Tim MalcomVetter
Co-Founder / CEO
[Note: images are AI generated, content is organic human generated!]
Life of a SOC Analyst
In my twenty-something years of cybersecurity, I’ve gotten to work just about every type of role there is in the field, and have appreciation for all of them, but I probably have the MOST respect for anyone who has lived the SOC Analyst’s life. There aren’t enough words to convey how important, and how overlooked, their contributions to cybersecurity are.
# What SOC Analysts Enable Us To Do…
While you’re enjoying the holiday break with your family, a SOC Analyst is still on-shift, vigilantly guarding the digital castle.
While you’re checking out online or in a store, a SOC Analyst somewhere is triaging a suspicious event that might disrupt your ability to buy what you have in your cart, or worse.
When your loved one is in a hospital, prepping for an important surgical procedure, a SOC Analyst is making sure ransomware doesn’t prevent that procedure from taking place.
Want your flight to take off on time (or at all)? A SOC Analyst is defending all of the ticketing & logistics systems, so they can stay online.

The best part? They’re willing to do this work EVERY SINGLE DAY without acknowledgment. When is the last time you thought about a SOC Analyst as you go about your everyday life?
# Dealing with Reality
Unlike other specialties in cybersecurity, SOC Analysts are grounded in reality.
They don’t get to say:
- “Oh, we’ll just fix security in the next release.”
- “That’s a legacy system, just upgrade or turn it off.”
- “Just write a detection rule for this” in a pentest report.
- “I don’t understand how that works, go ask someone else.”
- “That’s not a problem.”
They are dealing with the cards that have been dealt to them, right now!
Security Engineering gets the luxury of project timelines and the ability to fix things later, but the SOC Analyst doesn’t. They’re dealing with production now. And staging, test, and development, because you put them all on the internet, thankyouverymuch!
Armchair pundits can simply wave their hands and dismiss the Windows XP workstations that are still running critical legacy business processes, and declare keeping them to be a dumb management decision, but the SOC Analyst has to defend them right now, because they just saw an alert for MS08-067. Again. The SOC Analysts’ gallows humor is displayed in a “What year is it?” meme as they swoop in and save the day, again.
Pentesters and Red Teamers who have never had the shared experience of maintaining a well-oiled SOC at scale might simply add the phrase “write a detection rule for this” because their boss wanted them to put something with the finding in their report, but the SOC analyst knows better. They know that Kerberoasting detection will fire hundreds of times per hour, making it impossible to review them all. They know it’s a non-starter, as they read the pentest report. They may be “nice,” too, and not complain about the shortsightedness.
SOC Analysts are firefighters. They can’t take the alert in front of them and toss it to someone else, saying “I don’t know what this is, you figure it out.” There’s usually no one else, so they start reading and becoming a SME (subject matter expert) on the fly, to find out whether this alert is nothing or a business killer.
SOC Analysts have no choice but to take ownership. The alert fired. It’s their job to work the alert. There is no room to say “it’s not my problem.” It’s 100% their problem to address head-on.
# Stress
I often compare the SOC Analyst’s role with an Air Traffic Controller’s, because of the stress on them to make great decisions. Swipe left on the wrong alert and the organization just had a beachhead event for ransomware. Swipe right too often, and your teammates outside the SOC will think you’re Chicken Little.

