WatchGuard Blog

Modern SOC and MDR Series V: The Different Roles within a Modern SOC

Modern SOCs are highly specialized security operations centers whose objective is to detect attackers who have gained access to an organization's devices or network. Because they operate in complex environments, a modern SOC is run by a team of cybersecurity experts, each assigned a distinct role, who coordinate its operations. These professionals execute a sequence of specific processes supported by tools capable of processing large volumes of data in real time, so that attacks are detected, analyzed and responded to as quickly as possible.

The main roles in a modern SOC  

Cybercriminals are always active every day of the year. They lurk in the system, ready to attack as soon as organizations are careless about security. This means SOCs, and more specifically modern SOCs, have to operate 24 hours a day, 365 days a year at the same intensity and ensure the coverage provided by their teams and roles is sufficient to keep malicious activity under control. The key roles working in a modern SOC include: 

1- Security Analyst: there are three tiers for security analysts with different responsibilities assigned to each level.  

Tier 1 security analysts are tasked with proactively monitoring and classifying alerts, as well as detecting anomalies or indicators of attack and then identifying the root cause and recommending remediation. Tier 1 analysts filter out false positive alerts from real incidents, so efficiency is critical. They are also responsible for configuring security and monitoring tools.  

Tier 2 analysts are known as investigators and work closely with the response team. They are responsible for investigating the security incident and determining what has happened, which systems are affected, which techniques have been used, when and why. Then they need to work with the response team to develop response and remediation measures to prevent similar attacks in the future. Tier 2 analysts review any weaknesses found in an organization’s preventive measures aiming to strengthen its resilience.  

Finally, Tier 3 analysts are regarded as the expert analysts within the SOC team. They assist Tier 2 whenever complex incidents require new behavioral data analysis and security intelligence.  

2- Threat Hunter:

The approach adopted by threat hunters centers on expert knowledge of key attacker techniques and behaviors rather than on detection technologies. Their job is to locate unknown and sophisticated threats that have managed to circumvent existing controls. Seeking to identify and respond to threats quickly, they assess the security of the organization from a proactive point of view, which allows them to reduce the dwell time of a threat.

3- The response team:

Tasked with developing and deploying containment, mitigation and eradication strategies. Sometimes, the response is carried out by a third team, the internal IT or security function at the company, guided by the response team that identifies which actions are needed to ensure a 100% effective response to eradicate the attacker’s presence in all affected systems.  

4- SOC Manager:

In charge of leading the team by performing management and operational tasks rather than specific technical tasks. This role carries out management responsibilities such as budgeting, defining strategies, managing SOC members, coordinating operations, achieving the objectives set by the company's management, purchasing solutions and tools for the SOC, reviewing incident reports, and generating reports on the SOC's activities to present to the company's management and to the client's Chief Information Security Officer (CISO).

5- Architecture team:

Responsible for creating and maintaining the architecture of the SOC's infrastructure and applications by testing, evaluating and recommending the appropriate tools for the SOC's complex processes. In close collaboration with the other teams and experts, they propose, assess, develop and test new tools and processes that make the detection of sophisticated threats more efficient, triage and investigation faster, and the coordinated, multi-domain response more agile. This ensures that the attacker has nowhere to hide and no chance to attack again once the response team decides to eradicate the threat from the organization. The architecture team is also sometimes tasked with ensuring security compliance, which involves documenting, adhering to and continually updating security practices against internal and industry frameworks.

Defining tasks for optimal performance 

As we mentioned above, a modern SOC team should have an organizational structure that helps deploy optimized and well-trained work processes, where each member of the team knows what their role is so that attackers lurking inside the network can be detected and dealt with as soon as possible.  

When building an efficient modern SOC, the team, the processes and the technological tools deployed are the key factors. You can find all the information needed to start modernizing a security operations team in the e-book "Modern SOCs and MDR services: what they are and why they matter".

If you would like to learn more about modern security operations centers, don't miss our series of articles: