A Security Operations Centre, or SOC, is the team that works through the continuous stream of potential cyber threats directed at an organization. Understanding how a security team is structured and how its processes fit together makes security management far more effective, but the structure does not always follow a rigid hierarchy.
The NIST Cybersecurity Framework establishes a robust set of standards and processes for addressing cyber risk. It is deliberately flexible: there is no explicit formula for how a cybersecurity team must be structured, but every threat-management function needs to cover its five core functions (as defined in CSF version 1.1): Identify, Protect, Detect, Respond, and Recover.
To implement the NIST Cybersecurity Framework, many SOCs are segmented into teams that make the best use of each employee’s experience and area of specialization, like the following:
Cybersecurity analysts are the on-the-ground members of the security team; more often than not, they are the ones tracking security threats within the network day to day.
Given the volume of network data, the range of systems that need securing, and the varying severity of alerts, it is common for the security analyst role to be further broken down into three or four key tiers.
Tier 1 is generally the least experienced role, but it is no less mission-critical.
Tier 1 security analysts are responsible for monitoring security tools for alerts and misconfigurations. When new alerts come in, they are the first to handle them: they triage each alert, decide its priority, and decide whether it is closed, kept under observation, or escalated.
Tier 2 receives the incidents escalated by tier 1 analysts and begins a deeper analysis of their origin and wider implications. Because the alerts seen in any environment are unique to it, the day-to-day specifics can shift dramatically. These in-depth investigators are skilled in complex analysis and can spend more time cross-referencing the alerts that come their way against other telemetry and earlier activity on the same assets.
They form the bulk of an enterprise’s incident response capability, and thanks to their time in the tier 1 position, they are generally very familiar with what normal activity on the enterprise’s network looks like.
This ability to rapidly and precisely understand a potential incident’s intricacies means that tier 2 analysts are also well positioned to respond: they help build the strategy for containment, remediation, and recovery.
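As an added illustration of the tier 1 and tier 2 workflow described above (this is example code written for this article, not Check Point’s tooling or any SOC’s actual playbook), the following script runs a simple triage pass over a handful of constructed alerts and then correlates the survivors per host. The scoring formula, the asset-criticality table, the 15-minute correlation window, and the alert fields themselves are all assumptions made for the example. The point it shows is that two alerts that tier 1 would only “monitor” on their own become part of an incident once tier 2 cross-references them with an escalated alert on the same host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts for the example (not real data).
# severity: the tool's own 0-3 rating; confidence: how reliable the rule is (0-1).
SAMPLE_ALERTS = [
    {"id": "A1", "ts": "2024-03-01T09:00:00", "host": "ws-042",
     "rule": "Suspicious PowerShell", "severity": 3, "confidence": 0.8},
    {"id": "A2", "ts": "2024-03-01T09:04:00", "host": "ws-042",
     "rule": "Outbound to rare domain", "severity": 2, "confidence": 0.6},
    {"id": "A3", "ts": "2024-03-01T09:06:00", "host": "ws-042",
     "rule": "New scheduled task", "severity": 2, "confidence": 0.7},
    {"id": "A4", "ts": "2024-03-01T09:30:00", "host": "db-01",
     "rule": "Failed login", "severity": 1, "confidence": 0.3},
    {"id": "A5", "ts": "2024-03-01T11:00:00", "host": "ws-077",
     "rule": "Antivirus signature update", "severity": 0, "confidence": 1.0},
]

# Assumed asset criticality as a SOC might keep it in a CMDB: 1 = low, 3 = crown jewel.
ASSET_CRITICALITY = {"ws-042": 1, "ws-077": 1, "db-01": 3}

# Rules the SOC has already classified as informational; tier 1 closes these outright.
KNOWN_BENIGN_RULES = {"Antivirus signature update"}

ESCALATE_THRESHOLD = 1.5   # assumed: single-alert score at which tier 1 escalates
INCIDENT_THRESHOLD = 3.0   # assumed: combined score at which tier 2 opens an incident


def tier1_triage(alerts):
    """Tier 1: score each alert and give it a disposition (closed / monitor / escalate)."""
    triaged = []
    for alert in alerts:
        if alert["rule"] in KNOWN_BENIGN_RULES:
            score, disposition = 0.0, "closed"
        else:
            criticality = ASSET_CRITICALITY.get(alert["host"], 2)  # unknown hosts count as medium
            score = alert["severity"] * alert["confidence"] * criticality
            disposition = "escalate" if score >= ESCALATE_THRESHOLD else "monitor"
        triaged.append({**alert, "score": round(score, 2), "disposition": disposition})
    return triaged


def _cluster_to_incident(host, cluster):
    """Turn a per-host cluster into an incident if it contains an escalation or enough combined signal."""
    combined = round(sum(a["score"] for a in cluster), 2)
    if any(a["disposition"] == "escalate" for a in cluster) or combined >= INCIDENT_THRESHOLD:
        return {"host": host, "alert_ids": [a["id"] for a in cluster], "combined_score": combined}
    return None


def tier2_correlate(triaged, window=timedelta(minutes=15)):
    """Tier 2: cross-reference all open alerts on the same host within a time window."""
    by_host = defaultdict(list)
    for alert in triaged:
        if alert["disposition"] != "closed":
            by_host[alert["host"]].append(alert)

    incidents = []
    for host, alerts in by_host.items():
        alerts.sort(key=lambda a: a["ts"])
        cluster = []
        for alert in alerts:
            ts = datetime.fromisoformat(alert["ts"])
            # Start a new cluster when this alert falls outside the window of the cluster's first alert.
            if cluster and ts - datetime.fromisoformat(cluster[0]["ts"]) > window:
                incident = _cluster_to_incident(host, cluster)
                if incident:
                    incidents.append(incident)
                cluster = []
            cluster.append(alert)
        incident = _cluster_to_incident(host, cluster)
        if incident:
            incidents.append(incident)
    return incidents


if __name__ == "__main__":
    triaged = tier1_triage(SAMPLE_ALERTS)
    for a in triaged:
        print(f'{a["id"]} {a["host"]:7} score={a["score"]:<4} {a["disposition"]}')
    for inc in tier2_correlate(triaged):
        print("incident:", inc)
```

On these constructed alerts, tier 1 escalates only A1; A2 and A3 each sit below the escalation threshold and would be left on the monitor queue. Tier 2’s per-host correlation then groups A1, A2 and A3 (all on ws-042 within six minutes) into one incident, while the lone low-confidence failed login on db-01 is kept under observation rather than opened as an incident. The thresholds are illustrative; a real SOC tunes them against its own alert volume and false-positive rate.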
Supporting the wide-ranging incident investigations of tier 2 analysts are their tier 3 counterparts: highly experienced analysts who have gone on to specialize in particular fields.
They can be either:
They are often tasked with the more proactive elements of cybersecurity, such as threat hunting. When a penetration test is underway, tiers 1 and 2 typically act as the blue team while tier 3 analysts generally play the attackers, so the organization’s entire security posture benefits from their advanced experience.
No matter the tier, most analysts’ shifts start the same way:
The first task at hand is to review the information handed over from the previous shift, particularly in a 24/7 SOC, beginning with a briefing on ongoing incidents and on events that need further monitoring.
The SOC manager is responsible for the analysts; because the role is essentially the final step of the traditional analyst career path, it is sometimes referred to as tier 4. SOC managers direct SOC operations and are responsible for keeping the analysts aligned with the wider DevOps teams and with organizational strategy through security policies.
This is how they build and help execute the cybersecurity strategy.
The day-to-day responsibilities of a SOC manager revolve around supporting the team and making sure it all runs smoothly, including:
While not always an integral member of the SOC, security engineers deserve a mention because of their role in managing the organization’s risk. They usually have an extensive background in software or hardware and are generally responsible for designing secure information systems.
This often means they have one foot in the SOC and the other in the DevOps team; they also take on responsibility for documenting the organization’s application security standards.
The Incident Response Director takes charge of the entire incident response process – they coordinate and direct every facet of the response effort.
The IR Director assumes full responsibility for all roles within the response team, and is empowered to create and assign additional roles as needed to address the demands of an incident, like assigning multiple analysts to handle particular information streams.
This dynamic approach allows them to adapt the team’s structure in real time.
One step above the SOC manager is the Chief Information Security Officer (CISO). Freed from managing individual analysts, the CISO can focus almost entirely on the strategic decisions that keep the organization ahead of industry-wide threats.
Typically reporting to the CEO, the CISO balances security demands against wider business objectives and budgets.
When you’re relying on a lean team, or even a fully outsourced one, it can be hard to feel fully in sync with your security posture. With a cloud-native security model, Check Point offers a centralized view of every component of the application infrastructure.
Across all traffic, configurations, and components, identify your assets and secure them with advanced features like macro- and micro-segmentation, Next-Gen Firewall, API protection, and SSL/TLS inspection. This visibility forms the basis of the Check Point Infinity service; if you need a greater degree of hands-on protection, explore the comprehensive managed services built on it. These include:
All of this integrates seamlessly with your pre-existing IT and InfoSec operations. To learn more, explore the full range of Check Point Infinity services.