Priorities Beyond Email: How SOC Analysts Spend Their Time
Published 05/21/2024
Originally published by Abnormal Security.
Written by Mick Leach.
In the cybersecurity world, Security Operations Center (SOC) analysts serve as watchful defenders, tasked with the critical mission of fortifying systems against malicious intrusions and swiftly responding to emerging threats. Central to their effectiveness is the mastery of time management, as the fast-paced nature of cybersecurity demands rapid decision-making and efficient allocation of resources. Beyond the routine task of email management, SOC analysts must adeptly prioritize an array of responsibilities, from analyzing complex security alerts to proactively hunting for potential vulnerabilities, ensuring that the most pressing threats are swiftly identified and neutralized.
Here, we’ll delve into the specific tasks that occupy the time of SOC analysts, highlighting the strategic importance of their efforts in maintaining cyber resilience.
Understanding the SOC Analyst Workflow
As the first line of defense against cyber threats, SOC analysts play a vital role. Their efforts can mean the difference between quickly detecting and preventing an attack or a major, extended compromise of internal systems and data. Working in a SOC requires a broad set of deep technical skills, refined soft skills, insatiable curiosity, undivided focus, and relentless determination.
SOC analysts are responsible for monitoring an array of security systems to identify irregularities that can lead to potential threats. They must quickly respond to security alerts to determine their validity, scope, and impact in order to assess the severity and priority of each one, then kick off the incident response process as appropriate. Due to the number of events that SOC analysts receive and must evaluate, time management is a critical skill for SOC analysts.
Importance of Email Monitoring and Management
Email presents a unique challenge for SOC analysts because it represents the broadest attack surface at most companies and offers direct access to the weakest security link in any organization—its employees. Unfortunately, it is also among the highest-volume solutions in use at most companies. Couple that with the fact that traditional email security solutions are simply not equipped to detect and protect against modern attack techniques, and you have the perfect recipe for trouble.
Task Prioritization Challenges
High-volume, low-value tasks like reviewing user-reported phishing messages can often fall to the bottom of the to-do list; however, for every 20 innocuous messages, there may be a truly malicious message that went out to several of the company's users, of whom only one found it concerning enough to report. This can make prioritizing email-related analysis difficult, particularly against alerts from tools that traditionally have higher efficacy, such as firewalls, IDS/IPS systems, and EDR/XDR systems.
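One way to turn a single user report into the wider scope the paragraph describes: match the reported message against the mail gateway's delivery log to find every mailbox that received the same campaign and which of those recipients stayed silent. This is an added example, not code from the article or from Abnormal Security; the delivery log, the user report, the field names and the campaign-matching rule are all constructed assumptions.

```python
import re
# Constructed mail-gateway delivery log (not from the article), one entry
# per delivered message; a real SOC would pull this from the gateway.
DELIVERY_LOG = [
    {"msg_id": "m-101", "sender": "billing@invoice-portal.example",
     "subject": "Overdue invoice #4471", "url_host": "invoice-portal.example",
     "recipient": "alice@corp.example"},
    {"msg_id": "m-102", "sender": "billing@invoice-portal.example",
     "subject": "Overdue invoice #4472", "url_host": "invoice-portal.example",
     "recipient": "bob@corp.example"},
    {"msg_id": "m-103", "sender": "accounts@invoice-portal.example",
     "subject": "RE: Overdue invoice #4480", "url_host": "invoice-portal.example",
     "recipient": "carol@corp.example"},
    {"msg_id": "m-104", "sender": "hr@corp.example",
     "subject": "Holiday schedule", "url_host": "intranet.corp.example",
     "recipient": "alice@corp.example"},
    {"msg_id": "m-105", "sender": "news@vendor.example",
     "subject": "Overdue invoice #4471", "url_host": "vendor.example",
     "recipient": "dave@corp.example"},
]
# Constructed user reports: the single report that, per the article, may be
# the only visible sign of a message that reached several users.
USER_REPORTS = [{"msg_id": "m-101", "reporter": "alice@corp.example"}]

def normalize_subject(subject):
    """Drop reply/forward prefixes and collapse digit runs so per-recipient
    variants ('#4471' vs '#4472') map to one campaign subject."""
    s = re.sub(r"^(?:(?:re|fw|fwd)\s*:\s*)+", "", subject.lower().strip())
    return re.sub(r"\d+", "#", s)

def same_campaign(reported, candidate):
    """Assumed rule: same sending domain plus either the same normalized
    subject or the same lure URL host counts as one campaign."""
    dom = lambda m: m["sender"].rsplit("@", 1)[-1].lower()
    if dom(reported) != dom(candidate):
        return False
    return (normalize_subject(reported["subject"]) == normalize_subject(candidate["subject"])
            or reported["url_host"] == candidate["url_host"])

def expand_report(msg_id, log=DELIVERY_LOG, reports=USER_REPORTS):
    """Scope one user report: every mailbox that received the same campaign,
    which of them reported it, and which did not (the silent majority)."""
    reported = next(m for m in log if m["msg_id"] == msg_id)
    hits = [m for m in log if same_campaign(reported, m)]
    recipients = sorted({m["recipient"] for m in hits})
    hit_ids = {m["msg_id"] for m in hits}
    reporters = sorted({r["reporter"] for r in reports if r["msg_id"] in hit_ids})
    return {"recipients": recipients, "reporters": reporters,
            "unreported": [r for r in recipients if r not in reporters]}
```

The "unreported" list is the practical output: those mailboxes need the same containment steps as the reporter's, even though no alert was ever raised for them.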
Task Prioritization Beyond Email Management
As they’re sifting through a multitude of security alerts, SOC analysts must be able to quickly separate true positives from false positives and determine the severity of those true positive events, initiating an incident response process where necessary.
Incident Response and Triage
Once a security incident has been declared, the incident response process is initiated. Whether the company leverages NIST, SANS, or another incident response lifecycle, the steps are largely similar: the incident must be analyzed to determine its scope and impact, the incident must be contained, all traces of it must be eradicated, business operations must be restored to fully recover from the incident, and post-incident activities should be completed to learn from the incident and improve going forward.
Security Tool Maintenance and Optimization
Many security tools require constant maintenance, tuning, and optimization in order to improve the efficacy of their detection capabilities. This work is both critical to the proper functionality of most security tools, and requires significant time and effort to do appropriately. Larger companies may have whole teams devoted to this; however, many smaller organizations combine this activity with a SOC analyst's other monitoring duties.
Collaboration with Other Teams
As a “Jack of all trades, master of none,” SOC analysts must know a little about a lot, and they must also know when it’s time to call in the experts in a particular area. From network and infrastructure to architecture and development, SOC analysts must collaborate with specialists throughout the company to understand the context and implications of the alerts they investigate. This requires the ability to speak many different technical languages and understand the business better than many executives.
Continuous Learning and Skill Development
In order to stay current with emerging technologies, as well as attacker tactics, techniques, and procedures (TTPs), SOC analysts must spend a good deal of time on continuing professional education and personal development activities. In fact, this work is so important that most certifications require their certified professionals to document a certain number of hours spent on continuing professional education each year.