Security position requirements: reality check.
UnixGuy
I'm just looking at the requirements for a security position that I applied to recently, and I'm wondering if it's the norm to ask for all these skills.
This is a list of the stuff the "Security Engineer" is expected to work with:
Mandatory:
Firewalls, WAFs, Website security, Active directory
Highly Regarded:
DLP, Mobile device management, IDS/IPS, VPNs, Certificate Management, SIEM, Nessus, VMWare, Oracle or SQL Server, Windows Server
Now I understand this isn't too much to ask, but coming from a servers/Unix background, I'm having a difficult time gaining all those skill sets. For example, I have experience with DLP (which is in the highly regarded list), but I have only *some* experience with firewalls... I have knowledge of Nessus, but I'm very weak in Active Directory.
So my two questions are:
1) The position above doesn't mention anything related to penetration testing, forensics, incident response or malware analysis... This leads me to believe that this organization doesn't do these sorts of tasks?
2) I understand that Firewall/Proxy/IDS/IPS/AD are considered perimeter security; is it becoming a separate discipline from things like incident response and red team/blue team work? I'm ultimately interested in red team or blue team sort of work, but I keep seeing positions asking for firewall management, for example, without mentioning anything about incident response.
I'd like to hear some opinions...
Comments
Danielm7
Every company is different, but where I work, firewalls are handled by network security, and they really only deal with firewalls, VPNs, etc. I don't think it's a crazy amount to ask for an engineer-level position. With that said, I know enough about firewalls to talk rules with the netsec guys and discuss route planning; I don't have to implement it, but I need to understand it and make suggestions/approvals. Some ask for tons of pen testing, some ask for other things. Understand that job requirements aren't really something where someone always has 100% of them. For example, you don't have to be a database, virtualization, Windows and Unix admin while also doing all the security stuff, but they will likely expect you to be familiar enough with them to deal with the security related to them.
I don't configure AD, but I've worked with it enough as a sysadmin that I can recognize when certain permissions aren't a good idea and talk to the systems team about it.
Some companies just go "we need a security person, list everything they might touch", and then you get some sheet with 4 pages of "requirements" that aren't always entirely accurate.
cyberguypr
This type of post is normally seen for smaller entities that want to do exactly what Danielm7 said: get someone who is THE security guy. Typically these organizations have a very low security maturity level, mostly focused on compliance and a "checkbox" mentality. This is not necessarily a bad thing, as it leaves a lot of room to create policy, develop processes and metrics, etc. Incident response and forensics are foreign concepts, unless there's a major breach.
My take is that if they are willing to drive security in the right direction, it may be worth a shot. Don't worry about meeting all the requirements upfront.
joneno
As mentioned above, every organization is different. At my organization I handle DLP (host and network), SIEM, IP360, WAF, FIM, and a lot of governance sprinkled in. We do have a separate firewall and networking team.
the_Grinch
I find a lot of companies throw everything and the kitchen sink into their postings. I submit when I have at least three of the skills they are looking for. Also, often they look at your resume and from there decide if you'll fit the bill.
UnixGuy
Good points, guys... my issue is, how do I really gain experience with all of this? I know getting enough firewall experience isn't really difficult, but I'm finding it challenging to get positions where I get this sort of diverse experience. I'm still going to the interview, but I know I will struggle if I get this position...
UnixGuy
And now another recruiter is asking me if I have experience with Splunk and iOS and Android security... ummm
Sheiko37
I'm also in Australia and have two friends who've just done a lot of applying and landed security jobs recently; they saw a lot of what you're describing.
I'm guessing the roles you're going for aren't high-level $120k+ roles, more entry/mid level around $70-90k? In which case you're not expected to be an expert across all these different areas, and the people who are experts and that experienced wouldn't be applying for this sort of job. They just list everything on the job listing because they likely don't even know what they want; they're looking for someone who can tell them what can be done.
In regards to your question of how you get experience across everything: well, you land one of these trial-by-fire jobs and become "the security guy".
I wouldn't be worried about the interview. Tell them what you have experience in and what you don't, tell them what you're interested in and where you want to learn. I wouldn't try to float through an interview saying you kind of have some experience in all of these areas when they bring them up, because they'll be left with the impression that you don't know much about anything; just focus on what you're good at.
