Security Analyst Interview - Some of what you need to know:

YFZblu

Hey all,

Security is such a hot topic here in terms of getting in, certs, knowledge, etc. that I thought I would create a thread on my most recent interview for a Security Analyst position. This is for what they call an 'L1' interview; for those who may have little or no experience in security but have shown interest/understanding of security and bring knowledge to the table that would be useful in a security environment - or in my case having even a little experience gets me calls for new infosec jobs all the time.

In my case I have a small amount of experience working in a SOC doing network log analysis (SIEM), proxy changes, and firewall changes. Here are some of what was asked of me in an interview I had last week:

-First and foremost, Linux. It's everywhere in infosec as many of you know. I won't get too specific on this, but definitely dig in and learn Linux.

-Incident Response methodologies - Which IR methodology do you subscribe to, and please explain it. Can certain steps of your IR methodology be skipped or combined? Give examples.

-Name some infosec conferences you have attended. What security blogs do you review? Where do you get your security news? Who do you look up to in security and why?

-TCP/IP - What is TCP/IP? Explain how TCP works and be as detailed as possible. How does that differ from UDP? Explain from end-to-end how DNS works. Name as many protocols and their corresponding ports as you can. What is the difference between active and passive FTP, and how is it relevant to a stateful firewall? What is the difference between a stateful firewall and a packet-filtering firewall? What is the difference between IDS and IPS? Explain how each one might have an advantage over the other. As you can see, questions evolve from other questions, and the interview was very dynamic in the sense that new questions also stemmed from some of the answers I gave.

-Behavioral / point of view / maturity questions - One might be told that Company A wants to "downgrade" from Windows to Linux and asked how to go about doing that. These types of questions are geared toward weeding out the fanboys who cannot rise above their lust for a certain technology to admit that all platforms have advantages. Event if you don't truly believe all platforms have advantages it is vital to accept that the business runs the show, not the security department and sometimes we don't always get what we want.

-Experience questions: The interviewers handed me a piece of paper with a log on it. I was asked what kind of log it was and to analyze what it was telling me. From there, I was asked to make determinations about this traffic and explain exactly how I got to those conclusions. The reason I call this an "experience" question is because if one has never seen that type of log in their life, they may have no idea what it was or how to approach it. This is where manufacturing experience comes into play - setup different types of logging at home, review it, analyze it, etc. That way if you have never worked in security and someone hands you that log you can at least begin to assess what's going on. We do it for Cisco with our labs and the same holds true here. Examples of this are firewall logs, proxy, windows logging, linux.

-Code: I said this in a post the other day - Do yourselves a huge favor and learn to script and at least learn to read some code. I put it off forever and it is biting me in the butt. I'm basically drinking from the firehose trying to get up to speed. Much like the Linux thing I won't get too detailed about why/how, just learn it.

-Last but not least know what you claim to know. This applies to all jobs of course, but do not put anything on your resume that you cannot defend in detail with specific examples. This interviewer did an excellent job of attempting to weed out any BS. If I didn't know something, I flat out said I didn't know it. In cases like that showcase your resourcefulness and demonstrate how you go about finding the right answer. If you bomb an interview because you were asked a ton of application security questions, when you never claimed to know appsec in the first place, move on without dwelling on it - IMO that is a bad interview setup by people who did not properly match candidates with the job responsibilities.

There was much more to this interview, it was basically rapid fire for an hour and a half. I did want to put a high level overview out there of what I see / what is expected of me as an L1 in security. This is my perspective as a relative newb in security and I'm sure the more tenured and knowledgeable security people here will disagree with some things or maybe have more to add. I hope this helps some of you.

JasminLandry

WOW! Thanks a lot, hopefully this will help me in the future!

docrice

Good post. I sometimes perform the role of the technical interviewer for infosec roles and I agree with the content. I look for biases, approach/logic to different subjects, and (what I perceive as) honesty/transparency in the candidate's self-assessment of his/her abilities. Security staff tend to have direct access to a lot of sensitive information so determining the character of the individual as well as the hard skill set are big factors.

cyberguypr

Great insight man. I see the question "how do I get into InfoSec" pop up all the time and this is golden. Thanks for sharing.

joneno

Dude,
I actually printed this out for my coworkers. Good job!

