
SOC Responsibilities

SOC Tier 1 - Triage

SOC Tier 2 - Incident Responder

SOC Tier 3 - Threat Hunter

 

SOC Tier 1 - Triage:

  • This tier involves initial alert monitoring, triaging, and basic analysis of security events. Analysts investigate potential security incidents and escalate them if needed.

SOC Tier 2 - Incident Responder:

  • Tier 2 analysts dive deeper into alerts escalated by Tier 1, performing in-depth investigations and responding to security incidents.

SOC Tier 3 - Threat Hunter:

  • Threat hunters proactively search for signs of advanced threats in the network that may not trigger traditional security alerts, focusing on identifying and neutralising advanced persistent threats (APTs).

 

As a Junior Security Analyst, staying informed about current cyber security threats is vital. You'll detect and hunt threats, develop a security roadmap, and prepare for worst-case scenarios. Prevention involves gathering intelligence on the latest threats and TTPs (Tactics, Techniques, and Procedures) while maintaining systems through tasks like patching vulnerabilities and updating firewall signatures.

SOC teams use tools like SIEM and EDR to monitor suspicious activity. You'll prioritise alerts from Critical to Low, ensuring the most severe threats are addressed first. Investigation involves triaging alerts, understanding attacks, and using logs and open-source tools to find answers.

Once an incident is investigated, the SOC team isolates compromised hosts, terminates malicious processes, and remediates threats. Being on the front line can be challenging, but the reward of successfully handling incidents is immense. Monitoring network traffic and using open-source intelligence are key tasks, with Incident Response potentially lasting from hours to weeks.

A typical daily routine for each tier in a SOC team:

SOC Tier 1 - Triage

  • Morning: Start by reviewing alerts from the SIEM system, investigating and triaging them based on severity (Low, Medium, High, Critical).

  • Midday: Handle low-level incidents, document findings, and escalate more complex alerts to Tier 2.

  • Afternoon: Continue monitoring network traffic and logs, responding to new alerts and ensuring all issues are properly recorded and escalated.

  • End of day: Prepare daily reports, hand over ongoing investigations to the next shift, and ensure all tickets are updated.
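The Tier 1 routine above (review SIEM alerts, work them Critical to Low, escalate to Tier 2, hand over at end of shift), as an added Python example that is not part of the original page. The alert records, rule names and tier action labels are constructed placeholders; alerts whose severity field is missing or unrecognised are ranked with High and escalated rather than dropped, so a malformed field cannot bury an alert at the bottom of the queue.

```python
from collections import Counter

# Severity order from the page: Critical is worked first, Low last.
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed sample alerts in the shape a SIEM might export (not real data).
SAMPLE_ALERTS = [
    {"id": "A-1001", "severity": "Low", "rule": "Repeated failed logins", "host": "ws-07"},
    {"id": "A-1002", "severity": "Critical", "rule": "Ransom note file created", "host": "fs-01"},
    {"id": "A-1003", "severity": "Medium", "rule": "New local admin account", "host": "dc-02"},
    {"id": "A-1004", "severity": "High", "rule": "Outbound connection to known C2", "host": "ws-12"},
    {"id": "A-1005", "severity": "Low", "rule": "Internal port scan", "host": "ws-03"},
    {"id": "A-1006", "severity": "", "rule": "Rule with missing severity field", "host": "ws-09"},
]


def prioritise(alerts):
    """Order the queue Critical -> Low. An unknown or empty severity is ranked
    with High so a malformed field cannot push an alert to the bottom; the sort
    is stable, so alerts of equal severity keep their SIEM arrival order."""
    return sorted(alerts, key=lambda a: SEVERITY_RANK.get(a.get("severity"), 1))


def triage(alert):
    """Tier 1 decision for one alert (hypothetical action names):
    Critical/High and anything unrecognised escalate to Tier 2,
    Medium is investigated by Tier 1, Low is recorded and closed."""
    sev = alert.get("severity")
    if sev == "Medium":
        return "investigate_tier1"
    if sev == "Low":
        return "record"
    return "escalate_tier2"


def shift_handover(alerts):
    """End-of-shift summary: every alert gets a ticket with its action, plus
    counts per action and the ids the next shift must pick up with Tier 2."""
    tickets = [dict(a, action=triage(a)) for a in prioritise(alerts)]
    counts = Counter(t["action"] for t in tickets)
    escalated = [t["id"] for t in tickets if t["action"] == "escalate_tier2"]
    return {"tickets": tickets, "counts": dict(counts), "escalated_ids": escalated}


if __name__ == "__main__":
    for t in shift_handover(SAMPLE_ALERTS)["tickets"]:
        print(f'{t["id"]} {t["severity"] or "UNKNOWN":8} {t["action"]:18} {t["rule"]}')
```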

 

SOC Tier 2 - Incident Responder

  • Morning: Receive escalated alerts from Tier 1, start deeper investigations into potential incidents, and assess damage or risk.

  • Midday: Perform incident response tasks like isolating compromised systems, terminating malicious processes, and analysing log data.

  • Afternoon: Collaborate with other teams (e.g. network, IT) to implement mitigations and ensure systems are restored safely.

  • End of day: Document incidents, update playbooks, and create reports for senior management.

SOC Tier 3 - Threat Hunter

  • Morning: Begin by analysing threat intelligence reports and conducting proactive searches for advanced threats (e.g. APTs) across the network.

  • Midday: Investigate anomalies that bypassed standard detection methods, using advanced tools to hunt for hidden threats.

  • Afternoon: Research new TTPs used by threat actors and develop hypotheses for potential attack vectors within the organisation’s environment.

  • End of day: Document findings, share results with other SOC tiers, and recommend adjustments to detection rules or security controls.
