Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

5/20/2019
10:30 AM
Edy Almer
Edy Almer
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Killer SecOps Skills: Soft Is the New Hard

The sooner we give mindsets and tool sets equal bearing, the better. We must put SOC team members through rigorous training for emergency situations.

I spend a lot of time with security operations center (SOC) and incident response teams — functions that have been hit particularly hard by the cybersecurity talent shortage. As I witness my colleagues struggling to fill open SOC positions, I can't help but notice their tendency to value technical skills and specific product knowledge over all other criteria. Now that breaches are the new normal, so-called "soft skills" — such as communication and teamwork skills — are just as important as technical skills but are almost always overlooked when hiring.

Don't get me wrong — technical skills and product knowledge are essential, but when a breach is discovered, SOC staff flip from being the last line of defense against an attack to the first ones responding to it. SOC analysts have evolved into cybersecurity first responders, but they're not evaluated and trained the way first responders in other domains are, and they should be. Think about it — when a cyberattack occurs, an analyst with 10 years of experience with Windows Sysinternals and Wireshark won't be much of an asset if he or she doesn't perform well under pressure.

No reputable EMT provider would hire paramedics only because of their experience with a certain kind of defibrillator, yet that's how we hire in cybersecurity. Even in SOC analyst job descriptions where soft skills are given lip service, rarely are those traits vetted with any rigor during the interview process.

● Excellent communication skills: At just about every customer site, we are asked to help train SOC managers to do a better job of communicating technical information to non-technical executives. This is hard enough to do when you have time to prepare what you want to say, so imagine how stressful it can be to explain the nuances of a ransomware situation to a CFO or CEO when a decision on whether or not to pay the ransom needs to be made in a matter of minutes.

● Teamwork skills: SOC teams must be able to collect and disseminate information and tasks across multiple teams. For example, when correlating information about a new attack, clues usually come from multiple sources: network and endpoint experts, malware analysts, operations teams, and additional team members. Incident responders must not only communicate effectively and succinctly, they must be able to delegate to and project manage multiple teams that may have limited understanding of cybersecurity, and under accelerated timelines where broken communication channels can have irreversible negative consequences. 

● Creative thinking/problem solving: Out-of-the-box thinking is an asset valued by the hacker community for good reason. The same qualities than enable attackers to get into a network are just as useful for defense. For example, one of our customers simulated an attacker blocking the Windows Task Manager process. One clever incident responder renamed and ran the file, which revealed the attacker's actions and enabled them to squash the attack.

● Functions well under pressure: This is a signature quality of any first responder in any field. Currently, few cyber incidents qualify as life-and-death situations, but as attacks against industrial control system targets such as electric and nuclear power plants and Internet of Things systems such as car computers and medical equipment become mainstream, that is likely to change. Incident responders who are unable to function under extreme pressure should be identified and transferred into other roles now, before cyberattacks have the capacity to become fatal.

Any profession that requires people to perform well in high-stakes, high-pressure situations (doctors, pilots, paramedics soldiers, professional athletes) are evaluated and trained the same way — through realistic, experiential drills that simulate or otherwise recreate real-world conditions.

When preparing for the Battle of Normandy, General Eisenhower created a replica of the enemy's coastal defenses, and in order to get soldiers used to the pressure, had the troops repeatedly practice landing on the shore amid simulated gunfire and explosions. Other fields, including ER doctors and pilots, undergo equally elaborate simulated training as well. It's time we did the same with SOC analysts.

But we can't just look for these traits when hiring and then move on once the analyst has been hired. To make sure cybersecurity first responders are prepared for an attack, especially given how quickly SOC tools and attack tactics, techniques, and procedures evolve, incident responders should be drilled regularly — at least quarterly.

It will be a culture and process shift to adapt our hiring and training processes accordingly, but it's an entirely doable proposition — we just need to make it happen. The skills shortage won't go away overnight, but when it comes to hiring and training incident responders, the sooner we give mindsets and tool sets equal bearing, the better.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Edy Almer leads Cyberbit's product strategy. Prior to joining Cyberbit, Almer served as vice president of product for Algosec. During this period the company's sales grew by over four times in five years. Before Algosec, Almer served as vice president of marketing and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
amyjack
50%
50%
amyjack,
User Rank: Apprentice
6/6/2019 | 11:24:36 AM
Security
Everywhere security should be there and always the security has to be updated according to the conditions otherwise there will be some loopholes in it and it can be bypassed easily can someone suggest what kind of security should be there in the best institute in bhubaneswar so that my coaching remain safe.
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17666
PUBLISHED: 2019-10-17
rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a certain upper-bound check, leading to a buffer overflow.
CVE-2019-17607
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php servername parameter.
CVE-2019-17608
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbname parameter.
CVE-2019-17609
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter.
CVE-2019-17610
PUBLISHED: 2019-10-16
HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter.