SOC Analysts - 4 Things to Consider - Scary Stories To Tell in the SOC
Have you ever wondered why you shouldn't become a SOC analyst? Have you heard nothing but amazing things about the salary, the Infosec conferences, the clout of such a role? Well, it's all pretty much true, but writing only amazing things about a job I think is very fulfilling for the right people does a disservice to those who are truly trying to analyze whether becoming a SOC analyst is the right play. There are a ton of other roles on the Information Security team up for grabs, so today, I wanted to write a bit about why you shouldn't become a SOC analyst (or at least some things to consider and watch out for).
So, why shouldn't you become a SOC analyst? Consider the following:
Everything is Urgent
Unpredictable Working Hours
Ticket Hell
Data Overload
Oh, and I'll also include why perhaps a "scary thing" would be considered a good thing. After all, I love working in Security Operations. Also, I hate writing negative stuff, so I have to input some positivity, am I right?
Everything is Urgent
Are you the type of person that loves to set your mind to one or two goals and chug away until they are complete? Or maybe you just don't do well with multitasking? Consider this important point. In the SOC, you must prioritize the most critical alert or event that is currently taking place.
It will be a part of your job to look at a set of data or facts and make a determination on what the priority is. For example, you could be working on the SIEM, fine-tuning some analytics or searches, when an alert fires off that requires your immediate attention.
The not-so-scary part:
If you enjoy running toward the fires, this is a positive thing and you would likely be fulfilled in a SOC position.
Unpredictable Working Hours
Working in a SOC, or any incident response related role, is not known for stable nine-to-five working hours. In fact, there's a legitimate argument to be made that you should be "always on". It's taxing, and it's why this specific job type has a fairly high turnover rate.
The reason for this is that things like on-call rotations and shift work exist. Again, this will vary greatly depending on where you work, but one thing is certain: you will be asked to respond to something outside of your designated working hours.
The not-so-scary part:
This type of chaos can be very rewarding for those who want to make an impact at an organization. When there is an emergency that requires off-hours assistance, people notice those who are there to help. With this negative should come recognition and vast learning opportunities (and pay).
Ticket Hell
I'm sorry, but becoming a SOC analyst isn't always that sexy. At the foundation of every SOC, there are core metrics and SLAs that must be maintained, and that means tickets!
A typical workday, especially when you are just starting out in your career, might consist of anywhere from 25% to 100% processing "alert" tickets. Unfortunately, in most environments, the majority of these will be false positives (which can lead to alert fatigue).
As you are working your way through ticket hell, it's also going to be important that you are consistent and thorough with your documentation, even when the majority of tickets are false positives. This can be tedious, but it's part of the job.
The not-so-scary part:
Triaging and resolving tickets is the cornerstone of how a SOC analyst learns new things. Mastering the monotony of the ticket queue can result in skill sets with specific security tools, increased understanding of cyber attacks, and even promotions. It's also a fairly relaxing and easy way to just crank out some work.
Data Overload
When you first join any organization, you will be presented with an entire network of data. Depending on the size of the company and the business vertical, this can mean a metric sh*t ton of data. That data comes in the form of logs, business logic, inventory, and more.
A good SOC analyst will be able to take in this data and eventually apply that understanding to triage alerts more effectively, contain incidents faster, and better assess a specific event's risk to the organization.
The not-so-scary part:
Getting access to this type of data is not something that can be replicated in a lab environment without incurring a massive bill each month. For that reason, the only way to learn certain enterprise-level SOC skills, such as large-scale automation, custom analytic creation, and EDR deployment, is to get thrown into the data deep end.
Final Thoughts
In any role you take, thinking about whether it is the right fit is super important. I didn't write this post to deter people; I actually wrote it to help ensure expectations are realistic. This has been my particular experience as I've worked my way from tier-1 SOC analyst to a leader of security operations. Leave a comment with your thoughts on what I missed or if you disagree!
If you have any questions or need direction as you consider a career in Cyber Security, feel free to contact me.