Security Reference Architecture – People
Many organizations struggle to identify, hire, and retain qualified security personnel. Because of this challenge, we often see organizations lowering their standards, leading to individuals who are ill-suited for their responsibilities or trapped with no opportunity for career progression. Because so many organizations are seeking the same types of skillsets, adding too many requirements to a position can limit your search. In addition, promoting from within, or from the wrong skillsets, can pigeonhole you and your staff for years to come. In some scenarios, your talent pool can become insufficient and unbalanced: heavy in some skill areas, light in others, and lacking the critical skills the organization needs to succeed.
Staffing challenges in the SOC create severe risk for the organization. High turnover, especially among early-career staff, creates problems with organizational continuity. The organization loses institutional knowledge with every individual who chooses to leave, regardless of their contribution or effectiveness. Backfilling a departure will increase your workload dramatically: in addition to your own lost productivity while you bring someone up to speed, your team becomes equally less effective while they impart their experience and wisdom to your new hire. What does one do with this conundrum?
In this post, we will focus on a few key organizational aspects of building a successful SOC. We will also introduce the requisite knowledge, skills, and abilities you need to support each staff position, establish a clear path for progression within each role, and show how that path plays into your strategy for managing churn.
Sample SOC Organizational Chart
Our experience has shown that successful SOCs create a teamwork-focused, communication-heavy culture that values skill progression and knowledge transfer. These core values set the expectation that all staff take responsibility for developing their own skills and for making their teammates' work environment a learning environment. Focusing on knowledge sharing and reuse ensures your staff are constantly engaged in learning, not only through formal training classes, but also through each other with every analysis they conduct and every adjudication they make.
Effective communication within the SOC leads to shared understanding and learning as an organization. Managers and Supervisors must commit to developing knowledge as an institution, rather than just incenting individual staff development. Visible commitment to organizational learning from Management partially mitigates the risk of exits and bolsters cultural values, and it also provides an example to guide the aspirations of your succession pipeline.
Management does not have sole responsibility for organizational learning. Staff must learn "followership" [1][2] to enable your management team to identify systematic failures arising from resource constraints, ineffective processes, and bottlenecks.

[1] Flin, R., & O'Connor, P. (2017). Safety at the Sharp End: A Guide to Non-Technical Skills. CRC Press.
[2] Hollander, E. P., & Offermann, L. R. (1997). The Balance of Leadership and Followership.
This is especially important in fast-paced, high-stress environments like a SOC, where staff must feel free to assertively communicate personal and organizational failures with precision and professionalism, and without fear of sanction. Furthermore, developing a professional (and emotionally safe) style of open communication fosters team cohesiveness, creates loyalty, and increases retention, making it less likely that the next headhunter who calls will be able to woo them away for something as cheap as a few measly dollars.
If you have interest in understanding these types of team dynamics in high-stress jobs, I would strongly recommend “Safety at the Sharp End” by Rhona Flin and Paul O’Connor. In it, you can read (in excruciating detail) about successful practices in Nursing, Commercial Airlines, Firefighting and other safety-critical workplaces that translate directly to the SOC, where every decision has consequences.
Our overview post referenced having an explicitly defined mission to provide guidance in ambiguous decisions. Clearly articulated missions also underpin Management's ability to engage in Transformational Leadership. [3]

[3] Burns, J. M. (1978). Leadership. New York: Harper & Row.
Many more authoritative sources have given expansive treatment to developing mission statements. However, we have observed that few managers and supervisors stress their importance in regular SOC decision making. This is unfortunate, because many opportunities for "teachable moments" arise, at least in the Reference Processes. Every escalation caused by ambiguous information (rather than by a transfer of authority) creates an opportunity to evaluate the uncertainty within the framework of a mission statement:
- What is the right thing to do for the customer/owner/responsible party?
- What effect does taking action have on business Goals and Objectives? How does this change with inaction? What are the consequences of acting with incomplete information?
- Do we risk the opportunity to learn or improve from the experience by not digging deeper? Can we ensure that we will collect relevant decision-making facts for similar situations in the future?
