WHAT DOES A CYBER SECURITY ANALYST DO?

Has cyber security as a career ever crossed your mind? If not, you may be overlooking an excellent career choice. According to Cyber Crime Magazine, cyber crime is expected to reach an all-time high of 10.5 trillion dollars in losses by the year 2025. At the same time, there is a staggering number of unfilled vacancies for cyber security positions. This in turn means that cyber security professionals are in high demand. Robert Herjavec, founder and CEO of the Herjavec Group and one of the Sharks on ABC’s highly popular Shark Tank television show, described the situation as follows:

If you know cyber security, you have a job for life!

The cyber security field offers a host of different types of job opportunities ranging from highly technical specialist roles to management and business operations as well as roles focusing on security awareness and training. One of the common entry-level positions is that of a Cyber Security Analyst or a SOC Analyst. Hired to work in a Security Operations Center, Cyber Security Analysts are part of an operative team that handles alerts and incidents. Security Operations Centers often use a tier model that separates Cyber Security Analysts into three different levels depending on their qualifications, experience and skills. In this article we will focus on the roles and responsibilities of the Tier 1 and Tier 2 Cyber Security Analysts.

Security Operations Center

Triage

The primary responsibility of the Tier 1 Junior Cyber Security Analyst is to perform an initial investigation (Triage) when an incident or alert is triggered. Triage is actually a medical term used for prioritizing treatment in situations where urgent care is needed, and a quick but accurate assessment must be made about which patients need treatment most urgently. In the context of a Security Operations Center, triage is an initial investigation that separates incidents into those that require further analysis and those that do not. Triage is also used for prioritizing incidents based on the potential harm they may cause. Typically, incidents are given a priority classification such as informational, low, medium, high, critical, major or catastrophic. A key concept to understand is the difference between anomalous and malicious activity. An anomaly is a deviation from what is normal. In other words, the Cyber Security Analyst needs to determine whether the detected activity is normal or abnormal. Please note that not all anomalous activity is malicious. However, any activity that is malicious is also, by definition, anomalous.

Having performed the triage, the Junior Cyber Security Analyst is responsible for writing a clear and concise summary of the incident. Communication is vital in this role, because incidents are transferred from one tier to the next much like a runner passes a baton to the next runner. The summary should provide answers to the following questions:

1. What has happened?
2. What conclusion has been reached?
3. What evidence can be presented to support this conclusion?
4. Does the incident require further analysis?

Additionally, the summary should contain the relevant technical information such as:

Endpoint ID: RBXC900231
Operating System: Windows 10 64-bit
Operating System version: 22H2
Source IP address: 192.168.100.3
Destination IP address: 192.191.7.3

INVESTIGATION

Tier 2 Cyber Security Analysts are responsible for evaluating and investigating incidents escalated by Tier 1. Based on the incident data and the summary provided by Tier 1, the incident will be re-evaluated. The goal is to confirm whether Tier 1 reached a correct conclusion.

If the incident merits further attention, Tier 2 will continue to investigate it. This often requires accessing additional data sources or performing advanced query searches to uncover details that were not present in the alert. Moreover, open source intelligence can be leveraged to supplement the existing data. The key responsibility of Tier 2 is to determine whether the incident is a True Positive, Benign Positive or False Positive.

True Positive: The alert logic works correctly and the activity is malicious.
Benign Positive: The alert logic works correctly but the activity is not malicious.
False Positive: The alert logic works incorrectly and the activity is not malicious.

If the incident is a True Positive, the Cyber Security Analyst must take the appropriate measures to contain the incident. Additionally, an assessment should be made of the potential damage that has been caused, and which entities have been affected.

ESCALATION

When a major incident occurs, Tier 2 will typically escalate the incident to Tier 3, a team of Senior Cyber Security Analysts and Incident Responders. Incidents that require assistance from Tier 3 often involve specialized investigative measures such as forensic analysis, post-incident threat hunting, reverse engineering and malware analysis. It is imperative that the incident is escalated with a report containing detailed information about the incident investigation and the remediation actions that have already been performed. Furthermore, the report should state what actions are expected from Tier 3.

If the Security Operations Center service is provided to a client corporation, Tier 2 may escalate the incident directly to the client corporation’s security team or a third party IT Help Desk or Service Desk.

REMEDIATION

Remediation actions are performed when it is clear that an incident is a True Positive, or when an incident has strong indicators of malicious activity. The responsibility placed on the shoulders of Cyber Security Analysts is tremendous. Not only do they have to decide whether remediation actions need to be performed, but also what actions should be taken, and what potential repercussions they might have.

The following are some of the most common remediation actions that are performed:

1. Endpoint Isolation
2. Malware Scanning
3. Password Reset
4. Remote Terminal
5. Endpoint Reimaging

Security Operations Centers that provide services to corporate clients face an added challenge when it comes to remediation actions. Cyber Security Analysts have to take into account the fact that different organizations have different types of IT environments, and this may dictate what kind of actions can be performed. As an example, a small retail store selling physical goods to consumers will likely suffer only minor business disruptions if a production server is isolated from the network. However, for a hospital the same procedure could be a matter of life and death! As if this were not enough, Cyber Security Analysts must also consider the adverse effects of not performing remediation actions at all, or performing them too late. The results could be equally bad, or even worse. Breaches and other cyber attacks nearly always cause reputational damage to organizations. Additionally, they may have to pay fines or sanctions for non-compliance with data protection legislation. If any of the victims decide to sue the organization, it may also have to bear the added cost of litigation.

Even though this level of mental fortitude is not required for most incident investigations, it is important that Cyber Security Analysts take their role and responsibility seriously. The stakes are high, and many organizations are willing to pay large sums of money for their security. In return they expect quality service and professionalism. Therefore, always do your best. If you make a mistake, as all of us do, use it to your advantage by learning from it.

Alert Prevention

During incident investigations a Cyber Security Analyst will come across benign objects such as approved files or applications that are triggering alerts unnecessarily. These can be filtered either in the Managed Detection & Response (MDR) solution or in the Security Information & Event Management (SIEM) solution. Tier 1 and Tier 2 typically make a note of these cases, and make a formal request that Alert Prevention Policies be applied to these cases. Not all requests get approved as each case is subject to discretion. Depending on the structure and size of the Security Operations Center, Tier 3 or the Development Team will make the final decision regarding the requested change.
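The verdict definitions above (True, Benign and False Positive) and the Alert Prevention Policy idea can be expressed as a small triage helper. The following is an added example, not code from the article: it re-runs a hypothetical detection rule against the raw event to tell a misfiring rule (False Positive) from a correct match, then uses an approved-object allowlist (the Alert Prevention Policy) and a known-bad list to decide between Benign Positive, True Positive and "needs Tier 2". The rule, hashes, paths and endpoint IDs are all constructed sample values.

```python
"""Toy Tier 1 triage helper (added example; not the article's code).

Applies the article's verdict definitions to constructed sample alerts and
shows how an Alert Prevention Policy (an approved-object allowlist) would
suppress a recurring Benign Positive. The detection rule, hashes, paths
and endpoint IDs are hypothetical sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    endpoint_id: str
    image_path: str   # full path of the launched executable
    sha256: str       # hash of the executable (constructed placeholder values)


@dataclass(frozen=True)
class Alert:
    rule: str
    event: Event


# Hypothetical detection rule: an executable launched from a Temp directory.
def rule_exec_from_temp(event: Event) -> bool:
    return "\\temp\\" in event.image_path.lower()


RULES = {"exec_from_temp": rule_exec_from_temp}

# Alert Prevention Policy: approved objects that legitimately trigger the rule.
# Tier 1/2 request these; Tier 3 or the development team approves them.
APPROVED_HASHES = {"sha256-approved-0001": "corporate VPN installer"}  # constructed

# Known-bad indicators from threat intelligence (constructed placeholders).
KNOWN_BAD_HASHES = {"sha256-known-bad-0002"}

VERDICT_PRIORITY = {
    "True Positive": "high",
    "Requires further analysis": "medium",
    "Benign Positive": "informational",
    "False Positive": "informational",
}


def classify(alert: Alert, approved: dict = APPROVED_HASHES) -> str:
    """Return the article's verdict for one alert.

    Re-running the rule on the raw event separates a misfiring rule (False
    Positive) from a correct match; the allowlist and threat intel then decide
    whether a correct match is benign, malicious, or still unknown.
    """
    if not RULES[alert.rule](alert.event):
        return "False Positive"          # logic fired on an event it should not have
    if alert.event.sha256 in approved:
        return "Benign Positive"         # logic correct, activity approved
    if alert.event.sha256 in KNOWN_BAD_HASHES:
        return "True Positive"           # logic correct, activity malicious
    return "Requires further analysis"   # anomalous, not yet shown malicious: hand to Tier 2


def suppressed_by_policy(alert: Alert, approved: dict = APPROVED_HASHES) -> bool:
    """True when an Alert Prevention Policy would filter this alert before triage."""
    return RULES[alert.rule](alert.event) and alert.event.sha256 in approved


def triage_summary(alert: Alert) -> dict:
    """The Tier 1 handover: what happened, conclusion, evidence, further analysis?"""
    verdict = classify(alert)
    return {
        "endpoint_id": alert.event.endpoint_id,
        "what_happened": f"rule {alert.rule} fired on {alert.event.image_path}",
        "conclusion": verdict,
        "evidence": {"sha256": alert.event.sha256,
                     "rule_fires_on_raw_event": RULES[alert.rule](alert.event)},
        "priority": VERDICT_PRIORITY[verdict],
        "further_analysis": verdict in ("True Positive", "Requires further analysis"),
    }


# Constructed sample alerts, one per outcome.
SAMPLE_ALERTS = [
    Alert("exec_from_temp", Event("EP-0001", r"C:\Users\alice\AppData\Local\Temp\vpn_setup.exe", "sha256-approved-0001")),
    Alert("exec_from_temp", Event("EP-0002", r"C:\Users\bob\AppData\Local\Temp\update.exe", "sha256-known-bad-0002")),
    Alert("exec_from_temp", Event("EP-0003", r"C:\Program Files\Example\tool.exe", "sha256-unknown-0003")),
    Alert("exec_from_temp", Event("EP-0004", r"C:\Users\carol\AppData\Local\Temp\helper.exe", "sha256-unknown-0004")),
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        s = triage_summary(alert)
        print(f"{s['endpoint_id']}: {s['conclusion']} ({s['priority']}), "
              f"escalate={s['further_analysis']}, suppressed={suppressed_by_policy(alert)}")
```

The fourth sample alert is the important one: the rule fired correctly and the object is neither approved nor known-bad, so the helper deliberately does not call it a True Positive. Anomalous is not the same as malicious; that alert is what Tier 1 hands to Tier 2 with the summary fields shown above. The first alert would never reach an analyst once its hash is covered by an approved Alert Prevention Policy.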

It goes without saying that the role of a Cyber Security Analyst is one of great importance and responsibility. When you understand the plight that organizations and individuals are facing with the ever increasing surge of cyber crime, the work becomes highly meaningful. Additionally, cyber security jobs pay well. As rewarding as the work can be, it also requires a great deal of patience, resilience and a desire to keep learning. As new threats emerge and threat actors become increasingly sophisticated, there is always something new to read about. All in all, the role of a Cyber Security Analyst is an excellent way to begin your career!
