
Becoming an Information Security Analyst

Everclear05 Registered Users Posts: 4 ■□□□□□□□□□
Hello all,

I would like to ask the forum what certifications would help an individual seeking a career path as an Information Security Analyst. I have the A+ cert already and I'm working on Security+.

I have 7 years of experience in IT as helpdesk support troubleshooting hardware/software. I also have experience in moves/adds/changes on Active Directory accounts & MS Exchange. I have a little over a year of experience in troubleshooting FP, MX, and DC servers.

Any help you can provide is appreciated.

Comments

  • rogue2shadow Member Posts: 1,501 ■■■■■■■■□□
    First things first, welcome to TE!!!

    Thank you for reppin' the DMV (DC/MD/VA). I'm from Maryland :).

    1. Certification wise you will definitely want to look into the Security+. This exam builds upon the Network+, so I would probably suggest grabbing that while you're at it. This book is the rave of the forum in terms of passing it:

    Amazon.com: CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide (9781439236369): Darril Gibson: Books

    You may want to look into Microsoft certs as well as you have experience with AD and Exchange. Look into the MCITP line (for 2008 Server) or the MCSE/MCSA line (for 2003 Server).

    2. I would say at this point in the job market, apply anywhere you can and network network network. You never know who might get your foot in the door with a defense contractor.

    3. Figure out where in InfoSec you want to end up (Consultant, Manager, Pen Tester/Auditor, etc.). With every sunrise comes an expanding of this new field and the title "InfoSec Analyst" is a lot more general than we may have thought a year ago.
  • dynamik Banned Posts: 12,312 ■■■■■■■■■□
    Welcome to the forums. You really need to work your way into a more advanced position on the systems and/or networking side of things (or development, databases, web apps, etc. if you want to go off in a different direction).

    I'm not trying to be harsh, but given your knowledge and experience, what do you feel like you'd be qualified to analyze from a security perspective? I'd come up with a 3-5 year plan for beefing up your current skill set and then trying to transition that into a security-related role.

    (and everything that r2s said)
  • Everclear05 Registered Users Posts: 4 ■□□□□□□□□□
    Thanks to all for your replies.

    I currently work at a military base as a helpdesk analyst troubleshooting servers, workstations and user account issues. I was previously in the military as an IT doing mostly the same thing. I have not been a manager in terms of planning & development. I have already ordered the Security+ book you recommended from reading other posts in the forums.

    My 3-5 year plan is that I want to move into security policy or certification and accreditation. I'm just trying to make sure I get the proper foundation to understand how all the systems interconnect and how to view that from a security perspective.
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    Get the Security+ and focus on moving into a sysadmin role. There, focus on becoming a damn good sysadmin and take a security mindset when you do things. Depending on where you work you can then find ways to make things more secure and document/write policies. You will be surprised how many places have some crappy out-of-date policies that nobody enforces. They just have them in case they get sued or something.

    Anyways, when I worked for the City I volunteered to update/write/implement basic security for the network. I used Active Directory to push out basic security must-haves according to CERT/NSA and Microsoft guides. Then I rewrote all the policies and got HR and the Union to sign off on them after checking with Legal.

    Then I got permission to send out a weekly city-employee-wide email with basic tips and how-tos, and I put this under the "security training" heading on my early resumes. I used this to get my name out there with everybody as the "security guy".
  • colemic Member Posts: 1,569 ■■■■■■■□□□
    Everclear05 wrote: »
    Thanks to all for your replies.

    I currently work at a military base as a helpdesk analyst troubleshooting servers, workstations and user account issues. I was previously in the military as an IT doing mostly the same thing. I have not been a manager in terms of planning & development. I have already ordered the Security+ book you recommended from reading other posts in the forums.

    My 3-5 year plan is that I want to move into security policy or certification and accreditation. I'm just trying to make sure I get the proper foundation to understand how all the systems interconnect and how to view that from a security perspective.