YFZblu

docrice wrote: »

Good post. I sometimes perform the role of the technical interviewer for infosec roles and I agree with the content. I look for biases, approach/logic to different subjects, and (what I perceive as) honesty/transparency in the candidate's self-assessment of his/her abilities. Security staff tend to have direct access to a lot of sensitive information so determining the character of the individual as well as the hard skill set are big factors.

Thanks - That's another good point regarding sensitive information and I would like to expand on that because it could certainly come up in an interview. Think about why it might be importation to act with discretion from both a technical standpoint and a non-technical standpoint. A couple of stories on that:

Non-technical standpoint: Where I work we use an internal ticketing system only the Security people have access to for documentation, and an "external" ticketing system which is used by the entire organization for when Security needs to interface / send a request to admins or local technologists. If a VP gets caught performing unscrupulous activities (bittorrent, pr0n, etc) it is in the organizations best interest to keep it private for a variety of reasons. Of course there are times when an organization is legally bound to disclose, but that's a different story.

Technical reasons: We don't want too many hands in the cookie jar when something goes down. Unfortunately my security team's leadership did not define a small group to be part of the Incident Response team where I work. So when something big happened, a security manager reached out to an admin, who told another admin, who told an entire NOC, who told the data center operations team, and suddenly we have 60+ people on a bridge call and everyone is asking "who, what, when, where, why" questions. This was extremely unproductive during an Incident because people began to go rougue, started unknowingly destroying evidence, and generally creating a massive cluster of fail.

Bill3rdshift

Agree fully, excellent post my fellow security enthusiast The interviews seems to be very methodical and if one prepares properly, the candidate should have a leg up on the competition. IMO the time spent preparing will pay dividends and should exude confidence.

I bought and used this IT Security Interviews Exposed book: IT Security Interviews Exposed: Secrets to Landing Your Next Information Security Job: Chris Butler, Russ Rogers, Mason Ferratt, Greg Miles, Ed Fuller, Chris Hurley, Rob Cameron, Brian Kirouac: 9780471779872: Amazon.com: Books

It's not the best security book but it's affordable. It gave me a guideline so-to-speak to follow and keep focused. The information in the book is straight forward security technologies and such. They could have went more in depth but for $20 it should do the trick.

I also use Hacking exposed 6 and the college book for security +. Good luck to future interviewee's

Again, great thread!!

Master Of Puppets

Great post!This is the first time that I'm congratulating someone on something other than getting a job/cert but..Congrats!IMHO, you got everything spot on, I don't know how we can disagree with you. While there may be some stuff that can be added, what you shared is true and I think it will be useful to many people.All of these and more happened to me when I was applying for my job. I had a little trouble with the logs because, frankly, I never took the time to deal with them. The total lack of real world security experience almost cost me the job so I had to think outside the box. Here in this industry that matters quite a lot, if you ask me. So to compensate I took a risk - I asked if I can take out my laptop and show them exactly why they needed me. A little more than an hour later I was getting introduced to the security staff and was given my first task - to show them what they did wrong The moral of the story is that sometimes the experience barrier may seem to tough to break but if you have the skills there is a way(the hardest thing was getting an interview in the first place). Following the great things in this post, you should be able to get the ball rolling.

docrice

I second the IT Security Interviews Exposed book (mine is actually about five feet away from me at the moment). I went through that book within a day some years back. It's a good overview. Certainly not deep, but it does cover a lot of points employers might look at.

I just wanted to add a little more to the thread since I understand the desire to get into the seemingly fancy-sexy world of digital "cyber" security with all the talk about vulnerability assessments, intrusion detection, firewall evasion, traffic interception, social engineering, penetration testing, risk analysis, incident response, malware eradication, target reconnaissance, disk forensics, advanced persistent threats, next-generation prevention systems, and whatever other meaningless marketing-speak that's deployed as verbal spam at conferences like RSA in order to impress CIOs who will recommend their IT managers to buy the latest PacketPewPew Appliance which will identify/contain/eradicate the threat agent.

While I don't speak for the profession nor the industry since I'm just another guy on the front lines, I will say that if you like the subject matter, this stuff can be both fun and frustrating. It's frustrating because it's 1) high maintenance, 2) you'll never get it perfect, 3) sometimes the work can be enormously tedious, 4) there are never enough hours in the day, and 5) many people, including management, will never really "get it" except for the purposes of regulatory compliance and therefore general support for your efforts might be lacking.

