Everything Security Operations Analyst Entry Level - Is it the Cyber Security Job for you?

Captions
Today we're talking SOC analyst 1 and everything you would want to know about that job before you actually have to do it. Coming up.

Today we're talking about the security operations analyst entry-level position. This job is pretty widely available within the cyber security community across, you know, different enterprises, different industries, different sized organizations. Larger organizations tend to have an in-house kind of security operation, and smaller to medium sized ones might outsource it to a managed security services provider, or basically, you know, kind of a SOC that has multiple clients who don't have one in-house. So for the show today I couldn't think of a better person to interview than Eric Capuano of Recon InfoSec. He's the CTO there and basically has a long, storied career working in security operations centers, all the way from his Air Force days, where he was kind of an entry-level SOC 1 analyst, all the way up to today, where he runs a company that basically provides that managed service. Most of the video today will be that interview with him. I will preface this by saying that for this whole Choose Your Own Adventure series, I'm still figuring out exactly how I plan on delivering the content. I was going to just take notes from our interview with Eric and then provide that to you myself, but I really felt Eric delivered so much value, and really hearing it from his perspective I think is going to give you the perspective and the appreciation for what the security operations analyst level one job is. So I chose to, you know, basically show you the interview itself. I'm going to just break it down right here on the different parts of the interview and what the time breakouts would be, so you can either watch the whole interview, or jump around to different sections, or even come back to refresh yourself. So hopefully that'll be somewhat useful. So we're going to talk to Eric now, so let's hop in.

Well, I mean, there's a broader expectation, right, and then, you know, I kind of have my spin on that. The more broad expectation is that, you know, an entry-level analyst is essentially frontline of defense and triage. You've got sensors to put in the environment, right, and these sensors by themselves deliver limited value because they can't solve problems for you. They might be able to, you know, proactively block activity, but a lot of organizations are gun shy to do that. So a lot of times these sensors are producing alerts based on traffic or activity that's happening, and it's up to a human to analyze what these sensors are reporting on to determine: is this something that needs to be, you know, actioned, or is this just simply regular or normal activity for this environment? And that's a non-trivial activity, right, because it literally varies from place to place, from organization to organization. You know, sitting down and looking at what an IPS is spitting out, looking at what a SIEM is spitting out, and saying, you know, is this normal for this environment or not? And that requires, you know, longevity; it requires understanding of the mission of that organization and baselining them, and there's a lot that goes into that. And so a lot of that is what rolls into the expectations of a SOC analyst: not just to ingest an alert and assume everything that you see here is a breach and then spend countless hours investigating what happened on that endpoint because you got a single detection. It's instead being quick and effective at triaging the data coming out of a SIEM or something like that, and knowing when to invest a lot of time into investigation, or also knowing when a signature needs to be tuned to prevent alert fatigue. All right, so it's really, uh, that's the ultimate struggle there.

So let me ask you this: how much of kind of the typical SOC job for an entry-level person would be kind of following the appropriate playbook versus, I don't want to call it freestyling, but, you know, following your gut or whatever?

Yeah, yeah, yeah. So that's an interesting question, because obviously, so, you know, early as part of my career I was aircraft maintenance for the Air Force, and I bring that up because one of the things that I loved about that career path was that every single thing that we did on a jet, there was a by-the-numbers technical manual that said how to remove the panel, how to troubleshoot this computer in the avionics bay, and then how to swap it out if need be, right? And therefore there is never any question about the performance particulars. And I think a lot of folks recognize that, you know, security operations can and should follow a similar structure. But here's the biggest issue that I see. It's just like I mentioned, you know, knowing how to hunt for evil in an organization, there's no manual for that, because it varies so wildly based on, you know, place to place. Well, similarly, how to respond to these situations or how to triage these types of incidents can seldom be a cookie-cutter type playbook, and therefore it's left to the organization, right? So it's left to the SOC to build these playbooks. So when you have a small team of three or four or five SOC analysts, unless one of those has been in that organization for five plus years and just happens to be a fantastic critical thinker and really good at predicting the many different forks that an investigation can take, most of these teams don't have these playbooks. So the short answer to your question is: should SOCs be following playbooks? Absolutely. The problem is they seldom exist, because that's also a non-trivial activity, to create those playbooks. So, you know, my sort of theory of operation for a SOC is: for every task an analyst does on a daily basis there should be an internal wiki entry for that task, some sort of procedural document, right? And the best time to be creating and updating that document is while the analyst is performing that task, right? Not as an afterthought, right, like, hey, let's spend Friday afternoons working on documentation. That's the wrong approach, because one, if I'm working on the documentation outside of doing that actual task, I'm going off of memory, I'm just kind of, you know, throwing darts at a board here. But if I'm writing the doc as I'm doing the task, there's a much better chance of that being pretty true to life and true to the workflow of the operation.

