Ask Lesley: How Much Should SOC Work Suck?

“Dear Lesley,

I’ve been in an MSSP Security Operations Center (SOC) for a few months as my first cybersecurity job. The work is monotonous, I have access to only a few SIEM tools, and most of what I do is handle repetitive tickets for a ton of customers all by myself on awkward shifts. I don’t understand if this is bad or not, or if this is a ticket farm I should quit?

– Tired Ticket Farmer”

Dear Tired,

There is a temptation in every field for senior people to look back on our most negative experiences and tell junior people to ‘suck it up’ because we went through the same thing. This is typically absurd and hurtful – we should always be trying to make life better for the next generation. SOC work today should be better than it was in the past. That said, there are upsides and downsides to an entry-level SOC job, and there are bad and good work environments out there.

The point of an entry-level SOC job is to learn and grow your business and cybersecurity skills and exposure. There are definitely downsides to the low-level work that this entails – for instance, SOC work often requires odd shifts and holiday work. It also can be quite repetitive even with good automation and processes in place, because as a junior person you have firm training wheels on in the form of processes and escalations. I’m not going to pretend that even in 2021 SOC work is routinely exciting and novel. It isn’t. It needs to be done, and in a lot of ways it is more engaging today than it was in the aughts, but it’s still monotonous sometimes.

What you should be getting out of your 1-3 years in a SOC is a lot of experience in what is normal and abnormal in cybersecurity monitoring, how processes work, and why they are in place. You should also be growing your skills through training and shadowing in preparation for moving to the next tier or niche.

This goes for everyone, but particularly for junior people: you should have an idea of where you want to progress as a professional. A job in a SOC will hopefully give you a lot of exposure to a variety of security tasks and roles that senior people perform, so that you can refine this plan further. I wrote more about career planning in my blog About Cybersecurity Management and Expectations. The bottom line is that you should be asking yourself if you are on track to achieve your goals through the formal and informal training and mentorship you are receiving in your current role.

What if you’re not on track, or you don’t know if you are on track? In an environment that isn’t abusive or hostile, you should have a polite but frank conversation with your manager before simply considering quitting. Are they aware of your goals? Do they intend to facilitate you reaching them in a reasonable amount of time? Are their expectations of you and your progression clearly documented and achievable? If there isn’t a clear, written plan for how you will reach the next level, that’s when you might want to start evaluating the value of your current role in the greater scheme of your career.

What might this facilitation look like? Well, a decent manager should make reasonable concessions where possible for your individual learning style. However, training and exposure may come in different forms in different organizations. Formal training and certifications, internal training, 1:1 mentorship, and job shadowing are all valid methods for knowledge transfer and preparing you for that next role. Which ones organizations choose may depend on logistics, price, and preferences. In any healthy environment, some of those things should be part of your documented performance goals.

Finally, let’s pivot and talk a little about SOC work in 2021 itself. When I worked in a SOC many eons ago, my work involved monitoring and tuning a lot of IOCs and static rules. Today, a moderately-sized SOC should be leveraging much more advanced tools to tune alerts efficiently, script routine analysis, focus on behaviors rather than noisy static alerts, and handle common problems with orchestration where possible. This stuff wasn’t available a decade ago, but it sure is now. There’s still ticket-marshaling to do, and plenty of calls and emails to handle, but there’s a process problem if you’re constantly triaging the same events in the same way. There should also be more of a focus on proactive threat hunting – which means using analysts to detect, based on plausible hypotheses, novel activity that automated tools can’t detect. Adversaries are getting very good at evading machine detection.

So, in conclusion, SOC work can kinda stink. Working night shift on Christmas isn’t typically a blast, and there’s a lot of mundane and very process-driven work assigned to junior folks for a reason. However, the goal of employing junior people should be both to get that work done where it cannot be automated and to train those junior people to become senior people in a reasonable amount of time. If you don’t feel you’re on track to reach that next tier or goal, it’s time to have a chat with your manager about the plan to get you there, and get it in writing. If that still doesn’t work, then maybe you are in an unhealthy ticket farm, and it’s time to weigh your options.