Anyone work in a SOC?

ArabianKnight Member Posts: 278
I am trying to get a better idea of the functions of the different tier levels in a typical Security Operations Center, from tier 1-3 or higher if there are any higher tiers. What would be a typical day of a tier 1? Much downtime, or are you constantly staring at logs?

Really trying to get a good picture and see if this is something I want to pursue, or more of a network security engineer type position.

Comments

  • dmoore44 Member Posts: 646
    Yes - I do. I work at Tier 2, which means I perform advanced event analysis and perform incident handling responsibilities. Essentially, a lot of my day revolves around looking at events in a SIEM and attempting to divine if something bad is happening. I also perform a lot of IDS/IPS/event log source tuning (either at the actual log source, or as part of the aggregation/correlation rules).
    Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow
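As an added illustration of the "aggregation/correlation rules" and tuning work dmoore44 describes, the block below is example code written for this page, not anything posted in the original thread. It runs a small correlation rule over constructed sshd-style auth log lines (the hostnames, IPs, usernames and the authorized-scanner allowlist are all made up): flag a source that logs five or more failed logins inside a 60-second window and then succeeds, and suppress the alert when the source is on an allowlist of known scanners, which is the kind of tuning that turns a noisy rule into one a tier 1 analyst can act on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the original post). Three sources:
# 203.0.113.7 brute-forces alice and gets in (true positive),
# 198.51.100.10 fails twice then logs in (normal typo, below threshold),
# 192.0.2.50 is an assumed internal authorized scanner (tuned out via allowlist).
SAMPLE_LOGS = """\
2024-05-01T10:00:00 sshd: Connection closed by 203.0.113.7
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:02 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:04 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.10
2024-05-01T10:05:01 sshd: Failed password for bob from 198.51.100.10
2024-05-01T10:05:04 sshd: Accepted password for bob from 198.51.100.10
2024-05-01T11:00:00 sshd: Failed password for svc from 192.0.2.50
2024-05-01T11:00:01 sshd: Failed password for svc from 192.0.2.50
2024-05-01T11:00:02 sshd: Failed password for svc from 192.0.2.50
2024-05-01T11:00:03 sshd: Failed password for svc from 192.0.2.50
2024-05-01T11:00:04 sshd: Failed password for svc from 192.0.2.50
2024-05-01T11:00:05 sshd: Failed password for svc from 192.0.2.50
2024-05-01T11:00:07 sshd: Accepted password for svc from 192.0.2.50
"""

# Assumed tuning: an internal credential scanner whose noise we do not want paged.
SCANNER_ALLOWLIST = frozenset({"192.0.2.50"})

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Turn raw lines into event dicts; lines that are not auth outcomes are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "Connection closed" - not relevant to this rule
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def correlate(events, threshold=5, window=timedelta(seconds=60), allowlist=frozenset()):
    """Rule: >= threshold failures from one source within `window`, then a success
    from the same source. Returns (alerts, suppressed); suppressed alerts matched
    the rule but came from an allowlisted source, so they are kept for audit
    rather than silently dropped."""
    recent_failures = defaultdict(list)  # src -> failure timestamps still in window
    alerts, suppressed = [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Age out failures older than the window before evaluating this event.
        fails = [t for t in recent_failures[ev["src"]] if ev["ts"] - t <= window]
        recent_failures[ev["src"]] = fails
        if ev["outcome"] == "Failed":
            fails.append(ev["ts"])
            continue
        if len(fails) >= threshold:
            alert = {
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(fails),
                "success_at": ev["ts"].isoformat(),
            }
            (suppressed if ev["src"] in allowlist else alerts).append(alert)
        fails.clear()  # a success resets the window for this source either way
    return alerts, suppressed


def run(lines=None, allowlist=SCANNER_ALLOWLIST):
    """Convenience entry point: parse the sample (or supplied) lines and correlate."""
    text = SAMPLE_LOGS if lines is None else lines
    return correlate(parse(text.splitlines()), allowlist=allowlist)


if __name__ == "__main__":
    alerts, suppressed = run()
    for a in alerts:
        print(f"ALERT  brute force then success: {a}")
    for s in suppressed:
        print(f"TUNED  allowlisted source, not paged: {s}")
```

Running it without the allowlist (`run(allowlist=frozenset())`) produces two alerts, one of them the scanner; with the allowlist in place the scanner hit is recorded under `suppressed` instead, so the tuning is visible and reversible rather than a silent drop at the log source.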
  • ArabianKnight Member Posts: 278
    dmoore44 wrote:
    Yes - I do. I work at Tier 2, which means I perform advanced event analysis and perform incident handling responsibilities. Essentially, a lot of my day revolves around looking at events in a SIEM and attempting to divine if something bad is happening. I also perform a lot of IDS/IPS/event log source tuning (either at the actual log source, or as part of the aggregation/correlation rules).

    Cool... what do your Tier one personnel do? I have been getting calls for entry level SOC positions and am trying to get some insight into daily activities beyond the generic job description.
  • E Double U Member Posts: 2,231
    I was tier I in a SOC and I monitored events (mostly false positives). I also performed change requests - proxy (Blue Coat) and firewall (Cisco, Check Point).
    Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, CompTIA, AWS