    For the C&A side, find out when your organization's ACA evaluation is, and volunteer to work with them and help them out with Gold Disk, Retina, etc... then stay in their back pocket and ask every question you can think of! A lot of them have a very specific skillset and won't know the answers, but I just had a spectacular team out here and really learned a lot from them.
    Working on: staying alive and staying employed
  • Chris:/* Member Posts: 658 ■■■■■■■■□□
    Welcome to the forums,

    Most people who are Security Analysts are really not required to have a specific certification but build on a myriad of skills. Those skills are used as a combined approach to understanding the purpose of the organization and what really needs to be protected. To do that you must have a working understanding of operating systems, wired and wireless networks, programming and scripting, current threats, policy management and training.

    Primer: You know A+ and you are moving to learn Security+, but you must also understand networking, and Network+ can give you that base-level knowledge.

    Programming & Scripting: Most really good Security Analysts need to know how to program and script. To take advantage of currently known vulnerabilities and test them, an Analyst often has to create custom test scripts. You do not have to start with programming; there are many mid-level and entry-level Analysts that do not know how to program. To really move forward as an Analyst, though, you at least have to know Python, and you are better off if you know Java and C++ in addition.

    Degree: You need to start your formal education; a BS in Computer Science or Computer Information Systems followed by an MS in Information Security and Assurance (or any form of that MS) will move you forward. You will rarely meet people in this field who do not have at least a BS. Companies typically do not put trust in someone who does not have a formal degree. Most companies like having that paper to back up your trust when we talk about security testing.

    Operating System experience: If you are going to be a Security Analyst you have to become the expert on your team of one OS flavor and have a working knowledge of other OSes. You will typically be working on teams with people who will balance out your skills or lack thereof; market yourself to the rare skill sets and you can earn a better salary. Just be cautious: if you typecast yourself you may have trouble finding work. You should practice with VMware Workstation or Virtual Player using different OSes at home. Complete some Microsoft certs, Linux+, Red Hat Certified Technician and even Sun Certified System Administrator. These administrator certifications will not only show you how to configure the OS properly by the company, they will also help show you what things are often missed in terms of security.

    Networking: There is more to the world than Cisco routers and switches running just TCP/IP. You have to become familiar with wireless, ATM, TCP and UDP. Start with Network+ (since it sounds like you have limited networking experience), then move to CCNA, CWNA and possibly earn the security flavor of each. The knowledge you gain from pursuing these certifications will only help when examining networks.

    SAN: Most companies store lots of juicy data on iSCSI or Fibre Channel storage devices, so at least get a working knowledge of these systems. Server+ will provide you the basic knowledge for SANs. If you want more knowledge look at EMC and NetApp. You cannot suggest means of protecting enterprise data if you do not understand how these systems work.

    Security: EC-Council and GIAC both offer fantastic certifications for a Security Analyst. EC-Council requires you to memorize a lot of information for a test, and GIAC requires you to really understand and apply the information in an open-book environment. You will find opinions on both sides of the aisle for or against these certifications. I believe each has its role and I myself am currently working through both paths. Start with GIAC Security Essentials Certification (GSEC) and Certified Ethical Hacker (CEH), followed by EC-Council Certified Security Analyst (ECSA) and GIAC Certified Incident Handler (GCIH), then move to Licensed Penetration Tester (LPT) and GIAC Certified Intrusion Analyst (GCIA). Lastly, GIAC Security Expert is really the top-level application security certification. If you can earn that mark you will really understand what you are doing. These security certifications are your working certifications, but you will need to know how to speak to the leadership within a company. The Certified Information Systems Security Professional (CISSP) is the cert that allows you to talk to MBAs and move into a consultant role after all the geek work is done.

    Roll Up:
    I am not suggesting you earn every one of these certifications, but this is a path of learning you can look at and generate ideas from. A Security Analyst does not have to earn a lot of certifications; he or she just has to have the knowledge and the certs that are required by the company he or she works for. To be an Analyst you have to understand the technology below the world in which you work, otherwise you will not know how to secure it. Being an analyst is not all about hacking; in fact that is a very small part of it. You are finding what is wrong with a situation and helping the organization figure out how to correct or mitigate the problem.

