Security Operations Center (SOC) teams often divide responsibilities among Tier 1, 2, and 3 analysts. Each level has its distinct duties and expertise, but all of them face the challenge of managing growing workloads with limited resources. This post explores how AI SOC analysts, like Dropzone AI, can complement and enhance the work of human analysts at each tier.
What is the SOC?
At its core, the SOC continuously monitors data from security tools and user reports, hunting for any signs of malicious activity. SOCs have become more widespread over the past 15 years as organizations adopted an “assume breach” mentality. In 2011, Dmitri Alperovitch, then a VP at McAfee and later a co-founder of CrowdStrike, said, “There are only two types of companies—those that know they’ve been compromised, and those that don’t know.” Nowadays, organizations assume threats will slip past preventive defenses, so they continuously look for indicators of attack and compromise that give them a head start on responding to an incident.
SOCs vary widely depending on the organization:
- Smaller organizations often rely on managed security service providers (MSSPs) for SOC support.
- Midsize organizations may have small, in-house teams handling multiple cybersecurity functions, including monitoring for threats, and they may outsource Tier 1 alert triage to a managed detection and response (MDR) provider or MSSP.
- Large enterprises usually have a fully staffed, internal SOC, often structured with defined roles for Tier 1, 2, and 3 analysts.
Let’s dive into what each of these tiers involves and how an AI SOC analyst can help.
Tier 1: Triaging Alerts
Tier 1 analysts are the front line of the SOC. They manage the flood of security alerts, decide which ones are worth investigating, and take the first steps in response. The work is tedious over long stretches, and the high proportion of false positives can lead to “alert fatigue.”
The hours can also be challenging: 12-hour shifts (e.g., 7 AM - 7 PM or 7 PM - 7 AM) on a four-days-on, four-days-off rotation are common. This junior role usually requires at least one cybersecurity certification, such as CompTIA Security+, and familiarity with frameworks such as MITRE ATT&CK for classifying attackers’ tactics and techniques.
Primary Responsibilities:
- Reviewing alerts generated by security tools and assessing whether they indicate a real threat
- Following company playbooks when investigating different alert classes (phishing, identity, etc.)
- Escalating alerts that require further investigation to Tier 2
- Escalating alerts with strong indicators of malicious activity to Tier 3
- Addressing user reports of unusual activity, such as suspected phishing attempts
How Dropzone AI Helps:
Dropzone AI can take on the heavy lifting by automating alert triage and investigation. Instead of a manual process, the AI examines each alert in a matter of minutes and produces a detailed report of its findings. This helps SOCs keep up with growing alert volumes: human analysts spend their time reviewing results and making decisions rather than digging through the raw data themselves. By shouldering routine tasks, AI frees Tier 1 analysts for more in-depth work, such as threat hunting or vulnerability management, which broadens their skills.
Because AI SOC analysts replicate the techniques of experienced analysts, Tier 1 analysts who are just getting started in the SOC can learn as they review the reports and findings. This has the potential to accelerate the progression of employees from Tier 1 to Tier 2 work.
Tier 2: Deeper Investigation
Tier 2 analysts handle the escalated alerts that require more thorough investigation. They usually have a few years of experience and skills such as building event timelines across data sources, interpreting malware sandbox reports, and performing root cause analysis. Their primary role is to determine whether a flagged incident is a genuine security issue and, if so, how severe it is.
There are fewer Tier 2 positions than Tier 1 positions. The ratio between Tier 1 and Tier 2 analysts depends on the size of the SOC: in smaller SOCs it might be 2:1 or 3:1, while in larger SOCs it might be 5:1. Tier 2 analysts are often expected to mentor Tier 1 analysts and help build their skills.
Ultimately, Tier 2 analysts are looking for any incident that the alert may indicate. They can remediate and close out common incidents themselves, such as a single compromised user account or commodity malware execution. Anything involving an advanced attack (lateral movement, ransomware, cloud infrastructure compromise, multi-account compromise from a phishing campaign) is escalated further. When such an attack is identified, the Tier 2 analyst engages the computer security incident response team (CSIRT), which includes Tier 3 analysts as well as representatives from IT, legal, PR, and customer support.
Primary Responsibilities:
- Digging into escalated alerts with advanced tools to confirm whether an attack actually occurred
- Investigating the root cause of security incidents and assessing their scope (for example, whether sensitive data was accessed)
- Extracting indicators of compromise (IOCs) that can be used to enrich detections or be shared with information sharing and analysis centers (ISACs)
- Collaborating with other teams to confirm details needed during investigations
- Writing up detailed reports on their findings and, if needed, escalating the issue to Tier 3
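To make the Tier 1 and Tier 2 work described above concrete, here is an added example (not code from Dropzone AI or from the original post) of a small triage pass: it sorts constructed alerts into per-user timelines, extracts IOCs from the alert text, correlates phishing reports across users, and applies the escalation rules the post describes (known-benign classes closed at Tier 1, anything needing investigation to Tier 2, lateral movement, ransomware and multi-account phishing to Tier 3). The alert field names, the ATT&CK technique IDs treated as “advanced”, and the sample alerts are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample alerts (not real telemetry); the field names are assumptions.
SAMPLE_ALERTS = [
    {"id": "A1", "ts": "2024-05-01T08:02:11Z", "src": "edr", "host": "ws-017", "user": "jdoe",
     "technique": "T1059.001", "msg": "powershell.exe -EncodedCommand (redacted) connected to 203.0.113.45"},
    {"id": "A2", "ts": "2024-05-01T08:05:40Z", "src": "idp", "host": "-", "user": "jdoe",
     "technique": "T1078", "msg": "login from 198.51.100.7 after 12 failed attempts"},
    {"id": "A3", "ts": "2024-05-01T08:09:03Z", "src": "edr", "host": "srv-db-02", "user": "jdoe",
     "technique": "T1021.002", "msg": "admin share C$ opened from ws-017; dropped file md5 d41d8cd98f00b204e9800998ecf8427e"},
    {"id": "A4", "ts": "2024-05-01T09:15:00Z", "src": "mail", "host": "-", "user": "asmith",
     "technique": "T1566.002", "msg": "user reported link http://login-portal.example/verify"},
    {"id": "A5", "ts": "2024-05-01T09:21:30Z", "src": "mail", "host": "-", "user": "bwong",
     "technique": "T1566.002", "msg": "user reported link http://login-portal.example/verify?u=2"},
    {"id": "A6", "ts": "2024-05-01T09:30:12Z", "src": "av", "host": "ws-044", "user": "cruz",
     "technique": None, "msg": "quarantined EICAR test file"},
    {"id": "A7", "ts": "2024-05-01T10:02:45Z", "src": "idp", "host": "-", "user": "dlee",
     "technique": "T1078", "msg": "login from 192.0.2.10 in a country not seen before for this user"},
]

# ATT&CK techniques treated here as "advanced" (assumption): T1021 Remote Services
# (lateral movement) and T1486 Data Encrypted for Impact (ransomware).
TIER3_TECHNIQUES = {"T1021", "T1486"}
# Playbook stand-in: untagged alerts whose text matches a known-benign pattern close at Tier 1.
BENIGN_PATTERNS = [re.compile(r"\bEICAR\b", re.IGNORECASE)]

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.IGNORECASE),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
}


def extract_iocs(text):
    """Return {ioc_type: sorted unique values} found in free text; empty dict if none."""
    found = {}
    for kind, pattern in IOC_PATTERNS.items():
        hits = sorted(set(pattern.findall(text)))
        if hits:
            found[kind] = hits
    return found


def base_technique(technique_id):
    """'T1021.002' -> 'T1021'; None stays None."""
    return technique_id.split(".")[0] if technique_id else None


def _minutes_apart(a, b):
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    delta = datetime.strptime(a["ts"], fmt) - datetime.strptime(b["ts"], fmt)
    return abs(delta.total_seconds()) / 60


def triage(alerts, window_minutes=60):
    """Assign each alert a tier (1, 2 or 3), a reason, and its extracted IOCs."""
    # Per-user timelines, oldest first (the ordering step a Tier 2 analyst does by hand).
    timeline = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        timeline[alert["user"]].append(alert)

    # Phishing reports that share a URL host across two or more users form a campaign.
    reporters_by_host = defaultdict(set)
    for alert in alerts:
        if base_technique(alert["technique"]) == "T1566":
            for url in extract_iocs(alert["msg"]).get("url", []):
                reporters_by_host[urlparse(url).netloc].add(alert["user"])
    campaign_hosts = {h for h, users in reporters_by_host.items() if len(users) >= 2}

    results = {}
    for user, events in timeline.items():
        lateral = [e for e in events if base_technique(e["technique"]) in TIER3_TECHNIQUES]
        for event in events:
            iocs = extract_iocs(event["msg"])
            tech = base_technique(event["technique"])
            if tech in TIER3_TECHNIQUES:
                tier, reason = 3, "advanced technique %s; engage CSIRT" % event["technique"]
            elif tech == "T1566" and any(urlparse(u).netloc in campaign_hosts for u in iocs.get("url", [])):
                tier, reason = 3, "multi-account phishing campaign; engage CSIRT"
            elif any(_minutes_apart(event, l) <= window_minutes for l in lateral):
                tier, reason = 3, "same user as lateral movement within %d min" % window_minutes
            elif event["technique"] is None and any(p.search(event["msg"]) for p in BENIGN_PATTERNS):
                tier, reason = 1, "playbook: known benign, closed at Tier 1"
            else:
                tier, reason = 2, "needs investigation"
            results[event["id"]] = {"tier": tier, "reason": reason, "iocs": iocs, "user": user}
    return results


if __name__ == "__main__":
    for alert_id, verdict in sorted(triage(SAMPLE_ALERTS).items()):
        print(alert_id, "Tier", verdict["tier"], "-", verdict["reason"], verdict["iocs"])
```

The correlation rules are deliberately simple; the point is that the escalation decision is a function of the whole timeline for a user, not of one alert in isolation, and that IOCs are pulled out as structured data so they can feed detections or an ISAC report rather than living only in the analyst’s notes.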
How Dropzone AI Helps:
While Dropzone AI focuses primarily on Tier 1 tasks, it also cuts down the time Tier 2 analysts spend on an investigation. The AI provides consistent, well-documented summaries and findings that quickly bring a Tier 2 analyst up to speed on a case. In addition, Dropzone AI’s chatbot feature lets analysts go deeper into an investigation by asking questions in natural language and retrieving answers directly from security tools, without having to work in each tool’s query language or data schema. This removes the back-and-forth of pulling data from different systems and lets analysts focus on decision-making.
Tier 3: The Specialists
Tier 3 analysts are the experts who step in when a serious incident is confirmed. To be clear, there are not many people with “Tier 3 analyst” in their job title; more often, these are senior security engineers who join incident response when needed. They analyze incidents in depth, determine how attackers got in, and work with incident response teams to contain and remediate the threat. These analysts are highly skilled, often with years of experience in forensics and incident response.
For P1 (highest-severity) incidents, the company may also bring in outside consultants to help with incident response.
Primary Responsibilities:
- Conducting detailed forensic investigations on confirmed security incidents
- Assessing the scope of a breach and understanding the attackers’ methods and objectives
- Identifying gaps in security controls and making recommendations for improvements
- Working with legal, PR, and customer service teams during incidents that require a coordinated response
Their investigations come under pressure to produce quick and accurate answers, especially as regulatory requirements and customer demands for transparency increase. For example, the SEC’s cybersecurity disclosure rule requires public companies to report a material cybersecurity incident on Form 8-K within four business days of determining that it is material, which means the scope and impact assessment has to be reliable early in the investigation.
How Dropzone AI Helps:
Dropzone AI supports Tier 3 analysts by speeding up data collection and analysis. For instance, it can quickly gather key context such as a user’s permissions and historical activity so analysts get a complete picture fast. It can also drive tools such as Wireshark (packet analysis), CAPA (identifying the capabilities of a suspicious executable), and osquery (querying endpoint state), performing tasks that would otherwise consume valuable time. When incidents demand quick action, having an AI assistant to gather data and perform analysis can make all the difference.
Conclusion: AI and the Future of the SOC
AI SOC analysts like Dropzone AI are already proving their value in managing the flood of alerts that threaten to overwhelm security teams. By automating routine tasks and providing fast, consistent insights, AI allows human analysts to focus on more meaningful work. Whether you’re a Tier 1 analyst triaging a mountain of alerts or a Tier 3 expert conducting a high-stakes investigation, an AI SOC analyst can streamline your day-to-day operations and help you make the most of your expertise.