SOC what do I need to learn?

UnixGuy

So I'm moving away from traditional Unix administration to a SOC ( http://www.techexams.net/forums/jobs-degrees/106651-security-analyst-checkpoint-interview-help.html )

This is a new area for me so there is a lot to learn. I haven't started the job yet, but I want to create a yearly plan for myself.

Goal: by the end of 2015, I want to be a SOC Ninja.

The job requires me to learn CheckPoint, Proxy, IPS, IDS....

So for those of you who are working in SOC or have worked in SOCs before, what's a good learning path?

I'm planning to start with CBT nuggets for CheckPoint...

John-John

Guys in my SOC are learning CEH and CCNA. You will most likely be analyzing packets so what might come in handy is understanding html and scripting. Im learning Javascript right now at Code School. At the very least just keep up to date on the latest threats. Find some good security blogs and read them every day. I was all about formal education before I came here but security never sleeps. Your textbooks get old real quick. I think the net has all of the most relevant information you might need. Cybrary.it is a pretty cool site. Malware.dontneedcoffee.com. Sites like that. Being that you are a UNIX admin you might want to do offensive stuff. The pentester I knew had been a redhat guy. Maybe you would want to do the OSCP.

philz1982

Read the TAO of Network Security -SIEM and Sensor Deployment
Also practical packet analysis- Network Log analysis

I also recently read the Blue Team Handbook, really good defensive book.

SephStorm

Depends on the position. My company splits the network security guys and the analysts. When it comes to network security, things such as the CCSA/E and the SFCP are relevant. Of course there are other vendor options. In this role, if I were hiring, i'd be looking for someone who has set up a lab and has asked question, and gotten answers on things. Like, "Why does Checkpoint say that it blocked traffic for a domain in the block list but it doesn't tell me which site? How do the IPS rules work and how do we see/modify the rules? Questions I have that our team of CCSA's can't answer.

For the analyst route, know how to navigate tools, the specifics can be taught, but please have an idea how to get around, how to search for data. How to form a clear (as possible) view of what happened when you have limited data (you won't always have full pcaps. Sometimes pcaps will be corrupted, or the data is encrypted). Try to build a lab and throw exploits from the Snort ruleset against a server so you can see the alerting, as well as validate legitimate attempts vs. false positives.

ramrunner800

In my environment it's all about PCAP analysis and knowledge of attack methods.(it's hard to determine someone's breaking something if you don't know how things can be broken) Wireshark, Bro, and script writing are good skills for PCAP analysis, as is comfort with the common languages used in web technologies. (Perl, PHP, JS, etc.)

I'd echo Seph's recommendation to build a lab, attack it, and analyze the pcaps from your attacks. Security Onion has everything you need to get started in an easy package. The Practice of Network Security Monitoring by Richard Bejtlich is a great intro.

the_Grinch

http://www.amazon.com/Designing-Building-Security-Operations-Center/dp/0128008997/ref=sr_1_1?s=books&ie=UTF8&qid=1422539185&sr=1-1&keywords=security+operations+center&pebp=1422539191395&peasin=128008997&pebp=1422539191399&peasin=128008997 <---Haven't read it, but might be worth it...

UnixGuy

John-John wrote: »

Guys in my SOC are learning CEH and CCNA....

They mentioned that CCNA is very important, so I need to learn a bit of that


Philz The_Grinch

Thanks, I'll take a look



@SephStorm & @Ramrunner

This position they're hiring people from different backgrounds so they know I don't have networking/SOC experience.

Where do I start if I wanna learn how to analyse pcaps? any book/site? I'm looking for resources to start my learning journey, I know I have a lot to learn. Coming from a Server's background, there is a bit of learning curve for me.

ramrunner800

I have used Wireshark 101 and Practical Packet Analysis. If you need some samples to play with Contagiodump has a good collection of samples of traffic containing malware that you can play with. You can also do packet capture on your own attacks to look for examples there.

philz1982

UnixGuy wrote: »

They mentioned that CCNA is very important, so I need to learn a bit of that

Interesting, I can see why they say the CEH, because of the tools. Are you guys a Cisco shop? That would make sense then that they want you to understand the CLI.

