SOC Analyst

Brayton Global SPRL

Region

Brussels

Contract

Permanent contract, fixed-term contract, freelance

Introduction

Brayton Global is a fast-growing IT company based in Brussels.

Our goal is to find you the best position, one where you will flourish and go beyond your limits.

We are looking for a SOC Analyst to work for one of our prestigious clients in Brussels, Belgium.

Your responsibilities

Our customer is currently looking for a Security Operations Centre Analyst.

Nature of Services

The primary objective of this service is to act as the first line of response to a potential cyber-attack or security incident. Supported by automated tools such as intrusion detection systems, log correlation engines and a SIEM, a ticketing system, and alerts and warnings from internal and external sources, the service involves receiving, triaging and responding to alerts, requests and reports, analyzing events and potential incidents, and providing primary support to incident responders. Triage involves assessing whether a security incident, or the level of exposure of a vulnerability, is a true or false positive, tagging the vulnerability or incident with an initial severity classification, and activating the corresponding incident response playbook entry. A further objective of this service is to follow pre-defined procedures to perform technical tasks related to identity and access management.

Main Tasks

This list is not exhaustive and may evolve in time, also depending on the type of assignment:

  • Real-time monitoring of cyber defense and intrusion detection systems
  • Automated processing (centralization, filtering, and correlation) of security events
  • Human-based analysis of automatically correlated events
  • Processing of incoming warnings, alerts, and reports
  • Triage based on verification, level of exposure and impact assessment
  • Categorize events, incidents and vulnerabilities based on relevance, exposure, and impact
  • Open tickets and ensure case management
  • Activate initial response plan based on standard playbook entries
  • Maintain incident response address book
  • Provide support to incident responders
  • Advise affected users on appropriate course of action 
  • Monitor open tickets for incidents/vulnerabilities from start to resolution 
  • Escalate unresolved problems to higher levels of support, including the incident response and vulnerability mitigation teams 
  • Configure the SIEM components for an optimal performance 
  • Improve correlation rules to ensure that the monitoring policy allows efficient detection of potential incidents. For a new component to be monitored, this encompasses:
    • Analyzing risks and security policy requirements
    • Translating them into technical events targeting the system components
    • Identifying the required logs/files/artefacts to collect from the monitored system and, if necessary, possible complementary devices to deploy
    • Elaborating the relevant detection and correlation rules
    • Implementing these rules in the SIEM infrastructure
    • Configuring and tuning cyber-defense solutions
    • Reviewing and improving the monitoring policy on a regular basis
  • Integrate cyber-defense solutions for efficient detection 
  • Define dashboards and reports for reporting on KPIs. 
  • Produce qualified reports (including recommendations) or alerts to SOC customers and follow-up on actions 
  • Contribute to the design of the overall monitoring architecture, in close relationship with the customers/system owners, on the one hand, and the security operations engineering team, on the other hand, by performing the following tasks:
    • Assessment of security event detection solutions, development of solutions
    • Integration of these solutions within the security monitoring scheme (log collection architecture, interoperability, formats, network aspects, ...)
    • Deployment and validation of the solutions 
    • Draft documentation such as architecture design descriptions, assessment reports, configuration guides, security operating procedures 
  • Produce and maintain accurate and up-to-date technical documentation, including processes and procedures (the so-called playbook), related to security incidents and preventive maintenance procedures
  • Management of identities and their related user accounts
  • Management of groups, roles, and other means of authorization
  • Solve incident, request and problem tickets from 1st level support or internal customers related to identity and access management
  • Maintain accurate documentation 
  • During security incidents, implement detection means to monitor attacker activities in real time
  • During security incidents, support the incident response team in the review/analysis of security logs and visualize the attack
  • Integrate IOCs in security solutions 
  • Take an active part in developing and improving the maturity framework, and have it understood and implemented by the team, by: 
    • Designing and drafting SOC processes and procedures framework
    • Implementing SOC processes and procedures, deploy collaborative tools and dashboards 
    • Coaching/training the team on the processes, procedures, and tools 
    • Regularly auditing and reporting on maturity to the management
    • Reviewing and improving the framework 
  • Provide activity reports to management to demonstrate service SLA and service quality

Your profile

Required expertise:

Certifications: At least 1 certification in the field of incident handling is mandatory:

  • GCIA (GIAC Certified Intrusion Analyst)
  • ECIH (EC-Council Certified Incident Handler)
  • CSIH (SEI Certified Computer Security Incident Handler)
  • SCPO (SABSA Certified Security Operations & Service Management Practitioner)

Methodologies:

Risk Assessment methodologies: EBIOS, CRAMM, PILAR or equivalent (subject to acceptance by the Contracting EU-I): DESIRABLE / 1 year of experience

Standards:

STIX (Structured Threat Information Expression) with a particular focus on the following related standards:

CybOX (Cyber Observables): DESIRABLE / 3 years of experience

CAPEC (Attack Patterns): DESIRABLE / 3 years of experience

MAEC (Malware): DESIRABLE / 3 years of experience

TAXII (Threat Information Exchange): DESIRABLE / 3 years of experience

Specific Skills:

Networking (TCP/IP, SNMP, DNS, Syslog-ng, etc.): MANDATORY / 5 years of experience

Experience in using, configuring, and tuning a SIEM: MANDATORY / 3 years of experience

Knowledge in network security solutions/technologies: MANDATORY / 4 years of experience

  • Firewalls
  • Network IDS and IPS
  • Switches and routers
  • APT detection solutions such as FireEye
  • DNS, DHCP, VPN
  • Network forensics (full packet capture)
  • Traffic baselining analysis

Knowledge in host-based security solutions: MANDATORY / 4 years of experience

  • HIPS
  • Malware end-point protection
  • OS logs

Strong knowledge in Windows security events analysis: MANDATORY / 5 years of experience

Strong knowledge in the security analysis of firewall, proxy, and IDS logs: MANDATORY / 5 years of experience

Writing and optimizing IDS signatures (preferably Snort and/or Suricata): MANDATORY / 3 years of experience

Strong knowledge in the security analysis of application or middleware logs (Oracle, Apache, WebLogic): MANDATORY / 5 years of experience

Writing and optimizing YARA rules: MANDATORY / 3 years of experience

Products / Tools:

SIEM (ArcSight ESM 6.x, QRadar, or equivalent, subject to acceptance by the contracting EU-I): MANDATORY / 4 years of experience

Log management solution (ArcSight Loggers and/or QRadar and/or Splunk or equivalent, subject to acceptance by the contracting EU-I): MANDATORY / 4 years of experience

Snort or Sourcefire NGIPS, FireSIGHT: MANDATORY / 2 years of experience

Suricata/StamusNetworks: DESIRABLE / 1 year of experience

ELK (Elasticsearch, Logstash & Kibana): DESIRABLE / 1 year of experience

FireEye Ex, Nx, Ax, Fx, Hx, Ix: DESIRABLE / 1 year of experience

CheckPoint and Juniper Firewalls: MANDATORY / 3 years of experience

BlueCoat proxies: MANDATORY / 3 years of experience

Interested?

You can simply apply by clicking the APPLY button.

Company

Brayton Global SPRL