Thoughts from conducting Jr security analyst interviews

2»

Comments

  • yellowpadyellowpad Member Posts: 192 ■■■□□□□□□□
    Thank so much for this thread....I am okay and usually enjoy interviewing others. Once I become the person across the table being interviewed, I get nervous.....I need to overcome this.
    Completed MSCIA f/ WGU~ CISSP 5-days boot camp scheduled :)
  • Christian.Christian. Member Posts: 88 ■■■□□□□□□□
    yellowpad wrote: »
    Thank so much for this thread....I am okay and usually enjoy interviewing others. Once I become the person across the table being interviewed, I get nervous.....I need to overcome this.

    Something that helps me is thinking about the interview just like a conversation, but in a more formal setting. They want to know you, and you want to know them. If you are sitting across the table, that means they already liked something about you and they just want to know more.
    CISSP | CCSM | CCSE | CCSA | CCNA Sec | CCNA | CCENT | Security+ | Linux+ | Project+ | A+ | LPIC1
  • markulousmarkulous Member Posts: 2,394 ■■■■■■■■□□
    Danielm7 wrote: »
    That's fine, I don't agree, but I'll explain my side. My resume screening process for an jr level contractor consists of a very trusted recruiter doing the first wave. He's been doing IT recruiting for a long time, but he talks to them about their jobs or experiences, he doesn't tech screen them. He gives people who can have a reasonable conversation who have related things on their resumes. When he contacts me and says, "This guy has his BS in IT security, had 2 internships and a contractor role as an analyst for a few months and is studying for his net+ and sec+" I see someone who sounds new but likely has a lot of drive and interest and I look forward to talking to them. I look over the resumes, check linkedin for people I'm interested in just to see if there is more detail and there frequently is, and I setup a first round phone screen to get an idea.

    As for the overqualified ones, this is a jr level position, if you have an MS, 10+ years in IT and 3 years in security and you're already a security engineer, why are you applying as a jr level analyst? Best case you're just trying to get out of your current role badly and will likely leave me in 3 weeks when you find a better job you're already qualified for, worst case your resume is all fake. I know different people have different reasons for taking different types of jobs, but the the two that we ruled out that fit that bill have yet to explain to the recruiter why they'd want to take such a step down.

    I in no way expect someone to know about all things infosec, I don't, neither does anyone really. I expect them to have a reasonable foundation. I try to get a baseline of what they know, and when you can't even tell me that a VPN allows you to connect to another network or even that it's a tunnel and you basically fumble over words for 5 mins, can't even explain at the most basic level what 2 factor authentication is, that even my wife (who is in no way technical) who says "that's when I get a text message as a 2nd way to log in with my password, right?" and when asking about internal or external / public or private IP addresses I'm told "well, I guess one is external and one is internal" and that's it... then it's not me just being picky and expecting too much, it's someone who needs to hit the books again.

    I ask very basic questions to start then we can dive deeper. For example, someone asked me about VPN when I was hired. I said I had set them up as a systems engineer in the past. We got into the way I did it on a Sonicwall vs how they do in Cisco, IPSEC vs SSL, etc, we went deeper. I wasn't expecting deeper I was expecting a general understanding of a technology so when they bring an alert and I say, "oh that's a remote user who is connected via VPN let's reach out to them" they don't stare at me like I have 6 eyes.

    I've interviewed people and have sat next to my supervisor and listened to a bazillion phone interviews that he's received AFTER a recruiter has sent them over and you are absolutely correct.

    You'll get some people that either lie on their resume or just don't understand simple concepts (VPN, IP addresses, etc). Those people aren't "par for the course" but they do come through on occasion.
  • dustervoicedustervoice Member Posts: 877 ■■■■□□□□□□
    Christian. wrote: »
    It's a phenomenon known as ghosts pings. If you run a continuous ping, an echo is created in the network and it can reply back even if nothing is there. Similarly to what happens with light, you might see something that isn't there anymore. If you ping long enough, you might trace the beginnings of the corporate topology and it helps you to understand changes over time. That's explained in a hidden dark chapter in the ccnp, but it was removed after many people pinged Cthulhu by going too far back, waking him from his eternal sleep and destroying their minds. This is dark network stuff. That guy was just afraid to speak about it.

    icon_study.gif


    Is this some kind of Joke? :)
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    I think with advent of Linkedin, you can get a pretty good grasp on the resource you're interviewing and hiring. The problem here is: The interviewer drills down on subjects that do NOT correlate to the position being advertised. I think If you're interviewing a Jr. Analyst, the Security+ questions suffice. If this candidate already has the Security+ or SSCP, then it should be more about personality.

