Security operations, or SecOps, has had a direct, if increasingly challenging, mandate since the dawn of enterprise networking: detect, respond to, predict and prevent cyberattacks. But SecOps roles and responsibilities are shifting to accommodate growing interest in an offensive, rather than defensive, approach to cybersecurity. By staying ahead of threats and anticipating bad actors' next moves, security leaders aim to thwart attacks before they happen.
Security operations centers (SOCs) are also changing and becoming more prevalent. Traditionally, only the largest enterprises have had dedicated SOCs to collect, filter and act upon security data. But, according to research from Gartner, a growing number of organizations of all sizes now have some type of SOC function, with the ability to choose from several models:
- Virtual SOC. Internal or third-party SecOps professionals operate entirely online, often part-time but possibly 24/7.
- Multifunction SOC. An internal team works in a dedicated physical space, performing SecOps functions in addition to other IT tasks, part-time or 24/7.
- Hybrid SOC. Internal employees, third-party contractors or a mix of both perform SecOps tasks, either part-time or 24/7. They may operate in a virtual space, a dedicated physical facility or a combination of both.
- Dedicated SOC. A fully in-house team is available 24/7, working in a dedicated physical space and focusing exclusively on SecOps responsibilities.
Gartner predicted the percentage of organizations with internal SOCs will increase from 10% in 2020 to 25% in 2024, as security leaders increasingly shift from a reactive mindset to a more proactive one, complementing longstanding threat prevention activities with new advanced detection initiatives.
Cygilant, a cybersecurity software firm based in Burlington, Mass., recently built a new internal SOC from the ground up in Belfast in Northern Ireland. Jonny Milliken, director of security research and SOC at Cygilant, said his team made a deliberate decision to move beyond reactive, event-based security measures.
"In a modern SOC, significant investment needs to be placed in proactive value delivery, like threat hunting, new detection coverage, data deep dives and internal threat intelligence gathering," Milliken said. He added that these kinds of new SOC initiatives better serve enterprise needs, while also creating more interesting SecOps roles and responsibilities for analysts, promising to increase job satisfaction and improve employee retention.
7 common SecOps team roles
On the ground, SecOps roles and responsibilities naturally vary across organizations, with the largest, most sophisticated enterprises tending to have multi-tiered, more clearly differentiated job descriptions than their smaller counterparts, where hierarchies are often flatter and might include just two or three positions.
"Start with the basics: a strong leader and a team of frontline analysts," suggested Matt Radolec, director of security architecture and incident response at data security software maker Varonis. "Then, layer on cybersecurity specialists as your team grows in maturity and effectiveness. Don't rush."
According to Gartner, a fully staffed, 24/7 SOC requires eight to 12 full-time employees at a minimum. In a March 2020 survey of 315 SecOps leaders, Forrester Consulting found that, on average, large organizations had 14 full-time SecOps analysts, while smaller companies had 11.
Organizations should aim to have a combination of security generalists and specialists, advised Brandon Hoffman, CISO at intelligence software company NetEnrich. "There has to be a balance between folks on the team that are absolute laser-focused ninjas on a single topic and folks that know enough to work across multiple domains," he said.
For organizations that have the luxury of a full battalion, Charlie Weinberg, cybersecurity senior manager at IT consulting firm BCG Platinion, identified seven SecOps roles and responsibilities:
- SecOps manager. A SecOps manager oversees an organization's entire SOC or, if it has no SOC, its SecOps team. The person in this role -- alternatively known as the SecOps lead, security manager, security director or SOC manager -- typically reports directly to the CISO or CIO and is responsible for managing resources and enacting high-level security strategies on the ground. Radolec called this the "crucial ingredient" for a successful security operations program, recommending that an organization look to hire someone with immense hands-on experience using the existing security stack.
- Security analyst. A February 2020 survey by Forrester Consulting, commissioned by Palo Alto Networks, found that almost all organizations with in-house SOCs had a multi-tiered hierarchy of security analysts, with SecOps roles and responsibilities varying depending on their seniority and titles. In these settings, Tier 1 SOC analysts act like foot soldiers, monitoring, investigating and performing triage on a flood of daily security alerts.
The Tier 1 security analyst position tends to be particularly difficult to fill, according to Weinberg. "It is a relatively junior role with a lot of burnout," he said, adding that recent graduates often accept it only to realize they can readily find more lucrative, rewarding work elsewhere. As a result, organizations frequently end up outsourcing this position.
- Threat vulnerability manager. This SecOps role scans enterprise assets for new threats, reports vulnerabilities and supports mitigation efforts as necessary.
- Security incident handler. Also known as an investigator, this Tier 2 analyst responds to immediate security incidents, as flagged by Tier 1 security analysts, assessing the impact of threats and coordinating strategies for containing, mitigating and eradicating them.
- Security intelligence analyst. A senior role, the Tier 3 SecOps analyst position monitors and reviews the organization's overall security posture, recommending revisions to SOC policies and conducting advanced threat hunting. The latter, according to Gartner analyst John Collins, is the practice of uncovering suspicious activity that routine detection methods, such as behavioral analytics, might miss.
