This article is aimed primarily at those security operations center operatives who believe they are ready to move to a higher tier in their work but find themselves imprisoned in entry-level roles. Alcatraz was a legendary prison encircled by guards, a cold sea, and hungry sharks. It was terribly boring to live there, and difficult to leave.
My purpose in writing this is two-fold: firstly, to help you identify whether you are a tier 1 thinker, and secondly, to offer some suggestions on how you might elevate yourself into a more desirable role. I'm breaking this article into two parts. This first article is the reality check. The second article will suggest some tangible learning paths and provide practical examples, texts, blogs and/or training pathways.
Let me preface this article by making the point that a marine biologist at Alcatraz would have a quality of life that is far higher than other prisoners. They have an opportunity to grapple with sharks directly. The best marine biologist would dispense with dreaming of access to labs and spend their time with basic tools, taking notes and classifying type, studying behavioral anomalies, and preparing texts to publish.
"Not every prisoner is a marine biologist," you might say. To this I respond, "Every prisoner in Alcatraz had the opportunity to become one." Some of you are working in second languages, come from backgrounds where your exposure to computers at home was limited or non-existent, or face other challenges.
You can be great at what you do, overcome your limitations, and achieve your goals, but it requires time, energy, and commitment. It requires more than doing one thing well and ticking boxes.
Curiosity is the key to escaping the island.
I’d like to dispense with four fallacies:
- Time spent at work translates to seniority. This may have been true in the provincial civil service and the staffing of steam trains but not in the modern organisation. If you behaved like a button pusher for the first three years, you’ll stay a button pusher for the next three.
- The second fallacy is that your certificate guarantees promotion. The road to SOC1 is paved with certificates. Clients require basic accreditation of individuals providing services, but insiders don’t rate them highly (with some exceptions).
- You are going to acquire the experience you need to migrate to SOC2 during working hours. This is fallacious: you'll need to spend a substantial amount of time in research outside of working hours. If you don't love the role, it's going to be tough on you. If you only work 8 to 5, you aren't going to move up unless your company allows significant time during the day for study, and/or you have access to competent mentors who have the time to teach you. Both scenarios are unlikely.
- If you are in SOC1 you are a security analyst. It's just as silly as calling someone on the IT support desk an Engineer. In this article I will refer to SOC1 as a security operator or operative. I prefer to think of the title "Analyst" as a gold standard to aspire to.
If you are confused or angry about why you haven’t been promoted, I recommend asking yourself a few questions:
1. Is security research a regular part of your daily activities?
- Can you identify security leaders in your industry? Are you connected to security movers and shakers through twitter and other social media sources?
- Can you identify major security trends?
- Can you discuss seismic security events over the last 6 months? Can you talk about Solargate, PrintNightmare, PetitPotam, and SeriousSam?
- Are you familiar with the common tactics, techniques, and procedures (TTPs) of well-documented APT groups? Can you talk about the typical tools used by ransomware groups during the various phases of their operations?
- Could you structure a correlation rule to detect the use of common tools on your network?
- Do you tend to skip over concepts and terminology you don’t understand rather than noting them down for research?
2. Do you find yourself doing the same repetitive tasks, and always escalate events you don’t understand?
- Are simple tasks such as deconstructing alarms difficult for you?
- Do you struggle to understand how events fit together?
- Do you understand the concept of data enrichment and correlation?
- Are you still learning to mine Google and other security sources to understand your alarms?
- Do you rarely ask questions about the alarms you don’t understand, but instead close them and hope for the best?
3. Are you inexperienced in writing documentation and note taking?
- Do you suffer from helpdesk amnesia, often forgetting about previous events, such that you flag the same alarm repeatedly?
- Do you not take notes, or is your note taking so unstructured that it becomes difficult to consult your notes after a certain period?
4. Do you tend to focus only on events that you are directly involved in, and have no interest in what’s happening around you?
- Do you care about what alarms your co-worker is closing?
- Are you concerned that your co-worker might be closing indicators of a real threat as a false positive?
- Do you spend nights worrying that your clients might be compromised and that your correlation rule set does not cover all the scenarios?
5. Do you have a poor understanding of all the data sources contributing data into your SOC?
6. Are you multilingual in your understanding of open source and Windows products?
- Are you familiar with basic Linux commands?
- Do you struggle to install Linux applications?
- Do you have a weak understanding of how to manage Windows servers?
- Do you have a weak understanding of Windows event logging, and no understanding of products like Sysmon?
7. Do you tend to accept things as they are, and rarely contribute towards improving processes?
- You’ve worked for more than a year in SOC1 and have not suggested ways to improve SOC processes and procedures.
8. You don’t threat hunt in your work time or in your personal time, and have little interest in threat hunting.
- Do you have more than a vague idea of what a threat hunt means?
9. Do you have only a basic understanding of security topics?
- Take a topic at random, such as the Common Vulnerability Scoring System (CVSS): can you break a vulnerability's score into its base and environmental components?
- Are you familiar with higher-level vulnerability topics such as the Exploit Prediction Scoring System (EPSS)?
- Do you present a list of CVEs, or can you pick the high-velocity vulnerabilities that matter for your client?
10. Do you have no understanding of scripting and programming?
- Can you read basic code?
- Can you cannibalise other people’s scripts or programs to achieve objectives?
- Can you compile code?
11. Do you have a good understanding of network concepts?
- Do you understand high-risk protocols such as SMB and the associated ports?
- Do you understand authentication protocols such as Kerberos and NTLM and the value of signing traffic?
- Does your understanding of network concepts extend beyond a simple understanding of HTTP and HTTPS?
12. Do you have a basic understanding of offensive security tools and how they fit into the kill chain?
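As an illustration of the kind of correlation rule question 1 asks about, here is a threshold-based rule over constructed Sysmon Event ID 3 (network connection) records. It is example code added to this article, not something from the original text: it alerts when one host opens connections to many distinct destinations on TCP 445 within a sliding time window, the SMB fan-out pattern a tier 2 analyst would want to notice before a client does. The pipe-delimited record format, host names, addresses, user names and thresholds are all made up for the example; real Sysmon data arrives as XML inside EVTX and would need parsing before a rule like this sees it.

```python
"""Added example: a sliding-window correlation rule over constructed Sysmon
Event ID 3 records.  Record layout, hosts, IPs and thresholds are invented
for illustration; real Sysmon output is XML in EVTX and is parsed upstream."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).  WS01 fans out to seven
# different hosts on 445 inside forty seconds; WS02 shows ordinary traffic
# to a couple of file servers.  One 443 connection is included to show the
# rule ignoring ports it does not care about.
SAMPLE_LINES = [
    "UtcTime=2024-01-15 09:00:00|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.10|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:02|Computer=WS02|EventID=3|User=CORP\\bob|SourceIp=10.0.2.16|DestinationIp=10.0.1.10|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:05|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.11|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:10|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.12|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:12|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.10|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:15|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.13|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:18|Computer=WS02|EventID=3|User=CORP\\bob|SourceIp=10.0.2.16|DestinationIp=10.0.1.10|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:20|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.14|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:25|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.15|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:30|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.16|DestinationPort=445",
    "UtcTime=2024-01-15 09:00:33|Computer=WS01|EventID=3|User=CORP\\alice|SourceIp=10.0.2.15|DestinationIp=10.0.1.99|DestinationPort=443",
    "UtcTime=2024-01-15 09:00:40|Computer=WS02|EventID=3|User=CORP\\bob|SourceIp=10.0.2.16|DestinationIp=10.0.1.11|DestinationPort=445",
]


def parse_event(line):
    """Split one 'key=value|key=value' record into a dict and convert the
    timestamp, event id and port to native types."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    fields["EventID"] = int(fields["EventID"])
    fields["DestinationPort"] = int(fields["DestinationPort"])
    return fields


def smb_fanout_alerts(lines, window_seconds=60, distinct_threshold=5, port=445):
    """Correlation rule: raise one alert per source Computer that connects to
    at least `distinct_threshold` different destination IPs on `port` within
    any `window_seconds` sliding window.  Returns a list of alert dicts."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["UtcTime"])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # Computer -> deque of (time, destination ip)
    alerted = set()
    alerts = []
    for ev in events:
        # The rule only considers network-connection events to the SMB port.
        if ev["EventID"] != 3 or ev["DestinationPort"] != port:
            continue
        host = ev["Computer"]
        q = recent[host]
        q.append((ev["UtcTime"], ev["DestinationIp"]))
        # Evict anything older than the window measured back from this event.
        while q and ev["UtcTime"] - q[0][0] > window:
            q.popleft()
        distinct = {dst for _, dst in q}
        # Repeated connections to the same server do not count twice, so a
        # workstation hammering one file share stays quiet.
        if len(distinct) >= distinct_threshold and host not in alerted:
            alerted.add(host)
            alerts.append({
                "computer": host,
                "user": ev["User"],
                "distinct_destinations": len(distinct),
                "window_start": q[0][0],
                "window_end": ev["UtcTime"],
            })
    return alerts


if __name__ == "__main__":
    for alert in smb_fanout_alerts(SAMPLE_LINES):
        print(f"{alert['computer']} ({alert['user']}) reached "
              f"{alert['distinct_destinations']} hosts on 445 between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

The two parameters are where the analyst's judgement lives: a window of 60 seconds and a threshold of five hosts fires once for WS01 and never for WS02 on this sample, while shrinking the window to ten seconds silences the rule entirely, which is exactly the tuning conversation you should be able to have about any correlation rule on your network.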
If you weren't comfortable with many of these questions, and you have spent more than a year in a tier 1 role, you're stuck in a rut. These are a small sample of the questions I might explore in a job interview, drawn from a very limited set of topics, and you should be able to discuss them comfortably. It's my expectation that any tier 2 analyst should be able to discuss these topics with confidence and complete a technical assessment to prove their understanding.
In my opinion, few other roles require the capabilities of a polymath more than the role of an analyst. By polymath I mean someone who can draw on a body of knowledge that encompasses many different subjects. If you thought you were just going to 'get by', you entered the wrong field.