I found ICND1 and ICND2 to be more valuable then Network + in regards to practical Network knowledge.

Pupil

Some other good books to check out:
- Practice of Network Security Monitoring
- Practical Intrusion Analysis
- Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
- Applied Network Security Monitoring: Collection, Detection, and Analysis
- Network Security Through Data Analysis: Building Situational Awareness
- Network Flow Analysis

ramrunner800

Pupil wrote: »

Some other good books to check out:
- Practice of Network Security Monitoring
- Practical Intrusion Analysis
- Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort
- Applied Network Security Monitoring: Collection, Detection, and Analysis
- Network Security Through Data Analysis: Building Situational Awareness
- Network Flow Analysis

Those are some good suggestions, I think I'm going to pick up a few myself. Thanks!

Remedymp

What is the least amount of time spent in a SOC role before being transtioned to a new role? Three months?

UnixGuy

@Remedymp:

Good question. I don't know. I'd like to know the answer myself...

ramrunner800

Remedymp wrote: »

What is the least amount of time spent in a SOC role before being transtioned to a new role? Three months?

I've been in my SOC for 9 months, and will probably be moving into Incident Response in the not too distant future. This feels really fast to me. I've certainly not mastered the SOC yet. There's a huge learning curve to both learning how to do network security monitoring well and to learning your environment; knowing what is normal for your network is almost as important as the fundamental skills of NSM.

A real answer to your question would require you to provide a bit more context, but I think 3 months is a pretty quick timeline to have even settled into the role and received the basic training associated with any new position.

Remedymp

ramrunner800 wrote: »

I've been in my SOC for 9 months, and will probably be moving into Incident Response in the not too distant future. This feels really fast to me. I've certainly not mastered the SOC yet. There's a huge learning curve to both learning how to do network security monitoring well and to learning your environment; knowing what is normal for your network is almost as important as the fundamental skills of NSM.

A real answer to your question would require you to provide a bit more context, but I think 3 months is a pretty quick timeline to have even settled into the role and received the basic training associated with any new position.

Position such as this.

UnixGuy

I'd really like to move to incident response. SOC work seems very demanding (24/7 alerts etc etc), and little learning, but yeah it's a great way to learn your environment. I agree I think 3 months is short, my thinking was something like 2 yrs or one year (depends on your previous experience really).

Remedymp

Role Overview

Security Center Operations Analysts provide network and data security functions for Dell SecureWorks. Analysts provide excellent customer service while evaluating the type and severity of security events and having in-depth understanding of exploits and vulnerabilities. Analysts will also answer inbound phone calls, address customer emails, prepare and implement changes on network security devices such as Intrusion Detection Systems, Intrusion Prevention Systems, Web Application Firewalls and other Unix/Linux based security platforms. Additionally, this position also provides basic level troubleshooting support for all 3rd Party IDS/IPS/WAF devices and resolve customer issues by taking the appropriate corrective action, or following the appropriate escalation procedures. All work is tracked via a ticket based CRM system. Applicants must demonstrate exceptional attention to detail, possess analytical and troubleshooting skills, be capable of maintaining high levels of customer satisfaction, and be able to work in a team orientated environment.

Role Responsibilities

-Responsible for making basic device configuration changes and working with customers to troubleshoot network and security related issues

-Interact with host and network based network intrusion detection devices and other security systems via proprietary and commercial consoles, both local and remote

-Responsible for answering inbound calls and emails from customers, create tickets for all work, and address customer requests or issues

-Meet service level objectives related to device change processing

-Set clear expectations and provide timely follow-up to customers as appropriate

-Work within a 24x7 shift-scheduled security operations environment

-Manage, participate in, or directly work on any additional projects, assignments, or initiatives assigned by management

-Maintain keen understanding of evolving Internet threats to ensure the security of Dell SecureWorks’ customers’ networks

-Learn prerelease products in the area(s) of support responsibility in order to support devices when released

-Participate in knowledge sharing with other analysts and develop customer solutions efficiently

-Perform other essential duties as assigned

As a managed security provider, Dell SecureWorks expects its employees to understand and apply commonly known security practices and possess a working knowledge of applicable industry controls such as NIST 800-53. Employees will be expected to acknowledge their security responsibilities in writing prior to gaining access to company systems. Employees will be required to maintain a working knowledge of local security policies and execute general controls as assigned.