    For example: We have interns who are on a Rotated roles where they do 6 months in the NOC, they do 6 months in Information Security, they do another in Business Analyst role,etc. They do NOT know everything from a Jr. level and it's not necessary for them to do so. If your line of business has proper onboarding documentation for processing within their role, I can't see why there is such a need to have a deep conversation about VPN,etc.

    Another example: We have big posters of subnets/IP ranges posted on the wall of SOC in case anyone forgets. Not everyone is going to know off the top of their head. It's implied that they don't know.

    We have an array of Linux+, Network+, CCNA and RHCSA, Reverse Malware, etc books on shelf. For those looking to deepen their knowledge and those not in the know.

    I don't see why the process of hiring an L1 analyst has to be like a terrorist investigation with water boarding techniques.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    Remedymp wrote: »
    ...

    I don't see why the process of hiring an L1 analyst has to be like a terrorist investigation with water boarding techniques.

    +1

    This right there. Expectations vs reality, a junior is a junior, sec+ sort of questions are sufficient and a character type questions to see if they're willing to learn.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Mike RMike R Member Posts: 148 ■■■□□□□□□□
    What I'm finding hilarious is all the jobs that code themselves "Entry Level" then you see them wanting 3+ years experience. This is the first time I've been back in the job market in a while, let alone changing occupations. I certainly see the frustrations many people have expressed when looking at job posting that give a list of required skills for a help desk position that no one in their right mind would have. It's like asking for a janitor with a BS and 3 years experience ><.

    /end rant
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    Mike R wrote: »
    What I'm finding hilarious is all the jobs that code themselves "Entry Level" then you see them wanting 3+ years experience. This is the first time I've been back in the job market in a while, let alone changing occupations. I certainly see the frustrations many people have expressed when looking at job posting that give a list of required skills for a help desk position that no one in their right mind would have. It's like asking for a janitor with a BS and 3 years experience ><.

    /end rant


    The Story of Entry-Level Positions That Need Prior Experience
  • Mike RMike R Member Posts: 148 ■■■□□□□□□□
    Thanks that was a great read. Trying to break into the IT field is proving more difficult than I anticipated, it seems like the past 10 years of my life make no difference. Even though it was managing my own small business and handling client relations.

    Anyway thanks again, <3 Techexams.
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    Mike R wrote: »
    What I'm finding hilarious is all the jobs that code themselves "Entry Level" then you see them wanting 3+ years experience. This is the first time I've been back in the job market in a while, let alone changing occupations. I certainly see the frustrations many people have expressed when looking at job posting that give a list of required skills for a help desk position that no one in their right mind would have. It's like asking for a janitor with a BS and 3 years experience ><.

    /end rant

    This is valid. I used the term "entry level" here in a giant block of text somewhere I'm sure. But, it's a Jr level. I think Jr is different depending on the specialty in IT. You might hire an entry level helpdesk person with no prior technical experience if you felt they had great customer service skills and train them on your workflow and knowledge base, but would you hire an entry level SQL database employee who had never used a database? How about an entry level programmer who has never written code before?

    You'd look for someone who might have gone to school for it, or used different databases/languages in other capacities, etc. I view security as a summation of other skills, meaning I expect someone to know basic networking, some basic client/server relationships, etc, a rounded enough background in enough things so you can actually understand what you're securing.
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    If the candidates that they send you your way do not meet your standards and you are part of a forum full of knowledgeable and certified individuals some of which are trying to break into those junior roles, why dont you post here and try to hire someone from TechExams?
  • dustervoicedustervoice Member Posts: 877 ■■■■□□□□□□
    As mentioned before here, when i interview candidates for Infosec or whatever role i rarely asks any technical questions. its all about personality for me. As 98% of the time the solution is just a google search away. my techie questions are normally. what is smtp, how do you perform a ping ,etc if you cant answer those basic questions, i don't move on to personality types.
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    but would you hire an entry level SQL database employee who had never used a database? How about an entry level programmer who has never written code before?