"Intuition and drawing conclusions from facts that cannot be scanned for to generate a hypothesis is still very much a human art form," Collins explained in a Gartner blog post. "Thankfully humans still provide value in security!" He added that he considers the point where threat hunting, detection and incident response intersect "the Pinnacle of SecOps Capability" today.
- SOC tools administrator. This position is responsible for implementing and maintaining SOC infrastructure and services from use cases and rules to data sources and executive dashboards.
- Security forensic analyst. This person deeply investigates breaches, picking apart computers or code to uncover "the smallest shreds of digital evidence related to threat activity," according to NetEnrich's Hoffman.
A forensic analyst also guards data integrity, following a chain of custody to ensure its admissibility in court, according to BCG Platinion's Weinberg. Many companies outsource this function to a third-party analyst on retainer, he added.
Enterprises have the option of outsourcing most SecOps roles and responsibilities above to outside providers. "Working with external vendors to help scale and level up an existing team can be a more effective way to improve than attempting to plan and extend organically," Jason Shockey, former CISO at a large, publicly traded company in New York and founder and CEO of career development site My Cyber Path, said. Then, he added, when the organization has a better handle on its internal needs, it can slowly transition responsibilities back to the in-house team if and when it makes strategic sense to do so.
The CISO's role in SecOps
The top SecOps position, chief information security officer, serves as the bridge between senior executives and the SecOps team, working to align an organization's cybersecurity posture with its business objectives. Traditionally, the CISO might report to an IT intermediary, such as the CIO or CTO. Many experts argue, however, that the CISO should answer directly to the CEO and board of directors, giving the CISO the free-floating authority and independence to advocate for security interests throughout the enterprise. But, whether a CISO sits nearer the trenches or the C-suite, the position is notoriously challenging and stressful, with responsibility for SecOps as a whole and within the context of the wider enterprise.
Annalea Ilg, CISO at IT service provider Involta, likened building a new SecOps team to starting and running a company. Security leaders should create a plan that outlines clear goals and outcomes and aligns budget, people, tools and processes with those objectives. "Then, the rubber meets the road, and the team must execute the plan throughout the organization," Ilg said.
Shockey added that it is critical for a SecOps team to have the backing and support of senior executives to do what they need to do to meet their goals. "You can have world-class SOC analysts and responders on your team, but if they [don't have the latitude] to do their jobs, the SOC won't be able to deliver the expected results," he said.
From brick-and-mortar to 'click-and-mortar'
Many experts note that COVID-19 has amplified existing challenges facing SecOps teams, with the sudden surge in remote work opening end users to new vulnerabilities and upending many traditional, physical SOC setups. Peter Tran, cyberdefense veteran, former Naval Criminal Investigative Service special agent and current CISO at cybersecurity consulting firm InferSight, said the pandemic has dramatically accelerated the shift from brick-and-mortar, physical SOCs to "click-and-mortar," virtual ones. Adjusting to remote SecOps work can prove difficult in the short term, as some teams suddenly find themselves working in a different threat landscape with unfamiliar tools and less visibility.
"It's like being a pilot and having no windows and fewer instruments to guide you -- that's their new reality," Tran said. "But what security professionals need to realize is there isn't too much of a difference between having 25 people staffing a 24/7 physical operations center and a federated, telepresence capability." A virtual SOC, he added, can actually scale faster and adapt more nimbly to changing global demand.
Greg Rattray, former JPMorgan Chase CISO, former White House director for cybersecurity, and current partner and founder of cybersecurity risk management firm Next Peak, added that the pandemic has also broadened attack surfaces, leaving many SecOps teams drowning in data.
"Large, unfiltered data lakes return high volumes of false positives when processed by monitoring tools, making it difficult for teams to find real threats," Rattray said. He advised organizations to invest in data pipeline technology to lighten the burden on security analysts.
Automation not an automatic panacea
Pandemic aside, Neil Daswani, co-director of Stanford University's Advanced Security Program, said he can summarize the state of security operations today in three words: "still too manual." He argued that, without heavy investments in SecOps automation tools, analysts have no hope of keeping pace with cybercriminals, who send more than 3 billion phishing emails and develop more than 300,000 malware variants daily, constantly innovating to sneak past existing prevention measures.
"We are not automating security operations fast enough or at a scale that can help defenders win the cybersecurity game yet," Daswani said. "Continued big breaches are clear evidence of that."
But Ray Rothrock, cybersecurity expert, author and executive chairman of the board at cyber risk modeling company RedSeal, cautioned that any security tool is only as effective as the analyst using it, making humans' SecOps roles and responsibilities as important as ever. "Who does what and when they do it are more important than which technology they use," he said. "Don't get me wrong -- technology is critical. But, without knowledgeable and well-trained personnel, it is useless."
Mark Orlando, certified SANS instructor and CEO of cybersecurity services vendor Bionic, agreed, saying a skilled SecOps analyst can identify most of the attacks in play today, with or without the latest and greatest tool set. He added that enterprise security leaders should cultivate their human talent as energetically as they do their technology stack.
"We must stop chasing AI-enabled, next-gen technology at the expense of fundamental best practices and empowered defenders," Orlando said. "The real power lies in harnessing the knowledge we already have and applying it at scale."