Interesting. So kind of a natural segue then is: what would you identify as prereq skills for a SOC 1 analyst? I'm thinking there's probably some hard skills and some soft skills.

Yeah, so again, this is one of those where there's an industry answer, but I'll skip straight to kind of giving you my answer for this, because it's done well for me to kind of hire this way. So essentially, I think one of the most critical character traits of a successful SOC analyst is strictly critical thinking. And I've had interviews with entry-level analysts before that had no prior security experience; maybe they came off of an IT help desk somewhere, maybe they were previously a system administrator or software engineer, what have you. And there's a noticeable confidence, sort of, you know, or a lack of confidence, right, in these interviews. But right off the bat I'll clear the air and say, listen, I know that you're coming with no experience and that's okay, right? So if I ask you some security-related questions that you don't know the answer to, I'm actually fine with that. What I want to know is how do you think through the problem, right? Even if you produce a wrong answer, if I can just peer into your thought process and understand how you approach an issue: do you immediately give up because it's difficult or because you don't know the answer, or do you still try to, you know, reduce down to the most likely correct answer? That means a lot more to me than just being able to regurgitate what a Security+ study guide said, right? And I've absolutely hired folks that theoretically bombed the interview, but because I was able to peer into the thought process and see that critical thinking, because, you know what, I can fill in the training gaps, right? I can teach you the concepts that you don't know, but it's actually very hard to instill a critical thinking trait, right? You kind of have it or you don't, right? And so that's probably the most critical dependency that I would identify, because, you know, training and experience, that comes with the job, it's a natural sort of progression, but critical thinking is key there. And another thing that I would say, and it kind of feeds from the previous statement, is be comfortable not knowing, right? Because most of the time a SOC analyst is sitting here looking at something that at face value they don't know what it is, they don't know what it means, and you have to be comfortable with that. But you also have to be comfortable with self-starting and knowing how to kind of chase that down to get to the answer, you know, as quickly as you can, but also knowing when to raise your hand and say, hey, you know what, I've spent about 15, 20 minutes trying to triage this, I'm just not sure what it is, and then, you know, being able to communicate with a colleague for an escalation: so can I get another set of eyes on this? Versus kind of digging your heels in and, you know, spending hours upon hours triaging something that a more seasoned analyst might have helped you deconflict much quicker, right? So being comfortable in the unknown, but then also knowing how to call for help for efficiency's sake.

So as far as kind of career path, if someone were to become a SOC analyst, I mean, is it so structured that, you know, it's just SOC 2, SOC 3 would be the career path? What do you see as someone who's been an analyst 1 for a year and a half, like what kind of realistic options do they have?

Quite a few, actually. Now it does vary from organization to organization, but actually I would say that there are many possibilities as either an upward or a lateral movement from a SOC analyst position, because oftentimes, you know, an entry-level SOC position is really just a feeder into an organization that has many other positions that are related to that field, right? So if you come in as a very broad SOC analyst, you can sort of, from that point, you know, choose your own adventure, if you will, to say, hey, the cases I love the most are the ones where I get to reverse engineer some piece of malware. Well, if your team is large enough and has enough, you know, specialty focuses that you can eventually transition into a reverse engineering type position, that might be your next path, right? Versus going up to a SOC analyst level 2, you might actually, you know, switch over to a more focused specialty based on something you're interested in. And that's actually something that I've fostered with my teams, because one, you know, those positions need to be filled, and two, it's a component that helps keep the SOC analyst happy, that helps keep people at the organization longer. If you let them do what makes them happy, that's how you build and keep really good teams.

