SOC Analyst: The Experience
When I ask people how they feel about the idea of working in a SOC, I get a lot of mixed feelings. Depending on what kind of SOC they worked in, their experiences ranged from horror stories to the best decision they ever made.
I'm not going to lie, there were some aspects of the job that I disliked, such as the shift work, but most of it was wonderful and I learned a great many skills: network security, application security, vulnerability assessment, good analysis habits, scripting and reporting. Also, the people made all the difference. I sometimes get asked about my experience as a SOC analyst and whether I'd ever go back, so here it is.
Office Space (not the movie)
The "office" I worked in was in the basement of a data center. Think dark, cold, recycled air, and no windows, but we had a solid canteen and kitchen. This was fine on hot summer days, but once 2am rolled around and you had a steady breeze of cold air hitting your face from the vented tile floor, it got cold really quickly. It was hard to stay comfortable. Not every SOC is in a basement, but mine was.
Our team was responsible for the health of each application supported by the agency and their environments (physical and virtual), the networks (physical and virtual) extending nationally, data confidentiality, integrity and availability, and the physical security of the data center.
I was doing 12-hour shifts (6am to 6pm for two weeks, then flipped to 6pm to 6am for another two weeks). The nights were the easiest shifts: most of the time we didn't have changes to watch for (except for the odd unplanned one), so we could complete some evergreening and wrap up anything the day crew couldn't finish before the shift change. It was quiet and I got to know a lot of my team; we ordered food together, listened to music, played board games, worked out at the gym onsite, and completed courses together.
The day shift was the hardest: knowing the sun was out and having nothing but an LCD screen displaying cameras of the outside sunshine was awful for my mental health. It was bustling for most of the day, with changes being scheduled, teams implementing new applications (sometimes deploying straight to prod, which was a nightmare), and escorting others around the data center. We spent our days going over playbooks and ensuring that each new system was well supported. We tested our environments and alert systems, updated documentation, assisted with second-level support for ongoing application issues, and maintained our working relationships with other teams (Linux support, Windows support, network security, threat intel, investigators, etc.).
Our team went through a few managers, which didn't help with the team's morale, but we finally landed on one manager who seemed to care about our wellbeing. Thanks to that manager, I was able to adopt the following mindset, which I hope to share with you:
- A SOC is a transitional role for most people; make sure you learn as much as you can about the areas that interest you the most: deployments, threat hunting, pentesting, architecture, app security, policies, etc. Learn a little bit about everything, and focus on what you really enjoy (don't forget about the subsidiary disciplines: architecture = netsec, threat hunting = endpoint). It's an entry-level position.
- Have a short-term and a long-term plan; if at the end of six months you are still working on things that could easily be automated and a monkey could do, leave. You aren't learning anything new and never will. If you're still working in a SOC after three years, ask yourself why. Hint: you shouldn't be unless you got promoted to management.
- Speaking of promotions, learn from those who get promoted but haven't been there long; you want to rise along with them out of the SOC. Learn from those who make positive changes at the SOC and strive to be better.
- Take advantage of any training your employer is willing to pay for; while on night shift, when the nights are slow, take courses, watch videos (if you're allowed to), read books, learn a new skill, ask questions, and poke that team member of yours about any knowledge they'd be willing to share.
- Document your achievements; it's highly useful when it comes to evaluations by your manager. It's also very helpful when you ask for that promotion out of the SOC.
- While on the subject of documentation, make sure you write well; make sure your documentation is consistent, comprehensible, and clean.
If you are planning to take a job at a SOC, my tip for making a good choice about which SOC would be to arrive at the interview 15 minutes early and sit there. Listen to your surroundings, and watch how others work together. If it's chaotic, with people running around, no pleasantries exchanged and the place a mess, then maybe it's not the right SOC. Keep in mind, a quiet SOC doesn't mean nothing is happening; it just means they have things under control, which is what you want.
The SOC isn't a place for everyone; it should be the start but not the end of your IT security or cyber security career. It can teach you a lot about the non-technical skills (soft skills) that are needed to be successful outside of the SOC: communication, empathy, patience, and teamwork. Just remember, the end goal should be to improve your future.