Questions/Suggestions

abnmi Member Posts: 66
I am stuck in a rut. I am classified as an IT Specialist (INFOSEC) 2210 by the Army. That said, I deal more with the physical security of classified IT equipment. I have my CISSP, GSEC, and some government security specific certs but really want to understand complete security operations center duties. Can anyone recommend any courses, books, or certifications that could educate me on SOC operations, ArcSight/SIEM use, PCI, FFIEC, HIPAA (essentially all of the broad IT compliance regulations)? I am looking to eventually get into the private sector but cannot qualify because I do not have the requisite understanding. Any advice you can provide is highly appreciated.

Comments

  • BlackBeret Member Posts: 683
    No one's going to understand everything that happens in a SOC. The GSEC should have given you a general idea of a lot of what goes on in there. I'll try and break them down into the different areas you likely have there and what you can use to study them.

    The people using ArcSight and the related appliances are network security analysts, that's one entire field. Download security onion and learn Wireshark, Snort, and Bro. Sguil is the SIEM on there. Focus on reading network traffic, get the Guide to TCP/IP and Wireshark Network Analysis. Related certifications would be like GCIA.

    The HBSS guys are host analysts, that's a separate area but still related to the first. Use Security Onion again and get really familiar with OSSEC, ELSA, and the rest of the tools. Learn what you can about the host OS that you're interested in. Know normal so you can find evil ;) Depending on what hosts you want to learn, MCSA certs, Linux certs, etc. would be helpful here.

    The IRT (Incident Response Team) is going to need a combination of the above knowledge, as well as incident response knowledge. Basic forensics courses and SANS GCIH course focus on incident response. Learn to use a forensic imager, read log files, create cases, identify attempted malicious attacks like a drive-by exploit kit, and differentiate the ones that are successful from those that aren't successful.

    The forensics teams. That one is self-explanatory. The IRT guys handle the basics like imaging machines, parsing log files, etc. The forensics guys get deep into the five W's. Any forensics book would be a start; again, knowing the host OS thoroughly, learning how to examine them forensically, etc. is a start. After you read and learn system forensics, learn network forensics. Then move on to malware analysis and reverse engineering. Get a book like Practical Malware Analysis, take the SANS Forensics courses, GREM, etc.

    The IA section is going to be responsible for your compliance items. You're going to use fun tools like Nessus, NeXpose, and Nipper Studio. Don't just learn to run scans. The real power in those tools, especially for compliance checks, is in learning to fine-tune the configuration. You can get details on any of the federal regulations from their various websites. Learn to interpret those and define them as far as compliance scans go. Get used to using good paper-and-pencil checklists and verify information with real people in audits.

    Advanced traffic analysis will use tools like Bro and Splunk to analyze traffic patterns and look for anomalies. This goes back to reading network traffic at a very in-depth and large-scale level. Think expert analysis.

    Signature management team. Someone has to be skilled in writing signatures for all of the different tools, as well as updating, refining, version control, etc. Learn the various tools' signature functions, learn Regex and Extended Regex, and again know the basics of network traffic and host OSs so you can properly write signatures for them.

    Vulnerability analysis - Same tools as the IA/compliance guys, but configured much differently. Keep up with emerging threats, learn how to write custom rules for your tools, etc.

    Penetration Testers - Use all of the above knowledge to gain access to systems. When not doing that for them, plan to be pentesting and analyzing software. If you need resources on this start with Google. Go from the very basics all the way up to ICS.
  • MrAgent Member Posts: 1,310
    You have a CISSP, you can easily get into the private sector with that cert alone.
  • abnmi Member Posts: 66
    MrAgent, yes I have my CISSP but to me that is just a starter. Some on the board would say I put the cart before the horse; my first cert was the CISSP. My background in pure IT is limited. I worked in the Intelligence field during my military career and for a bit post-retirement. While working intelligence there were bleed-over duties dealing with network/computer security and information assurance. I have not worked as a cable puller, sysadmin, or netadmin. I understand many of the required concepts but cannot say I have the experience. Yes, I could get those CISSP jobs, but they require skills such as ArcSight, compliance standards, etc. My issue is my current employer has me pigeonholed doing physical security of classified information systems and I am trying to break out.
  • MrAgent Member Posts: 1,310
    If you're cleared you may want to look at jobs in the NOVA/DC area. Lots of variety.
    Cissp Jobs, Employment in Chantilly, VA | Indeed.com
  • abnmi Member Posts: 66
    Yep, have an active clearance and all. Trust me, I have applied through Indeed for a number of positions. The CISSP is not a magical factor. I have been unable to even get my foot in the door.
  • astudent Member Posts: 26
    Then try usajobs.gov for a Fed job, if you want to build up your IT experience.
    Are you on active duty now? If you are going to be separated soon, you will have veteran hiring authority, which means that you do not have to compete with civilians. There are a lot of jobs that need SC for DoD.
  • BlackBeret Member Posts: 683
    @astudent, he's already a fed employee looking to move into the private sector eventually.

    @OP, astudent has a point: apply to another position. The Air Force is exploding with this new CPT structure and bringing in massive amounts of people to do what you want to do. You're already a 2210, so it shouldn't be hard to move over, and a lot of the new spots are GS 11-13. I don't know where you're at now, but if you're willing to move for a better GS position for a few years of hands-on IT experience, it might be worth it to look around on USAjobs.gov again.