As a network security engineer for a company in the information security industry, I'll say that the life can potentially be very fast-paced, demanding of perfection, and yet will always default to some degree of less-than-perfect compromise. Infosec is typically tasked with many corporate secrets and responsibilities that if not handled properly means damage to a business' brand and thus market position. To the business you're just another line-item expense unless you're in a consultant type of role which helps the organization profit. There's never a trophy waiting for you. Just more work. But that's okay if you love this stuff and don't mind constantly putting in the effort to stay up on the world developments around you.

This is why interviews for security positions can involve a lot of heavy scrutiny while a large magnifying glass scrolls over your person. Your skills, ability to adapt, comfort zones, awareness of self-biases, personal interests, social interaction, communication abilities, presentation quality, career hopes, and ultimately trust in character all factor in. While technical skills are important, someone's candidness and honesty is perhaps even more important. Your objective sense is crucial.

When I conduct interviews, my questions are sometimes simple ... but not easy. They're designed to invoke discussion so I can see how someone thinks, the kinds of assumptions which are made, the approach one takes to solve a problem, and how they react when they hit a brick wall. I've done interviews on my own that lasted over an hour, perhaps two and the time flew by.

At the end of the day, often times specific technical skills can be trained. Character flaws or other mental limitations, however, cannot. We security people can be an impatient bunch and very scrutinizing for a good reason - we have to trust you if we're going to work with you. That's why going through the ringer in an infosec interview can involve a lot of pressure. If you don't know something, just admit it. There's nothing wrong with it. No one knows everything and it becomes a question of how motivated you are and how well you can deliver.

And don't brag about certifications. We won't always give you the same level of credibility as you might hope.

paul78

@docrice - great points and I wanted to add on as well.

docrice wrote: »

.... many people, including management, will never really "get it" except for the purposes of regulatory compliance and therefore general support for your efforts might be lacking...

Well... I can assure you that I get it. It largely depends on the industry that the company operate in. For regulated entities, it's not just about regulatory compliance but there are some business drivers such as reputational damage and competitive advantage as well. In the EU and US, at least, the risk of not having an adequate information security and risk management program can be a death-toll for the business.

docrice wrote: »

... always default to some degree of less-than-perfect compromise....

That's an important trait that I would expect hiring managers look for - it's not always about having the right solution or control to be applied to a security problem. But it's about understanding the business context and having the judgement to apply appropriate risk response measures. Too often, I come across eager but very technically competent security professionals that want to deploy some control or remediate some security issue understanding if it will actually reduce the threat.

There is always a level of risk that a business is willing to accept. Otherwise, the activity should not be conducted. When interviewing, there will always be soft questions which are scenario based.

docrice wrote: »

... And don't brag about certifications. We won't always give you the same level of credibility as you might hope.

I couldn't agree more. I think in the company that I work at, we are probably 50/50 in terms of people with zero certifications that work in security.

dou2ble

This is good stuff. As someone who's been involved in interviews for 3 years I have two things to add.

1. Read and reread the description of the job so that you can somewhat guess what type of questions you'll get based on the environment you're going into. Is it DOD DIACAP, SOX, GLB, NIST, etc...

2. When they ask you when security should be implemented (ie SDLC) always say - at the beginning. This doesn't mean it will be, but it will be a battle never won completely and continually fought.

GreenHornet

I just ordered this book from amazon. I've been trying to get hired working in security type job role. It's been difficult for me since I don't have any experience working in a soc environment, and I have some basic linux skills. That's why I dedicated at least 2 months to researching specific job roles focusing on their requirements, experience, required skills, description (job role), which cities were in demand for them, and salary. In 2014 I decided to focus on Network Security Analyst job role.

White Wizard

WOW.

Is this kind of questioning common for infosec jobs in an interview?

Most of what you said I could answer solely off my Security+ knowledge.

Was this a government position? Wondering if government infosec jobs have tougher interviews to weed out candidates.

YFZblu

Not a government job - This was for a large financial firm.

Master Of Puppets

Again - in my experience showing them your skills with projects/work/whatever you have on the spot does the trick. This way there is no bullshitting and your true level becomes clear. That applies to the highly technical interviews.

geek4god

You mention coding/scripting a couple times. I assume bash for Linux do you see PowerShell being used from a security standpoint on the windows side? Python seems to be the default language for security would you agree with that or are you/would you recommend another language. Is there a Linux distro that is more popular than others?

