Becoming a SOC Analyst in 2024: A glimpse of my journey by Urvesh Thakkar

Urvesh Thakkar is one of Securzy's top cybersecurity instructors, and you can view all of his webinars at https://learn.securzy.io/instructor/urvesh. In this blog, he shares his experiences and guidance on how to build a career in SOC.

“SOC” – a polysemous vertical in the domain of cyber security. A lot of enthusiasts are fascinated by this ever-evolving world of SOC and are seeking resources or steps to understand the process of becoming a SOC Analyst. However, everyone’s journey is completely different from one another, yet in this blog I will share some of my key learnings based on my previous and current working experience in SOC.

The Basics

At a minimum, a SOC Analyst should know the basics of cyber security. This often overlaps with IT foundations, but networking is a good topic outside cyber security. You must understand cyber security fundamentals to become a SOC Analyst. Some jobs require hands-on training because you may use platforms you've never used, but the fundamentals remain constant. For instance, during an incident while analysis, you may be required to examine workstation and endpoint internet traffic. If you're unfamiliar with networking and how a machine interacts with the internet, you can't analyze those containing raw data. Not understanding ports/protocols is another example. Understanding these will help you analyze network traffic, which is part of your daily life. 

To get started, I highly recommend Professor Messer's Network+ playlist on his YouTube channel to gain networking fundamentals. Another treasure mine to look at is – TryHackMe/ LetsDefend; both offer cheap but fun paths. I'm not an affiliate, but overall, they have everything right from fundamentals and basics of networking to advanced topics such as Log Analysis, Network analysis, etc., that too with browser-based labs.

UNDERSTANDING THE ROLE

A Security Operations Center (SOC) analyst is an individual who collaborates with a team to actively monitor, analyze, and swiftly respond to security incidents. The objective of SOC analysts is to proactively combat security risks. They accomplish this by actively monitoring the network traffic, endpoint logs, OS logs etc. to identify indications of a potential attack. Upon detecting an attack, they proceed to investigate it alongside their team members.

Today, most of the SOC roles (including junior/ fresher ones) require knowledge and experience in SIEM. SIEM (Security Information Event Management) is considered SOC's first defense line. We see it like BSF – Border Security Force in traditional military defense levels. In layman's terms, consider SIEM as your manager and the employees, i.e., the endpoints (network devices, assets, cloud machines, clusters, etc.) they all report to the manager, i.e., the SIEM. Similarly, SIEM is a technology that collects, parses, indexes, and visualizes the raw logs received from multiple devices within the infrastructure. Now, there are tons of SIEM solutions available in the market, and each organization chooses an SIEM solution based on its budget, features, usage, etc. Despite having the same SIEM solution, the deployment process differs from org to org.

One can only learn some of the SIEM tools (it is not even possible to know all), but to start with, you can consider Wazuh (one of my favorites), Splunk, IBM QRadar, ELK Stack, etc., to name a few. Most SIEM vendors offer free training/ documentation on their official website. Yet, some of my recommendations include YouTube playlists of BlackPerl DFIR and Taylor Walton to help you easily understand the technicalities Moreover, in different organizations, SOC analysts may be titled Cyber Security Operations Center Analyst, Information Security Operations Center Analyst, Network Operations Center Analyst, SOC Threat Hunter, Incident Response Coordinator, Cyber Defense Analyst, IT Security Analyst, or Cyber Security Analyst etc.  Instead of getting overwhelmed by job titles, focus on the job description and responsibilities.

As a SOC analyst (even a fresher) monitoring the security alerts is one thing, but there are times when you will come across security solutions that are not correctly configured and are constantly sending out nonsense alerts that you ought to shut out...On the other hand, given that you are not an engineer, you will likely have to deal with that until it is eventually given the go-ahead to be configured correctly. The documentation and reporting that follows a SOC Analyst's day-to-day activities are the least favorite, but everyone has their own preferences. You will be expected to follow with comprehensive documentation of your process for almost everything you do or investigate. This is of utmost significance because, at some point, technical auditors will be tasked with reviewing your activity. The specifics of this task will vary depending on the size of your organization and the industry in which you work. Most of your day would look like viewing dashboards, monitoring logs, escalating the incidents to senior analysts, creating reports and charts, etc.

DIVE DEEP

Once you’ve gained a good amount of experience and knowledge in your initial role as a SOC analyst, it will be time to hone your skills and move your way up. Typically, there are 3 tiers in terms of diving the SOC analysts. Tier ones are freshers and new folks.

Tier 2 Security Operations Center (SOC) Analysts: Tier 2 analysts have more experience, knowledge, and additional training than Tier 1 analysts. Investigating security incidents, determining the underlying cause of incidents, and finding solutions to incidents are the responsibilities of these analysts. Additionally, Tier 2 analysts provide feedback for the purpose of further improvement.

 The senior analysts are the most experienced in the hierarchy – these are termed as Tier 3 SOC analysts. Typically, they are responsible for handling critical security issues that cannot be resolved by analysts at the tier 2 level. Additionally, this constitutes developing a security and risk management strategy, and it may involve accessing logs, conducting network forensics, and other similar activities. To scale up, you must equip yourself with multi-technical verticals such as Incident Response, Threat Hunting, Digital Forensics, Detection Engineering, etc. These skills are something where the fundamentals can be learned via resources, courses, etc., but here, the experience speaks. The more you gain experience, the better you get well-versed in the jargon of security associated with these roles.