Every role within the Reference Architecture has an implicit skill progression baked in. Successful security careers arise from the initiative to constantly increase knowledge and improve skills. You should expect that exceptional talent will excel and leave your organization for the right opportunity. Even becoming a "farm team" for other businesses with deeper pockets not only gives you bragging rights, it also attracts talent. Excelling at SOC work demands relentless improvement, and demonstrating your organization's capability for advancing careers provides as much motivation to stay as it does to seek further opportunities. To underscore this point, we have set a timeline on some of the positions so that you can plan rotations, benchmark career advancement, and forecast talent needs.
Position – Analyst I
Should be able to:
- Articulate the general abstractions, representations, and mechanisms that generate a specific alert.
- Understand the sufficiency of available data to either make an adjudication or escalate
- Research product-specific events to understand their significance for adjudicating alerts
- Relate directly identifiable contextual event data to support adjudications
- Act on alerts using predefined workflows and automated tool-chains
- Know when to tune automated analytics to categorically suppress future alerts
- Communicate necessary details and level of urgency for colleagues to continue analysis
- Support on-call rotations by gathering data and executing procedures as directed during a call out
Turnover: 12-18 Months
Position – Analyst II
Should be able to show competency in all Level I tasks, plus:
- Find supporting evidence of secondary and tertiary effects from a hostile event in systems not directly involved or targeted in the alert
- Confidently make adjudications on escalated alerts
- Communicate the relevant facts and significance of security alerts to Supervisors and Managers
- Define requirements for automated analytics, implement them, and test in a development environment
- Have domain-specific knowledge of monitored networks, endpoints, and applications
- Extract IOCs from forensic samples using automated tools
- Take primary responsibility in regular on-call rotations
- Identify engineering issues across the Baseline Architecture
- Maintain lines of communication with technical staff outside of the SOC
Turnover: 2-3 years
Position – Analyst III
Should be able to show mastery in all Level I and Level II tasks, plus:
- Have deep domain-specific knowledge of monitored networks, endpoints, and applications
- Develop custom signature content for source detection systems
- Perform basic forensic analysis of samples and artifacts and manually extract IOCs of interest
- Maintain awareness of TTPs used by known Threat Actor groups likely to target the organization’s systems
- Develop in a modern scripting language to support maintenance of internal toolchains
- Create custom-built analytical packages for events using domain-specific logic and business rules
- Analyze large datasets to determine the effectiveness of production analytics and quality of source data
- Provide in-person briefings to technical Supervisors and Managers throughout the organization
- Define strategic requirements for investments in technology and staffing
Turnover: 3+ years
Position – Shift Supervisor
Shift Supervisors should have careers equivalent to NCOs, meaning they have risen through the ranks and understand task-level details with expertise. Although management should not expect Supervisors to substitute for senior analysts, they should meet many of the requirements for an Analyst, plus:
- Excel in one or more areas of technical competence
- Demonstrate management traits valued by organizational culture
- Communicate and coordinate effectively with senior and executive management
- Balance task-level workload to provide development opportunities for subordinates and colleagues
- Research and compile necessary decision-making data for strategic efforts
- Develop strategic plans from available data, operational experience, and management objectives
- Possess good judgement about their own performance, as well as that of their staff
Position – Intelligence / Threat Analyst I
Professionalism in Intelligence is a new domain for cybersecurity. Career security professionals have only recently begun to study its usefulness for SOC operations. Some organizations may have only a partial need for an intelligence capability, but that capability provides the only way for a task-focused SOC to see "over the horizon". If the practice of Intelligence is something new for your organization, or you have had trouble developing useful applications of that capability, I would suggest some formal training for your Management and Supervisory corps. Further studies in intelligence, counterintelligence, tradecraft, and analysis are also useful, but that level of depth should be reserved for organizations that face threats from motivated and nation-state actors with substantial resources.
Cyber threats are not impersonal. Another human being goes to work every day on the other end of the keyboard. Above all, your Threat/Intel Analyst needs to understand that fact and apply that knowledge towards increasing operational effectiveness.