    This is a very big bird's-eye view of security analyst work and there is a huge amount of detail I skipped, but it should give you an idea.

    Food for Thought: You have to love computers and know the security threats out there and how to duplicate them. Being a really good Security Analyst is about finding the problems that cause catastrophic damage before someone else does. That means you will spend a good portion of your time just staying up to date, possibly more than in any other IT career field.
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • pml1 Member Posts: 147
    Epic post Chris. Thanks for all the info!
    Excellence is never an accident; it is always the result of high intention, sincere effort, intelligent direction, skillful execution and the vision to see obstacles as opportunities.
  • Chris:/* Member Posts: 658 ■■■■■■■■□□
    Glad I could help.

    Cheers
    Degrees:
    M.S. Information Security and Assurance
    B.S. Computer Science - Summa Cum Laude
    A.A.S. Electronic Systems Technology
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Chris:/* wrote: »
    Glad I could help.

    Cheers

    Awesome post. Rep for you!
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    If you want to get into security, do as others have suggested and find an area of focus which you can become expert in. If you can't even set up a Windows domain, how can you really understand how to secure it? The same can be said for just about anything in security. You have to know how something works before you can break it or make sense of how to secure it. Security is more than just locking down systems and services though. It's an entire mindset that you have to take. Security is buying a paper shredder for your house and shredding everything identifiable which may go in the trash. Security is looking for camera coverage when you're at a Subway restaurant. Security is observing a clean desk policy, not because there is one, but because you care about protecting data at your source. I've found that "thinking like a security professional" is often the hardest part for someone to grasp. You have to actually care about hardening a system and not taking short-cuts.

    You also have to understand that ethics is everything in security. Many security professionals have made a name on touting their exploits, but just about every one of them has done so legally. It's actually very rare for an unethical hacker/security guru to make it in the legit security industry. I would suggest you familiarize yourself with at least the ISC2 code of ethics and treat them as something which you should follow and respect and not "start of the CISSP book fluff." Beyond ethics, you have to understand that security and business clash more frequently than not, and to be a good security practitioner means you have to be able to push your security agenda without **** off everyone or being too strong-handed. You may find yourself working for a very large company which separates security operations from infrastructure and system administration. The sysadmins are under a tight deadline to get something implemented and they operate under a "fastest way to results" methodology. From a security standpoint this is wrong, but how do you convey that to the sysadmin while respecting their deadlines?

    These are the types of things you should consider when thinking about a security profession. You won’t find these types of things in books.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • gateway Member Posts: 232
    Paul Boz wrote: »
    The sysadmins are under a tight deadline to get something implemented and they operate under a “fastest way to results” methodology. From a security standpoint this is wrong, but how do you convey that with the sysadmin while respecting their deadlines?

    +1

    I'm up against this all the time. Hard balance to achieve. That was nice to read!
    Blogging my AWS studies here! http://www.itstudynotes.uk/aws-csa
  • Everclear05 Registered Users Posts: 4 ■□□□□□□□□□
    Chris:/* wrote: »
    Welcome to the forums,

    Most people who are Security Analysts are really not required to have a specific certification but build on a myriad of skills. Those skills are used as a combined approach to understanding the purpose of the organization and what really needs to be protected. To do that you must have a working understanding of operating systems, wired and wireless networks, programming and scripting, current threats, policy management and training.

    Primer: You know A+ and you are moving to learn Security+, but you must also understand networking, and Network+ can give you that base-level knowledge.

    Programming & Scripting: Most really good Security Analysts need to know how to program and script. To take advantage of currently known vulnerabilities and test them, an Analyst often has to create custom test scripts. You do not have to start with programming; there are many mid-level and entry-level Analysts that do not know how to program. To really move forward as an Analyst, though, you at least have to know Python, and you are better off if you know Java and C++ in addition.

