Although AI is poised to radically transform enterprise security operations centers (SOCs), for now at least, the top three technologies new hires should learn about remain SIEM, host-based extended detection and response, and vulnerability remediation.
But three other hard skills scored high in a survey of nearly 400 cybersecurity practitioners conducted by the SANS Institute on behalf of Torq. These skills include knowledge of cloud security issues, expertise in PowerShell, and the ability to automate repetitive tasks and systems administration functions.
Hard core skills
In addition to the first three skills, “hard core skills that are currently essential for SOC analysts include: incident handling and response, threat hunting, cloud security, digital analytics, Python, PowerShell, and bash scripting,” says Dallas Young, senior technical product manager at Torq.
“As for personal skills, they include critical thinking, creativity, thoughtful problem solving, attention to detail in rapidly changing environments, and communication skills at both a technical and personal level,” he says.
The SANS survey polled respondents from small, medium, and large businesses in the United States and other countries about their top SOC challenges. The responses showed that many organizations are still struggling with issues that have plagued them for years. These include a lack of automation and organization of key SOC functions, high hiring requirements, a lack of skilled staff, and a lack of vision. They also reported a siloed mindset among security, incident response, and operations teams.
Improved Security Operations Center Retention Rates
On the positive side, the survey showed a surprising increase in employee retention rates across many SOCs. About 30% of respondents, a majority, said the average length of time employees stay in their organization’s SOC is between three and five years, compared to the one to three years respondents reported in previous SANS surveys.
Young attributes this trend to the increased automation of first-level triage and analysis in more organizations. This has allowed SOC analysts to focus on more strategic and intellectually stimulating activities, such as threat hunting and advanced incident response. It has also helped mitigate the problem of analyst fatigue, he says.
Other factors that appear to have contributed to increased retention rates include better work environments, with remote and flexible hours, and leadership training on a management track for high-performing employees. “Additionally, for security analysts who want to maintain a technical focus, organizations are paying for more training and certification opportunities in areas of interest such as penetration testing, reverse malware engineering, and cloud security subject areas, for example,” Young says.
Current labor market conditions have allowed many organizations to secure more experienced SOC analysts for the same budget than they could have a few years ago, says Jake Williams, a faculty member at IANS Research and vice president of research and development at Hunter Strategy. “This is good for organizations in the short term, but they need to plan now for when the labor market recovers,” Williams says. “Many organizations are masking their lack of process with the skills these more experienced analysts bring to the table.”
Cloud knowledge, identity management and PowerShell are required skills
Williams, like Young, says the most in-demand skills in SOCs — beyond the obvious foundational skills in SIEM and XDR — are knowledge of cloud platforms like AWS and Azure, and an understanding of Active Directory and Entra ID. “There is an increasing expectation for cloud basics, especially for senior SOC analysts,” Williams notes. Given the widespread adoption of M365 in enterprises, there is an expectation that many senior SOC analysts will know PowerShell to query Graph APIs. “PowerShell expertise and cloud platform knowledge were niche skills a few years ago. For mid- to senior-level SOC analysts today, it feels like a lot of money on the table,” he says.
The SANS survey showed that many SOC practitioners are not happy with their initial use of AI and ML tools for SOC analysis purposes. In fact, respondents gave AI and ML tools the lowest rating when asked to evaluate SOC tools. However, there is no doubt that AI and ML technologies are set to fundamentally change the SOC and, in the process, the skills landscape as well.
AI will continue to be driven forward to enhance automated threat detection, proactive threat hunting, automation of repetitive and time-consuming tasks, reduction of alert fatigue, and predictive analytics, Young says. Security operations center analysts will increasingly need to be familiar with machine learning algorithms and data analytics techniques to interpret the insights generated by AI, he says. They will also need the skills to handle complex security incidents identified by AI systems and be willing to continually learn and adapt to new AI technologies and methodologies.
“Why is this important?”
Williams expects AI tools to reduce the need for analysts whose sole role was to respond to basic alarms. “Beginning analysts now have to look at what AI does — and doesn’t — well and educate themselves in the areas where AI can’t replace them, like critical thinking,” he says. “The security operations center of the future will be less about knowing that port 3389 is RDP — AI will provide that context on demand — and more about providing, ‘Why does this matter in this context?’”
Creative thinking when it comes to interesting problems and connections will continue to be a key asset for SOC professionals, says Sajib Lohani, senior director of cybersecurity at Bugcrowd. “Today, security event management systems are so capable of raising alerts that it’s very easy to get stuck in a rut and cancel tickets,” he says. “However, in my opinion, the most successful professionals are able to connect events and understand the business context when triaging and responding to such alerts. That context is key.”
Lohani predicts that some of the threats that are relatively specific issues in SOCs will become more significant over the next few years. “Currently, a large percentage of SOCs have not had to deal with more specific threats such as supply chain security issues,” he says. “I think over time that will start to change, and more mature practices for preparedness and adaptation will be needed.”