Learn What a Security Operations Engineer Does

Learning Objectives

After completing this unit, you’ll be able to:

  • Describe the responsibilities of a security operations engineer.
  • List key skills needed to become a security operations engineer.

What Does a Security Operations Engineer Do?

Does the idea of chasing adversaries on the internet and thwarting threats excite you? Are you a great problem solver? Do you want to learn more about how adversaries use publicly available information on social media to target organizations? If so, security operations engineering may be the perfect job for you!

Let’s meet Kerri. She’s a security operations engineer at a marketing and advertising company. Kerri enables her company to detect, analyze, and respond to evolving threats to the business. Her first task is to identify valuable assets and associated threats, then protect systems and data, and next detect threats and risks in real time. When a potential threat is detected, she responds to and triages alerts and alarms that may indicate malicious activity, and finally works together with the incident response and disaster recovery teams to recover from incidents. 

Kerri wears a lot of hats in this challenging, but pivotal role. She uses a combination of technical tools and interviews with business system owners to identify the organization’s most critical assets. She works as a sleuth, researching and analyzing the latest threats to better understand the adversary’s tactics, techniques, and procedures (TTPs). She uses open source platforms, such as online research of threat trends in the news, as well as private news feeds on the latest threats and vulnerabilities available from threat intelligence vendors and information sharing consortiums.

Kerri also helps the company take the necessary precautions to protect its systems and data from adversaries by using technology tools to enforce configuration and security policies across the company’s network. This ensures the company’s ideal security state is achieved, as informed by the organization’s cyber risk management process that seeks to identify what level of cybersecurity risk the organization can tolerate. 

She also thinks about ways to automate security procedures and processes in order to protect the company more efficiently and reduce the burden on system owners in securing their data. For example, Kerri receives an alert of a suspicious login. She can use security tools to set up an automatic process by which a ticket is created about the login that is sent to the user by email or in a messaging application. The user can confirm the login and close the ticket, or indicate the login is illegitimate, in which case the information security team will be automatically alerted. This type of automation makes Kerri’s job much easier and more efficient. She’s constantly thinking of these new ways to streamline security postures for the organization. 

Kerri also gets to play the role of watchdog, guarding the network and sniffing out hidden threats. As a security operations engineer, she’s part of the Security Operations Center (SOC) team, which is ground zero for threat detection and response. She watches network, application, and other data to try to detect suspicious activity that could indicate an adversary or malicious insider is up to no good. She needs to protect the company from both known threats, and zero day vulnerabilities, which are brand-new attacks that take advantage of vulnerabilities that were not previously known. 

A guard dog protecting computer servers tracks the footprints of an intruder.

Kerri also plays the role of first responder, rushing to the scene to respond to and triage alerts and alarms generated by the SOCs monitoring tools. She determines the severity of threats and provides context to the situation to support the incident responders on her team. She helps contain threats, for example by taking a system offline temporarily. She then tries to diagnose how the system was compromised by investigating the root cause. 

She also advises the SOC team and business system owners on remediations when a breach has occurred. She reviews the affected system, as well as other connected systems to ensure they are in compliance with security standards. She updates policies, procedures, and controls, to help the organization recover and to ensure the problem does not reoccur. 

All this may sound like a lot of work but Kerri doesn’t work alone. She partners with teams across the organization, including business systems owners, network and application security engineers, cyber risk managers, the incident response and disaster recovery teams, and others, to ensure the organization operates securely. 

Security Operations Engineer Skills

So, like Kerri, you’re excited by the job of identifying threats against organizations and figuring out how to thwart them in order to protect the company’s systems and data. What skills do you need to pursue this career? 

Education and Certifications

First, it helps to have a bachelor’s degree, although this is not a strict requirement. Security operations engineers often have an educational background in computer science, engineering, or information technology, with an emphasis on security controls, such as network access controls, identity, authentication and access management controls, or intrusion detection and prevention controls. Alternatively, instead of a college education, you may have military training. Security operations engineers often also have some years of experience working in security-related disciplines such as threat intelligence, log monitoring and analysis, network diagnosis and analysis, vulnerability analysis, or incident response. 

Pursuing certification is a great way to bolster your skills in these areas, including the Certified Information Systems Security Professional (CISSP), Systems Security Certified Practitioner (SSCP), the GIAC Certified Incident Handler (GCIH), and technology-specific certifications such as the Cisco Certified Network Associate (CCNA) Security certification, to name a few. 

Technical and Business Skills

As a security operations engineer you are a great analyzer, who understands security operations, programming languages, and security architecture. You are adept at analyzing malware and email headers, and you have skills in network security, intrusion detection and prevention systems, operating systems, risk identification and analysis, threat identification and analysis, and log analysis. Familiarity with cloud computing platforms and knowledge of relevant security regulations and compliance practices will also help you in this role. 

In addition to technical skills that help you assess threats and troubleshoot security problems, it’s helpful to have business know-how and an investigative mindset. You collaborate across teams in the SOC and with business systems owners to identify critical assets and assess their security posture. You are a great communicator who can explain security concepts to both technical and nontechnical audiences. You like solving problems and building partnerships, and you are passionate about advocating for improving security practices across the organization. 

Finally, as a security operations engineer, you thrive in a results-oriented, high-energy environment, and you’re very self motivated to solve problems. You’re great at multitasking and prioritizing, and working under pressure in fast-paced environments excites you. Above all you’re highly organized and detail-oriented: You never miss a beat.

Work Environment

One thing to consider as a security operations engineer is that, because many SOCs operate all day, year-round, these roles may require on-call and weekend work. However, you are compensated with a high salary, a variety of exciting opportunities, and increasing demand for your talents. Security operations is a top priority for most organizations, meaning that you’re highly valued and at the center of the action. Additionally, because of the breadth of technology you must protect, you get to work with a diverse range of information security technologies and products. Pretty cool, right?

Knowledge Check

Ready to review what you’ve learned? The knowledge check below isn’t scored—it’s just an easy way to quiz yourself. To get started, arrange the list of items in the right-hand column in the correct sequence by dragging them to the left in the order in which they should occur. When you finish ordering all the items, click Submit to check your work. To start over, click Restart.


Sum It Up

Great work! In this module, you’ve been introduced to the goals of security operations, learned more about the importance of a robust security operations program, and discovered the responsibilities and skills of a security operations engineer. In the next module, you learn more about how you identify high-value assets and associated threats and protect systems and data from adversaries. You also learned more about your role in detecting threats and responding and recovering from incidents. To learn more about cybersecurity and meet practitioners in the field, visit the Cybersecurity Learning Hub on Trailhead.