    Degree: You need to start your formal education; a BS in Computer Science or Computer Information Systems followed by an MS in Information Security and Assurance (or any form of that MS) will move you forward. You will rarely meet people in this field who do not have at least a BS. Companies typically do not put trust in someone who does not have a formal degree. Most companies like having that paper to back up your trust when we talk about security testing.

    Operating System experience: If you are going to be a Security Analyst you have to become the expert on your team of one OS flavor and have a working knowledge of other OSes. You will typically be working on teams with people who will balance out your skills or lack thereof; market yourself to the rare skill sets and you can earn a better salary. Just be cautious: if you typecast yourself you may have trouble finding work. You should practice with VMware Workstation or Virtual Player using different OSes at home. Complete some Microsoft certs, Linux+, Red Hat Certified Technician and even Sun Certified System Administrator. These administrator certifications will not only show you how to configure the OS properly by the company, they will also help show you what things are often missed in terms of security.

    Networking: There is more to the world than Cisco routers and switches running just TCP/IP. You have to become familiar with wireless, ATM, TCP and UDP. Start with Network+ (since it sounds like you have limited networking experience), then move to CCNA, CWNA and possibly earn the security flavor of each. The knowledge you gain from pursuing these certifications will only help when examining networks.

    SAN: Most companies store lots of juicy data on iSCSI or Fibre Channel storage devices, so at least get a working knowledge of these systems. Server+ will provide you the basic knowledge for SANs. If you want more knowledge look at EMC and NetApp. You cannot suggest means of protecting enterprise data if you do not understand how these systems work.

    Security: EC-Council and GIAC both offer fantastic certifications for a Security Analyst. EC-Council requires you to memorize a lot of information for a test, and GIAC requires you to really understand and apply the information in an open-book environment. You will find opinions on both sides of the aisle for or against these certifications. I believe each has its role and I myself am currently working through both paths. Start with GIAC Security Essentials Certification (GSEC) and Certified Ethical Hacker (CEH), followed by EC-Council Certified Security Analyst (ECSA) and GIAC Certified Incident Handler (GCIH), then move to Licensed Penetration Tester (LPT) and GIAC Certified Intrusion Analyst (GCIA). Lastly, GIAC Security Expert is really the top-level application security certification. If you can earn that mark you will really understand what you are doing. These security certifications are your working certifications, but you will need to know how to speak to the leadership within a company. The Certified Information Systems Security Professional (CISSP) is the cert that allows you to talk to MBAs and move into a consultant role after all the geek work is done.

    Roll Up:
    I am not suggesting you earn every one of these certifications, but this is a path of learning you can look at and generate ideas from. A Security Analyst does not have to earn a lot of certifications; he or she just has to have the knowledge and the certs that are required by the company he or she works for. To be an Analyst you have to understand the technology below the world in which you work, otherwise you will not know how to secure it. Being an analyst is not all about hacking; in fact that is a very small part of it. You are finding what is wrong with a situation and helping the organization figure out how to correct or mitigate the problem.

    This is a very big bird's-eye view of security analyst work and there is a huge amount of detail I skipped, but it should give you an idea.

    Food for Thought: You have to love computers and know the security threats out there and how to duplicate them. Being a really good Security Analyst is about finding the problems that cause catastrophic damage before someone else does. That means you will spend a good portion of your time just staying up to date, possibly more than in any other IT career field.

    Chris, thank you for this wealth of information. I will concentrate on finding my niche that will allow me to focus my education in the correct direction.
  • -Foxer- Member Posts: 151
    Some really great advice in here! Thanks.

    I'm just starting my MS:ISA at WGU, and hope to get into the information security field over the next couple of years.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    @Paul: I know that your experience (at least this is what I'm assuming) has been mostly Cisco. How has that benefited, or hurt, you moving from Network Administration to IT security?
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    veritas_libertas wrote: »
    @Paul: I know that your experience (at least this is what I'm assuming) has been mostly Cisco. How has that benefited, or hurt, you moving from Network Administration to IT security?

