DEV Community

Cover image for Gaps in SOC Operator and Analyst Skillsets
Alex Vakulov
Alex Vakulov

Posted on

Gaps in SOC Operator and Analyst Skillsets

Despite the growing importance of SOC (Security Operations Center) operators and analysts, many applicants often lack critical knowledge and skills, which can significantly hinder their ability to perform tasks effectively. Let's explore the common deficiencies in their skill sets.

Candidates for SOC operator positions frequently lack a foundational understanding of IT technologies. They often have minimal hands-on experience with information security systems and are unfamiliar with typical network attacks and attacker tactics. This lack of basic knowledge and practical experience leaves them ill-equipped to handle the complex challenges they will face on the job.

For SOC analysts, even those with experience in corporate SOCs, the gaps can be just as significant. Many analysts lack the ability to write effective correlation rules and have a limited understanding of attack vectors or the MITRE ATT&CK framework. Their experience might be limited to basic, off-the-shelf content, without the depth required to investigate real incidents thoroughly.

To improve these skills, it is essential for SOC employees to focus on practice. Engaging in cyber exercises and competitions can significantly enhance their hard skills. Novice specialists, if they have a solid foundation of knowledge, can be quickly trained in SOC-specific skills and adapted to the companyโ€™s technologies, processes, and techniques.

However, the challenges faced by SOC employees go beyond just a lack of experience with security systems. Many have only modest experience in operating information security systems, often limited to one or two SIEMs (Security Information and Event Management systems). Additionally, their knowledge of modern regulatory requirements in information security is often insufficient. Communication skills can also be a significant issue, with many lacking the ability to effectively interact with customers and colleagues.

Practical experience is crucial for SOC employees. Many applicants struggle to understand what real attacks look like in practice, as opposed to theoretical descriptions from books and magazines. They also often lack the practical experience needed to respond to and investigate incidents effectively. Soft skills are equally important; tolerance for uncertainty, effective communication, and the ability to convey oneโ€™s position convincingly are often missing.

Real-world experience is invaluable and often more important than theoretical knowledge. In commercial SOCs, where analysts and experts work with multiple customers and encounter incidents more frequently, knowledge and experience grow much faster compared to in-house SOCs. Sharing experiences within a team is crucial, yet applicants often lack the desire to gain this kind of real-world experience.

The most common knowledge gaps include fundamental IT knowledge, such as understanding network operating systems (Windows, Linux, Mac), network technologies (at least CCNA level), and classic attacker techniques like fixation, lateral movement, and network protocol attacks. Additionally, basic knowledge of DFIR (Digital Forensics and Incident Response) is often lacking, including what forensic artifacts to collect in different scenarios and how to respond to typical attacks.

Addressing these gaps through focused training, practical experience, and the development of both hard and soft skills will better prepare applicants for successful roles as SOC operators and analysts.

Top comments (0)