8 Tips for Leading a SOC Team

As a successful SOC manager must be able to lead a team of employees effectively, we’ve compiled a list of our top tips!

As a security manager or SOC team leader, you’ll know that building, directing, and orchestrating a first-class security operations centre is no simple feat.

With security operations centre teams under more pressure than ever, SOC managers are uniquely positioned to champion the team while building, training, and empowering SOC Analysts. Leading that team effectively is the core of the job, so we’ve compiled a list of our top tips.

1. Ongoing training

Broadening your team’s cyber security knowledge and analytical thinking enables them to adapt to different needs. With blue team security training for your SOC Analyst team, you can ensure new hires develop their foundational knowledge while existing members continuously learn and upskill.

For new hires, our Pre-Security Training covers fundamental knowledge you would expect entry-level hires to know, while our Introduction to Cyber Security pathway gives your team a holistic understanding of the different areas of cyber security. These SOC training courses allow your team to gain hands-on experience while brushing up on topics including web application security, operating system security, network security, operations, and digital forensics.

For existing SOC Analysts who want to keep upskilling, the SOC Level 1 training builds on the fundamental training listed above and dives into the tools and real-world scenarios an analyst meets on shift. The level of detail in these blue team training exercises is pitched at the needs of a Level 1 SOC Analyst, at medium difficulty.

The SOC Level 1 pathway empowers your team to:

  • Monitor and investigate alerts around the clock
  • Configure and manage security tools
  • Develop and implement IDS signatures
  • Escalate security incidents to the Tier 2 and Team Lead where necessary

2. Staying up-to-date

Ensuring your team is up to speed with new and evolving threat intelligence and mitigation techniques is vital for security operations.

TryHackMe SOC training covers the latest threats and mitigation techniques, enabling your team to better analyse and defend.

Meanwhile, several researchers, influencers, and key content creators in the field share the latest in defensive security! These include Katie Paxton-Fear, Nicole Enesse, Simply Cyber, Florian Roth, Chris Greer, Alyssa Miller, Tracy Z. Maleef, Lesley Carhart, and Marcus J. Carey.

News articles are another way for you and your team to keep up with the latest! We recommend regularly keeping up with Recorded Future, The Hacker News, PenTest Magazine, and the TryHackMe blog. The DFIR Report shows the latest in industry cyber intrusions with insights and information about tactics, techniques and procedures (TTPs).

3. Use security automation

Efficient SOC teams use security automation to increase the accuracy of their detection tooling and their ability to assess each risk. In practice this means the team can identify incidents sooner, reduce false positives, analyse security events at scale, and tune defences more effectively.

An effective SOC team needs visibility first, which means having both host-centric (endpoint logs, EDR) and network-centric (IDS, flow and proxy logs) monitoring and detection tools in place before automating anything on top of them.

Some of the more mature SOCs rely on Threat Intelligence to automate the detection of suspicious events, which analysts then investigate further. The results of those investigations are fed back into the automation (for example, suppressing an indicator that turned out to be benign, or raising the priority of one that was confirmed), tightening it over time so that it ideally alerts only on actionable findings.

By combining highly skilled SOC professionals with automation (including AI-assisted tooling), SOC teams can reduce the time and cost spent on low-value alerts, freeing your team to focus on higher-priority ones. Effective detection engineering and well-chosen automation also reduce unnecessary fatigue for analysts (check out point five for more on this!).
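The feedback loop described above, as an added example rather than TryHackMe's code or any vendor's product: constructed proxy log lines are matched against a constructed indicator feed, low-confidence indicators are dropped, and an analyst's verdict on an investigated hit is recorded as a suppression so the same benign match does not alert again. All indicators, hostnames, IP addresses and log lines are made up (RFC 5737 documentation ranges and `.example` names), and the confidence threshold is a hypothetical tuning value.

```python
"""Threat-intel-driven detection with an analyst feedback loop (added example)."""
from dataclasses import dataclass, field

# Constructed indicator feed: indicator -> (type, confidence 0-100, context)
THREAT_INTEL = {
    "203.0.113.7": ("ip", 90, "C2 server reported by partner feed"),
    "198.51.100.22": ("ip", 40, "mass scanner, low confidence"),
    "updates.example-cdn.net": ("domain", 30, "flagged once, later cleared"),
    "evil-payloads.example": ("domain", 95, "malware staging host"),
}

# Constructed proxy log lines: "<timestamp> <user> <src_ip> <destination> <action>"
LOG_LINES = [
    "2024-05-01T09:00:00Z alice 10.0.0.5 evil-payloads.example ALLOW",
    "2024-05-01T09:01:10Z bob 10.0.0.6 updates.example-cdn.net ALLOW",
    "2024-05-01T09:02:30Z carol 10.0.0.7 203.0.113.7 ALLOW",
    "2024-05-01T09:03:45Z dave 10.0.0.8 198.51.100.22 BLOCK",
    "2024-05-01T09:04:00Z erin 10.0.0.9 www.example.org ALLOW",
    "2024-05-01T09:05:00Z frank 10.0.0.10 203.0.113.7 BLOCK",
]


@dataclass
class Suppression:
    """An analyst's verdict that hits on this indicator are benign or already handled."""
    indicator: str
    reason: str
    analyst: str


@dataclass
class Detector:
    min_confidence: int = 50  # hypothetical tuning threshold, not a standard value
    suppressions: dict = field(default_factory=dict)

    def record_false_positive(self, indicator, reason, analyst):
        """Feedback loop: an investigation outcome is written back into the automation."""
        self.suppressions[indicator] = Suppression(indicator, reason, analyst)

    def match(self, lines):
        """Return actionable alerts for the given log lines, highest severity first."""
        alerts = []
        for line in lines:
            ts, user, src, dest, action = line.split()
            if dest not in THREAT_INTEL:
                continue
            ioc_type, confidence, context = THREAT_INTEL[dest]
            if confidence < self.min_confidence or dest in self.suppressions:
                continue
            # A blocked connection still means a host tried to reach a known-bad
            # destination, so it stays an alert but at lower severity.
            severity = "high" if action == "ALLOW" else "medium"
            alerts.append({
                "ts": ts, "user": user, "src": src, "indicator": dest,
                "type": ioc_type, "confidence": confidence,
                "context": context, "severity": severity,
            })
        alerts.sort(key=lambda a: (a["severity"] != "high", -a["confidence"]))
        return alerts


def demo():
    """Run the detector once, then again after an analyst's feedback."""
    det = Detector()
    first_pass = det.match(LOG_LINES)
    # Investigation finds 203.0.113.7 is shared hosting the business uses legitimately.
    det.record_false_positive("203.0.113.7", "shared hosting, confirmed benign", "carol")
    second_pass = det.match(LOG_LINES)
    return first_pass, second_pass


if __name__ == "__main__":
    before, after = demo()
    print(f"{len(before)} alerts before feedback, {len(after)} after")
    for a in after:
        print(a["severity"], a["user"], a["src"], "->", a["indicator"], f"({a['context']})")
```

The suppression is keyed on the indicator alone to keep the example short; in a production pipeline you would scope it (to a source host, a time window, or an expiry) so that a verdict on one benign case does not silence a later genuine one on the same infrastructure.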

4. Measure performance

Measuring the performance of your SOC team is vital to improve the processes and handling of incidents continuously. SOC metrics should be incorporated into evaluation and refinement processes.

Important SOC team metrics include:

  • Mean Time to Detection (MTTD) - the average time between an incident starting and the SOC detecting it
  • Mean Time to Resolution (MTTR) - the average time between detection and resolution of the threat
  • SOC Analyst Productivity - the number of alerts, incidents or threats handled per analyst in a given period
  • Type of SOC Cases - a breakdown of incidents by type (for example, web attack, brute force, phishing)
  • Total Cases Per Month - the total number of security incidents detected and processed by the SOC team in the month
  • Case Escalation - the number and proportion of cases escalated to higher SOC Analyst tiers, which shows the workload carried by each tier
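The metrics above computed from case records, as an added example (not a TryHackMe tool): the four case records are constructed for illustration, and in a real SOC they would be pulled from the ticketing system or SIEM case API. The example keeps the page's definitions (MTTD from first evidence to detection, MTTR from detection to resolution) and handles the one edge case that most often skews these numbers, the still-open case, by excluding it from MTTR rather than counting it as zero.

```python
"""SOC metrics (MTTD, MTTR, case mix, productivity, escalation) from case records."""
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed case records. "occurred" is the earliest evidence of the activity,
# "detected" when the SOC opened the case, "resolved" when it was closed (None = open).
CASES = [
    {"id": "INC-1", "occurred": "2024-05-01T08:00Z", "detected": "2024-05-01T09:00Z",
     "resolved": "2024-05-01T12:00Z", "type": "phishing", "analyst": "alice", "tier": 1},
    {"id": "INC-2", "occurred": "2024-05-01T22:00Z", "detected": "2024-05-02T02:00Z",
     "resolved": "2024-05-02T08:00Z", "type": "brute force", "analyst": "bob", "tier": 2},
    {"id": "INC-3", "occurred": "2024-05-02T10:00Z", "detected": "2024-05-02T10:30Z",
     "resolved": "2024-05-02T11:30Z", "type": "web attack", "analyst": "alice", "tier": 1},
    {"id": "INC-4", "occurred": "2024-05-03T09:00Z", "detected": "2024-05-03T09:15Z",
     "resolved": None, "type": "phishing", "analyst": "carol", "tier": 3},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%MZ")


def _hours(start, end):
    return (_ts(end) - _ts(start)).total_seconds() / 3600


def mttd_hours(cases):
    """Mean Time to Detection: occurrence to detection, over all cases."""
    return mean(_hours(c["occurred"], c["detected"]) for c in cases)


def mttr_hours(cases):
    """Mean Time to Resolution: detection to resolution, closed cases only.

    Open cases are excluded; counting them as zero would flatter the number.
    Returns None when nothing has been closed yet.
    """
    closed = [c for c in cases if c["resolved"] is not None]
    if not closed:
        return None
    return mean(_hours(c["detected"], c["resolved"]) for c in closed)


def cases_by_type(cases):
    return Counter(c["type"] for c in cases)


def cases_per_analyst(cases):
    """Analyst productivity: cases handled per analyst in the period covered."""
    return Counter(c["analyst"] for c in cases)


def cases_per_month(cases):
    """Total cases per month, keyed by the month the case was detected (YYYY-MM)."""
    return Counter(c["detected"][:7] for c in cases)


def escalation(cases):
    """Cases handled at each tier, and the share escalated beyond Tier 1."""
    per_tier = Counter(c["tier"] for c in cases)
    escalated = sum(n for tier, n in per_tier.items() if tier > 1)
    return per_tier, escalated / len(cases)


def report(cases):
    per_tier, rate = escalation(cases)
    return {
        "mttd_hours": mttd_hours(cases),
        "mttr_hours": mttr_hours(cases),
        "open_cases": sum(1 for c in cases if c["resolved"] is None),
        "by_type": dict(cases_by_type(cases)),
        "per_analyst": dict(cases_per_analyst(cases)),
        "per_month": dict(cases_per_month(cases)),
        "per_tier": dict(per_tier),
        "escalation_rate": rate,
    }


if __name__ == "__main__":
    for key, value in report(CASES).items():
        print(f"{key:16} {value}")
```

Report the number of open cases alongside MTTR whenever you present it, otherwise a quarter with many unresolved incidents can show a better MTTR than a quarter where everything was closed.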

5. Take care of your team

You should always take care of your SOC team, with consideration for their career growth and well-being. Alert fatigue is one of the biggest challenges facing the modern SOC, and analysts exposed to it are likely to experience stress, burnout, and a decline in effectiveness.

Analysts need to be empowered in their role, so aim to hold regular reviews with individual members of your SOC team to discuss ongoing training and progression, along with any issues they may be experiencing.

SOC teams face a huge volume of alerts, most of which are false positives that are time-consuming and resource-intensive to work through. As we mentioned above, automation and detection tuning can help to overcome high alert volumes and fight alert fatigue.

You should ensure your SOC team regularly take breaks and annual leave, and that any leave is respected. Ensuring that incidents and alerts are rerouted to other team members is crucial in ensuring annual leave is taken effectively.

Bharat Mistry, Technical Director for Trend Micro, says: "To avoid losing their best people to burnout, organisations must look to more sophisticated threat detection and response platforms that can intelligently correlate and prioritise alerts. This will not only improve overall protection but also enhance analyst productivity and job satisfaction levels."

6. Become a leader

A good incident process requires strong leadership. During an incident there is no room for democracy; it has to be an autocracy. We can all have discussions about what we think should happen, but you need that one person in the room who is actually going to take the information from those discussions, make a call, and force action to be taken.

On several occasions, we have seen teams stuck in days of discussions with no action taken, so take responsibility to ensure roles, responsibilities and processes are clear and understood by your team. Every role in a SOC team is important, therefore make sure that everyone knows and understands what their role is and allow them to execute it to avoid confusion.

7. Ensure steps are followed correctly

An important function of the SOC is to document the response to an incident and to write up the postmortem. In the heat of the moment this step can be missed: a containment action gets taken, but nobody logs the ticket that records who took it and tracks its effect, so the incident record ends up incomplete.

When leading a SOC team, try to ensure all actions are taken, specifically around Containment, Eradication, and Recovery. Who is responsible for performing the action? Has the action been performed? Has the action had any noticeable effect on the incident? These are all crucial questions that you should regularly ask your team!

Another step that must not be skipped is a handover at the end of every shift, so that open alerts and in-progress investigations are explicitly passed on rather than left for the next shift to discover.

8. Encourage collaboration

SOC work is cooperative by nature: triage, escalation, and incident handling are processes that only succeed with collaboration, communication, and team problem-solving. Two core ways of encouraging collaboration within your SOC team are team workspaces and King of the Hill.

Workspaces encourage team engagement through a competitive leaderboard with rankings of all team members and their points collected from completing rooms, labs, and pathways. With SOC teams required to learn and upskill continuously, workspaces spur training for those with a competitive streak!

As a manager or leader, you’ll be able to monitor activity and gain insights in the management dashboard, with a rank of all team members in your workspace, ordered by the number of points each user has collected.

King of the Hill is a competitive hacking game designed to strengthen team relationships through collaboration by putting offensive and defensive cyber skills into practice. Your team can then keep track of performance through a competitive leaderboard - an awesome way to ignite competition, display results, and foster a thriving culture. Check out our guide for more information on using King of the Hill for business!

Businesses partner with us to create branded learning paths that align with skill requirements, giving teams relevant, engaging, personalised training. With over 560 training labs, TryHackMe ensures your SOC team get the most out of blue team security training, paired with our collaborative workspaces and tools to ignite competition.

We help upskill your team to mitigate the risk of cyber attacks, and can be a pillar of your SOC team strategy!