Security is changing quickly, and it's never been more critical to ensure teams have the skills necessary to defend their company's infrastructure and sensitive data. But overall, organizations undervalue cybersecurity. Security operations center (SOC) teams are often understaffed, overworked, and receive little visibility. With the threat landscape constantly evolving, new skills are required to stay ahead of cyber adversaries.
Here are the top five skills a modern SOC team needs to succeed in the future of high-scale detection and response.
1. Basic Coding
Everything-as-code — a term used to express the practice of extending the idea of how applications are treated as code to operating systems, network configurations, and pipelines — has significantly changed how security teams operate and the skills they need. Where work in a SOC of yesteryear did not require coding skills, they are essential today.
Detection-as-code — a modern and systematic way to write detections using software engineering principles — means teams need the ability to create custom-tailored rules that can be properly tested, versioned, and programmatically managed in version control. The flexibility and robust nature of full programming languages enable teams to detect either simple or advanced behaviors in addition to context fetching, enriching, and telling the whole story of what happened.
Security teams should invest in learning the basics of software development by solving real problems they face, such as analyzing vast amounts of raw data. They should embrace writing code that is first functional and then go back to learn best practices, unit testing, and other techniques that help with the sustainability of good code. Security teams can also learn from members across various software teams within their organization to help cross-train. Start with interpreted languages, such as Python or Ruby, which have simple-to-follow syntax with performance tradeoffs.
2. Cloud Technology
Arguably, all modern technology companies are built on cloud services such as Amazon Web Services or Google Cloud. Cloud services are continually moving up the infrastructure stack to simplify complex concepts. As this shift happens, security teams need to continually ensure they are gathering the related datasets to stay informed and are instilling tight controls to prevent accidental data or system exposure.
Security practitioners should start by learning basic services such as cloud storage, compute, identity and access management, and more. As with coding, start by solving real-world problems, such as storage, processing, and retention of security data, or work by hardening their company's existing infrastructure. Many reference architectures also exist that can serve as helpful models of learning.
3. Security Logging Pipelines
Every team is using software-as-a-service instead of on-premises solutions that live behind a firewall, which means security data is sprawled across multiple services with much less centralized control. The rise of tools like Google Workspaces, Auth0, Okta, Duo, Jamf, and many more results in the need to centralize this data. The challenge is that the logs have different formats, APIs, and methods to authenticate and gather the data.
Teams must gather as much data as possible to stay informed and defensive. They must build internal logging pipelines with tools like rsyslog, vector, fluentd, or logstash. Security teams should be familiar with how these tools are configured, scalable, and pluggable into other systems, such as cloud storage and SIEMs.
4. Attacker TTPs
Having a good understanding of recent attacker techniques, tactics, and procedures (TTPs) can help teams develop a robust set of detections that manage multiple vectors within their environment. Keeping up on recent breaches can help them understand modern threat models and techniques that could endanger their organization. A good example is the rise of ransomware attacks. Detections should be high-fidelity enough not to generate too many alerts, and by using programming languages, teams can test and express more complex attacks.
5. Threat Hunting
As cyber adversaries become more sophisticated, security teams must adopt a more proactive approach to identifying previously unknown or ongoing nonremediated threats within their organization's cloud infrastructure. Because complex advanced persistent threats can lurk for weeks or even months, modern SOC teams must be trained to complement automated systems and search for hidden malware or attackers by looking for patterns of suspicious activity.
Security teams are often small, understaffed, and generally not experienced in DevOps or software engineering. Yet high-scale monitoring requires these skills. Additionally, security practitioners need to understand how to use system instrumentation to get the data they need and build reliable, fault-tolerant, and elastic data processing pipelines to handle this data.
From learning the basics of programming to understanding cloud infrastructure, security practitioners should upgrade their skills. The adversaries poised to attack their systems are indeed formidable, but modern tools and a highly skilled security workforce can rise to the challenges of protection.