    This is a straw-man argument. There is no such role that even exist for a Level 1 SQL Database analyst with no prior experience in working with data structures. Or a Level 1 programmer who has no prior experience working with code even on the basic level of HTML.

    We really have to stop having these discussion of this imaginary Jr. analyst who has never touched a computer before and is applying for these sophisticated roles. This is madness.
  • KrekenKreken Member Posts: 284
    I always thought that security is a field that you eventually get to and not start with. How can you protect something if you don't know how it works.
  • Russ5813Russ5813 Member Posts: 123 ■■■□□□□□□□
    Remedymp wrote: »
    This is a straw-man argument. There is no such role that even exist for a Level 1 SQL Database analyst with no prior experience in working with data structures. Or a Level 1 programmer who has no prior experience working with code even on the basic level of HTML.

    We really have to stop having these discussion of this imaginary Jr. analyst who has never touched a computer before and is applying for these sophisticated roles. This is madness.

    Quoting that line out of context, you could make an argument for straw man fallacy, sure. But that particular response is Daniel elaborating on his (reasonable) views of the differences between "jr" and "entry-level" positions. I think Mike has a good point as well, in that there are still entry-level jobs out there with ridiculous prerequisites and this isn't always just an HR issue. As to the original post, I think it's fair to expect some level of technical competence from applicants, as long as these expectations are clearly reflected in the job posting. Initiative and enthusiasm are helpful as well :)
  • si20si20 Member Posts: 543 ■■■■■□□□□□
    Kreken wrote: »
    I always thought that security is a field that you eventually get to and not start with. How can you protect something if you don't know how it works.

    I used to think that before I became a security analyst. I met guys with no experience in IT working as security analysts too. Some of them were effective - some were the worst IT-guys i've ever met. But to answer your question: you don't need to know how it works. Say for example we're monitoring a website - and I made the word 'monitoring' bold because security analysts don't protect anything - they monitor stuff. So say for example we see 5 logins to a website - ok that's fine. Say we see 5,000 failed logins to an admin account, we know we're dealing with a brute force. And that is how a lot of dumb asses get jobs in security, because they (unfortunately) don't need to know the underlying technologies.
  • markulousmarkulous Member Posts: 2,394 ■■■■■■■■□□
    Working at a company that develops a SIEM we get to speak with a lot of security personnel. A lot of them don't really understand as much as you'd think they would, but like si20 said, they really don't have to in some cases. You can teach someone how to navigate a SIEM and what to watch out for. Just really depends on their role and how much responsibility they have.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    and the same can be said about a lot of us...we manage Operating systems and install packages ,for example, but we don't understand every detail of how each package has been programmed line by line - and frankly we shouldn't.

    Infrastructures now can be spun with a click of a button, so things will only get easier I think.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    si20 wrote: »
    Say for example we're monitoring a website - and I made the word 'monitoring' bold because security analysts don't protect anything - they monitor stuff.
    And most of them monitors SIEMs, with logs forwarded from firewalls. So if someone disables the firewall log forwarding and start hacking, no one knows. They cannot protect things they are not monitoring. icon_sad.gif
    si20 wrote: »
    So say for example we see 5 logins to a website - ok that's fine. Say we see 5,000 failed logins to an admin account, we know we're dealing with a brute force. And that is how a lot of dumb asses get jobs in security, because they (unfortunately) don't need to know the underlying technologies.
    So we set an alert (or remote IP blocking) for more than 3 failed logins per remote source IP. So if I program my botnet to do only 3 brute force logins per bot, the alert does not go off. :D This is typical distributed brute force login behaviour.
    markulous wrote: »
    Working at a company that develops a SIEM we get to speak with a lot of security personnel. A lot of them don't really understand as much as you'd think they would, but like si20 said, they really don't have to in some cases. You can teach someone how to navigate a SIEM and what to watch out for. Just really depends on their role and how much responsibility they have.
    @markulous is correct and this sort of personnel can be suitable for some junior roles. All we need is the person to follow instructions to the letter. The pay may not be high but the person is just contented. Put in another way, this person will stay in his job for a long time. Definitely not your typical TE forum reader.