Qualifications

Requirements

-Good understanding of NIDS/NIPS, HIDS/HIPS and WAF platforms

-Intermediate experience with Linux, UNIX, Windows

-Thorough understanding of the OSI model, including TCP/IP and key application level protocols

-Understanding of basic network services, exploits, vulnerabilities and attacks

-Basic networking expertise and understanding of routing principles and networking fundamentals, well known protocols, command line interfaces

-Basic to intermediate understanding of regular expressions

-Basic understanding of Packet Analysis Tools (TCPDUMP, Wireshark, Ngrep, etc.)

-Excellent problem solving skills and keen ability to diagnose and troubleshoot technical issues

-Well-spoken and articulate containing an attention to detail with excellent writing abilities.

-Must be able to communicate technical details in a clear, understandable manner

-Dedication to customer service and passion for learning and security

-Experience with 3rd party technology such as SourceFire, CheckPoint, Cisco, TippingPoint, and Imperva

Preferred

-Undergraduate Degree in a technical field such as Computer Science, Information Technology or 4-6 years of relevant experience or undergraduate degree and 0-2 years of relevant experience

-CCNA Certification a plus

-CCNA Certification a plus

-GIAC, GCIA, GCIH, GWAPT, GSEC or similar certification a significant plus

** Must be willing to work either 2nd or 3rd shift

Looks to be demanding.

UnixGuy: Have you thought about doing the GIAC certifications?

beads

The above description appears to be more along the line of hands on engineering than Security Operation Center where the Incidents are monitored, triaged, diagnosed, contained and eventually investigated and closed. So it depends on what the definition of SOC is to the company and how its defined. Here we're primarily doing investigation, audit and directing the architecture (software and infrastructure).

What I/we have been hiring for are interns to mid-level Engineers with the following skills: IDS, IPS, A/V, NBAD, SIM/SIEM, CCNA-CCNP level skills like CIDR, DLP as well as the investigative skills to understand how all this works together. No one has had a real inkling of real forensics or advanced malware analysis, even when they think they are "experts". Guess the forensics and AMA pieces lie with me. Don't even begin to ask about Java obfuscation or Hex-Rays. Now, that would just be crazy talk.

Now have a rogues gallery of four security freshers and another seasoned security person would be ideal but practically don't exist or you wouldn't want to try to work with them in the first place. Hmmm... I suspect there are a couple on this board that would say much about myself as well... Oh well. There loss.

-b/eads

UnixGuy

@Remedy: I have, I just don't want to pay 5K for it.


@beads: my job doesn't even include monitoring 'incidents', it's all 100% sysadmin-y type work (ops, firewall health, proxy health), don't think I'm learning much..any tips?

NetworkNewb

UnixGuy wrote: »

@Remedy: I have, I just don't want to pay 5K for it.

https://www.sans.org/work-study/

UnixGuy

@Networknewb yep I applied to that and the training starts next week I didn't get in, they put me on a waiting list so I can't do it.

NetworkNewb

damn that is disappointing to hear... I applied to one that is in a couple months. Crossing my fingers!

BlackBeret

b/eads,

You're working in a SOC that handles events, but you don't have personnel for forensics and malware analysis? I don't think it's you that people don't want to work with, I think it's your organization. But since you mentioned it, how are events handled in that situation? Do you just have to remedy the situation and not investigate it in depth?

Danielm7

I applied to work study and expected to hear back by now as it's around a month away, I applied over a month ago, nothing yet.

beads

BlackBeret wrote: »

b/eads,

You're working in a SOC that handles events, but you don't have personnel for forensics and malware analysis? I don't think it's you that people don't want to work with, I think it's your organization. But since you mentioned it, how are events handled in that situation? Do you just have to remedy the situation and not investigate it in depth?

Don't get me wrong. None of the above existed before I came on board - in January! No real Policy, procedure, guidance, standards were found. Tools were half installed... I could go on and on but it would be impolite.