UnixGuy
Sheiko: I've been in a role for over a year now where I do a bit of everything, but unfortunately it could be renamed an operations-type role... mostly dealing with the OS and a bit of network troubleshooting. I gained some security experience for sure, but not enough to convince someone to give me a full incident response or red team sort of role.
I'm not on 120k but above 100k, and with handsome overtime and some bonus. I get called for a few roles every month but nothing comes out of it.
I get the odd role that's 80K, but the experience is even worse than what I have now... I think I need to have some serious certifications; that should help.
I'm trying to narrow my focus on pentesting for now and see if this leads to a pentesting role. There seems to be a lot of demand but not enough people with real skills, so I'm aiming for that (for now).
OctalDump
If pentesting is what you want, call around the boutique pen testing companies and see what they want. They mightn't have work available for you now, but if you get the right guy on the right day, they are often happy to spend some time chatting with you. You are then on their radar for when a position does open up.
If you can afford it, SANS is on in Canberra later this year, which might be a networking opportunity.
From the other side, if you are looking at a web/public-facing services pen test type thing, then getting in on the blue team side (enterprise defence or whatever you wish to call it) does help. Knowing how to secure SSL/TLS, set up Apache with SELinux, yada yada, is going to be useful when you're writing those pen test reports and come to the "recommendations" section. Being able to give the 'idiot's guide to securing IIS 8.5' is a good thing to have.
renacido
I might go about it a different way, but it seems to work for me.
I look at the job and decide if it's a job I'd enjoy doing at a company I'd like to work for. I don't stress out if I'm missing a few of their qualifications. It's for them to decide whether or not I'm qualified. I'm honest about my lack of experience in an area if it comes up in an interview. If it's that important to the company that I start from day 1 as an expert on something I haven't worked with recently, it's better for both of us if they don't hire me.
When I see skill sets and experience that are required for the type of job I want to do next on my career path, based on numerous job postings, then I know what I need for those jobs and what gaps, if any, I have to fill. But the one-offs: if those are deal-breakers at company X, I move on.
yzT
I don't see anything odd in that list. Those are typical technologies you should know about if you are planning to become a Security Engineer. Maybe VMware is the only irrelevant one.
About your questions:
1) Except malware analysis, you are definitely going to be exposed to everything else you mentioned.
2) Nothing special on this. It's expected you know that stuff.
renacido
UnixGuy wrote: »
So my two questions are:
1) The position above doesn't mention anything related to penetration testing, forensics, incident response or malware analysis... This leads me to believe that this organization doesn't do these sorts of tasks?
2) I understand that Firewall/Proxy/IDS/IPS/AD are considered perimeter security; is it becoming a separate discipline from things like incident response and red team/blue team work? I'm ultimately interested in red team or blue team sort of work, but I keep seeing positions asking for firewall management, for example, without mentioning anything about incident response.
I'd like to hear some opinions...
1) The organization should do some/all of those things; they just aren't part of this particular role at that organization. They're done by other people (or outsourced).
2) Security engineers can be focused on perimeter security, web/app security, system (server) security, etc., or they can be the guy for all of those things. It depends on the way the org chart is structured and how many security engineers they have. But regardless, incident response and red/blue team are usually a different role (Security Analysts). Security Engineers are more involved with making changes to the environment to improve security, mitigate risks, remediate vulnerabilities, ensure new systems/architecture meet security requirements, etc. I've worn both hats, and those are the main distinctions. Analysts monitor, scan, intercept, contain, eradicate, etc. Engineers design, test and implement new countermeasures, administer/optimize platforms, act as security SMEs to systems/network/app teams, etc.
renacido
yzT wrote: »
I don't see anything odd in that list. Those are typical technologies you should know about if you are planning to become a Security Engineer. Maybe VMware is the only irrelevant one.
About your questions:
1) Except malware analysis, you are definitely going to be exposed to everything else you mentioned.
2) Nothing special on this. It's expected you know that stuff.
Virtualization (VMware) and cloud (AWS/Azure/VMware Cloud) are extremely relevant to security engineering, and will only be more so in the coming years.
Incident response is not normally in the security engineer's job jar; usually Security Analysts (SOC) cover that.
kiki162
I wouldn't worry about some of the requirements. AD is fairly easy to learn. Normally most pentest or forensic positions would clearly state that in the description. I sent you a PM; take a look and let me know.
Sheiko37
UnixGuy wrote: »
I gained some security experience for sure, but not enough to convince someone to give me a full incident response or red team sort of role.