    There is a limited pool of good infosec people. So what do we do? We try to automate most of the tasks and reduce it to monitoring aka "staring at the screen for red flashing lights". Not to say that all junior security analysts are just stupid; there are some great ones around. Just that sometimes supply does not meet demand and we have to be realistic.
  • si20si20 Member Posts: 543 ■■■■■□□□□□
    Mike7 wrote: »
    So we set an alert (or remote IP blocking) for more than 3 failed logins per remote source IP. So if I program my botnet to do only 3 brute force logins per bot, the alert does not go off. :D This is typical distributed brute force login behaviour.

    I like your line of thought icon_lol.gif This kind of attack would be slow but more effective than a generic brute force because the chances of a SOC having a rule on their SIEM to detect that kind of thing would be extremely low. But this just highlights the point that i've made in the past and am making now: SOC's are never going to catch everything, thus why so many companies only use them for compliance purposes.

    Trying to not only get a rule developed for that attack, get it tested and working, then get the client's technologies fed into your system, then an end to end test, followed by tuning for noise/false positives... Words that come to mind are: nightmare and headache.

    There are plenty of companies that have been hacked and had a SOC "protecting" them, look at talktalk for example. TalkTalk hack to cost up to £35m - BBC News - and if you look here, you can see who was "protecting" them: TalkTalk hired BAE Systems' infosec bods before THAT hack

    Now if you went a step further and looked at Linkedin profiles, you'll see LOTS of Security Analysts leave the company within months of the Talktalk hack. icon_wink.gif
  • Mike7Mike7 Member Posts: 1,107 ■■■■□□□□□□
    SOC need to get smarter hence the talk about threat intelligence, machine learning, UBA (user behaviour analysis).
    We need Skynet. icon_rolleyes.gif
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    Mike R wrote: »
    Thanks that was a great read. Trying to break into the IT field is proving more difficult than I anticipated, it seems like the past 10 years of my life make no difference. Even though it was managing my own small business and handling client relations.

    Anyway thanks again, <3 Techexams.

    Which area are you trying to get into, if you don't mind me asking?
  • Mike RMike R Member Posts: 148 ■■■□□□□□□□
    Remedymp wrote: »
    Which area are you trying to get into, if you don't mind me asking?

    I'm just looking for a help desk/desktop support role. I have 10 years experience owning/managing my own business but none really in IT. I earned my A+ in January and I'm just looking for anything to get started into the field. I have a interview with a family friends MSP on Wednesday. Currently I'm working on my CCENT which I plan to take this month or EARLY next month and my security+.

    My end goal if you want to call it that is to be a Network engineer, I like to be the person that gets things done. I've done some general troubleshooting for helping people identify where a problem is on a network and it's something I've enjoyed doing. I had a lot of input and direction from some friends at my ISP who are managers/architects now to help me find a path.

    Time for another Nuggets video !
  • RemedympRemedymp Member Posts: 834 ■■■■□□□□□□
    Mike R wrote: »
    I'm just looking for a help desk/desktop support role. I have 10 years experience owning/managing my own business but none really in IT. I earned my A+ in January and I'm just looking for anything to get started into the field. I have a interview with a family friends MSP on Wednesday. Currently I'm working on my CCENT which I plan to take this month or EARLY next month and my security+.

    My end goal if you want to call it that is to be a Network engineer, I like to be the person that gets things done. I've done some general troubleshooting for helping people identify where a problem is on a network and it's something I've enjoyed doing. I had a lot of input and direction from some friends at my ISP who are managers/architects now to help me find a path.

    Time for another Nuggets video !


    Have you created a Linkedin account?

    When I first got started in IT, my opportunity was an IMAC role. (Install, Moves, Adds and Changes) for a Datacenter. Basically, I was responsible for helping building out a Data Center. Constructing the racks, adding the PDU's, adding the servers, wiring up the patch panels and switches. Loading the storage arrays. I did that as a contract for a month.

    By the time I finished that contract, I got my Server+ and was offered a another contract role working in another Data Center as a network tech. Did that contract for a few a month and soon after that I was offered a Desktop role doing migrations from Windows 2000 to XP. I have never worked help desk a day in my life and never will.

    So, my advice is to try and aim for short spurts on contract. That way, you can build a resume for yourself via linkedin and have something to discuss with a recruiter or talent acquisition from HR.
Sign In or Register to comment.