
A SOC is not a Security Helpdesk!

Updated: Aug 10, 2022

There is too much shade being thrown at people who work in SOCs! If you have enough information security or cyber security experience, you understand how important it is to have a great SOC, or to outsource to a great SOC. There is also a difference between a managed security services (MSS) SOC that works strictly from playbooks and runbooks and a SOC that empowers its analysts to analyze alerts and escalate based on their own judgment.

If you don’t know what a SOC is, SOC stands for Security Operations Center. Your SOC is your first line of defense for detecting and responding to threats in your network. There is a running joke that the SOC is the security helpdesk, and that’s not true. We get that bad rap because a SOC is a 24x7 operation and business units like to funnel things to us, but there is a distinction between helpdesk tasks and SOC tasks: a SOC should be contacted when there is a security matter or a security incident in progress. Despite what you’ve heard, a SOC Analyst isn’t necessarily an entry level role, because an analyst should have foundational knowledge of security, networking, IT fundamentals, etc. Analysts with that foundation can start strongly in SOC roles, which is why many Helpdesk professionals, Sys Admins and NOC Analysts make some of the best SOC Analysts you will encounter.

One of the hardest things to determine when working in a SOC is what is legitimate activity and what is malicious activity. The first day you get access to a SIEM, it’s like the wild wild west.

Everything is new and you can’t tell good from bad unless you have previous experience. For example, an endpoint tool can fire an alert related to svchost.exe. An inexperienced analyst may take this at face value and decide to block the hash in the environment; if that file is the real C:\Windows\System32\svchost.exe, the block hits a core Windows binary on every host. A seasoned professional first checks the parent/child processes, the file path, the command line and the host’s other activity: the legitimate svchost.exe lives in System32 (or SysWOW64), is started by services.exe with a -k service-group argument, and it is a copy in a user-writable directory or a start from an unexpected parent that actually deserves escalation. SOC teams are not always big, thousands of alerts fire monthly, and alert fatigue and communication issues add to the difficulty. The goal for us in information security is to keep the company’s private information safe, and we cannot accomplish this without having a great SOC in place.
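As an added example (not code from the original post), here is the baseline check a seasoned analyst runs on an svchost.exe alert, written out in Python over a few constructed Sysmon-style process-creation events. The host names, paths and command lines are made up for illustration; the expected directory and parent are the normal Windows baseline for the genuine binary.

```python
import ntpath
from dataclasses import dataclass


# Constructed process-creation records in the style of Sysmon Event ID 1;
# none of these come from a real environment.
@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the new process
    parent_image: str   # full path of the process that started it
    command_line: str


# Where the genuine Windows svchost.exe lives and which process starts it.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_PARENT = r"c:\windows\system32\services.exe"


def triage_svchost(ev: ProcessEvent) -> list[str]:
    """Return the reasons an svchost.exe start deviates from the OS baseline.

    An empty list means path, parent and command line all look like the real thing.
    """
    image = ev.image.lower()
    if ntpath.basename(image) != "svchost.exe":
        return []  # not an svchost event, nothing to say
    reasons = []
    if ntpath.dirname(image) not in EXPECTED_DIRS:
        reasons.append(f"unexpected path: {ev.image}")
    if ev.parent_image.lower() != EXPECTED_PARENT:
        reasons.append(f"unexpected parent: {ev.parent_image}")
    # Real service hosts are always launched with a -k <service group> argument.
    if "-k" not in ev.command_line.lower().split():
        reasons.append("no -k service-group argument on the command line")
    return reasons


def verdict(ev: ProcessEvent) -> tuple[str, list[str]]:
    """Map the reasons to an analyst action.

    'escalate'    - the file is not the OS binary, so blocking its hash is a sane response
    'investigate' - the genuine binary was started in an odd way; blocking its hash would
                    break every Windows host, so look at the parent and host activity instead
    'benign'      - matches the baseline
    """
    reasons = triage_svchost(ev)
    if not reasons:
        return "benign", reasons
    if any(r.startswith("unexpected path") for r in reasons):
        return "escalate", reasons
    return "investigate", reasons


# Constructed sample events: one normal service host, one masquerading copy
# dropped in a temp directory, and the real binary started from a shell.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcessEvent("ws02", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
                 r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
                 "svchost.exe"),
    ProcessEvent("ws03", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        action, why = verdict(ev)
        print(f"{ev.host}: {action}" + (f" ({'; '.join(why)})" if why else ""))
```

The point of the split between escalate and investigate is the one the paragraph makes: a hash block is only a sensible first move when the flagged file is not the operating system’s own binary.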

When you have a below average security posture and a high risk appetite, it’s not a question of if but when you get breached. Most security breaches come down to one of two things: negligence, or a lack of experience identifying threats in the environment. When there is a security breach, not only does it cost the organization money, it also damages their reputation. Within the last five years, companies have bolstered their information security departments because of the ongoing cyber attacks against them. In 2013 Target was breached after attackers stole network credentials from a third-party HVAC vendor and used that access to reach Target’s internal network and payment systems. I have not reviewed the play-by-play of what happened after that, but we know they should’ve taken it seriously.

The recent Colonial Pipeline ransomware attack could’ve been prevented if they had acted on their alerts sooner. Ransomware doesn’t just show up and work; there is a series of events that leads up to an organization getting hit by ransomware. Colonial later disclosed that the attackers got in through a legacy VPN account that had no multi-factor authentication, using a compromised password. I can bet that an alert came in months or weeks earlier signifying that some type of attack was on a host. The hackers received about 4.4 million dollars in bitcoin to relinquish the files (as of June 8th 2021 the government had recovered most of those bitcoin)! Recently at work I caught an alert related to Cobalt Strike activity on a host early enough that it could not do widespread damage in the environment. If an alert like that is not properly triaged (triage is the initial assessment that decides how urgent an alert is and whether it needs a full investigation), it could’ve potentially made everyone’s week even harder.
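To make the “series of events” point concrete, here is an added example (not from the original post) in Python: a small correlation over constructed alert records that, for every host that reached the encryption stage, lists the precursor alerts that fired earlier on the same host, how much lead time they gave, and which of them were never triaged, plus a check for precursor alerts that are still open past a triage SLA. The rule names, hosts, timestamps and the 24-hour SLA are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    host: str
    rule: str
    status: str   # "open" (never worked) or "closed"


# Hypothetical rule names; the stages are the point, not the exact names.
PRECURSOR_RULES = {"cobalt_strike_beacon", "suspicious_powershell",
                   "credential_dumping", "rdp_lateral_movement"}
RANSOMWARE_RULES = {"mass_file_encryption", "shadow_copy_deletion"}


def precursor_report(alerts):
    """For each host that reached the ransomware stage, report the earlier precursor
    alerts, the lead time between the first precursor and the first ransomware-stage
    alert (in whole days), and which precursors were still open when encryption started."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host.setdefault(a.host, []).append(a)
    report = {}
    for host, evs in by_host.items():
        ransom = [a for a in evs if a.rule in RANSOMWARE_RULES]
        if not ransom:
            continue
        first_ransom = ransom[0].ts
        precursors = [a for a in evs if a.rule in PRECURSOR_RULES and a.ts < first_ransom]
        lead = (first_ransom - precursors[0].ts) if precursors else timedelta(0)
        report[host] = {
            "lead_time_days": lead.days,
            "precursors": [a.rule for a in precursors],
            "never_triaged": [a.rule for a in precursors if a.status == "open"],
        }
    return report


def overdue_precursors(alerts, now, sla=timedelta(hours=24)):
    """Precursor alerts still open past the triage SLA: the ones to work now,
    before they become the next entry in precursor_report()."""
    return [a for a in alerts
            if a.rule in PRECURSOR_RULES and a.status == "open" and now - a.ts > sla]


# Constructed sample alerts (not real data): fs01 shows the full chain with the
# early alerts never worked; ws22 had one alert that was closed; dc01 has a fresh
# precursor that nobody has touched yet.
SAMPLE_ALERTS = [
    Alert(datetime(2021, 4, 10, 1, 0), "fs01", "cobalt_strike_beacon", "open"),
    Alert(datetime(2021, 4, 12, 9, 40), "fs01", "suspicious_powershell", "open"),
    Alert(datetime(2021, 5, 7, 2, 0), "fs01", "shadow_copy_deletion", "open"),
    Alert(datetime(2021, 5, 7, 2, 5), "fs01", "mass_file_encryption", "open"),
    Alert(datetime(2021, 5, 1, 11, 0), "ws22", "suspicious_powershell", "closed"),
    Alert(datetime(2021, 5, 5, 0, 30), "dc01", "credential_dumping", "open"),
]
NOW = datetime(2021, 5, 7, 12, 0)

if __name__ == "__main__":
    for host, r in precursor_report(SAMPLE_ALERTS).items():
        print(host, r)
    for a in overdue_precursors(SAMPLE_ALERTS, NOW):
        print("overdue:", a.host, a.rule, a.ts)
```

On the sample data fs01 had 27 days between the beacon alert and the first encryption alert, and neither precursor was ever worked; dc01 is the host where that window is still open.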

I’m sorry for rambling, but the examples I brought up can be avoided when your company has a good SOC, great security procedures and direction. Working in a SOC is like a digital hybrid of being a police officer and a firefighter. You always have to expect the unexpected in this line of work. New threats emerge daily and there is not always documentation on how to handle them; this is where your judgment can make or break your company. I know what it’s like to get that notification that something has gone down in the network and you need to get on your laptop ASAP. That situation can last a short time or a long time, and you don’t know which until the impact of the event has been assessed. The next time you think to down-talk a SOC Analyst,

I want you to remember how vital their role is to the ENTIRE organization!