I get the odd role that's 80K, but the experience is even worse than what I have now... I think I need to have some serious certifications; that should help.
I'm trying to narrow my focus on pentesting for now and see if this leads to a pentesting role. There seems to be a lot of demand but not enough people with real skills, so I'm aiming for that (for now).
I've gotten the impression that entry-level pentesting or red team roles aren't that lucrative, and I also didn't know there was much demand around at the moment. I get zero calls about job offers; you must be well networked.
I'm planning to do exactly what OctalDump mentioned. I have a shortlist of phone numbers and emails from CREST-approved companies that I plan on contacting if I ever get my OSCP.
636-555-3226
Man, I'm only 24 hours late to this thread and tons of people have written back. Any outstanding questions you'd like answered, unixguy?
As others said, the post is written by a company that doesn't have an infosec manager. Security departments should always start with knowledgeable infosec managers; otherwise you just have some network or sysadmin manager throwing all kinds of scheisse out there, thinking he's going to get Superman who can do all that and accept their 70k-a-year job.
UnixGuy
yzT wrote: »
..
2) Nothing special on this. It's expected you know that stuff.
^^ It's really challenging to get experience in all of these areas. I guess the only way is to get a job and learn on the job... along with labbing at home...
@renacido: that explains a lot! Thanks.
@kiki162: thanks, I replied to your PM!
@Sheiko: they sure are; have a look at Seek!
@636-: this forum is great, isn't it? I guess it would be nice if you shared what you think the best way is for me to gain experience in such a diverse set of technologies? I feel that I don't know enough...
TechGuru80
The skills listed are pretty common for what is desired. Usually people will have varying exposure, and it could come down to the specific tools/technologies an organization has at their disposal.
1. That doesn't mean the organization doesn't do those other aspects. InfoSec is not solely pen testing, forensics, incident response, or malware analysis. Other aspects can include governance, risk and compliance, network & system security (configuration aspects), auditing... and many other areas. Is it possible they don't do those? Sure... but it is also possible that they have other roles performing those tasks and are looking for skill sets that they don't have or need more of... Ask if you get an interview, but if it's a big organization they are doing them in some fashion... I hope.
2. AD is not really perimeter security... usually that term is reserved for Firewall/Proxy/IDS/IPS etc. Blue team and internal SOC teams generally review logs from those technologies in some kind of SIEM tool, and then there are engineers who configure them. Your SOC teams are generally where incident response sits, but depending on the organization, engineers might have a role in incident response.
The reason why you see some of the duties separated is that best practice is to separate the person who configures something from the person who reviews the activity. Large organizations will usually have more separation of duties because they have the budget, whereas smaller companies have people performing a lot of different duties.
Danielm7
UnixGuy wrote: »
^^ It's really challenging to get experience in all of these areas. I guess the only way is to get a job and learn on the job... along with labbing at home...
It is. This is why everyone says, frequently, that security is rarely your first IT job. I know it isn't yours, or even your first security role, but you also say most of your role isn't security either. Not many people jump into an engineer role as their first job in a new niche. Even if they do, those people were typically systems or network engineers first and have a high-level understanding of most of the stuff you listed.
636-555-3226
UnixGuy wrote: »
This is a list of the stuff the "Security Engineer" is expected to work with:
Mandatory:
Firewalls, WAFs, Website security, Active directory
Highly Regarded:
DLP, Mobile device management, IDS/IPS, VPNs, Certificate Management, SIEM, Nessus, VMWare, Oracle or SQL Server, Windows Server
Again, this is a bad position written by someone who doesn't know what they're doing. Firewall management - this is an old-school infosec requirement, and I'm of the belief that it's a network role and not an infosec role. If you don't already know firewall management, you can't really practice this on your own. Sure, you can buy some Cisco gear off of eBay and learn the ropes, but if they expect you to be a firewall manager for security purposes, you're going to need years of dedicated experience that a home lab isn't going to give you. And that's just the first requirement...
I'd ignore this post and start learning the ropes on your own. Nessus and Splunk are free to download and use. Do it. Ubuntu or Mint are likewise, to learn Linux. You've got the (expired) CCNA experience, so your networking should be OK. Download and play around with Kali (and get some cheap books on it on Amazon) to learn the basics of how penetration testing works.
