SOC what do I need to learn?
Comments
-
UnixGuy (Mod)
Did they offer you a shift in pay for 2nd or third shift?
No shift, just on-call every few weeks - it's exhausting and will probably be the reason why I'll leave this place sooner than I thought. -
Remedymp
No shift, just on-call every few weeks - it's exhausting and will probably be the reason why I'll leave this place sooner than I thought.
Really? No way! What's so exhausting about it??? -
UnixGuy (Mod)
Really? No way! What's so exhausting about it???
Getting random calls at 3:00 am, 6:00 am, 11:00 pm, etc.! The entire week you're just on standby and get called at any time for any alert... -
UnixGuy (Mod)
@N2IT:
I'm not sure. Management is good, they told us they're aware of this and they're doing something about it. They are recruiting more people, so the end goal is that we are on call once every 2-3 months. It's not too bad to be honest.
The positives:
1) Great brand name on CV. It's a great organisation. Very complex network.
2) Exposure to a lot of cool stuff, in a complex network.
3) The pay is good, and the overtime pay is good. So staying for - say - 1-3 years (tops) you are making good money AND gaining experience.
4) The more I understand, the less stressed I get - more confidence.
5) You can talk to your manager about your plans to move to another team, and the manager is supposed to help you (although moving to a new team sometimes takes years).
So yeah, something to think about. The negative for me is just the on call. Think I need to tolerate it for now. It's getting better. -
N2IT
Unix, glad things are working out for you. On-call is a major deal breaker for me, but if you can afford to handle that with your lifestyle, great!
Line 3 is where I am at now, and if I can keep the blinders on and not deviate from my plan I should be set up extremely well. (This is assuming they keep me on for 2 - 3 years and that I stay for that long).
If the only negative is on-call that's pretty good to be honest. I'm sure other negatives and positives will come up but nothing major so far is a very good sign. -
renacido
(Not to poo-poo your new job or anything, congrats and all) This job looks to me more like a network admin position at a SOC that provides managed security as a service to other companies, rather than a Security Analyst position like the one beads described earlier. From what I see you aren't actually monitoring events and alerts or doing incident response, forensic analysis or vulnerability assessment; you are administering the security appliances and systems in the stack and responding to service outages of the firewalls and IPSs and so forth, not *security incidents* like malware infections, intrusions, botnets, privilege abuse, etc.
You should still learn a lot of cool stuff, and it should be easy to pivot to a security analyst / incident handler role if you want to later. -
UnixGuy (Mod)
Yep, you're actually spot on. It's 100% pure sysadmin job within a SOC, but the positive side is that we get exposure to our (complex) network, which is a good leg up to get into other teams that do the stuff you described above. It's a good entry I think, but I shouldn't fall into the trap of staying in this team for too long. There are other teams that do other stuff (i.e. configuring/troubleshooting policy/access issues for proxy firewalls... other teams do forensics, and a team that does governance etc). No rush..
-
Mike-Mike
The negative for me is just the on call. Think I need to tolerate it for now. It's getting better.
On call does suck... but sometimes it can be quite the healthy payday. Not sure how your company does it, but for me, it has caused some huge paychecks...
We get extra money for each day you are on call, if you get called out you get Overtime pay, and if you get over 10 hours, you get double time pay.
Once I went on call and worked both my off days, plus a few calls, so about an extra 24 hours on one week's check. 14 of that on double time. -
UnixGuy (Mod)
Mike-Mike: yep, we get similar! I got paid handsomely on my first week on call, but I didn't get much sleep due to some alerts. Not too bad. The only catch is that I need to align myself with a certain career path; Ops work is not forever.
-
N2IT
Agreed, Ops work is not forever; it's not even 6 months.
I have to be in a tactical role, not quite strategy but designing around the business strategy. Pure operations and my personality type don't work very well. Think oil and water. -
beads
Are you saying this is a good thing or a bad thing?
It's just a thing. Personally I consider SOC to primarily revolve around IH/IR, intelligence analysis, security project management, GRC and a host of other smaller things separate from network engineering and administration. Otherwise let's group helpdesk in there with security so we cover all the bases, shall we? After all, resetting passwords is security.
Keeping a boundary or firewall between the SOC/NOC and operational engineering is just good sense in my opinion. Operationally, one cannot audit oneself and be credible. Rather, throw the operational brick over the wall when it's all nice, neat and packaged. Just be ready to catch, as these things can hurt if you're not looking.
