Operations // Careers & People
4/2/2014
11:00 AM
Rick Howard
Commentary

The Right Stuff: Staffing Your Corporate SOC

What makes a top-notch security analyst? Passion, experience, and communication skills trump certifications and degrees. But you get what you pay for.

Building a Security Operations Center (SOC) from scratch or revamping an underperforming one is a daunting leadership challenge. If a cyber adversary gets past your SOC analysts, there is nobody else in the organization who can find them. 

You can deploy all of the latest and greatest tools for your security stack, but if you don’t have the right people to run them and analyze the data they generate, you’re wasting your time. As you might expect, folks like these can be hard to come by, so let’s take a look at what makes a top-notch SOC analyst.

Let’s start with the perennial question over certifications. In the past decade our college and professional certification programs have strived to meet the demand for trained cyber-security experts. This has flooded the employment space with cyber-security wannabes who think a cyber-security certification from some reputable program or an Information Assurance degree qualifies them to sit in an SOC. 

This couldn’t be further from the truth. In my experience, passing a certification exam or getting a degree simply shows that a potential employee is a good test-taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs.

Don’t get me wrong. Certification programs can be an important piece of a cyber-security practitioner’s complete education. A couple of certifications I do think SOC analysts should pursue are the CISSP certification and the many courses in the SANS Curriculum.

Passion and experience
The most critical attributes involve passion tempered by experience. SOC analysts have to deeply understand how computers and networks work at the ones and zeros level and be able to sling code into useful tools for analysis. They have to love this stuff and be able to explain what they know to all kinds of audiences: fellow geeks, IT management and the C-Suite. If they’re not playing with a Linux box at home, they are not qualified. In other words, they have to have a basic understanding of computer science, a passion for the craft, and an ability to explain what they know to anybody who will listen.

They also must have spent time in the IT trenches. A career path for my fantasy SOC analyst includes time on the IT help desk, managing servers in the datacenter, and finally, managing some of the security devices in the security stack. Once they’ve performed these functions, they’ll have some context when an adversary starts to work his way down the kill chain into your network. They will understand the impact to your network when a cyberspy bypasses your controls to target your CEO. They will understand what has to be done when a hacktivist attempts to destroy your business’s reputation by leveraging a programming error on a public-facing website. And they will intuitively understand what the cyber criminal must do to steal your customers’ credit card numbers. Without that IT background, they can’t understand what they are seeing as incidents arise in the SOC.

That said, here are what I consider to be the top five skills an entry-level SOC analyst must have:

  • Strong understanding of basic computer science: algorithms, data structures, databases, operating systems, networks, and tool development (not production-quality software but tools that can help you do stuff)
  • Strong understanding of IT operations: help desk, end-point management, and server management
  • Strong ability to communicate: write clearly and speak authoritatively to different kinds of audiences (business leaders and techies)
  • Strong understanding of adversary motivations: cybercrime, cyber hacktivism, cyberwar, cyber espionage, and the difference between cyber propaganda and cyber terrorism
  • Strong understanding of security operations concepts: perimeter defense, BYOD management, data loss protection, insider threat, kill chain analysis, risk assessment, and security metrics

If you are hiring a more senior person, some specialties to look for include:

  • Strong understanding of vulnerability management: what vulnerabilities are, how to find them, and how to mitigate them
  • Strong understanding of malicious code: reverse engineering skills, practitioner tactics, techniques and procedures from common motivations (see above)
  • Strong understanding of basic visualization techniques, especially big data
  • Strong understanding of basic cyber-intelligence techniques
  • Strong understanding of foreign languages: (First Tier: Chinese, Russian, Arabic, and Korean; Second Tier: Japanese, German, French, Portuguese, and Spanish)

Lost in translation
The skill that is the hardest to find in a potential SOC analyst is the ability to communicate: to write or present intelligence derived from raw information. I know this is not intuitive. I just outlined the set of complex technical skills that a SOC analyst needs to have, then said the rarest skill is the ability to write sentences. But it’s true, because it’s tough to relate the impact of a security event to a business or government leader or a techie if the SOC analyst cannot effectively communicate relevant information. An individual can be the smartest malcode reverse engineer on the planet, but all that knowledge is useless if he or she can’t translate geek speak into a response.

As for compensation, SOC analysts who have the basics covered and one or more specialty skills are making north of $100K a year, depending on where they live. You can pay less, but your analyst will likely not have the skills you need. This may not be a problem provided you already have qualified SOC analysts who can train the newbie.