    To be honest, the Cisco stuff was generally out of interest in networking technology more than anything else. I've never actually been a straight-up network engineer. I got several Cisco certs when I worked in the NOC of an ISP because I wanted to show initiative to move into engineering. The company laid off about 60% of the workforce, so I was stuck in the NOC for life. I moved on. I looked for networking jobs, but a security gig landed in my lap so I went in that direction. I continued working on the Cisco stuff for a while, then went full-in with security. I've had an interest in computers since I was a little kid and have always liked trying to find ways to do interesting things with them, so security came naturally. The networking side has definitely been beneficial though, because without a strong knowledge of how networks work it's difficult to see "the big picture." I'm sure I see the network where I'm employed differently than the server administrators because I've got a trained networking point of view. I honestly like security architecture more than anything and will probably focus on that moving forward. Currently I'm working on several rapid-development, large-scale system and software deployments to 25k+ systems that require complete architecture designs (both topological and security requirements) from the ground up, and it's the most enjoyable thing I've ever done from a job perspective.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    If you had to restart today Paul, would you go for as many Cisco certs or would you go for SANS directly?
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    Bl8ckr0uter wrote: »
    If you had to restart today Paul, would you go for as many Cisco certs or would you go for SANS directly?

    I'd do the Cisco stuff first because the networking knowledge is the foundation that I've built my security experience on. At my last employer I could tell a marked difference between those with networking experience and knowledge and those without. Even Dynamik felt his skills drastically improve when he did some Cisco stuff over the last year.

    For some perspective, I'm currently working with the lead network engineer at my company to implement QoS for pushing McAfee policies and .dat files over T1s to 600+ field locations. If I walked into a meeting with him and said "We need to use QoS to do this, make it work," he would not respect my wishes nearly as much as if I said "here's our current QoS configuration and here's what I'd like to do to include McAfee updates." I can look at a policy map and a class map and make sense of it. That means a lot to the networking team that I have to interface with because I "get it." It's much more difficult to push your agenda when you're basically repeating Googled buzzwords.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I was just wondering because that's sort of what I see myself doing within the next few years (Cisco/Juniper/Checkpoint networking and SANS certs). I was just curious if you feel the Cisco certs were "worth it".
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    Bl8ckr0uter wrote: »
    I was just curious if you feel the Cisco certs were "worth it".

    100% worth it.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Paul Boz wrote: »
    100% worth it.

    I figured you'd say that. CCNP R/S and Sec here I come.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Thanks for answering my question Paul. One other question if I might: how respected do you think Cisco certifications are in the security world? I seem to see MCSE matched with C|EH or GIAC in security job listings more than I do Cisco. This could just be my experience though.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    I agree v. I see the same thing in my neck of the woods.
  • Synthros Member Posts: 82 ■■□□□□□□□□
    veritas_libertas wrote: »
    Thanks for answering my question Paul. One other question if I might: how respected do you think Cisco certifications are in the security world? I seem to see MCSE matched with C|EH or GIAC in security job listings more than I do Cisco. This could just be my experience though.

    I've seen this a lot too, and I've often wondered if it's a good idea to buffer one's resume with Microsoft certs (MCSE/MCITP) if attempting to get into the realm of network security.
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    Cisco certs are highly respected regardless of the industry. No one's ever seen my list of Cisco certs and said "man, you're really lacking MS."
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    Paul Boz wrote: »
    Cisco certs are highly respected regardless of the industry. No one's ever seen my list of Cisco certs and said "man, you're really lacking MS."

    I think your experience has a lot to do with that as well. I was looking at entry-level security analyst positions yesterday and most of them required S+ and/or SSCP, and MCSE would be "nice to have". There were a lot fewer Cisco infosec positions, and most of them didn't even mention Cisco certs, just Cisco firewalls and such.
  • veritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Paul Boz wrote: »
    Cisco certs are highly respected regardless of the industry. No one's ever seen my list of Cisco certs and said "man, you're really lacking MS."

