
Attacks/Breaches

4/2/2014 11:00 AM
Rick Howard
Commentary

The Right Stuff: Staffing Your Corporate SOC

What makes a top-notch security analyst? Passion, experience, and communication skills trump certifications and degrees. But you get what you pay for.

Building a Security Operations Center (SOC) from scratch or revamping an underperforming one is a daunting leadership challenge. If a cyber adversary gets past your SOC analysts, there is nobody else in the organization who can find them. 

You can deploy all of the latest and greatest tools for your security stack, but if you don’t have the right people to run them and analyze the data they generate, you’re wasting your time. As you might expect, people like these are hard to come by, so let’s take a look at what makes a top-notch SOC analyst.

Let’s start with the perennial question over certifications. In the past decade our college and professional certification programs have striven to meet the demand for trained cyber-security experts. This has flooded the employment space with cyber-security wannabes who think a cyber-security certification from some reputable program or an Information Assurance degree qualifies them to sit in a SOC.

This couldn’t be further from the truth. In my experience, passing a certification exam or getting a degree simply shows that a potential employee is a good test-taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs.

Don’t get me wrong. Certification programs can be an important piece of a cyber-security practitioner’s complete education. A couple of certifications I do think SOC analysts should pursue are the CISSP certification and the many courses in the SANS Curriculum.

Passion and experience
The most critical attributes involve passion tempered by experience. SOC analysts have to deeply understand how computers and networks work at the ones and zeros level and be able to sling code into useful tools for analysis. They have to love this stuff and be able to explain what they know to all kinds of audiences: fellow geeks, IT management and the C-Suite. If they’re not playing with a Linux box at home, they are not qualified. In other words, they have to have a basic understanding of computer science, a passion for the craft, and an ability to explain what they know to anybody who will listen.

They also must have spent time in the IT trenches. A career path for my fantasy SOC analyst includes time on the IT help desk, managing servers in the datacenter, and finally, managing some of the security devices in the security stack. Once they’ve performed these functions, they’ll have some context when an adversary starts to work his way down the kill chain into your network. They will understand the impact to your network when a cyberspy bypasses your controls to target your CEO. They will understand what has to be done when a hacktivist attempts to destroy your business’ reputation by leveraging a programming error on a public-facing website. And they will intuitively understand what the cyber criminal must do to steal your customers’ credit card numbers. Without that IT background, they can’t understand what they are seeing as incidents arise in the SOC.

That said, here are what I consider to be the top five skills an entry-level SOC analyst must have:

  • Strong understanding of basic computer science: algorithms, data structures, databases, operating systems, networks, and tool development (not production-quality software but tools that can help you do stuff)
  • Strong understanding of IT operations: help desk, end-point management, and server management
  • Strong ability to communicate: write clearly and speak authoritatively to different kinds of audiences (business leaders and techies)
  • Strong understanding of adversary motivations: cybercrime, cyber hacktivism, cyberwar, cyber espionage, and the difference between cyber propaganda and cyber terrorism
  • Strong understanding of security operations concepts: perimeter defense, BYOD management, data loss protection, insider threat, kill chain analysis, risk assessment, and security metrics

If you are hiring a more senior person, some specialties to look for include:

  • Strong understanding of vulnerability management: what vulnerabilities are, how do we find them, and how do we mitigate them?
  • Strong understanding of malicious code: reverse engineering skills, practitioner tactics, techniques and procedures from common motivations (see above)
  • Strong understanding of basic visualization techniques, especially big data
  • Strong understanding of basic cyber-intelligence techniques
  • Strong understanding of foreign languages: (First Tier: Chinese, Russian, Arabic, and Korean; Second Tier: Japanese, German, French, Portuguese, and Spanish)

Lost in translation
The skill that is the hardest to find in a potential SOC analyst is the ability to communicate: to write or present intelligence derived from raw information. I know this is not intuitive. I just outlined the set of complex technical skills that a SOC analyst needs to have, then said the rarest skill is the ability to write sentences. But it’s true because it’s tough to relate the impact of a security event to a business or government leader or a techie if the SOC analyst cannot effectively communicate relevant information. An individual can be the smartest malcode reverse engineer on the planet, but all that knowledge is useless if he or she can’t translate geek speak into a response.   

As for compensation, SOC analysts who have the basics covered and one or more specialty skills are making north of $100K a year, depending on where they live. You can pay less, but your analyst will likely not have the skills you need. This may not be a problem provided you already have qualified SOC analysts who can train the newbie.