-b/eads -
UnixGuy (Mod)
I mean, I don't see the loss in my case. My background is sysadmin, so basically I'm just doing sysadmin with exposure to some new gear that I haven't touched before. It could be a good way for me to get my foot in the door for security or I could just go back to sysadmin. To be completely honest, I lack motivation to do any kind of self-study so I learn whatever I can on the job and take it from there.
-
SaSkiller
Anyone have any idea how to move into computer forensics or malware analysis from the analyst position?
The few dedicated positions seem to want experience in it prior to you getting on, so all I can hope for now is to move into a position later down the line. -
Remedymp
Anyone have any idea how to move into computer forensics or malware analysis from the analyst position?
The few dedicated positions seem to want experience in it prior to you getting on, so all I can hope for now is to move into a position later down the line.
What are your current responsibilities? -
Remedymp
I mean, I don't see the loss in my case. My background is sysadmin, so basically I'm just doing sysadmin with exposure to some new gear that I haven't touched before. It could be a good way for me to get my foot in the door for security or I could just go back to sysadmin. To be completely honest, I lack motivation to do any kind of self-study so I learn whatever I can on the job and take it from there.
I'm surprised you're not working for Redhat yet. Where I live, RH can't find enough candidates to fulfill roles. If I had my RHCSA or RHCE, that's exactly where I would be. -
beads
I mean, I don't see the loss in my case. My background is sysadmin, so basically I'm just doing sysadmin with exposure to some new gear that I haven't touched before. It could be a good way for me to get my foot in the door for security or I could just go back to sysadmin. To be completely honest, I lack motivation to do any kind of self-study so I learn whatever I can on the job and take it from there.
Those are precisely the same skills you need later on with most IH/IR cases. Security is very much an apprenticeship best practiced AFTER you have had a career in IT: Infrastructure, Development or DBA. I have lots of freshers to teach to prove/reinforce the idea as well. All with shiny new "security degrees" and no idea how to do much of anything useful, because they weren't taught how to do much of anything.
-b/eads -
SaSkiller
What are your current responsibilities?
Lol don't ask. Officially I'm an intrusion analyst, but most of my time right now is spent answering client questions about the events we have sent over to them, logging into security devices and correlating data, making changes to some processing rules, etc. Eventually I will be sent to do actual analysis, which I do have experience doing, but in my current company, it's a waiting game.
All with shiny new "security degrees" and no idea how to do much of anything useful, because they weren't taught how to do much of anything.
Sounds like most degrees. Occasionally I look at getting a degree, then I read the class description and say "I know that". -
UnixGuy (Mod)
I'm surprised you're not working for Redhat yet. Where I live, RH can't find enough candidates to fulfill roles. If I had my RHCSA or RHCE, that's exactly where I would be.
Good question! Red Hat was my dream company (or maybe it's still one of them..), but their headquarters in Australia is in a different state, and the positions in my state are usually Solutions Architect (maybe I'm not on that level yet or maybe I am... guess I can only try). I also think there *might* be some favouritism that I don't wanna talk about publicly in a forum, so I was a bit cautious with them. My RHCE is for RHEL 5 so it expired, but I can pass the new one easily if I have to. They don't have security positions here either, so it's either Support Engineer, Senior Support Engineer, Open Stack specialist (yuck), Solutions Architect (awesome but very few positions advertised), and some sales stuff as well. Thanks for reminding me of Red Hat! -
UnixGuy (Mod)
Those are precisely the same skills you need later on with most IH/IR cases. Security is very much an apprenticeship best practiced AFTER you have had a career in IT: Infrastructure, Development or DBA. I have lots of freshers to teach to prove/reinforce the idea as well. All with shiny new "security degrees" and no idea how to do much of anything useful, because they weren't taught how to do much of anything.
-b/eads
Good to know! So I can safely land a new position in security doing IH/IR if I get some good mentoring or direction, I guess. I thought it wasn't the rocket science that people make it out to be. Right now my CV looks good, lots of Unix/Linux stuff working in banking, healthcare, defence etc etc, so a diverse background. I have good people skills too, so that helps. -
cynicbeard
It is not uncommon for roles to cross-pollinate. Many organizations still do not have dedicated security staff. However, if you have a SOC, I would think that you do. Sys-admin / SOC analyst... it sounds like it might be a bit of a stretch depending on the size of the organization.
