Tier 1 vs. Tier 2 vs. Tier 3 Cybersecurity

It’s no secret that cybersecurity can be overwhelming. But, as an MSP, it’s your job to simplify this world for your clients. One of the easiest ways to do this is to rely on NIST’s tiered cyber analyst system.

According to the NIST security framework, cybersecurity analysts can fall under one of the following tiers:

  • Tier 1 cybersecurity analyst
  • Tier 2 cybersecurity analyst
  • Tier 3 cybersecurity analyst

In this edition of our cybersecurity glossary, we’ll dive into how each tier fits into the overall cybersecurity analyst job description. From there, we’ll break down each tier’s role and how to guide your clients toward selecting the best tier for their business.

There’s a lot of information to cover, so stick around.

What are the roles of cybersecurity analysts?

To break down each specific tier of cyber analyst, we first need to answer, “What does a cybersecurity analyst do, exactly?”

In short, the role of a cybersecurity analyst is protection. Their primary function is to protect a company’s IT assets from corruption or malicious attack. This means any IT hardware, software, and network.

Naturally, this job is easier said than done. Most businesses are moving toward enterprise software and cloud computing solutions and increasing their reliance on the digital realm. This creates more opportunities for digital threat actors, which means cybersecurity needs to evolve in order to maintain defenses. 

Today, cybersecurity professionals are responsible for a wide range of tasks like updating and monitoring security alert systems, running tests/exercises to test and strengthen their existing system, and keeping up with the latest in emerging threat intel and digital threat actor TTPs. 

This broad spectrum of responsibilities is what necessitates a variety of tiered cybersecurity analyst positions, all working together to protect the health of your client’s overall IT estate.

What does a Tier 1 cybersecurity analyst do?

A tier 1 cybersecurity analyst is often referred to as a triage specialist. Their role centers around reviewing and categorizing the latest threats signaled by the system.

Once the tier 1 analyst assesses the urgency and relevancy of these new threats, they will then create a support ticket for anything requiring the attention of a tier 2 cybersecurity analyst.

Tier 1 analysts also handle vulnerability scans and reporting. They will run the necessary scans, review reports, and they will also oversee and configure security monitoring tools. 

What does a Tier 2 cybersecurity analyst do?

Tier 2 cybersecurity analysts fill the role of incident response. They are tasked with reviewing and responding to any support tickets forwarded by tier 1 analysts.

Tier 2 analysts are also responsible for reviewing incoming threat intelligence and responding accordingly. This is the unique skillset Tier 2 analysts bring to the table. They can quickly analyze emerging threat intelligence, identify which systems have been targeted by an incoming attack, and assess the scope of the affected files or systems.

After they have fully determined the extent of a threat, they will go to work on the recovery process. They’ll begin the collection of asset reports (configuration, running processes, etc.) to gain deeper insight into the attack in question. Once this additional information is collected and reviewed, a Tier 2 analyst will begin to craft and direct recovery efforts.

What does a Tier 3 cybersecurity analyst do?

A Tier 3 cybersecurity analyst is regarded as an expert analyst. These professionals are also known as threat hunters. They’re tasked with reviewing vulnerability and asset discovery data to uncover more complex, covert threats that may have entered your client’s system.

Typically, these are threats that somehow circumvent existing security protocols. Tier 3 analysts will leverage the latest threat intelligence, run penetration tests, and recommend potential optimization opportunities for your security monitoring tools to improve your organization’s threat hunting efforts. 

Do cybersecurity analysts need to be certified?

A combination of education and industry-specific certification is required for what a cybersecurity specialist does. A bachelor’s degree in cybersecurity and information assurance is the best place to start.

After receiving the baseline education, cyber analyst candidates pursue specific professional certificates to strengthen their knowledge within the industry. Here are some of the top cybersecurity analyst certifications available:

  • The CompTIA Security+ Designation. This certifies analysts in several areas, including vulnerabilities, incident response, enterprise architecture, and compliance.
  • Certified Information Systems Security Professional. This is widely regarded as the premier cybersecurity analyst certification. Recipients of this certificate possess the knowledge to design, maintain, and implement an ongoing security program. It also satisfies the federal requirement for analysts looking to work at the DoD or other government bodies.
  • Certified Ethical Hacker (CEH). This certification is for professionals who want to work as professional hackers, as well as Tier 3 cybersecurity analysts who need to run penetration tests for organizations’ systems.

Many more certification programs are available, but these stand out as some of the most helpful for individuals wanting to be cybersecurity analysts – regardless of which tier they choose. 

How to choose the best cybersecurity tier for your team

Each client’s IT framework is going to be different. Therefore, the type of analyst that’s best for your team will depend largely on your clients’ needs and your chosen business model as an MSP. 

What type of services do you want to provide? What services are in demand? What specific IT challenges do you see businesses in the marketplace facing? These are just a few of the questions you’ll want to ask yourself when forming your SOC team.

Aside from these questions, the types of IT services you need to provide will also be important. Keep in mind that you can also leverage technology to complete certain cybersecurity tasks, rather than relying on an analyst. It’s important to see what you can outsource or automate to save time, energy, and other resources.  

Let’s take a quick look at why you may want to hire each type of analyst.

Why you might need a Tier 1 analyst

Most duties performed by a Tier 1 cybersecurity analyst can be handled by modern IT automation and orchestration applications. Their primary function will be gathering data to inform more experienced analysts and submitting support tickets. Leveraging automation tools to complete these tasks can give your team a scalable, dependable solution free of human error.

Why you might need a Tier 2 analyst

Tier 2 cybersecurity analysts are necessary when dealing with larger organizations with many IT hardware assets. These analysts excel at conducting the process of incident investigation and can help organizations piece together a forensic timeline of attacks after they occur. If you have clients with complex systems containing intricate networks and many user endpoints, tier 2 analysts may be the perfect fit to help you triage, resolve, and respond to incoming threats.

Why you might need a Tier 3 analyst

Tier 3 cybersecurity analysts are widely considered experts in their field. As such, they are hard to find, and most SOC teams outsource this role. However, that being said, if your organization often deals with complex threats, you may want to consider bringing someone in-house. Any team faced with in-depth incident investigations may benefit from hiring or consulting with a tier 3 analyst.

Ultimately, building the best team comes down to striking a balance between human talent and leveraging technology. Delegating, automating, and outsourcing the more trivial or mundane cybersecurity tasks frees your people to focus on the best use of their time. The result is a team that runs smoothly while making the most out of its human capital. Check out this ebook for a walkthrough on how MSP can build their security offerings and teams

Summing up cybersecurity tiers

Building out an effective SOC team will take analysts of all types. Tier 1 cybersecurity analysts play an essential role in gathering initial incident data and pushing it up the “chain of command.” Your whole incident response process can start on the wrong foot without talented people in this role.

Tier 2 cybersecurity analysts are essential for responding to threats quickly and minimizing your clients’ file loss or damage. These professionals need data, and they need it fast. Leveraging automation to handle initial incident response tasks is critical in minimizing response and dwell times. If your team is constantly getting hit with complex threats, or your system seems to be getting circumvented by hackers, you can always lean on a Tier 3 cybersecurity analyst to offer support.

Getting the most out of any team member, no matter the tier, means these professionals need to use their time efficiently. That’s where SOC automation and orchestration come in. ConnectWise offers several tools to help you better serve your clients’ cybersecurity needs. If you’re unsure what tools may be the best fit, reach out to us. We’ll work with you to determine precisely what you may need and give you trials & demos of our software so you can see what works best for you in real-world scenarios.