs. hashing. Basically, encrypting is changing the data in a way that makes it
unreadable, but it is intended to be changed back in a way to make the message readable again.
Hashing is the process of taking a set of data and creating a unique fingerprint out of it. For instance,
if you had a thousand lines of code, you could save it to a file and hash that file to a 128-bit MD5 hash
that would look something similar to this:
97fbca75e134639d48bd83270ae9e045

The main difference between a hash and an encryption is that a hash is one way. There is not any viable
way to turn the string above back into the characters.

Endpoint Security
The front lines of the cybersecurity war are on your network endpoints. User laptops, smart phones,
and printers are only a few of the targeted devices that attackers can compromise. The difficulty with
endpoint security is the plethora of devices on the market. Most of all devices run on one of these
three operating system (OS) families: Windows, Unix, and MacOS.

TOOLS

SIEM
Other than collecting logs, the SIEM also normalizes logs, which means to put them into the correct
chronological order. Because of the varying time zones across the world configured in your devices,
the timestamps, or date and time, on each log need to be accounted for. Also in normalization, when
the logs are ingested into the SIEM platform, they must meet a certain standard and format.

Each SIEM has a proprietary technique that is used to take in billions of logs and picks out the things
that are suspicious, but at a basic level, either the vendor or the users (or both) create rules that if any
of the logs match a given criteria, it will sound the alarm.

Firewalls
Additional to SIEM and SOAR, you will likely come across firewalls. Firewall and firewall engineering is
a specialty all on its own, but it’s important jargon to understand the biggest players in the firewall
space are Cisco, Checkpoint, Fortinet, Palo Alto, Juniper, and SonicWall. As a security analyst, you might
be responsible for performing a firewall block on an IP address or requesting to have it done. What
this means is you have used the tools and techniques of a security analyst and determined that it was
bad, and you want to block that IP address from being communicated with from your internal network.

IDS/IPS
Intrusion detection systems can either be placed in line or through a network tap. Intrusion detection
systems are designed to detect and not take preventative measures. Tapping the network allows the
device to see the network traffic but not affect bandwidth. IDS placed through a tap cannot take
preventative action because they cannot control the flow of traffic.

The IPS has the ability to change the flow of traffic between the two devices because of the way it sits
on the network. Intrusion prevention systems must be placed. Placing an IPS in line allows it to control
the flow of traffic and take preventative actions to protect it.

IDS can be placed in line as well. Most modern IPS will have some rules set to “take action” and some
set to monitor only. These are called intrusion detection and prevention systems (IDPS).

Sandboxing
Quite a few endpoints detection software will detonate the file on your behalf so it can know whether
it is bad or not, but nothing comes as close as a good report from Cuckoo, Hybrid Analysis, or Joe
Sandbox. These tools are designed to twist every knob and press every button to squeeze as much
execution information as they can out of it. As a SOC analyst, you mainly use these tools to get out
indicators of compromise like hashes of files that it drops, or IP addresses and domains it contacts to
run these through your SIEM to see if there are any historical connections.

There are a few online sandbox tools but be wary to now execute proprietary files in a public sandbox
to be shared with the community. Other online tools to take note of are:
• Virustotal.com: VirusTotal is perhaps the most useful online tool for a SOC analyst. You visit
the website and punch in a URL or hash, and you will, most of the time, have a good idea if the
IoC is good or bad.
• Domain Tools: The whois tool at domain tools I always found very easy to use. While there are
plenty of very good online whois searches available, I always like to use domain tools.
• Talos Intelligence: Use this tool to conduct reputational checks on IP addresses and URLs.
• IPVoid: Use this tool to check blacklists for a particular IP address.
• URLVoid: Use this tool to check URLs for safety reputations.
• Threat Crowd: Use this tool as a search engine for threats. Threat Crowd is a system fo finding
and researching artifacts relating to cyber threats.
• TOR Exit Node List: Check to see if the IP address is on a TOR exit node.
• IBM X-Force Exchange: Check the IoC for information in X-Force Exchange.
• Search Engine: Always check a search engine when looking for suspicious items. Some gems
are more hidden!

COMMON DEFINITON IN SOC

As you go through your day as a SOC analyst, you will come across terms that aren’t always agreed on,
and the meanings are a bit vague. From the best of our combined experience, these are the best
definitions for these terms.
Security Logs
At the very base of a security program are security logs. These logs could be from anything and
everything and about anything and everything. Once they are ingested into a SIEM, they become a
security log. An example of important security logs that a SOC would want to capture are network flow
logs, Windows Event Logs, Unix Syslog’s, and firewall logs. Security events can string together many
security logs.

Security Event
Security events are the day-to-day routine security monitoring from the tooling. They are very
common, and almost all security tooling notifications start as a security event generated from security
logs, except for vulnerability scanners, and are escalated as needed. A security event must be escalated
to a security incident before becoming a breach. When a security event is escalated to become an
incident, the incident response process triggers, and an incident handler is assigned.

Incident
Security incidents are uncommon but happen more frequently than a security breach. An incident is
declared, and the incident response process starts if there is suspected loss of sensitive data.

What is not an incident: security events and vulnerabilities that have not been escalated.

Security Breaches
Security breaches are rare and contain a verified loss of data containing sensitive personal information.
In most cases to utter the words something is a breach; it requires the legal department and the CISO
to declare a breach. As a new analyst, it is good practice to not use this term anywhere unless told
otherwise. In most cases, breaches require a breach notification to clients and sometimes the public
and are handled with extra sensitivity. All breaches start as incidents.