By Alan Zeichick and Mark Fox
Tier 1, Tier 2, Tier 3. Security analysts. Incident responders. Hunters. The industry tends to toss those terms around when describing the cybersecurity specialists that staff a Security Operations Center (SOC). What exactly do they mean? And how standardized are those descriptions?
The short answer is that the job tiers are fairly common across SOCs, but it’s by no means a standard.
A job posting I found at an employment site, for example, describes:
Security Operations Center Technician, Tier 1: The Tier 1 Security Operations Center Analyst will act as the first responder to account/system attacks to determine threat vectors and then provide initial remediation. The successful candidate will possess experience with network, forensics, malware reverse engineering, and underlying IT infrastructure. The ideal candidate will be results oriented and possess strong problem solving, communication, and organizational skills.
This is a combination of two levels of what AlienVault describes in its excellent post, “The SOC Team: Roles and Responsibilities”:
Tier 1 Security Analyst – Triage Specialist: Reviews the latest alerts to determine relevancy and urgency. Creates new trouble tickets for alerts that signal an incident and require Tier 2 / Incident Response review. Runs vulnerability scans and reviews vulnerability assessment reports. Manages and configures security monitoring tools.
Tier 2 Security Analyst – Incident Responder: Reviews trouble tickets generated by Tier 1 Analyst(s). Leverages emerging threat intelligence (IOCs, updated rules, etc.) to identify affected systems and the scope of the attack. Reviews and collects asset data (configs, running processes, etc.) on these systems for further investigation. Determines and directs remediation and recovery efforts.
And of course there are additional roles, described neatly by AlienVault:
Tier 3 Expert Security Analyst – Threat Hunter: Reviews asset discovery and vulnerability assessment data. Explores ways to identify stealthy threats that may have found their way inside your network, without your detection, using the latest threat intelligence. Conducts penetration tests on production systems to validate resiliency and identify areas of weakness to fix. Recommends how to optimize security monitoring tools based on threat hunting discoveries.
Tier 4 SOC Manager – Operations & Management: Supervises the activity of the SOC team. Recruits, hires, trains, and assesses the staff. Manages the escalation process and reviews incident reports. Develops and executes crisis communication plan to CISO and other stakeholders. Runs compliance reports and supports the audit process. Measures SOC performance metrics and communicates the value of security operations to business leaders.
Oracle recently posted a job for its Global Business Unit Security team that would fall into the operations and management category; note the similarity to the Tier 4 above:
Security Operations Center (SOC) – Tier 1: Oracle GBU Security operations is seeking a Supervisor for their 24x7x365 Security Operations Center (SOC). This role is to supervise a local team of Tier-I Security Analyst who provides dedicated “eyes on glass” monitoring and analysis capability for SOC operations. The SOC Supervisor will be responsible for the day to day functioning of the SOC including development of documentation such as operating procedures, event handlers, notification and escalation procedures, shift management, collection and reporting of metrics.
Offense vs. Defense
Walking around events like last week’s RSA Conference in San Francisco, you’ll hear many references to “hunters,” and training and tools for hunter teams. That’s the fun job, in my opinion: playing offense against the bad guys, instead of focusing on defense. Let the Tier 1 and Tier 2 analysts work to prevent attacks, detect attacks, and repel attacks, as well as conduct forensics investigations. The hunters believe that the best defense is to strike back.
Hunters aren’t new; Intel published a blog post, “Cyber Security Hunter Teams are the Next Advancement in Network Defense,” back in 2012, saying,
Hunter teams take a different approach and seek the root cause, namely the threat agent themselves, who are initiating one or more attacks. This may be internal or external to the organization. Not satisfied with simply undermining the latest infraction, they want to quell the problem at the source and eliminate future attacks from the same threat agent, whom may possess the ability to coordinate completely unique and unpredictable maneuvers.
History shows why this is important. Attackers maintain the combat initiative and determine where, when, and by what method an attack will occur. Defenders typically respond to attacker’s moves and evolve the defenses to protect against those newly understood methods.
Attackers therefore have an advantage. It takes time, effort, and resources for defenders to recognize they are being attacked, decipher how it is being done, then develop a means to isolate the ongoing breach and block future attacks, and then remediate the affected systems. A threat agent who is determined to attack a specific target can try a number of methods until they succeed. Without threat of themselves being in jeopardy, they can continue varying the assault until they find an approach which works. The only effective way to stop such a persistent threat agent is to dissuade or remove them from the equation. This is where the hunter teams come into play.
A great starter resource for anyone interested in threat hunting is a paper published by SANS Institute, “The Who, What, Where, When, Why and How of Effective Threat Hunting.”
While organizations should tailor their job responsibilities to best suit their structure and requirements, the SOC Tier 1, Tier 2, and Tier 3 analyst descriptions are a solid foundation, and are the best way to understand the professional hierarchy.