YFZblu

geek4god wrote: »

You mention coding/scripting a couple times. I assume bash for Linux do you see PowerShell being used from a security standpoint on the windows side? Python seems to be the default language for security would you agree with that or are you/would you recommend another language. Is there a Linux distro that is more popular than others?

My team doesn't use Powershell, but I can see how it could be useful; especially if performing Incident Response on a large scale Windows compromise. I learned Python for automating tasks, creating things, and understanding the basic logic of writing code. I learned JavaScript to help reverse eng a lot of what we see in terms of exploit kits. But it doesn't have to be Python, Perl is a great language as well. Next up will be C, because I want to get closer to the hardware and shore up a lot of the weaknesses/dependencies I was left with by the high-level languages - and because eventually I would like to help perform some of our initial malware analysis. Reading assembly language is somewhere on the horizon I suppose, but that's not something I'm thinking about yet.

In terms of Linux, we work on Ubuntu desktops and servers of varying *nix flavors. Start with the basics, which is all pretty generic. A year ago I started with the Linux+ material. I didn't get the cert though, I didn't feel it was necessary for me.

lsud00d

White Wizard wrote: »

Most of what you said I could answer solely off my Security+ knowledge.

I'm not sure what your background/experience is beyond S+ but it is a far cry from technical Security positions...I think it's most helpful for ports and general concepts but it won't take you as far as these interviews go.

the_Grinch

Port numbers and the services that run on them. Haven't had a information security interview that didn't ask me what port belonged to which service.

wes allen

10 ways to prep for – and ace – a security job interview - CSO Online - Security and Risk

LinuxNerd

Great advice in this thread. Thanks to everybody who contributed. Another way of landing a good security gig is to code a decent program, publish some good white papers and develop relationships over time with different individuals in the security industry. If you know your stuff, you're in.

macsmalls

Thanks guys, ordered that InfoSec Interview book from Amazon.

New2Network

Thanks, Ill definitely be ordering this book & researching the information on the thread. I've got 5 months in a S.O.C & will keep on researching

alias454

Nice Post. What can an "L1" expect to make?

CIO

Excellent post. Like yourself, i also placed programming and linux on the back burning now I'm playing catch-up in order to break into the security field.

YFZblu

Man - I vividly remember writing this post. A lot has changed, a lot has stayed the same. If there's interest, I could write a follow-up post in this thread based on my experiences over the last 3-4 years.

alias454 wrote: »

Nice Post. What can an "L1" expect to make?

In 2013 when I got my first security job (as an L1), I made $55,000. The interview I posted about here, also for an L1 analyst role, bumped me to something like 70k. These days I routinely see L1 Analysts just starting out making 75k+

NavyMooseCCNA

My goal is to get into IT Security and I just ordered this book. Thank you for posting it!

Kiyori

I just found this thread....I have about 4 months experience as a Service Desk Analyst, and looking to try to break into the InfoSec field. The latest certification I have is Associate of (ISC)2 SSCP, and working on CISSP; I also go to school full-time, working on my BS in IT Security.

I would love it if you could renew this topic, and write about what you see these days. Your original post was more than a few years ago. How have you progressed so far, do you get to look at candidates' profiles for positions, other than a general knowledge what kind of skills should a tier 1 be bringing to the table....these are some of the more particular questions I have.

THanks!

Kiyori

I just found this thread....I have about 4 months experience as a Service Desk Analyst, and looking to try to break into the InfoSec field. The latest certification I have is Associate of (ISC)2 SSCP, and working on CISSP; I also go to school full-time, working on my BS in IT Security.

I would love it if you could renew this topic, and write about what you see these days. Your original post was more than a few years ago. How have you progressed so far, do you get to look at candidates' profiles for positions, other than a general knowledge what kind of skills should a tier 1 be bringing to the table....these are some of the more particular questions I have.

THanks!

kabooter

Even though this thread is a year old, it is one of the best and unique thread here as it touches real life scenarios. I am looking some similar examples on youtube but have not found much stuff. It will be nice if more folks here can contribute something from their recent interviews.

kabooter

YFZblu
Can you please post some more info if possible? Thanks in advance.