You Don’t Have SOC Analysts, You Have SOC Synthesists

For all my nearly 20 years in the Security Operations field being a “SOC Analyst”, building SOCs, evolving SOCs and everything in between, I’ve been calling my team members by the wrong title.  Worse yet, none of my colleagues ever corrected me, mostly because they didn’t know. Hard to believe, but I suspect it’s because we all never really thought much about what the “SOC Analyst” really does for a living.

The word “analyst” means a person who conducts an analysis.  “Analysis” has its roots in the Greek word “analyein” which translates “to break up”. This implies breaking the problem into pieces.

It begins…

“SOC Analysts” typically come into work at the start of their long shifts and sit down in front of a console to look at alerts of some kind.  These alerts have data points from a single security product telemetry like an IDS sensor. These alerts do not usually have enough information alone to make a decision on whether they are dealing with a security incident or threat.

Now what?

The “Analyst” would then want to know more information so they go collect data points from other sources to piece together (combine corroborating pieces of evidence) to form an as complete a picture as possible regarding what is going on in their environment, and what is the likelihood it is malicious.

Then what?

Now it’s decision time.  Does the picture paint a portrait of something nefarious going on and we need to get Security Incident Responders engaged or is it just a misconfigured company application running amok and should they need to notify a server admin?

Finally.

The decision is made and it’s on to the next alert.  Wash, rinse, repeat for the next 11+ hours.

What we just walked through was an individual taking one piece of evidence and trying to add more evidence to create a whole picture.  So let’s look at the definition of “analysis” below from dictionary.com:

Analysis

noun, plural a·nal·y·ses [uhnaluh-seez].

1. The separating of any material or abstract entity into its constituent elements (as opposed to synthesis).

2. This process as a method of studying the nature of something or of determining its essential features and their relations.

“The separating”?  Wait, what now? We just walked through how a Security Analysts is combining things, not breaking them apart!

Now let’s look at the definition of the word Synthesis, again from dictionary.com:

Synthesis

noun, plural syn·the·ses [sin-thuh-seez].

1. The combining of the constituent elements of separate material or abstract entities into a single or unified entity (opposed to analysis).

2. A complex whole formed by combining.

This definition fits what our “SOC Analysts” do every day much better than analysis now doesn’t it?

Wouldn’t it be great if your “SOC Analysts” had the time to synthesize all the contextual evidence they could collect around an initial alert to formulate a hypothesis?  THEN had even more time to turn around and breakdown all the possible permutations of the evidence to test the hypothesis and reaffirm or change their mind on each decision they made?  Yes, that would be awesome to have the time to do both!

The Respond Analyst: Doing synthesis AND analysis before making its decision to alert your Incident Responders, or just letting them sleep another hour…