Threat Analysis Unit

Predicting the Future of the SOC Analyst

I’ve been a SOC Analyst for four years now and was a desktop support engineer before that. When I first started as a SOC Analyst, it was an exciting change. I was going to help protect the company and resolve suspicious incidents before they turned into breaches. The reality of my day-to-day was not quite as exciting. In the beginning I did a lot of Click > Validate > Close on alert after alert.

However, as the SOC team evolved with new tools and threat intelligence, we filtered out the noise of low-fidelity alerts and found ourselves able to contribute more to our company’s security posture. Eventually I was spending more time processing threat intelligence, and coming up with ways to apply it to our environment, than I was dealing with alerts.

It is from this perspective that I can look at the SOC Analyst role and see it changing to better serve the security needs of companies in the years to come. But before I speculate on how the SOC Analyst role will change in the future, I find it helpful to first consider where the role started and how it has evolved.

The Origin of the SOC Analyst Role

Security Operations Centers (SOCs) started coming into existence in the early 2000s, typically after an organization had experienced a breach. The concept was to create a simple set of controls and “watchers” for securing the organization’s networks and data. While phishing, trojans and malware attacks were already commonplace (see the historical timeline in this report), companies often didn’t recognize the importance of security until a data breach occurred.

Admittedly, we didn’t create our SOC until we were breached in 2012. We were very open and communicative about what happened and the security we put in place to prevent it from happening again. A big part of that was the SOC and a handful of SOC Analysts. The Analysts were the front line, taking the alerts from basic security monitoring tools and validating them as harmless or suspicious. If an alert was suspicious, it was escalated to incident response specialists within the SOC.

As tools matured and attack volume increased, the SOC Analyst role scaled accordingly. Small SOC Analyst teams doubled and tripled in size over the past 10 years. While many companies still recruit SOC Analysts as an entry-level position straight out of college, most analysts hold multiple industry-standard certifications.

Why the SOC Analyst Role is Changing

The history of the SOC Analyst role sounds good, so many may think it should stay as it is. But I firmly believe that doing so will only serve to kill the role. When the SOC Analyst role is held stagnant in alert-filtering mode, companies see high turnover, in some cases more than 25%. This is not sustainable, because skilled cybersecurity staff are hard to come by.

If companies continue to improve their security solutions and processes, then SOC Analysts should be developed into new responsibilities alongside them. As low-fidelity alerts are filtered out, there is more time to be proactive and build new detections for new threats. Growing the role from reactive to proactive will keep these valuable people engaged.

A New Name to Align with New Responsibilities

Good SOC Analysts have what I call a “security mindset”: curiosity combined with a passion for problem solving. This is an incredibly valuable skill, and when it is combined with the understanding of your environment gained during SOC Analyst work, I believe SOC Analysts are ready to evolve into a new role. That role is Threat Hunter.

A Threat Hunter proactively looks for threats and adds defenses to the environment to protect against them. The analyst continues to investigate the higher-quality alerts that remain, but spends more time reviewing threat intelligence and applying it to the organization’s systems. They can also take on strategic project work, like creating playbooks for threat analysis.

At VMware Carbon Black, we have already made this change. Where I was once called a SOC Analyst, I’m now a Threat Analyst. The SOC was also renamed TORC, the Threat Operations & Response Center. I’ve been a SOC/Threat Analyst for four years and still love it, because the roles and responsibilities have evolved alongside the growth of my skills and experience.