Most important - ask around at work and see if you can help with any security stuff. If you have a security dept, I can guarantee you they're overworked, so if you can convince them (and your boss) to let you help out with just the basics at first, it's a foot in the door.
NetworkNewb
636-555-3226 wrote: »
Most important - ask around at work and see if you can help with any security stuff. If you have a security dept, I can guarantee you they're overworked, so if you can convince them (and your boss) to let you help out with just the basics at first, it's a foot in the door.
I'd go and assign them an audit to do, and they would probably end up wondering why people want to get into security so bad.
UnixGuy
Danielm7 wrote: »
those people were typically systems or network engineers first and have a high-level understanding of most of the stuff you listed.
^^ I am one of those people, by the way.
renacido
636-555-3226 wrote: »
Again, this is a bad position written by someone who doesn't know what they're doing. Firewall management - this is an old-school infosec requirement, and I'm of the belief that it's a network role and not an infosec role. If you don't already know firewall management, you can't really practice this on your own. Sure, you can buy some Cisco gear off of eBay and learn the ropes, but if they expect you to be a firewall manager for security purposes, you're going to need years of dedicated experience that a home lab isn't going to give you. And that's just the first requirement...
If you're saying that firewall administration isn't one of the core proficiencies that every infosec pro should have, I agree. However, I think they should still be managed by infosec pros, because we know the threat environment and we focus on security risk. If FW management is under IT Operations' umbrella, I think they will always be too lax, too permissive, because IT Ops has different priorities. At a minimum, the Security department should do routine auditing of the FWs and the configs, and check for port/protocol hygiene, good security practices, strong passwords, etc.
I'm personally a fan of security pros who specialize in network security. Network security isn't just about the perimeter. You need someone to ensure you have good segmentation and ACLs, oversee how your IP space (public and private) is managed, look for vulnerabilities related to DNS, DHCP and VPN, be able to identify malicious traffic, and know how best to leverage your FWs, proxies, NIPS/NIDS, etc. based on the threat/risk picture and normal network behavior there.
UnixGuy
636-555-3226 wrote: »
.. I'm of the belief that it's a network role and not an infosec role....
^^ That's what I wanted to hear!!! And that's what I think too. I have experience setting up host-based firewalls and automating it... and currently I have to monitor the health of firewalls, I also log in to firewalls and analyse PCAPs, and I troubleshoot network problems... but I haven't got a chance to install/configure firewalls for serious environments, and I'm exactly interested in that, to be honest. I've always worked in environments where network engineers did that! They're the best people for the task, to be honest.
636-555-3226 wrote: »
I'd ignore this post and start learning the ropes on your own. Nessus and Splunk are free to download and use. Do it. Ubuntu or Mint are likewise, to learn Linux. You've got the (expired) CCNA experience, so your networking should be OK. Download and play around with Kali (and get some cheap books on it on Amazon) to learn the basics of how penetration testing works.
Most important - ask around at work and see if you can help with any security stuff. If you have a security dept, I can guarantee you they're overworked, so if you can convince them (and your boss) to let you help out with just the basics at first, it's a foot in the door.
Yep, I agree. I have tons of Linux experience, I passed the eLearnSecurity student pentest course and I'm doing the PTP now. It's just that posts like these make me think wth, where do I even start; damned if I'm expected to be a firewall and proxy ninja before even starting.
yzT
I think this kind of conversation will lead nowhere for one reason: most people here are from the US, and there everything is different than in the EU (and in UnixGuy's case, Australia).
/offtopic
In the US you are used to field-specific knowledge and positions. This is something I've been noticing since I joined this forum three years ago, and it was recently confirmed by a colleague who spent the past 8 years working in San Diego.
The university programmes in the US are too specific to a single topic, while in the EU they are too broad. The outcome of this is that EU people have better skills for handling every situation, while US people are often lost if you take them out of their comfort zone. In fact, that colleague told me that most people in a lead position in the companies he joined, and the nearest ones, were all from the EU for that particular reason.
That's also why the certification industry is more expanded in the US than in the EU, for that simple reason of focus on a determined area.
Just to be clear, I'm not saying EU people are better than US people, just that they are more prepared to address any situation. On the other hand, while a US guy is in his area of comfort (i.e. the field he has knowledge in), it's pretty likely he's more proficient than his EU counterpart.