This is why big, well-run SOCs have processes in place from Day 1 of the SOC Analyst’s employment to address their burn-out. A certain large SOC I’m acquainted with does it like this:
- New hires begin a 60-day training program, assuming each new batch of SOC Analysts will need supplemental training they didn’t get from a university or prior employer.
- They then go into another 60-day period where they shadow a more senior SOC Analyst.
- After those 120 days, they’re ready to begin working cases themselves, but for the next 60 days, the Senior Analyst is shadowing them.
- By this point (180 days, roughly 6 months in), the SOC Analyst is finally released to fly solo, working cases on their own, with the safety net of peers and leaders, of course.
- About 6 months later, roughly the 1 year anniversary, they sit the SOC Analyst down for their first annual performance review, asking them what other aspects of cybersecurity the Analyst may want to work on one day.
- They then set up occasional job shadowing for the SOC Analyst.
- 6 months later (the 18 month mark), they begin planning the logistics to off-board the SOC Analyst into a non-SOC role based on the job shadowing experience.
- By the 2 year mark, SOC Analysts who are still excited about the SOC are typically promoted to being a Shift Leader, while the other Analysts from that cohort have moved on to new cybersecurity roles within the organization.
# Nights & Weekends …
Most cybersecurity professionals work traditional office hours in their local timezone, i.e. Monday through Friday, 9 to 5. SOC Analysts are typically assigned shifts, sometimes rotating to nights and weekends, and new people joining the team are typically required to take the less desirable shifts more often to earn their place.
While some engineering roles will occasionally have off-hours support calls or projects that require after-hours deployments, the rest of us mostly get to enjoy our nights and weekends doing personal things, not thinking about work (as much as the SOC Analysts do anyway).
I’ll tell you one way NOT to show gratitude to those working the overnight shifts, and it’s a true story, too:
Once upon a time, I saw a SOC Shift Lead introduce himself to his CEO. The CEO greeted him and asked him what he did for the company. “I lead the night shift in our SOC,” he told the CEO. “Oooh, that sucks…” replied the CEO, who apparently didn’t get proper brain nutrition that day to realize how harmful that interaction was. Don’t be that CEO.
# Moods, Distractions, and Bathroom Breaks …
When the software developer’s child is up sick the night before, the code project they’re working on today may take a dip in productivity, but their employer won’t end up in the news about that. Same for the security engineer going through a break-up or loss of a family member.
But the SOC Analyst in those situations may very well … understandably … make horrible triage decisions that day.
When the SOC Analyst has a response time goal to hit and their numbers are below quota, they might just dismiss that ransomware beachhead to reach a performance metric that will seem ridiculous in this context.
The pressure is on.

# Success Goes Unnoticed…
It’s super common for pentesters and red teamers to talk openly about their successes at work. To the unacquainted outsider, this might give the impression that hacking is easy and defending is hard. In reality, the majority of pentesters and red teamers are in consulting roles, so the “failures” of their clients can be laundered in the pile of logos their firm services.
SOC Analysts, however, including today when you read this, will turn amazing virtual back-flips to quickly contain an adversary’s motion … AND NOBODY WILL EVER KNOW ABOUT IT. They can’t blog about it. They can maybe tell friends under Chatham House Rules, but that’s about it. Their employers staple their lips and prevent them from sharing, because of the perception that a foothold an adversary gains and then loses is still a foothold that never should have happened.
# Introverts
It’s not a given that a SOC Analyst must be an introvert, of course, but in my experience there are more introverts than extroverts. This matters tremendously when it comes time to get context around an alert; the analyst needs to talk to a human. Which team member will do it? The one who is slightly less introverted than the others.
There’s the old joke about engineers, that we’ll borrow for our SOC Analyst friends:
The extroverted SOC Analyst is the one who will look at your shoes and not just at his own.
When that suspicious login event happens, can the SOC Analyst muster up enough courage to call the affected victim user and ask if they just logged in from somewhere new? Will they have enough rapport within their organization to even recognize the victim’s voice? Is it even them? Why are we expecting them to even work these alerts?
Or will their introversion take over? Will they default to sending an email or DM to the victim instead, despite the fact that an adversary may have taken over the account and the response the SOC Analyst gets back is an adversary Jedi Mind Trick? “These are not the droids you’re looking for.”
# Rite of Passage?
Ask some senior cybersecurity professionals how a recent college graduate should break into cybersecurity, and they might just suggest “get a job in a SOC.”
But should working in the SOC be a Rite of Passage?

Are we doing favors to ourselves, the organizations we protect, and their customers, whose data carries the risk of exposure, by putting someone so new into a position so difficult?
It’s hard to say.
I’ve met many talented professionals whose careers were bolstered by their time in the trenches. I’ve also met many who I wish had spent at least a couple of weeks just shadowing someone in a SOC, so they’d appreciate the hard work.
SOC Analysts, you have my admiration. I look forward to your off-the-record war stories and shaking my head in solidarity over the reality of dumb decisions other people made that gave you a bad day and another crazy story.
We’ve thrown new people into those grueling SOC roles for years because that’s all we had as options.
Until now.
Until Wirespeed.

Want to know more about Wirespeed? Follow us on LinkedIn / X or join our mailing list.