Security Folks (Question in regards to a position like this)

DatabaseHead (Member, Posts: 2,753)
Just curious how realistic it is for someone to cross fields into a role like this?

The reason I ask: I see these positions pop up at my current place of employment, but I'm always gun-shy about applying. It's either a total hit or a miss in regards to the bullets. Worst case, we all get a good laugh!

RESPONSIBILITIES

  • Analysis of security logs including data acquisition, data cleaning, and creating security alerts based on data - I perform a lot of data cleaning, analysis, acquisition, etc. Nothing in the security space though.
  • Scripting, customization, and light application development within SIEMs (Splunk, etc.) - No clue.
  • Behavioral analytics and search/query design involving very large security datasets - I mine large sets of data for finance and supply chain. Nothing really in the behavioral realm.
  • Organization and manipulation of medium to very large data sets - Oh yeah, this is in my wheelhouse (home run).
  • Create written reports, dashboards, and visualizations - Absolutely, I do this all the time; it's 50% of my position.
  • Analyze data for trends, statistical patterns, and intelligence - See above.
  • Develop security use-cases for insider threat activity and malware behavior - No clue.
  • Incident and alert response - No clue.

EXPERIENCE/SKILLS
  • Experience interpreting security logs and related datasets - No.
  • Strong analytical skills - Yes.
  • Windows events, endpoint processes, *NIX event logs - Not really.
  • Knowledge of network design, security tools, and TCP/IP protocols - Not really.
  • Excellent oral and written communication skills - Yes.
  • Ability to excel in a team environment; self-starter - Yes.
  • Strong ability to work without direction towards a desired outcome - Yes.
  • Programming/Scripting – Python and XML preferred; R a plus - XML and R, ~2 years (PS: R is pretty easy).
  • Experience with APIs and moving data between databases and applications - Yes.
  • SQL and SQL databases - YES.
  • Advanced Excel; Microsoft Office, PowerPoint, etc. - YES.
  • Experience with Splunk (preferred) or other SIEM-type platform - No clue.
  • Must work well under pressure, multi-task, be dependable and accountable - YES.
I'm just curious what it would take for people from different spaces to transition? Thanks for any insights.

Comments

    paul78 (Member, Posts: 3,016)
    This looks like a tier-1 SOC position. It depends on what type of role you would be transitioning from - for someone coming from a NOC or a net/sys admin role, I would imagine it would not be too much of a stretch to transition, apart from learning the security-related stuff.
    DatabaseHead (Member, Posts: 2,753)
    I had no idea that was an entry-level position.
    Danielm7 (Member, Posts: 2,310)
    Depending on how many tiers you have, I'm not sure a T1 person would be doing scripting and application development within a SIEM. Either way though, it's your current workplace; if you're trying to get into security and can even do some of those things and have the desire, I'd apply in a heartbeat.
    UnixGuy (Mod, Posts: 4,565)
    Since it's your current employer, they might be willing to take a chance. Be prepared to invest and upskill.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com

    paul78 (Member, Posts: 3,016)
    DatabaseHead wrote: »
    I had no idea that was an entry-level position.

    I didn't mean to suggest it's entry-level, only that it reads like a tier-1 position - meaning that it's a role where the analyst is doing the initial triage of SIEM events. I am guessing that the role probably includes scripting to integrate new data sources and other data analysis work. As @Danielm7 indicated, your best bet is to just ask, since it's your current workplace.
    DatabaseHead (Member, Posts: 2,753)
    paul78 wrote: »
    I didn't mean to suggest it's entry-level, only that it reads like a tier-1 position - meaning that it's a role where the analyst is doing the initial triage of SIEM events. I am guessing that the role probably includes scripting to integrate new data sources and other data analysis work. As @Danielm7 indicated, your best bet is to just ask, since it's your current workplace.

    If someone says Tier 1, I automatically assume entry level. Former tortured help desk employee.

    @Danielm7 - I'm just trying to ride the wave, make money.
    TheFORCE (Member, Posts: 2,297)
    Depending on the SIEM in use, adding data sources is pretty easy: click, click, click, OK. The hard part with SIEMs is getting the correlations set up correctly and setting up meaningful alerts, reports and threat intelligence feeds, if any. And then having the manpower to actually review all the logs - that is insane! Dashboards help a bit, but still not much.

    DatabaseHead: Stay where you are, man; you are better off working with databases. All of this software uses databases. If you want to change roles, look at post-sales implementations of IAM tools and UBA (User Behavior Analytics). Plenty of companies out there are looking for people who know how to configure, troubleshoot and correct database issues, and those tools are heavy in databases. You will be making big $$$. I worked with a few DBAs in my past job; the guys were working remotely building everything. They actually taught me some stuff with SSIS also, but since I left my job I've never had to use SSIS again and forgot everything.
    jamthat (Member, Posts: 304)
    This reads like it's a Splunk-centric position (mentioned multiple times). If so, and you're into logs/data, it wouldn't hurt to try it out. The SIEM/UBA component may just be the Splunk apps (ES/UBA) that facilitate this functionality. It's all highly customizable, but works well out of the box.

    Beyond that there is so much more to Splunk - especially if you're tasked with assisting other business units outside of just Security (making data meaningful, dashboards/visualizations, etc.).

    It's also free to use at home with a cap of 500 MB/day. Install it, throw some logs or test data at it, and go to town.