Threat/Intelligence Analysts should possess skills comparable to a Level II or III Analyst, plus:
- Experience conducting extensive research and large analytical projects
- Deep technical knowledge of forensic artifact analysis, both manually and with automated tooling
- Communicate complex ideas in plain language and create written analytical products for management
- Develop Threat Actor Profiles from research projects, SOC adjudications, and incident investigations
- Maintain knowledge of relevant standards to automate exchange of Indicators and Warnings for cyber observables
- Effectively take management direction and lead all phases of an intelligence cycle project (requirements, collection, analysis, and production/reporting)
- Foster professional relationships and lines of communication with outside organizations to share information on threats and tradecraft
- Counterintelligence background highly desirable
Position – Intelligence / Threat Analyst II
Senior Intelligence Analysts should demonstrate proficiency in all areas of Threat/Intel Analyst I, plus:
- Maintain an active clearance, participate in classified briefings, and provide classified briefings on behalf of your organization
- OR: Maintain active membership in a professional threat information sharing organization within your industry
- Advocate on your organization’s behalf in policymaking discussions at a national and industry level
- Provide regular strategic threat forecasts and articulate their impact on business Goals and Objectives
- Support front-line and executive management planning with a threat-informed perspective on cyber risks
Position – Security Engineer
Good SOC Engineers have many of the same qualifications as a mid-level System Administrator, but they should also have a generous amount of depth in security. This depth can come from a background in heavily regulated industries, commercial software security, or the Armed Forces. SOC Engineers may not start out with the same skillsets as analysts, but they should have the capacity to absorb them. This type of task-specific understanding helps Engineers develop appropriate instrumentation and identify opportunities to automate repetitive and error-prone work. In the Reference Architecture, your Engineers lead the effort to incorporate new data sources and map events into your taxonomy, so they must demonstrate enough proficiency to assess the value of an event for analysis and investigation.
More senior SOC engineers should also have substantial experience designing, developing, and supporting task-focused automation and data integration in a complex distributed environment.
Talent Requirements – SOC Engineer I
- Lead complex implementation and integration projects for all Baseline Infrastructure components
- Independently provide front-line support, execute controlled change, and perform required maintenance for all SOC systems
- Identify useful events in new data sources that can contribute to adjudicating, investigating, and analyzing your event flows
- Design and implement distributed systems that comprise your SOC’s critical technical functions
- Develop automated tests and produce governance artifacts for controlling changes
- Instrument critical systems and dataflows to maintain situation awareness for SOC business functions
- Automate manual tasks
Talent Requirements – SOC Engineer II
- Own the CI/CD pipeline for SOC tooling
- Supply requirements for large IT projects to implement the SOC’s strategies for visibility and control
- A good talent pipeline advances the careers of your staff, attracts talent, and increases retention
- Talent pipelines provide a buffer against disruption from staff exits
- Your career ladder and candidate sourcing practices should reinforce the cultural values and skill requirements of your talent pipeline
- Size your staffing needs to your organization’s exposure to Threats rather than Risks
We have published the framework in high-level detail on our Blog, and hope to engage you in a collaborative discussion of the challenges you are experiencing and the solutions we have developed. Please contact us to continue the dialogue.
- SRA – Solution: https://www.theta-point.com/solutions/security-reference-architecture/
- SRA – Blog Series: https://www.theta-point.com/blog/category/security-reference-architecture/
- SRA – IOTA in Action Blog Series: https://www.theta-point.com/blog/category/security-reference-architecture/iota-in-action/
About ThetaPoint, Inc.
ThetaPoint is a leading provider of strategic consulting and managed security services. We help clients plan, build, and run successful SIEM and Log Management platforms, and work with the leading technology providers to properly align capabilities to clients' needs. Recognized for our unique technical experience and our ability to rapidly solve complex customer challenges, ThetaPoint partners with some of the largest and most demanding clients in the commercial and public sectors. For more information, visit www.theta-point.com or follow us on Twitter or LinkedIn.