E-book, English, 600 pages
Kent, Kyler: SOC Analyst Career Guide
1st edition 2025
ISBN: 978-1-83546-593-6
Publisher: De Gruyter
Format: EPUB
Copy protection: 0 - No protection
Become highly skilled in security tools, tactics, and techniques to jumpstart your SOC analyst career
As cyberattacks continue to disrupt modern enterprises, organizations urgently need vigilant security operations center (SOC) analysts who can detect and stop threats fast. With modern SIEMs and ingestion strategies, much of the necessary data is already within easy reach. This book provides you with the daily tactics, techniques, and procedures of a SOC analyst and shows how to exceed expectations in a modern SOC.
The book builds a solid foundation in security operations, preparing you for the SOC analyst role and other positions within the SOC. With this base in place, you'll advance into key SOC roles and blue team principles, such as detection and engineering. You'll be able to clearly articulate your future as a SOC analyst in an interview as well as talk about your career path to impress prospective employers. You'll get to grips with advanced threat actors, including advanced persistent threats (APTs) that wield considerable resources in campaigning against an organization. The chapters cover important concepts, such as governance, risk, and compliance (GRC), blue and red team tools, network security, web app security, and job search skills.
By the end of this book, you'll be able to demonstrate competency and acquire a SOC analyst position with an additional career outlook moving forward.
1 Introduction to Security Operations
It’s Monday morning, and you’re driving to the office during your regular commute. You anticipate an average workday, with plenty of time to tune the security information and event management (SIEM) and study for your upcoming certification exam. Suddenly, your manager calls you and asks how far away you are. You are only 12 minutes away, but your manager is making you feel like that’s not enough. he says, emphasizing and . You arrive to find incident responders all poring over the SOC’s large display screens in tandem with SOC analysts, the SOC manager, senior leadership, and the CISO. An attacker successfully deployed a web shell on an email server, and the SOC is on high alert, counting on you to detect further activity such as lateral movement! This is just one example of the countless incidents you may work on as a SOC analyst.
As a SOC analyst, you will respond to many incidents and perform many other important tasks. This chapter emphasizes the importance of a security operations center (SOC) analyst in security operations, using real-world examples to illustrate the value of SOC teams in threat management. You will also examine SOC architecture, operational workflows, career paths, and the governance, risk management, and compliance (GRC) framework that governs contemporary security operations. By the end of the chapter, you will gain a thorough overview of SOC operations, their impact on organizational goals, and how this information will make job interviews easier and enhance career growth.
In this chapter, you’re going to cover the following main topics:
- Discovering security operations
- Exploring the SOC career outlook
- Understanding security operations in the modern enterprise
- Discovering GRC issues in the modern SOC
- Introducing the blue team, detection, and engineering
By the end of the chapter, you will have a comprehensive understanding of security operations, the core of a SOC analyst's work. You will be able to walk into a job interview and explain the basics of security operations to a senior leader, including how they fit into the overall picture within their organization and any GRC requirements that may apply. Lacking a proper understanding of security operations leads to missing context and a breakdown in expectations and goals, which can cost you the interview or even cut short your tenure at an organization.
Discovering security operations
Referring to the previous example, imagine yourself as a SOC analyst arriving at the scene of a compromised web server. Next, visualize the incident responders performing analysis and forensics on the host. A SOC manager oversees these activities, coordinating them and ensuring the current incident has coverage while the new alerts generated by the SIEM are attended to. Threat hunters then work with incident responders to extract threat intel and look for exploitation elsewhere in the organization. Many feedback loops exist, both during active incidents and during business as usual (BAU). These loops provide information and recovery actions that harden the organization as a result of incidents, share indicators with other organizations (intelligence sharing), and focus on preparing for the next incident. The term security operations describes this entire cyclical process, with its numerous feedback loops, all aimed at securing an organization's digital ecosystem. Physical security is an often-forgotten component of security operations: it is the point where the digital world can be touched. After all, if someone can walk into a room holding the company's most prized secrets, simply remove them, and leave, digital security measures offer little protection against such offline attack methods.
Security operations is the process of securing an organization or enterprise. It is the machine of the organization’s security function and represents a constant dynamic of security among IT operations, data centers, infrastructure, business processes, industry-specific departments, and the rest of the organization. Security involves protecting both the physical and digital layers within an organization. Without either, an organization can quickly fall prey to an unsophisticated attack.
Physical security operations may involve perimeter security, building security, badge security (a form of identity and access management (IAM)), asset management, two-factor authentication including biometrics, access control, fencing, CCTV or other recorded and live monitoring, and so on. Physical security operations can also involve unarmed or armed guards who provide continuous patrols and presence in target areas within an organization. Finally, robots and autonomous security vehicles are taking on key security guard roles, providing patrols and continuous live, remote monitoring of important areas. Physical security operations encompass all the elements necessary to physically secure one or several locations for an organization.
Remote work is also changing the face of physical security operations as employees work online while distant from their work campus. This is especially true after the global coronavirus pandemic of 2019 (COVID-19). Employees no longer need to badge into an office, be checked by a security guard, or pass through video-monitored, access-controlled doors. Corporate liability for security changes as well, while employees may presume that their home is secure for the purposes of their remote work. Employers may no longer need to ensure that corporate campuses have impenetrable security measures, robust access control procedures, and an adequate security command presence. Thus, employer physical security controls may be relaxed post-COVID-19. The burden of protection shifts from a strong physical security element to digital security alone, as employees log in from potentially insecure home networks, appliances, and infrastructure. Employers must account for these changes to the security boundary and adapt to survive.
Understanding the SOC
The SOC is the epicenter of cybersecurity within an organization. Most security tools intersect within the SOC, for example through the security information and event management (SIEM) system, even though they may be managed by other teams or support groups.
Firewalls are another great example of interdepartmental tools. A network security team may be the primary manager of a network-based firewall system. However, the SOC will frequently send requests or even provide a level of management or oversight with the firewall, such as querying (i.e., read-and-write) capability. Such functionality allows the SOC insight into what network traffic is entering and exiting the organization and also what is being blocked when it is attempting to enter or leave. This information can provide extremely valuable investigative information to allow a SOC to determine if, for example, malware (i.e., the payload) was successfully downloaded from a malicious email attachment onto the victim’s computer.
Sometimes, these investigations may have to pivot to other tools, such as endpoint detection and response (EDR) tools. These tools, again, can be managed by other teams, such as the endpoint protection team, or can be fully managed by the SOC (which is usually the case). Through these tools, a team can see if a process was blocked, quarantined, or allowed to execute and what subsequent child processes and actions took place, including network connections and potential outbound traffic.
Thus, through an entire investigation’s lifecycle, numerous departments can be consulted, or their tools can be used to aid in an investigation. These teams work synergistically with the SOC, both directly and indirectly, to provide information to the SOC. This is why other roles, such as SOC engineers, are critical for the SIEM’s health and the SOC’s visibility. Without these cooperating teams, processes, and engineers, an incident can take over entire business units of an organization and result in devastating losses.
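The firewall-to-EDR pivot described above, worked through as an added example (not code from the book): a small correlation routine that takes a firewall log and EDR telemetry for one host and returns what the perimeter blocked, which endpoint process opened each allowed connection (with its parent chain), and anything the EDR quarantined afterwards. Log formats, field names, hosts and addresses are all constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample firewall log (not real data): time, source, destination, verdict
FW_LOG = """\
2025-03-03T09:01:10Z 10.0.5.23 203.0.113.7:443 ALLOW
2025-03-03T09:01:12Z 10.0.5.23 198.51.100.9:80 DENY
2025-03-03T09:02:30Z 10.0.5.41 203.0.113.7:443 ALLOW
"""
# Constructed EDR telemetry (JSON lines, not real data): process creations and network connections
EDR_LOG = """\
{"ts":"2025-03-03T09:01:05Z","host":"10.0.5.23","event":"process","pid":400,"ppid":120,"image":"outlook.exe","verdict":"allowed"}
{"ts":"2025-03-03T09:01:08Z","host":"10.0.5.23","event":"process","pid":512,"ppid":400,"image":"winword.exe","verdict":"allowed"}
{"ts":"2025-03-03T09:01:09Z","host":"10.0.5.23","event":"process","pid":640,"ppid":512,"image":"powershell.exe","verdict":"allowed"}
{"ts":"2025-03-03T09:01:10Z","host":"10.0.5.23","event":"network","pid":640,"dst":"203.0.113.7:443"}
{"ts":"2025-03-03T09:01:11Z","host":"10.0.5.23","event":"process","pid":700,"ppid":640,"image":"update.exe","verdict":"quarantined"}
"""

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")  # both logs use UTC timestamps

def parse_fw(text):
    return [dict(zip(("ts", "src", "dst", "action"), line.split())) for line in text.splitlines()]

def parse_edr(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def process_chain(events, pid):
    """Follow parent pointers to the root; returns image names root-first."""
    by_pid = {e["pid"]: e for e in events if e["event"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def triage_host(fw_text, edr_text, host, window_s=60):
    """Correlate firewall verdicts with EDR events for one host: blocked flows, the process
    (with ancestry) behind each allowed flow, and any child process the EDR quarantined."""
    fw = [r for r in parse_fw(fw_text) if r["src"] == host]
    edr = [e for e in parse_edr(edr_text) if e["host"] == host]
    out = {"allowed": [], "blocked": [], "quarantined": []}
    for r in fw:
        if r["action"] == "DENY":
            out["blocked"].append(r["dst"])
            continue
        for e in edr:  # match the allowed flow to the endpoint process that opened it
            if (e["event"] == "network" and e["dst"] == r["dst"]
                    and abs((ts(e["ts"]) - ts(r["ts"])).total_seconds()) <= window_s):
                out["allowed"].append({"dst": r["dst"], "chain": process_chain(edr, e["pid"])})
    for e in edr:
        if e["event"] == "process" and e["verdict"] == "quarantined":
            out["quarantined"].append({"image": e["image"], "chain": process_chain(edr, e["pid"])})
    return out
```

For the constructed host 10.0.5.23 the result shows the allowed download came from a PowerShell process spawned by Word under Outlook, and that the file it dropped was quarantined: the payload reached the endpoint but did not run.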
It is important to note that the SOC can also house the physical security operations for an organization. For this book, you will focus primarily on cybersecurity within the SOC. However, physical security operations will also be covered.
Fitting the SOC into the modern enterprise
Business and technology operations for the average enterprise include application support, sales and customer relations management (CRM) suites, database operations, application programming interfaces (APIs) and integrations, business intelligence platforms, cloud systems, and email systems. These systems empower business operations, sales, marketing, revenue, and communication. The...