@philz1982 book suggestions are dead on. I would also throw two more in the mix:
Practical Intrusion Analysis
Incident Response and Computer Forensics
I disagree with CEH having ANY value in a SOC. Working in a SOC is highly technical and 100% analytical.
The most applicable certifications: GCIA, GPPA, and GCIH (You want to have a very good understanding of the IR process).
Introductory (Notable) Cert: SCYBER (Securing Cisco Networks with Threat Detection and Analysis) - I recently took this just for the hell of it and I was very impressed with the content. It is NOT Cisco specific per se. Maybe 5/60 questions pertain to Cisco. The rest require an understanding of general security practice, incident response, and basic traffic analysis. -
Remedymp
Lol don't ask. Officially I'm an intrusion analyst, but most of my time right now is spent answering client questions about the events we have sent over to them, logging into security devices and correlating data, making changes to some processing rules, etc. Eventually I will be sent to do actual analysis, which I do have experience doing, but in my current company, it's a waiting game.
Sounds like most degrees. Occasionally I look at getting a degree, then I read the class description and say "I know that".
The only thing I can suggest is setting up an infected device on camera, recording yourself performing analysis and removal, and uploading it to LinkedIn. Videos are the new thing now for hiring managers or HR to look at. It gives them some idea of who you are as well as starting a conversation. -
Remedymp
Good to know! So I can safely land a new position in security doing IH/IR if I get some good mentoring or direction, I guess. I thought it wasn't the rocket science that people make it out to be. Right now my CV looks good, lots of Unix/Linux stuff working in banking, healthcare, defence etc etc, so a diverse background. I have good people skills too, so that helps.
The RH Certificate in Server Hardening could boost your profile as well. -
UnixGuy (Mod)
cynicbeard wrote: »The most applicable certifications: GCIA, GPPA, and GCIH (You want to have a very good understanding of the IR process).
...
^^ yep, aware of the value of those. Hoping my employer would sponsor me or maybe find a new employer that will sponsor me. -
UnixGuy (Mod)
The RH Certificate in Server Hardening could boost your profile as well.
I actually am not interested in pursuing certifications at this point, especially sysadmin stuff. People rarely recognise this cert, so I don't think it has a high ROI. Red Hat will hire you based on experience and will expect you to pass RHCE within 30 days... -
Remedymp
I hate to use your thread, but after starting my job, I don't see myself sticking around the SOC for very long...
-
Khaos1911
I hate to use your thread, but after starting my job, I don't see myself sticking around the SOC for very long...
Why is that, Remedymp? -
Remedymp
Why is that, Remedymp?
I don't think managed security services is a market I can foresee myself sticking around in, as you're constantly stuck in a position unless you quit to move on. Today we were told that they don't advance anyone until after 18 to 26 months. I came from a desktop/datacenter/analyst role where I was constantly groomed for various roles to be more well rounded for the sake of the team. However, here it's not like that. But they are big on certs, especially GIAC and CompTIA.
For example: if a client opens a request for adding a scope of IPs to the firewall to allow access over a port like 443, somehow without knowing it's my responsibility to follow up with the client to verify whether or not these IPs have been added to the switch's VLAN as well?? If this client is making the request, shouldn't they know their own network better than I, working in some remote SOC?? And I'm responsible somehow for this change request??
No thank you to this. -
UnixGuy (Mod)
@Remedy: It does sound like a hectic environment, but you are learning!
How about you do what I'm about to do? I'll start a pentesting course (I can message you about it), skill up big time and then take it from there. You can move to another team within the same organisation or elsewhere. Better to focus on the opportunity we have, I think. My environment is hectic too, but I know that I lack the skills to do proper Pentesting/Forensics/Incident Handling. -
ramrunner800
I hate to use your thread, but after starting my job, I don't see myself sticking around the SOC for very long...
I recently interviewed with a gentleman who stands up and runs SOCs for huge companies all around the world. He said that he doesn't think anyone should stay in the SOC for more than 18 months because you get 'console burn in.' I've worked in various operations center type jobs for the last 5 years, and I think vigilance fatigue is a real thing. Every once in a while you need to change roles and shake out the cobwebs. You can go back, but some kind of change is really helpful.