How to become a SOC analyst: Training, certifications and other resources
SOC analyst skills are in demand due to cyber threats becoming more common, complex and sophisticated than ever before. Companies rely on teams of highly skilled frontline professionals who can leverage their analytical abilities and deliver innovative IT solutions by using various security measures to prevent or mitigate future attacks and protect the organization’s assets.
Whether it is a dedicated on-site IT team or a contracted provider with a remote 24/7 unit, SOCs monitor the network, are in charge of security and threat analysis, and ensure that the company’s network activity and digital assets are safe from unauthorized intrusions and breaches.
What’s the role of SOC analysts?
SOC analyst is a job that works effectively in collaboration with other members of a team under the supervision of the CIO. These analysts are the first line of defense, actively monitoring the network for malicious activity and identifying threats and vulnerabilities that can pose severe risks to the organization’s IT infrastructure. They also resolve security events from various log sources.
SOC team members have analytical and critical thinking skills to examine security flaws, as well as experience in using the latest tools and techniques, including security information and event management (SIEM) and endpoint detection and response (EDR).
Learn more about what a SOC Analyst does at our dedicated SOC Analyst career hub.
SOC analyst career progression
For a professional, a SOC is a great opportunity to embark on a career that allows for progression from a junior role as analyst to a senior position up to SOC manager and cybersecurity engineer.
- A SOC analyst monitors network activities and logs to detect cybersecurity-related events and incidents in real-time; determines the origin and tactics of a threat; and advises on how to remediate and on how to further strengthen network defenses.
- A SOC manager oversees and coordinates the information sharing between a team of analysts and engineers during incident response and investigation to ensure they use the best methods to address all events of interest per established cybersecurity policies, standards, compliance and best practices.
- A cybersecurity engineer not only determines the severity of incidents and the response required but also recommends using new IT tools to improve the defense capabilities of the organization.
Now, let’s look at what SOC analysts do in their day-to-day activities and what is expected of them at various stages of their careers.
Tier 1 SOC analyst
To begin their careers, SOC analysts typically monitor threat activity for every event logged so that SOCs can implement additional security measures when required.
Scanning employment sites for job opportunities reveals that junior analysts are often required to have one to two years of experience in incident handling or in cybersecurity in general. Some positions might require a formal university degree but most list it only as a desirable qualification, along with a number of certifications, including Security+, Network+, the certified ethical hacking (CEH) or certified SOC analyst (CSA) certifications, PenTest+ or digital forensics and incident response (DFIR).
Highly recommended are knowledge and experience using one or more tools related to SIEM, phishing, endpoint logging, firewalls, intrusion detection and prevention systems, and network security managers. Specific tools include Splunk, Tanium, FireEye, CrowdStrike Security, Barracuda, WireShark, Bluecoat, FTK, Onion, Snort, Powershell and Python.
A number of skills are important for these positions, including analytical and critical thinking, multitasking and strong teamworking abilities, as well as the willingness (and availability) to work in shifts as most SOCs are manned 24/7. Good writing skills are also required.
How to land a Tier 1 job in a SOC
A good way to stand out from other candidates is to have a certification that shows an employer you have the required knowledge and skills and the willingness to keep updated in the field. Cybersecurity analyst certifications that help at this career stage include the entry-level CompTIA Security+, an obvious choice, coupled with an EC-Council Certified Ethical Hacker (CEH) credential because its practical, hands-on focus complements knowledge by covering the latest hacking tools and methodologies. (ISC)² SSCP is also an option with its coverage of operational security.
Professionals should gain a good knowledge of network traffic analysis using tools like Wireshark, as well as of different security controls like EDR, IDPS, proxies, and firewalls, but also familiarize themselves with the role of SOCs and how it is evolving.
Free resources can help, including YouTube videos, MOOCs, focused cybersecurity analyst training courses, podcasts and forums where you can interact with those who are already working as analysts in SOCs. Concentrate on currently available tools and latest trends, but also on basic skills like time management, organization and team communication.
Tier 2 SOC analyst
These professionals employ the latest techniques and tools to detect, engage, and neutralize cyberattacks. In a SOC, tier 2 analysts respond to every incident and handle events by trying to determine the origin of the attack, which systems were affected and the extent of damage. They are also expected to provide suitable solutions to organizations to remediate threats.
Most job announcements list desirable requirements, including a college degree or a combination of job experience and security and network certifications, including CySA+, CISSP, CISM, CISA, CEH and CCNA.
Required experience normally includes work in vulnerability assessment, risk mitigation, access control, application security, firewall management, routers /switches management, web-filtering, advanced threat protection, endpoint protection, data loss prevention and more. Some job opportunities actually include a project management component with preference given to candidates with certifications like the project management professional (PMP) and years of related work experience.
Applicants are also req uired to have security skills related to firewalls, client/server, LAN and TCP/IP and they need to be comfortable working with active directories, PKI, cloud solutions, multiple OS and proxy servers and scripting.
Again, availability for working in shifts is a must and communication (verbal and written) skills are needed for properly reporting all incidents.
How to land a Tier 2 job in a SOC
When you are ready to transition to a higher-level position, you can prepare by studying and earning a certification like CySA+ that suits intermediate-level professionals, who not only need to know how to detect and respond to issues but also need to be well versed in automation, threat hunting and IT regulatory compliance.
