Roles in the Security Operation Center (SOC)

Cyber security | Csaba Krasznay | February 29, 2024


Based on the framework published by the European Union Agency for Cybersecurity, we show the complexity of the knowledge required to run a good SOC.

[Image: SOC roles]

If you regularly read cybersecurity job ads, you may have noticed that most companies are looking for true supermen who understand every little aspect of cybersecurity. The reality is, of course, that this field is becoming increasingly specialised. So many different tasks need to be performed to ensure a secure operation that assembling a good security team based on soft and hard skills is becoming more and more like organizing a sports team. It needs the right people in the right positions, functioning as a team under the leadership of the chief information security officer, rather than the most outstanding professional in each position individually.

There have already been several attempts to describe cybersecurity roles, perhaps the most famous being the NICE Framework published by the US government, which lists hundreds of pages of skills and competencies. In 2022, the European Cybersecurity Skills Framework (ECSF) by the European Union Agency for Cybersecurity (ENISA) was published, which summarised what you can do in this field in 12 roles. In a SOC such as the one White Hat IT Security operates, three of these dozen roles are directly involved in providing the highest possible level of customer service, while four others are indirectly involved.

Let’s start with those who are in direct contact with customers! In the ECSF, they are called Cyber Incident Responders and their role is described as: “Monitor the organisation’s cybersecurity state, handle incidents during cyber-attacks and assure the continued operations of ICT systems.” They are the colleagues who monitor incoming alerts around the clock and try to find the needle in the haystack, i.e. to identify among the many security events those that could become cyber incidents, and to catch and neutralise incidents at their earliest stages.

In the background, their work is supported by Cyber Threat Intelligence Specialists, who are defined as “Collect, process, analyse data and information to produce actionable intelligence reports and disseminate them to target stakeholders.” Their expertise is essential to better understand an incident and to help not only customers, but the entire cyber security community, to prevent attackers from succeeding elsewhere.

In some cases, where trouble has already happened and external parties such as the police need to be involved in resolving the incident, the Digital Forensics Investigator role steps in to “Ensure the cybercriminal investigation reveals all digital evidence to prove the malicious activity.” This specific job allows the smallest digital clue to be unearthed from the huge pile of evidence generated by the incident, and the perpetrators to be tracked down.

We often forget that it is not only the customers’ IT infrastructure to be protected that is huge: the tools used for incident management also make up a complex system, even when they are a Microsoft Copilot for Security or Microsoft Unified Security Operations Platform solution. This is where the role of the Cybersecurity Architect becomes important, who “Plans and designs security-by-design solutions (infrastructures, systems, assets, software, hardware and services) and cybersecurity controls.” This is a highly valued role, as a well-designed security service means significant resource savings for all.

Of course, the infrastructure also needs to be operated, which is the job of the Cybersecurity Implementer, who “Develop, deploy and operate cybersecurity solutions (systems, assets, software, controls and services) on infrastructures and products.” The nature of cybersecurity is that it presents new challenges every day, which could not be addressed without continuous fine-tuning of systems; the operational engineers are therefore as important a part of the SOC as those who deal directly with incidents.

So are the colleagues who, in their role as Penetration Testers, simulate these new challenges within the SOC and, at the customer’s request, also in the protected infrastructure. Their job description is “Plans, designs, implements and executes penetration testing activities and attack scenarios to evaluate the effectiveness of deployed or planned security measures. Identifies vulnerabilities or failures on technical and organisational controls that affect the confidentiality, integrity and availability of ICT products (e.g. systems, hardware, software and services).”

Incident management is usually deployed by organisations because of some external compliance pressure, in addition to their own perceived interest. One such requirement is NIS2, which places a strong emphasis on incident management, even as an outsourced service. It is therefore important for the SOC operator to be aware of the compliance requirements that apply to both the customer and itself, given that NIS2 also imposes responsibilities on managed security service providers. The role of Cyber Legal, Policy & Compliance Officer will help in this.

Therefore, the SOC is really a team where expertise is needed from all areas of cyber security. That’s why it matters so much how this team performs. As evidenced by industry accolades such as Microsoft’s in-depth review, White Hat IT Security is among the best at this, which would be unthinkable without colleagues in a variety of roles.

Written by: Csaba Krasznay
