Reinventing the Role of the Tier 1 SOC Analyst

Reinventing the Role of the Tier 1 SOC Analyst

The role of the Tier 1 Security Operations Center (SOC) Analyst varies across organizations, but almost always includes activities such as monitoring security dashboards to view events and alerts of potential threats, intrusions and indicators of compromise.  The Tier 1 analyst also typically performs initial analysis and investigation into potentially malicious activity.

This is a tedious job since as a Demisto survey reveals, “alerts are on the rise leaving today’s security teams bombarded with an average of 174,000 per week” and that “45% of respondents stated that their security tools generated too many alerts.” This sense of being overwhelmed by the sheer volume of alerts contributes to alert fatigue, loss of morale, and ultimately turnover. A Dark Reading article describes the Tier 1 SOC Analyst job in the following way:

“It’s one of the least glamorous and most tedious information security gigs: sitting all day in front of a computer screen, manually clicking through the thousands of raw alerts generated by firewalls, IDS/IPS, SIEM, and endpoint protection tools, and either ignoring or escalating them.”

This tedium has a negative impact on analyst retention. In a CRITICALSTART survey of more than 50 SOC professionals across enterprises, Managed Security Services Providers and Managed Detection and Response providers, more than a third had lost a quarter or more of their SOC analysts in less than 12 months.  Nearly one-third of the analysts surveyed in the “Voice of the Analyst” study were actively seeking a different job.   

This turnover is happening amidst a global gap of nearly 3 million cybersecurity positions according to (ISC)2.  Given the enormous security talent shortage, constantly trying to replace SOC analysts isn’t sustainable and is bound to force change.  Dark Reading, for example, predicts that security automation, analytics and orchestration and SOC outsourcing service options will eliminate the manual aspects of the Tier 1 role. 

We agree with the Dark Reading prediction. In fact, Lastline is one of the pioneers in automating the time-consuming aspects of Tier 1 SOC Analysts’ work with its network detection and response (NDR) platform powered by artificial intelligence (AI). This solution, Lastline Defender, reduces thousands of alerts down to just a handful of real threats so that analysts can focus their time on solving incidents and protecting their organization. Our prioritized event correlation includes context and actionable intelligence to help besieged SOC teams separate the signals from the noise.

Lastline Defender provides detection you can act on. You can rely on Lastline Defender’s high-fidelity insights to automate response and eliminate time-consuming manual investigations of unknown objects and anomalous activity:

  • Deploy Lastline Sensors in blocking mode to stop malicious content and communication at the perimeter or internally, in both on-premises and cloud environments
  • Integrate Lastline Defender with your third-party products such as SIEM, SOAR, endpoint protection, firewalls, custom applications, and incident response workflows

With Lastline Defender’s automation, your Tier 1 analysts can start to function more like Tier 2 analysts. 

Watch how Aflac does just this using Lastline Defender!


This article originally appeared in InfoSecurity.

Richard Henderson

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.
Richard Henderson