A SOC is a team primarily composed of security analysts organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents.
The practice of defense against unauthorized activity within computer networks, including monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.
Computer Security Incident Response Team (CSIT) ?
Computer Incident Response Team (CIRT) ?
Computer Incident Response Center (or Capability) (CIRC) ?
Computer Security Incident Response Center (or Capability) (CSIRC) ?
Security Operations Center (SOC) ?
Cybersecurity Operations Center (CSOC)
?Computer Emergency Response Team(CERT)
Computer Incident Response Team (CIRT) ?
Computer Incident Response Center (or Capability) (CIRC) ?
Computer Security Incident Response Center (or Capability) (CSIRC) ?
Security Operations Center (SOC) ?
Cybersecurity Operations Center (CSOC)
?Computer Emergency Response Team(CERT)
Tier Level:
Tier 1
Tier 2
Tier 3
Soc Manager
Tier 1
Tier 2
Tier 3
Soc Manager
Tier 1: Alert Analyst
Duties
Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work.
Duties
Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work.
Required Training
Alert triage procedures; intrusion detection; network, security information and event management (SIEM) and hostbased investigative training; and other tool-specific training. Certifications could include SANS SEC401: Security Essentials Bootcamp Style.
Alert triage procedures; intrusion detection; network, security information and event management (SIEM) and hostbased investigative training; and other tool-specific training. Certifications could include SANS SEC401: Security Essentials Bootcamp Style.
Tier 2: Incident Responder
Duties
Performs deep-dive incident analysis by correlating data from various sources; determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats.
Duties
Performs deep-dive incident analysis by correlating data from various sources; determines if a critical system or data set has been impacted; advises on remediation; provides support for new analytic methods for detecting threats.
Required Training
Advanced network forensics, host-based forensics, incident response procedures, log reviews, basic malware assessment, network forensics and threat intelligence. Certifications could include SANS SEC501: Advanced Security Essentials – Enterprise Defender; SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.
Advanced network forensics, host-based forensics, incident response procedures, log reviews, basic malware assessment, network forensics and threat intelligence. Certifications could include SANS SEC501: Advanced Security Essentials – Enterprise Defender; SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling.
Tier 3 Subject Matter Expert/ Hunter
Duties
Possesses in-depth knowledge on network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident “hunter,” not waiting for escalated incidents; closely involved in developing, tuning and implementing threat detection analytics.
Duties
Possesses in-depth knowledge on network, endpoint, threat intelligence, forensics and malware reverse engineering, as well as the functioning of specific applications or underlying IT infrastructure; acts as an incident “hunter,” not waiting for escalated incidents; closely involved in developing, tuning and implementing threat detection analytics.
Required Training
Advanced training on anomalydetection; tool-specific training for data aggregation and analysis and threat intelligence. Certifications could include SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling; SANS SEC561: Intense Hands-on Pen Testing Skill Development; SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.
Advanced training on anomalydetection; tool-specific training for data aggregation and analysis and threat intelligence. Certifications could include SANS SEC503: Intrusion Detection In-Depth; SANS SEC504: Hacker Tools, Techniques, Exploits and Incident Handling; SANS SEC561: Intense Hands-on Pen Testing Skill Development; SANS FOR610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques.
SOC Manager
Duties
Manages resources to include personnel, budget, shift scheduling and technology strategy to meet SLAs; communicates with management; serves as organizational point person for business-critical incidents; provides overall direction for the SOC and input to the overall security strategy
Duties
Manages resources to include personnel, budget, shift scheduling and technology strategy to meet SLAs; communicates with management; serves as organizational point person for business-critical incidents; provides overall direction for the SOC and input to the overall security strategy
Required Training
Project management, incident response management training, general people management skills. Certifications include CISSP, CISA, CISM or CGEIT.
Project management, incident response management training, general people management skills. Certifications include CISSP, CISA, CISM or CGEIT.