Should you Take That SOC Role?
There are many places where pen test professionals might ply their trade, but their natural home is probably the security operations center.
The problem with SOCs is that, in such a messy industry, they can come in many shapes and sizes. After all, put two cybersecurity professionals in a room together with a few industry tools and what’s to stop you calling it an SOC?
The good news is that the analytical mind of a good pen tester can be put to good use when sussing out a potential employer.
This article looks at four different types of SOC, how you can identify them and whether you are likely to thrive there. These offer a way to simplify your choice when it comes to whether to respond to a job advertisement.
But first, why do SOCs vary so much in the first place?
Why do SOCs vary so much?
The SOC comes in many different guises depending on factors such as company size, business strategy, IT infrastructure, security tools and personnel. Take these two hypothetical extremes:
Company A is a world-famous global corporation with a real understanding of the risks of cybersecurity breaches (perhaps they have suffered a security incident in the past!). The executive team includes information security as a central part of the overall business strategy, and the CFO and CTO work closely together to ensure the SOC is properly resourced. Only the most up-to-date security tools and best practices are considered, and HR is tasked with headhunting the most talented cybersecurity professionals or outsourcing to the best service providers. The job descriptions are detailed, role-specific and carry above-average salaries.
Company B on the other hand is an unknown firm which serves a small city in a very competitive industry. The stressed IT team have fought a few cybersecurity fires and have been constantly at the door of the executive team, demanding a dedicated SOC. To keep them quiet, the CEO has asked the CTO to set up an SOC but has only allocated a small, non-negotiable budget. HR have been asked to outsource as much as they can and bring in one or two security analysts to run everything. The job description is vague, contains a broad range of general IT tasks and the salary is average at best.
Although both of the above will be advertising for security analysts or similar roles, the opportunities for development and conditions of employment will be vastly different.
Here are three different categories of SOC that can arise as a result of these differences:
SOC Type 1: The basic security center
Most SOCs will fit into this category. There should be sufficiently advanced tools available for monitoring and investigating threats and, crucially, a team of at least 4 to 5 people, each with their own specific tasks. Overlap should only occur when information is passed from one analyst to another for further investigation.
A team of five might include:
• Two security analysts performing triage roles. As well as sysadmin and programming experience and skills, these specialists should have an industry-recognized cybersecurity analyst certification (e.g. CompTIA CySA+). For a comparison between different kinds of certification, see the linked post. These analysts will focus on reviewing alerts and creating tickets based on relevance and urgency.
• Security analyst performing a first responder role. This person will be similarly qualified but will often be more experienced with a determination to get to the root cause of an incident and the ability to remain calm under pressure.
• Expert security analyst performing a threat hunter role. This is where a pen test professional would be best placed. They will need all of the qualifications and attributes above plus in-depth knowledge of data visualization and pen test tools and techniques. They will focus on identifying stealth threats and improving tool configuration to better refine alerts.
• SOC manager. The COO of the security operations center, the manager will have all of the above plus strong leadership and communication skills. They are likely to have a top cybersecurity management certification (e.g. CISSP).
Your role and place in the team should be clear from the job description.
SOC Type 2: The shoestring security center
This type of SOC is based around getting the most out of limited resources. As such, you will often find that the security team comprises only one or two analysts and the SOC manager. Some functions may be outsourced and you may be required to liaise with third parties to provide the service.
On top of threat analysis and pen testing, you might be expected to share monitoring, prioritizing and responding responsibilities. If you like to be very busy and can handle the pressure and accountability, this role may appeal.
SOC Type 3: The evolving security center
This type of SOC will be actively developing a proactive method to identify threat agents’ TTPs and working closely with other centers and the wider community. In addition to the roles above, there will be a developed threat intelligence function with much of the basic data analysis automated.
It is within such an SOC that you are most likely to come across a ‘pure’ pen test role. This is a role that will appeal to those cybersecurity professionals who live and breathe pen testing and want to focus only on this discipline.
A word of warning though. A company of this type could be actively looking at cloud migration solutions and might be tempted to save money by taking all of their security provision into the cloud by using a managed security center.
SOC Type 4: The managed security center (SOCaaS)
Instead of setting up their own ‘traditional’ SOCs above, many businesses are now opting for a completely managed security center – the ‘Security Center as a service’ or SOCaaS. This trend is likely to continue so getting involved now is a good career move for pen test professionals. SOCaaS providers know that businesses are looking for battle-hardened competencies in perimeter and end-point protection, malware exfiltration, pen testing and a proven prowess against zero-day exploits. Therefore, pen testers are likely to be in demand and able to command a decent salary.
What’s more, with businesses finding security increasingly hard to navigate, risks going up, costs coming down and consultants promoting cloud management solutions, those with onsite SOCs are likely to turn to outsourcing anyway. A traditional role could be very short-lived!
So next time you come across a job posting for a security analyst or pen testing role, do your due diligence and consider whether the SOC is likely to offer you the role, environment and job security you need. Decent SOCaaS providers are likely to offer the most security and best development opportunities of all.