As you build your shiny new SOC or upgrade your old one, don’t neglect the skill sets of the analysts you hire. And don’t be fooled by newly minted cyber-security professionals with their brand-new certifications or information assurance degrees. They are on the right path, but they need some seasoning first.

Have I missed anything? Let’s chat about it in the comments.

Rick Howard is Chief Security Officer for Palo Alto Networks, where he is responsible for internal security of the company as well as developing the Threat Intelligence Team to support the next-generation security platform. He previously served as Chief Information Security ...

Comments
RaceBannon99
User Rank: Apprentice
4/3/2014 | 9:21:56 PM
Re: Outside the Box
Oh yes - they are great first steps. But he has to demonstrate his ability to learn on his own. It is like I said in the essay, if he is not running Linux at home, he is probably not curious enough to be a good SOC analyst.
RaceBannon99
User Rank: Apprentice
4/3/2014 | 9:20:02 PM
Re: Outside the Box
That is really well said. I agree with you. Don't get me wrong. I was not trying to de-value the college or certificate experience (OK - I did take a jab at them, I admit), but I do stand by my point that they are not sufficient. You need more.
KevinK-
User Rank: Apprentice
4/3/2014 | 4:49:16 PM
Re: Outside the Box
Rick, thanks for clarifying your posting. We all could probably debate this topic until the 'cows come home.' I have a few certifications that I'm looking into. Such as from CompTIA, ISC2, Cisco and EC-Council. I will add SANS to my list to review and consider. I'm currently taking the IT Security Certification course from VillanovaU....not sure how valuable this will be on my resume. Right now, it's all about time and money!
RyanSepe
User Rank: Ninja
4/3/2014 | 4:21:28 PM
Re: Outside the Box
@Kevin, I think you make some very valid points.

@Rick, An experienced professional should have experience intertwined with education and certification. However, I think everything is what you make of it. So to say that college and certification people are just good test takers, I guarantee that if that's what the individual is trying to accomplish, then that person will show the same get-through attitude in a work environment. So I would say experience, certifications, education, is all well and good, but I think at the end of the day the most important trait you are trying to delineate is good character. You want someone who will get the most out of all those situations. 'Cause experience does not guarantee efficiency and capability. Thoughts?
Marilyn Cohodas
User Rank: Strategist
4/3/2014 | 8:45:55 AM
Re: Outside the Box
Rick, what advice would you give someone like Kevin on how to present himself to a SOC hiring manager in order to build a foundation in security? Would the CISSP certification or a course in the SANS Curriculum that you mention be a good first step? Or is there another path to get him in the door?
RaceBannon99
User Rank: Apprentice
4/3/2014 | 8:34:08 AM
Re: Outside the Box
Hey Kevin,

You make some good points. Let me clarify a bit. I am not saying that you should not hire inexperienced folks to work in your security organization and train them to be better employees. I am saying that these new people should probably not be key players in your SOC right out of the gate. I also agree that having IT experience and passion, as you describe yourself, go a long way towards making a very good SOC analyst. Having worked in the IT trenches, you already have a basic understanding of how everything fits together. Your willingness to improve yourself on your own time goes a long way too. These are the qualities I would be looking for in my SOC analyst.

Rick
KevinK-
User Rank: Apprentice
4/2/2014 | 9:46:22 PM
Outside the Box
Hi Rick,

You write a very compelling article for bringing qualified people into a SOC. I agree that folks who have very little IT experience, but a couple of security-related certifications, may not be ideal. But, with the so-called 'shortage' of skilled security candidates, hiring managers should really be thinking outside the box. Not everyone is going to have the solid IT experience, but some will have the passion and desire... so they just need a bit of hand-holding to get going, and they will flourish.

In my case, I have been in IT for 16 years, but on the fringes of IT security and networking. I have the desire, interest and passion to move into the IT security world. I have been a software developer, tester, systems analyst and business analyst. As far as I'm concerned, I just need some solid training and some certifications, which I'm working on. I'm taking an 'unconventional' route, based on your guidelines in your post. But, sometimes you would be surprised by the unconventional.

Cheers
Marilyn Cohodas
User Rank: Strategist
4/2/2014 | 4:34:41 PM
Re: odes are malicious!
My odes would be malicious. But thanks for catching the typo -- and making me smile at the end of a long day. :-)
GonzSTL
User Rank: Ninja
4/2/2014 | 3:42:19 PM
Re: odes are malicious!
Shakespeare was particularly adept at writing malicious odes, although they were purported to come out of the mouths of the characters in his works, and not from himself.
adriendb
User Rank: Apprentice
4/2/2014 | 1:42:46 PM
odes are malicious!
'malicious ode'? typo in the story.