So as far as, I do want to segue into talking about pros and cons of the job. I have my own assumptions of what you might say, but, you know, having done as much SOC work as you've done, what is, like, the best part of that job?

I would have to say the best part of the SOC work is that, of course, depending on your role, if you're on a larger team where you're very much kind of shoehorned into one specific function, which is not, you know, the status quo, so on most SOC teams, where you're wearing multiple hats, one minute you're troubleshooting, you know, a host-based sensor that's not producing the right telemetry, another minute you're chasing down a suspicious, you know, parent-child process creation situation, it never gets old, right? Like every day you come into work, you have no idea what you're going to face today. You know, it could be a relatively quiet day where maybe you just deal with a couple phishing attacks; it could be something much more serious than that, you know, dealing with targeted campaigns or, you know, malware that seems to have been crafted particularly for a specific customer. And then when it is quiet, right, when you're not putting out fires, that doesn't mean that you're bored and you're sitting here waiting for the next fire. It actually means that now you get to go into the back end of your detection tools and, you know, write new signatures for emerging threats. So it's this constant sort of, you know, shifting between responding to situations and then bolstering our detection so that we don't miss the things that we ought to be detecting.

But what would you say is kind of the biggest downside to the role?

Yeah, I'll give you two, because I think they're equally, you know, if I had to give you a list, you know, one, two and three, there'd be two number ones. So one of the bigger detractors or downsides, especially on smaller teams, is obviously, you know, you never know when critical situations are going to unfold, and this is not much different than, say, even just conventional IT positions, right? When you're on a small IT team, someone is on call 24/7, right, because you never know when, you know, a critical system is going to go offline or an application is going to crash or something disastrous is going to happen. Well, a SOC operation is no different, and so there's that kind of unpredictability of workload, right? You know, you could have a pretty quiet week, and then the week of Christmas all hell breaks loose, and that's not always desirable, right? And then I would say the other one that can be just as taxing and tends to burn folks out if it's not kept at bay is the concept of sort of that alert fatigue, of, you know, running on a treadmill but never feeling like you're getting anywhere. But I really think that there's a solution to that problem, and it's something that I harp on pretty heavily in my SOCs. You know, if we're noticing that we're just getting bombarded with alerts week after week after week, you know, there should be some metric tied to this to say how many of these alerts are actionable. The ones that are not, there should be an output there, right? It should be the tuning of those sensors to reduce that noise, because otherwise the SOC analyst becomes immune to it, becomes numb to, you know, this noise that's coming from all these systems and sensors, and now we're no longer delivering a valuable service. But the alert fatigue is real, and it is something that I see pretty much everywhere that I go. You know, I drop in as a consultant to many other pretty mature SOC operations, and one of the first things I see is a 50,000 alert backlog that spans years, because no one will ever get to the bottom of it, and they'll think that the solution is just chipping away at it one day at a time. And I'm like, but no one has addressed where all these are coming from yet, right? So like, you'll never get to inbox zero here, because no one's stopping to tune any of the things that are creating this noise. So you're on the hamster wheel, right? You're running, but you're never going to get to the end of this. And that's one of the things that I see burning out SOC analysts the fastest, where they want to move up or out, and unfortunately oftentimes out is a much faster route whenever you're burning out that way.

And when you say out, just out of curiosity, when you say out, are you talking about out to just go start fresh at a different SOC, basically?

Maybe, but I'll tell you that, you know, I've seen folks that have burned out at those levels, and oftentimes the last thing they want to do is go from one SOC to another SOC, right? Grass is not always greener. Now, you know, of course, if you're lucky and you find that other place that is putting those concepts into practice and is preventing the burnout and trying to curb the fatigue, then sure. But I hate to say it, but I think it's the majority of operations that I've seen that are still combating that and not doing a very good job at it, and so it's a pretty rampant issue.

You know, it's kind of an abstract answer, but I can tell you that essentially my path to getting to where I am now was a whole lot of self-study, because like most folks I was doing something completely unrelated before I entered into the security space, and I had to build my skills on, you know, open source tools, open source knowledge, a lot of nights and weekends, you know, tinkering. I'm sure everyone in this space has either, you know, deployed or at least thought about building a home lab, and I can't recommend that enough. But pursuing knowledge and not relying on formal training for it in all cases, because don't get me wrong, formal training is great, but some of the better formal training can be cost prohibitive, especially if you don't even have a job in that space yet. So not waiting for formal training and instead pursuing as much knowledge as you can with your own mechanisms, you know, finding a mentor in the space, someone that's willing to kind of take you aside and show you the ropes. And then, as much of a cliché as this is, you know, Twitter, right? I'm not a huge social media person, but I think most people in our space would agree that Twitter can be a pretty valuable source of knowledge and of networking, especially for InfoSec folks, but then it kind of boils down to knowing who to follow to maintain a decent signal-to-noise ratio, right? But then the critical thinking aspect of it, you know, that again is, I think, a skill that's tough to teach, and I think it might be tough to just simply acquire. But I will say that one thing that I attribute my own critical thinking skills to is that I worked in a previous job where it was very heavily centered around troubleshooting complex systems. So, you know, I would say, as simple and silly as this might sound, if you want to work on critical thinking skills, the next time something complex breaks, you know, my toaster no longer makes toast, right, like, don't throw it out, fix it. Because as seemingly unrelated as that is to InfoSec, it's actually very related, because if you can work through figuring out why that toaster no longer works, you are demonstrating the skills that people like me are looking for in SOC analysts, right? Making toast has nothing to do with solving intrusions, but problem solving, critical thinking, will get you through that process, and that's, I think, one of the most valuable skills that you could be working on.

Interesting. Cool. All right, well, this has been incredibly valuable. I definitely think folks watching this are going to be much more well-informed on what a SOC analyst is and kind of what the expectations are and how to progress towards that. So, talking with Eric Capuano of Recon InfoSec, I really appreciate it, Eric.

Wow, that was great, and I really want to extend my sincere appreciation to Eric for taking the time to talk to me and provide all that great content for you all to be able to digest. So definitely, the SOC analyst job is a fantastic job, lot of opportunity. If you love puzzles, I think it's right for you. Obviously there's burnout as a concern, and, you know, getting the call at 2:00 a.m. You know, threat actors, bad guys, they don't take nights and weekends off, and holidays, you know, actually are kind of the best time for them to attack, because they know that organizations typically are on a skeleton crew. So definitely some things to think about as you're going along your cyber journey and thinking about it. But again, really, really appreciate Eric for his time. Thank you, Eric. Now if you like this and you want to follow the Choose Your Own Adventure series, we're going to be talking to TJ Nelson coming up here in a few weeks. He's a malware analyst, you know, so we're going to be talking level one malware analyst. We'll be talking to a pen tester, Paul, coming up here next week, and really what does a level one ethical hacker, pen tester, offensive security type person do. And we'll be doing a threat analyst later on. If there's another job in the field that you'd like more information on, put it in the comments below and I'll find an expert in the field and interview them and get the answers that you want to hear about these jobs. I really appreciate it. Be sure to hit like on the video, subscribe if you want to help me, you know, promote my show and promote this content, and until next week, stay secure.
Info
Channel: Gerald Auger - Simply Cyber
Views: 39,647
Rating: 4.9629631 out of 5
Keywords: cybersecurity, career, cyber, security, cyber security, entry level, what is a soc analyst, what is security operations, recon infosec, what is an entry level cyber job, what is an entry level cyber security job, get a job, cybersecurity for beginners, security operations center, entry level cyber security job no experience, entry level job cyber security, simply cyber, blue team, security analyst, soc analyst basics, soc analyst career, soc analyst level 1
Id: p9RsKDIGKvc
Length: 21min 56sec (1316 seconds)
Published: Mon Jan 27 2020