Sharing my own experience, I started off my role where I used to only perform Vulnerability Management (VM) activities – such as sharing reports, creating Jira (IDMC) tickets, monitoring and creating dashboards, etc. Over time, with skills and practice, I transitioned deeper into SecOps – where I played a significant role in Incident Response and Threat Hunt verticals within my SOC Team. Handling alerts from SIEM and XDR, analyzing incidents, contacting stakeholders, logging reviews, etc., were some of my day-to-day chores. Once I got confident in these aspects, I started exploring the verticals of security engineering, where things began to fall deep regarding deployment and architectural levels. Developing automation, integrations, tools, leveraging APIs for automated security workflows, etc., became my routine.

SOFT SKILLS & WELLBEING

Who said SOC analysts are all about wearing big glasses and glancing at the screen constantly? I clearly recall the words of my manager (still tells me): "a major chunk of SOC analyst's salary is paid to him/her for effective communication. It's okay if you are not good at tech or tools, but you'd rather be considered of no worth if you can't communicate and explain things well". SOC analysts must collaborate with security teams, I.T. personnel, and executives. Clear, concise communication ensures everyone is on the same page during critical incidents. A single missed log entry or overlooked anomaly could be the difference between stopping a cyberattack and suffering a significant breach. Awareness and alertness are crucial. SOCs are operated 24/7 – which means you’d be expected to work in rotational shifts, and yes, these are extreme pressure environments – so most of the time, you’d be dangling from one task to another, one call to another and even would require performing multiple tasks at a time as there are deadlines associated with it. 

 All these factors do impact mental health in multiple ways. From my own personal experience, I feel that taking care of mental health should be one of the utmost priorities – especially for people in a high-pressure environment like SOC. Along with your technical duties, meditation, short breaks, sufficient sleep, etc., are some things to be taken care of. Eventually, “you can ensure security, when you yourself are sound and secure”.

CERTIFICATION MYTH BUSTING

Even I hold some titles under my profile, CHFI, CTIA, eTHP, ECIH, CCSE etc. to name a few. However, it is very important to realize that cyber security certifications aren’t cheap at all. Certainly, certifications in the field of cyber security are valuable assets. In addition to enhancing the credibility of your resume, they demonstrate to prospective employers that you have invested the time and effort to validate your knowledge in this technical field. However, remember that they are only a single piece of the puzzle. You will only be hired if you have a certification. The ability to adapt to a constantly shifting information technology environment is a skill employers seek in potential employees. The tools and methods that organizations use are continually evolving, and the only way to survive in this unpredictable environment is through continuous learning. In addition to that, the timing and the finances are also significant factors. Achieving one of these certifications demands a considerable expenditure of time and money. You must ensure that you are prepared in both a professional and financial sense. Obtaining certifications is an essential stage; however, the development of fundamental skills ought to be the primary focus.

Now, let's decide! Prioritize developing your fundamental ab

ilities. Instead of treating certifications as destinations, think of them as milestones. In addition, you should always continue learning fresh information. Most cyber security and analyst roles require IT experience, but you'll surely shine if you have good skills. You'll be the front line of defense investigating and defending IT resources, so recruiters and hiring managers expect some IT experience. For example, if you've never worked with Windows OS at a professional level, responding to security alerts in a Windows-based enterprise wouldn't make sense. One of my sentences yet remains constant: "it's not just the shine of certifications, but the strength of your skills and your commitment to continuous learning that will make you stand out in the cybersecurity field."

PERSONAL TAKEAWAYS - CHALLENGES AND LEARNINGS

While my entire SOC journey cannot be described in one blog, I would like to mention some generic learnings from my experience, which I am still applying to date. 

Ensure you read every day – new threats, vulnerabilities, research, etc., are released. The only way to stay ahead of the curve is to stay updated.

• Connect with like-minded individuals and professionals: As a personal practice, I prefer scrolling LinkedIn posts and connecting with people in the cybersecurity industry rather than diving into the draining pool of endless Instagram reels. Such tiny habits ensure that you're constantly learning and active.

• Follow cyber communities: Various offline and online cyber security communities are constantly conducting sessions, events, webinars, etc., for all levels of networking and learning. Again, a shoutout and honorable mention to Securzy – Securzy is a freemium cybersecurity education platform where experienced instructors can host webinars and boot camps, which can be attended by any interested folks for absolutely free of cost.

• Do have at least one coding language in your profile. Based on my experience, I faced multiple challenges for not knowing any programming language. I recommend Python – it is easy and free to learn (tons of resources available).

• Never choose your niche or domain in cybersecurity based on others' recommendations or observations. Just because I am into DFIR does not mean you must also go into DFIR – based on my profile, payout, etc. Rather than DFIR, maybe the Web App pen test fascinates you – choose that! Do not blindly invest in any course or certificate without finalizing your cyber-niche. Connect with professionals, read, research, practice, use free content, and try to identify which domain is best suited to your interests.

• Lastly, I would like to conclude by expressing the most essential takeaways --
  "Keep Smiling, Keep Learning and Follow Your Passion.”

Securzy.io is a crowdsourced cyber security training platform with users from 101 countries! If you want to stay up-to-date in cyber security, visit Securzy today.