Cloud Security, PowerShell Expertise Emerge as Key SOC Analyst Skills

Though artificial intelligence is poised to drastically transform enterprise security operations centers (SOCs), for the moment at least, the top three technologies for new hires to be familiar with remain SIEM, host-based extended detection and response, and vulnerability remediation.

But a trio of other hard skills scored highly in a survey of some 400 cybersecurity practitioners that the SANS Institute conducted on behalf of Torq. These include a knowledge of cloud security issues, PowerShell expertise, and the ability to automate repetitive tasks and systems management functions.

Core Hard Skills

Besides the top three skills, "the core hard skills that are currently essential for SOC analysts include: incident handling and response, threat hunting, cloud security, digital forensics, Python, PowerShell, and bash scripting," says Dallas Young, senior technical product manager at Torq.

"As for soft skills, those include critical thinking and creative, informed problem solving, attention to detail in rapidly changing environments, and communication skills at both a technical and interpersonal level," he says.

The SANS survey polled respondents from small, medium, and large companies in the US and other countries about their top SOC challenges. The responses showed that many organizations continue to struggle with issues that have plagued them for years. These include a lack of automation and orchestration of key SOC functions, high-staffing requirements, a shortage of skilled staff, and a lack of visibility. They also reported a pervasive silo mentality among security, incident response, and operations teams.

SOC Retention Rates Improve

On the positive side though, the survey showed a surprising uptick in staff retention rates at many SOCs. Some 30% of respondents — a plurality — identified the average SOC tenure at their organization as being between three and five years, compared to the one-to-three year tenures that respondents indicated in previous SANS surveys.

Young chalks up the trend to the increasing automation of Tier-1 triage and analysis at more organizations. This has enabled SOC analysts to focus on more strategic and intellectually stimulating activities, such as threat hunting and advanced incident response. It's also helped alleviate the analyst burnout problem, he says.

Other factors that appear to have contributed to the increased retention rates include better work environments, with remote and flexible hours and management-track leadership training for high performers. "In addition, for security analysts who want to maintain a technical focus, organizations are paying for more training and certification opportunities in areas of interest such as penetration testing, reverse malware engineering, and cloud security subject matter areas as examples," Young says.

Jake Williams, faculty at IANS Research and vice president of R&D at Hunter Strategy, says current job market conditions have allowed many organizations to secure more experienced SOC analysts at the same budget than they could a few years ago. "This is a good thing for organizations short term, but they should be making plans now for when the job market rebounds," Williams says. "Many organizations are camouflaging a lack of process with the skills these more senior analysts bring to the table."

Cloud Knowledge, ID Management, PowerShell Are Hot Skills

Like Young, Williams says the biggest in-demand SOC skills — outside of the obvious core skills of SIEM and XDR — are knowledge of cloud platforms such as AWS and Azure, and understanding of Active Directory and Entra ID. "I've seen a lot more expectation of baseline cloud knowledge, especially for senior SOC analysts," Williams notes. Given the prolific use of M365 in enterprise, there's an expectation that many senior SOC analysts know PowerShell to query GraphAPI, he says, "PowerShell experience and cloud platform knowledge were niche skills a few years ago. For midtier to senior SOC analysts today, it seems like table stakes."

The SANS survey showed that many SOC practitioners aren't thrilled with their initial usage of artificial intelligence and machine learning tools for SOC analysis purposes. In fact, respondents gave AI and ML tools the lowest rating when asked to rate SOC tools. However, there's little doubt that AI and GenAI technologies are set to fundamentally change the SOC and, in the process, the skills landscape as well.

Young says AI will fundamentally continue moving forward to enhance automated threat detection, proactive threat hunting, automation of repetitive and time-consuming tasks, alert fatigue reduction, and predictive analytics. Increasingly, SOC analysts are going to need to be familiar with machine learning algorithms and data analysis techniques to interpret AI-generated insights, Young says. They will also need skills to handle complex security incidents identified by AI systems and be willing to continuously learn and adapt to new AI technologies and methodologies, he says.

"Why Does That Matter?"

Williams expects AI tools to reduce the need for analysts whose sole role has been to respond to basic alarms. "Junior analysts should be looking now at what tasks AI does — and doesn't — do well and educating themselves in the places they can't be replaced by AI, such as critical thinking," he says. "The SOC of the future will be less about knowing that port 3389 is RDP — AI will provide that context on demand — and more about providing the 'why does that matter in this context?'"

Creative thinking when it comes to interesting problems and correlations will remain a key asset for SOC professionals, says Sajeeb Lohani, senior director of cybersecurity at Bugcrowd. "Nowadays, SIEMs are capable of raising alerts, so it is quite easy to fall into a rut and churn tickets," he says. "However, in my opinion, the most successful professionals are able to correlate events and understand business context when triaging and responding to such alerts. That context is key."

Lohani expects that some threats that are considered relatively niche issues in the SOC will become more important over the next few years. "Currently, a large portion of SOCs haven't had to deal with more niche threats like supply chain security issues," he says. "I believe, over time, that will start to change, and more mature practices will [be needed] to prepare and adapt."