As you build your shiny new SOC or upgrade your old one, don’t neglect the skill sets of the analysts you hire. And don’t be fooled by newly minted cyber-security professionals with their brand-new certifications or information assurance degrees. They are on the right path, but they need some seasoning first.

Have I missed anything? Let’s chat about it in the comments.

Rick Howard is Chief Security Officer for Palo Alto Networks, where he is responsible for internal security of the company as well as developing the Threat Intelligence Team to support the next-generation security platform. He previously served as Chief Information Security ...

Comments
RaceBannon99
User Rank: Apprentice
4/3/2014 | 9:21:56 PM
Re: Outside the Box
Oh yes - they are great first steps. But he has to demonstrate his ability to learn on his own. It is like I said in the essay, if he is not running Linux at home, he is probably not curious enough to be a good SOC analyst.
RaceBannon99
User Rank: Apprentice
4/3/2014 | 9:20:02 PM
Re: Outside the Box
That is really well said. I agree with you. Don't get me wrong. I was not trying to de-value the college or certificate experience (OK - I did take a jab at them, I admit), but I do stand by my point that they are not sufficient. You need more.
KevinK-
User Rank: Apprentice
4/3/2014 | 4:49:16 PM
Re: Outside the Box
Rick, thanks for clarifying your posting. We all could probably debate this topic until the 'cows come home.' I have a few certifications that I'm looking into, such as from CompTIA, ISC2, Cisco and EC-Council. I will add SANS to my list to review and consider. I'm currently taking the IT Security Certification course from VillanovaU... not sure how valuable this will be on my resume. Right now, it's all about time and money!
RyanSepe
User Rank: Ninja
4/3/2014 | 4:21:28 PM
Re: Outside the Box
@Kevin, I think you make some very valid points.

@Rick, An experienced professional should have experience intertwined with education and certification. However, I think everything is what you make of it. So to say that college and certification people are just good test takers, I guarantee that if that's what the individual is trying to accomplish, then that person will show the same get-through attitude in a work environment. So I would say experience, certifications, education, is all well and good, but I think at the end of the day the most important trait you are trying to delineate is good character. You want someone who will get the most out of all those situations. 'Cause experience does not guarantee efficiency and capability. Thoughts?
Marilyn Cohodas
User Rank: Strategist
4/3/2014 | 8:45:55 AM
Re: Outside the Box
Rick, what advice would you give someone like Kevin on how to present himself to an SOC hiring manager in order to build a foundation in security? Would the CISSP certification or a course in the SANS Curriculum that you mention be a good first step? Or is there another path to get him in the door?
RaceBannon99
User Rank: Apprentice
4/3/2014 | 8:34:08 AM
Re: Outside the Box
Hey Kevin,

You make some good points. Let me clarify a bit. I am not saying that you should not hire inexperienced folks to work in your security organization and train them to be better employees. I am saying that these new people should probably not be key players in your SOC right out of the gate. I also agree that having IT experience and passion, as you describe yourself, go a long way towards making a very good SOC analyst. Having worked in the IT trenches, you already have a basic understanding of how everything fits together. Your willingness to improve yourself on your own time goes a long way too. These are the qualities I would be looking for in my SOC analyst.

Rick
KevinK-
User Rank: Apprentice
4/2/2014 | 9:46:22 PM
Outside the Box
Hi Rick,

You write a very compelling article for bringing on qualified people into a SOC. I agree that folks who have very little IT experience, but a couple of security-related certifications, may not be ideal. But, with the so-called 'shortage' of skilled security candidates, hiring managers should really be thinking outside the box. Not everyone is going to have the solid IT experience, but some will have the passion and desire... so they just need a bit of hand-holding to get going, and they will flourish.

In my case, I have been in IT for 16 years, but on the fringes of IT security and networking. I have the desire, interest and passion to move into the IT security world. I have been a software developer, tester, systems analyst and business analyst. As far as I'm concerned, I just need some solid training and some certifications, which I'm working on. I'm taking an 'unconventional' route, based on your guidelines in your post. But, sometimes you would be surprised by the unconventional.

Cheers
Marilyn Cohodas
User Rank: Strategist
4/2/2014 | 4:34:41 PM
Re: odes are malicious!
My odes would be malicious. But thanks for catching the typo -- and making me smile at the end of a long day. :-)
GonzSTL
User Rank: Ninja
4/2/2014 | 3:42:19 PM
Re: odes are malicious!
Shakespeare was particularly adept at writing malicious odes, although they were purported to come out of the mouths of the characters in his works, and not from himself.
adriendb
User Rank: Apprentice
4/2/2014 | 1:42:46 PM
odes are malicious!
'malicious ode'? typo in the story.