defensive security

Defensive Security: Jobs, Roles, & Responsibilities

Gray Oshin
06 June, 2023

Defensive Security
Defensive security involves protecting networks, computer systems, and data from unauthorized access by identifying, preventing, and responding to threats. 

It primarily covers every counteractive step taken to defend an organization’s resources from cyber-attacks. This includes implementing firewalls, intrusion detection systems, network analyzers, and access controls to stop attacks, minimize their effect on the business, and prevent them from happening.

Defensive security is often a reactive measure because it involves detecting and responding to intrusions and incidents when they occur. This is opposed to the proactive nature of offensive security (links to offensive security page), which is actively attacking security systems to find vulnerabilities before they’re exploited. 

However, defensive security can also be proactive.

For example, continuous threat intelligence and implementing security measures like firewalls, data encryption, and access controls ahead of time can be a proactive defensive security approach to preventing threats before they happen.

This is why offensive and defensive security must be combined for the most effective cybersecurity strategy.

Defensive Security Jobs and Responsibilities

For every computer system or network that is attacked, someone designed and deployed a system to prevent the intrusion. This person is a defensive security specialist. Or a group of professionals, commonly known as the BLUE TEAM. 

More than 66 percent of business leaders believe their company is still vulnerable to attacks. Hiring an experienced defensive security professional today can save you from financial and reputational damage.

There are numerous jobs in the blue team you should consider hiring. They all have the same goal of defending your organization. However, they may employ different strategies and tools to reach their objectives. 

Below, we’ll look at two of the most critical defensive security jobs and their responsibilities.

SOC Analyst

A SOC Analyst works in an organization’s security operations center (SOC) to monitor and analyze an organization’s network and systems for threats and potential security incidents. 

SOC Analysts typically monitor network traffic, event logs and gather data from other sources using tools like Security and Information and Event Management (SIEM) systems. 

This allows them to identify, triage, and escalate security incidents as necessary.

Once an anomaly is detected and confirmed, they notify the appropriate professional, usually an Incident Responder, for adequate action. 

What Does a SOC Analyst Do?

A SOC Analysts specific responsibilities will vary depending on the organizational size, project complexity, industry, tier, and internal tech stack.

As part of a defensive security team, here is a SOC Analyst's job description and typical day-to-day outlook.

  • Network and System Surveillance

One of the SOC's primary roles is to monitor the company's network, data, and systems. This includes continuous surveillance of security systems, applications, and networks for irregularities and security alerts indicating a breach has happened or may happen.

  • Real-time Incident Response and Investigation

Depending on the organization, SOC Analysts may need to work in real-time during an attack to curtail its effect on business continuity. So, beyond identifying the potential attack, they may also contribute to mitigating it and investigating its root. 

After an incident, the SOC Analyst may cooperate with law enforcement agencies to provide an accurate event report. 

Part of the SOC’s duties may also involve collaborating with customer support staff on what to share with stakeholders.

  • Collaborating with other Blue Team Members

In medium to large-scale organizations, SOC Analysts will often find themselves as part of a large cybersecurity team. 

In that case, they will need to collaborate with other team members, such as the Incident Handler and Security Incident Manager, on building and implementing solutions, security procedures, and best practices. 

They may also be required to report incidents to the Chief Information Security Officer (link to the Security Development and Management page).

  • Participating in Security Audits

Although this is primarily the red team’s responsibility, a SOC Analyst may also be called upon to participate in regular internal security audits. Their expertise in threat intelligence can provide valuable insights into security monitoring processes, evidence collection, and incident handling.

  • Contributing to Developing Incident Response Plans

SOC Analysts may work with the Incident Response team to develop comprehensive Cyber Incident Response Plans. This outlines the procedures to take and the responsibilities of each stakeholder before, during, and after a cyber-attack.

SOC Analyst Levels

SOCs frequently use a tiered or hierarchical structure to organize and streamline operations. The specific levels or tiers may vary depending on the organization, but they typically include the following:

  • Tier 1 SOC Analyst

This is an entry-level role consisting of professionals who are typically the least experienced. Tier 1 SOC Analysts are responsible for monitoring event logs and security alerts for suspicious activity or indicators of compromise (IOCs).

They perform the initial triage and analysis of security events, investigate low-level incidents, and may also assess the severity and impact of risks. Tier 1 SOC Analysts are excellent options for small-scale companies who expect low levels of attacks.

  • Tier 2 SOC Analyst

Tier 2 SOC Analysts are medium-level professionals with more expertise and experience to handle more complex incidents. They gather data from multiple sources to conduct in-depth analyses and investigate threats. This is done to find the threat's root and recommend possible strategies to prevent it from happening again.

  • Tier 3 SOC Analyst

The Tier 3 SOC Analyst is an expert analyst. They are popularly known as threat hunters and are responsible for reviewing vulnerability and asset discovery data to pinpoint complex, covert threats that may have infiltrated a system or network. 

Tier 3 and Tier 2 SOC Analysts regularly work together to perform in-depth digital forensics, leverage the latest threat intelligence, and use security monitoring tools to improve the organization’s security posture.

Although these three tiers are the most popular, some organizations may also have a SOC Manager or Tier 4 SOC Analyst. 

This cybersecurity professional oversees, guides, and supervises other SOC Analysts to ensure coordination and improvement. They are typically part of the specialization of Security Development and Management (link to page).

Incident Responder

The Incident Responder, also called the Incident Handler, is often considered the first line of defense against cyber-attacks. They are sometimes referred to as firefighters, which demonstrates the urgency of their role in combating incidents.

An Incident Responder responds to and resolves intrusions that have occurred or are occurring in real time. 

The SOC Analyst typically detects the security incident while the Incident Responder contains it, determines what systems or data were affected, and mitigates the threat. 

They may also collaborate with the SOC Analyst to restore systems to normal operations and prevent similar future occurrences.

Part of this role also entails control of change management, ensuring hassle-free transitions during software patches or upgrades.

Lastly, an Incident Responder may collaborate with the public relations, Scribe, or legal team to manage how events are documented and announced to the public.

Incident Responders use various tools and techniques to deal with attacks effectively. They have a similar tech stack to SOC Analysts but also use tools like Endpoint Detection and Response (EDR), Malware Analysis, and Incident Response platforms.

Conclusion: Stop Cyber Threats Today

Defensive security is a vital part of a robust cybersecurity strategy. It can help your organization safeguard data, systems, and networks from threats and malicious activity.

Looking to improve your anticipation and mitigation of potential cyber-attacks? Leverage our security staffing services now.

WebSec’s experienced SOC Analysts and Incident Responders can protect your company’s resources from the latest cyber threats. Regardless of your organization's size and need, we provide flexible, budget-friendly, and customized solutions. Contact us today for a tailored defensive security service based on your requirements. 

Is this an emergency? Call our 24/7 Incident Response team at +31 (0) 850023061 now.

Authored By
Gray Oshin

A Team Member at Websec

Share with the world!

Need Security?

Are you really sure your organization is secure?

At WebSec we help you answer this question by performing advanced security assessments.

Want to know more? Schedule a call with one of our experts.

Schedule a call
Authored By
Gray Oshin

A Team Member at Websec