Skills and knowledge in vulnerability assessment and penetration testing can make a candidate for these positions stand out, which is why ISACA CISA and EC-Council incident handler (E|CIH) certifications are good choices. The latter, in particular, covers all stages of incident handling with a real-life scenario/hands-on approach that also covers fundamentals of computer forensics, recovery and post-incident activities.
In addition to technical preparation, it is important to focus on more advanced verbal and written communication skills, as well as project management topics. Again, free resources are easily available on the Web through MOOCs, videos and podcasts. This is also a good time to start acquiring supervision and guidance skills in order to prepare for more senior roles.
Tier 3 SOC analyst
Senior SOC analysts conduct in-depth analysis to detect and defend against cyber threats and develop threat-hunting capabilities; they analyze threat intelligence sources and get team analysts to investigate and respond to the most complex, immediate threats.
Normally, tier 3 analysts are required to have five or more years of work in the information security/cybersecurity domain with a focus on security operations, incident response, cyber technical analysis, threat hunting and threat attribution assessment. Many positions also list experience in a management and leadership role as desirable.
In addition, these professionals are expected to have higher college degrees or related certifications such as CISSP, CASP+, CEH, GCIA, GCIH, CHFI, CTIA, CISM or OSCP.
Candidates for these positions should also have advanced knowledge of endpoint security, data loss prevention, identity and access management (IAM) solutions, PKI, database activity monitoring (DAM), strong authentication, network protocols and, in some cases, related industry standards such as PCI or HIPAA.
They are also asked to have advanced communication skills to interact with stakeholders at all levels, as well as mentoring skills to provide SOC analyst training and guidance to other team members. Strong troubleshooting, analytical reasoning, and problem-solving skills are also obvious required traits, together with great organizational skills and the ability to work under pressure.
How to land a Tier 3 job in a SOC
Securing a senior role involves proven managerial skills, as well as experience and advanced technical abilities. Certifications that help you stand out from the competition include CASP+, which covers both security architecture and engineering and how to implement solutions within policies and frameworks, and CISM which is designed for information security managers and covers topics like governance, incident management operations and information security program management. Another option is the GIAC security operations manager (GSOM) credential, which focuses on designing, planning and managing effective SOC programs.
Technical and analytical skills at this point of the career are at advanced levels, with professionals well versed in topics like advanced intrusion detection or enterprise security risk management. Senior analysts can enhance their chances of getting hired by coupling their work experience with training in business communication, leadership, organizational and even training skills so as to be able to monitor and provide instruction to junior members of the team.
Top SOC analyst certifications
Let’s take a quick look at some of the SOC analyst certifications that can enhance your chances of starting (or improving) a career in a security operations center (SOC) team.
CompTIA’s Security+ credential is ideal for any cybersecurity role, including a Tier 1 SOC analyst, to verify the successful candidate has the knowledge and skills required to identify, analyze and respond to security events and incidents.
EC Council’s certified SOC analyst (C|SA) credential is engineered for current and aspiring Tier I and Tier II SOC analysts to show proficiency in performing entry-level and intermediate-level security operations.
CompTIA’s cybersecurity analyst (CySA+) credential suits Tier II SOC analysts because it focuses on security analytics, intrusion detection and response and advanced persistent threats.
EC-Council’s computer hacking forensic investigator (CHFI) credential benefits Tier III SOC analysts whose duties include analysis and reporting of digital forensic evidence.
EC-Council’s certified threat intelligence analyst (CTIA) credential is a comprehensive, specialist-level program for those whose responsibilities include building an effective threat intelligence.
The GIAC security operations manager (GSOM) certification is for senior security analysts asked to design an effective SOC program. The credential is essential in “formalizing and recognizing the unique combination of management skills, leadership traits, process frameworks, and tools required to field an effective security operations team” and focuses on topics such as metrics and long-term strategies to improve SOC operations and align security operations with business functions.
The CompTIA advanced security practitioner (CASP+) credential is geared toward a SOC manager or SOC engineer. It addresses advanced threat management, vulnerability management, risk mitigation, incident response tactics and digital forensics analysis.
Average SOC analyst salary
The pay you can expect from a job in a SOC can vary significantly. For a security operations center analyst, the average is $75,000 a year (ranging from $48k to $168k), according to PayScale. A senior security analyst’s average pay is $95,190.
According to Salary.com, the average SOC salary in the United States is $69,560 as of May 27, 2022, with pay typically between $63,400 and $76,238.
Obviously, pay is influenced by a number of factors, including location, industry, specific role within the company, unique job requirements and personal qualifications. Visit PayPal’s career path planner to research potential career paths for junior SOC analysts or senior SOC analysts and see related pay potentials.
- CySA+, CompTIA
- CSA, EC-Council
- Your Next Move: Cybersecurity Analyst, CompTIA
- Your Next Move: Security Operations Center (SOC) Analyst, CompTIA
- Why Should You Get Certified in Security Operations Center (SOC) Analysis?, EC-Council
- Cyber Security Analyst Job Descriptionjo9bjobdescriptionandresumeexamples.com
- SOC analyst job description, salary, and certification, CSO
- Average Security Operations Center Analyst Salary, PayScale
- Security Operations Center Analyst Salary in the United States, Salary.com
- Top 5 Skills Every SOC Analyst Needs to Have, CISOMAG
- Soc Interview Questions and Answers – Cyber Security Analyst, Soc Investigation