Its an uphill battle to corral folks who have been free range most of their careers. As far as Forensics, malware and all that. Yeah, I am also starting from scratch with all new everything. EVERYTHING. I can do those line items but there is only so much time in the day. Incidents are handled albeit slowly. Average day, I handle 6 incidents of varying levels. My NOC guy is getting close to dangerous, so that helps. Yeah, that's not a typo. I raided the NOC for an additional research asset and I ain't giving him up. In seagull terms: "Mine, mine, mine, mine, MINE!!"

I've gone through 100s of resumes in the past year and 1000s over my career. Seen just about every faux pas and gaff you can imagine. People who just want a "job" or position contact me fairly regularly for PM and security positions when they have no clue as to what the work actually entails. In this case I couldn't find the reasonable skill sets I was looking for or those who have them are either working somewhere full time and happy with it or they want more than what even this budget is generously allowed. Oh and lets not rule out the: "I wouldn't want to work with this person in the first place..." people. I know its a tough market for hiring managers but come on. I'll be checking your shoes to see if there still dry there "Hey-zues".

I take exceptionally good care of my people and demand a great deal of them as well. I must cause most people that have worked for me will follow me from company/opportunity to the next or until I cannot afford them any longer. Good for them. This time I don't have the spares to back-fill these positions. When you can't find what you need - you build.

Now, you understand why I sound cranky, doncha?

- b/eads

beads

UnixGuy wrote: »

@Remedy: I have, I just don't want to pay 5K for it.


@beads: my job doesn't even include monitoring 'incidents', it's all 100% sysadmin-y type work (ops, firewall health, proxy health), don't think I'm learning much..any tips?

Ideally those are the stepping stone skills I look for when hiring a SOC analyst/Engineer. Add to that the overall understanding of Windows architectures: Workstation kernel through server communications, protocols, ports, etc. Highly recommend GIAC Incident Handling. Probably the most fun SANS course I have ever taken if not the most practical as I use this stuff daily. The 500 level audit course is close to the CEH as well being a "Tour of Tools" with audit basics built in. For now I will build out this team with triage auditors and I'll still close anything more complicated than calling the helpdesk. I have a busy summer.

Truth is most of the time your really doing technical audit but hardly anyone wants to refer to it as such. Baseline the crap outta everything and compare. Follow the auditor's rules for effective auditing and your life becomes so much easier. I can teach anyone to audit properly. I was taught by a CPA well before I went into security as a practitioner in the 90s.

Who watches the watchers? Who will guard the guards? Can't audit one's self - its a violation. Happened to me yesterday, lol.

- b/eads

Remedymp

@Remedy: I have, I just don't want to pay 5K for it.

Most SOC will pay for it once a year.

beads

UnixGuy wrote: »

They mentioned that CCNA is very important, so I need to learn a bit of that


Philz The_Grinch

Thanks, I'll take a look



@SephStorm & @Ramrunner

This position they're hiring people from different backgrounds so they know I don't have networking/SOC experience.

Where do I start if I wanna learn how to analyse pcaps? any book/site? I'm looking for resources to start my learning journey, I know I have a lot to learn. Coming from a Server's background, there is a bit of learning curve for me.

With Laura Chappell of course! Laura is the hands down expert on this subject.

Wireshark University
Amazon.com: laura chappell wireshark

- b/eads

Remedymp

The above description appears to be more along the line of hands on engineering than Security Operation Center where the Incidents are monitored, triaged, diagnosed, contained and eventually investigated and closed.

Are you saying this this a good thing or a bad thing?

UnixGuy

beads wrote: »

Ideally those are the stepping stone skills I look for when hiring a SOC analyst/Engineer. Add to that the overall understanding of Windows architectures: Workstation kernel through server communications, protocols, ports, etc. ...
- b/eads

Good tips! My gut feeling was that this is just a stepping stone. I really like the organisation though, one of the best to be working with, so I hope I can stick around and move to another team later. Guys seem to take about 3-5 yrs to move to a different team though, I think this is a long time!

Remedymp

UnixGuy wrote: »

Good tips! My gut feeling was that this is just a stepping stone. I really like the organisation though, one of the best to be working with, so I hope I can stick around and move to another team later. Guys seem to take about 3-5 yrs to move to a different team though, I think this is a long time!

Did they offer you a shift in pay for 2nd or third shift?