Cybersecurity Analyst

Job Role

The analyst role is one of the most common jobs in cybersecurity. Various titles may be given to analyst roles such as Security Operations Center (SOC) Analyst, Security Analyst or Cyber Defense Analyst. Whatever the job title, ultimately, this job is about analysing data from a range of data sources (such as firewall logs and endpoint events data) to identify and mitigate threats.

The NICE Workforce Framework defines cyber defence analysis (which includes PR-CDA-001, the Cyber Defense Analyst role) as an area which:

Uses defensive measures and information collected from various sources to identify, analyze, and report events that occur or might occur within the network to protect information, information systems, and networks from threats.

What is a SOC (Security Operations Center)

The SOC is a critical area that employs cybersecurity analysts. Not all organisations will require a SOC, and of those that do, sometimes it will be a managed service provided by a third party.

According to the UK's National Cyber Security Centre, the key aims of a SOC are:

to detect and respond to threats, keeping the information held on systems and networks secure
to increase resilience by learning about the changing threat landscape (both malicious and non-malicious, internal and external)
to derive business intelligence about user behaviours to shape and prioritise the development of technologies
to identify and address negligent or criminal behaviours

SOC analysts are at the heart of this, monitoring their organisation (or customers' organisations) for alerts and investigating as required.

What does a cybersecurity analyst do?

Analyst roles often require monitoring a wide range of toolsets for alerts, triage of alerts to identify cyber threats (such as cybercriminals seeking to steal data or deploy ransomware) and determine their significance. A cyber analysis role will also include utilising a SIEM (Security Information and Event Management) platform such as Splunk or the Elastic Stack.

Where triage identifies significant threats, you may be required to escalate threats and support the development of response and mitigation options. Security analysts are presented with lots of data from different sources, which they will need to analyse to identify patterns and anomalies for further investigation. Some SOC roles are in 24/7 operational teams and will require shift working.

Defence analysts who work for a managed service provider will also be expected to liaise with customers routinely, including attending client meetings and report generation. Where an incident response team is deployed, you may be expected to support incident responders with their investigations.

Finally, as an analyst, you will be expected to contribute to the continuous improvement of security operations by supporting the development and improvement of signatures and rules to help detect further threats in the future.

Typical job requirements

Understanding of computer networks and operating systems
Knowledge of current cyber threats to enterprises
Triage and evaluate alerts raised by various toolsets
Work as part of a 24/7 operational team
Perform detailed analysis of possible cyber threats
Identify potentially significant incidents and escalate to seniors as appropriate
Develop, improve and review threat signatures
Act as a point of contact for key stakeholders
Assist with the planning and execution of remediation plans
Ability to write internal and customer-facing documentation

Related certifications

CREST Practitioner Intrusion Analyst
CREST Registered Intrusion Analyst
GIAC Certified Intrusion Analyst (GCIA)
GIAC Continuous Monitoring Certification (GMON)
CompTIA Security+
CompTIA Cybersecurity Analyst (CySA+)

Who employs cybersecurity analysts?

Cybersecurity analysis roles are critical for organisations concerned with maintaining a high level of information security. Larger enterprises may have their own analysts, potentially as part of an in-house SOC, whereas other organisations may outsource this function.

Both general managed service providers and specialised cybersecurity consultancies (or managed detection and response companies) employ cyber defence analysts to monitor customer networks and potentially support other services (such as incident response or 'managed detection and response').

When starting out, you should think about whether you would prefer to work in-house, focused on just defending that organisation's networks. Alternatively, would you get more out of working for a service provider where you may be doing monitoring across a range of customer networks?

Cybersecurity analyst salary

In May 2019, the median annual wage for information security analysts in the US was $99,730. In the UK, the median advertised salary for a 'core cyber job' was £53,000.

Salary will often be tightly linked to the industry (for example, cybersecurity roles in finance and insurance are likely to pay more than other sectors) and geography. In the UK, cybersecurity salaries are much higher in London than elsewhere.

How to become a security analyst

When starting out, focus on the core competencies listed below. As you develop as an analyst, you will gain responsibilities supporting and supervising junior staff as you progress to a senior analyst role. You should also consider whether there are particular areas you wish to specialise in or other job roles that might interest you later in your career, such as a malware analyst or dedicated threat hunter.

Computer operating system foundations - for Windows and ideally at least one of Mac and Linux.
Computer networking foundations - understanding TCP/IP and experience using Wireshark to analyse network traffic.
Learn how to automate basic tasks with Python or another scripting language.
Develop an understanding of the cyber threat landscape, cyber threat intelligence and the MITRE ATT&CK Framework.
Get familiar working with a SIEM, such as the Elastic Stack or Splunk.
Develop an understanding of intrusion detection and prevention systems, including developing rules or signatures. For example, familiarity using and developing rules for Snort.