/ontopic
So getting back on topic, for US people this position looks like "what the hell, that's a pretty bad position because they are mixing a lot of stuff", while for EU people it is, like I said, "nothing odd in that description". That's also why I stopped being as active in this community as I was before, because often it's a "fight" between different mindsets, so job-wise if you are from the EU you can't really trust what someone from the US says and vice versa, because there are different systems and knowledge backgrounds.
636-555-3226
yzT wrote: »
So getting back on topic, for US people this position looks like "what the hell, that's a pretty bad position because they are mixing a lot of stuff", while for EU people it is, like I said, "nothing odd in that description". That's also why I stopped being as active in this community as I was before, because often it's a "fight" between different mindsets, so job-wise if you are from the EU you can't really trust what someone from the US says and vice versa, because there are different systems and knowledge backgrounds.
I see your point, but in security land you have to be specialized to be any good. Nobody spends a few days learning intrusion prevention systems and then becomes any good at them. To actually be any good at security you need that specialization. A company that hires a guy who is at 101 level with SIEM, AV, pentesting, secure web programming, and writing policies/standards is a company that isn't going to succeed at any of the action items it has planned. Being a jack of all trades is great for level 1-3 workstation support and even some server work, but some areas of IT (esp. security) get really deep really fast.
renacido
The EU-US argument is really an argument over the value of generalists vs specialists.
With scale and complexity, specialization becomes a necessity. I'm sure that even in the EU, very large IT enterprises aren't made up of generalists who all know the basics of everything. It just wouldn't work.
Likewise, a small IT staff drives the need for generalists who can do it all, or at least cover adjacent functional areas when people are sick, on vacation, etc.
In the US, the smaller the company, the smaller the IT staff, and that drives a need for more generalists and fewer specialists. When a few people have to do everything, those guys need to know the basics of everything. But you don't see the demands or the complexity in any functional area of a small company that you see in a big Fortune 500 company, especially one with a heavy regulatory burden (Sarbanes-Oxley, PCI-DSS, NIST, HIPAA, NERC, ISO27000, etc.). Big complex IT environments NEED specialists, or they either suffer from degraded performance or waste a ton of money due to very weak implementations that don't realize maximum ROI.
Where the "leads" (managers?) are from the EU because they have a broader span of skills... First, managerial roles are less specialized because they're usually responsible for a broader range of activities and functions. Second, if it was an EU-based company that promotes from within or sources candidates for management positions in the EU, it's not surprising that those are filled by people from the EU.
UnixGuy
I don't see a big difference between US/EU/Australia, to be honest; I think it depends on the size of the company and the maturity.
My idea is, security pros can define the rules and network engineers can configure/apply the rules. Network engineers can set up the firewall, configure clustering or virtualisation across the devices, etc., but as a security pro, I don't necessarily think this should be your job. Sure, it's good to have that, but then can you install and configure servers? Can you cluster database servers and secure them? NO, it's not possible that you know everything (reality check). But you can know enough to recommend best practices, audit, pen test, parse the logs, set up your SIEM, and make sense of IDS. That's what I think.
Anyway.. Update:
Got approached for a job to do DLP work... plot twist #1: it pays significantly more than what I make now (30% more), with no overtime and no on-call. Plot twist #2: it's in a different state... so I need to relocate, make new friends, etc. etc. etc. (trying to make a decision soon)
OctalDump
renacido wrote: »
The EU-US argument is really an argument over the value of generalists vs specialists.
The way I've heard this argument "resolved" is that good specialists are also decent generalists - that you build on a generalist base to become a specialist, and you have some appreciation of the broader picture.
UnixGuy wrote: »
I don't see a big difference between US/EU/Australia, to be honest; I think it depends on the size of the company and the maturity.
That's my feeling, too. There are more "big" companies in the US, since it's about 15x the population. And "big" companies are the only ones large enough to make a real contribution to standards etc. Small companies just don't have the resources. The end result is that best practice tends to make assumptions which hold true for larger organisations, but might not be true (or reasonable) of small organisations.
There's actually a guy doing research on some of these best practice frameworks and how they work in Australia.
UnixGuy wrote: »
Anyway.. Update:
Got approached for a job to do DLP work... plot twist #1: it pays significantly more than what I make now (30% more), with no overtime and no on-call. Plot twist #2: it's in a different state... so I need to relocate, make new friends, etc. etc. etc. (trying to make a decision soon)
I don't envy the choice. It sounds exciting, but it's a big move. Hopefully it's not Adelaide or Sydney.