    Well, that response was short and to the point! Thanks Paul, the more I'm reading up on Cisco and playing with switches/routers the more I get addicted. Somehow CLI always feels more pure.

    Man, you're really lacking MS certs...

    JK
    Bl8ckr0uter wrote: »
    I think your experience has a lot to do with that as well. I was looking at entry-level security analyst positions yesterday and most of them required S+ and/or SSCP, and MCSE would be "nice to have". There were a lot fewer Cisco infosec positions, and most of them didn't even mention Cisco certs, just Cisco firewalls and such.

    You may have a point. It's hard to say, and I wonder if it has more to do with location, or if it's just the way it is in INFOSEC.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031 ■■■■■■■■□□
    veritas_libertas wrote: »
    You may have a point. It's hard to say, and I wonder if it has more to do with location, or if it's just the way it is in INFOSEC.

    I think it has to do with the fact that there are more Windows servers than Cisco routers, switches and firewalls. In most companies, AD is probably going to change more than firewall configs. Which is why I am going to be doing a lot of labbing of Windows stuff for the GSEC, and in general, simply because AD is very important.
  • ssampier Member Posts: 224
    Bl8ckr0uter wrote: »
    I think it has to do with the fact that there are more Windows servers than Cisco routers, switches and firewalls. In most companies, AD is probably going to change more than firewall configs. Which is why I am going to be doing a lot of labbing of Windows stuff for the GSEC, and in general, simply because AD is very important.

    QFT. Windows is everywhere, but the switch and firewall in an SME may not be touched much at all or are outsourced (and may not even be Cisco).

    Firewalls are fun. I liked both Cisco and Juniper (and open source things like iptables). I am not sure what I like about them, they just click with me.

    I am really considering doing the Cisco or Juniper security track; decisions, decisions.
    Future Plans:

    JNCIA Firewall
    CCNA:Security
    CCNP

    More security exams and then the world.
  • L0gicB0mb508 Member Posts: 538
    I currently work as a security analyst, so I'm getting a kick out of these replies...

    It seems that to be a security analyst you need to have a broad understanding of different systems and how they function. You should know how to read the log files of the platforms in your environment and make reasonable sense of them. Generally speaking, in a large environment you will be using an Enterprise Security Management (ESM) system that correlates the events and lays out the packet payload for you. In smaller environments you will be using an IDS, and you may be correlating events yourself. This makes it a lot harder to capture unusual traffic patterns. You may also be using sniffers such as tcpdump to capture the raw traffic and doing analysis on it. In larger environments (carrier class and large enterprise) raw packet capture is a bit more tricky and requires some intense hardware to pull it off, so you may not be doing quite as much raw traffic analysis.

    With that being said, there are generally different levels of security analysts. It works up the tiered approach like any other IT job:

    Level 1 - Mainly concerned with triage of events. They pick out events of interest and forward them to the next level, then continue on finding events. They will probably not be diving into deep packet analysis or even systems analysis.

    Level 2 - The group that does your packet analysis and systems log file analysis. They are generally the group that determines if the event is real and has succeeded. At this level some scripting knowledge comes in handy. You will also need a great deal of technical expertise on your platforms and the ability to use tools to analyze the event.

    Level 3 - This group is where you start gaining engineer/ISO status. They are the ones who make system changes and do the incident handling process. Honestly, this is beyond what most security analysts do unless they are part of an incident response team.

    Do you need to be an MCSE/RHCE/CCNP to be a security analyst? No, of course not. Do you need to know a broad range of technology? You betcha. To be extremely good in this field you need to almost think like a criminal. You are defeating a human element, so it pays to think outside the box like them.

    Also, you need to draw a line between security engineer and security analyst. Engineers will be configuring devices and making changes to the system. A security analyst will be doing none of those things. I realize that security analyst is kind of the de facto term anymore for anyone that does security, so you may do something entirely different with the title of security analyst. In its purest form you will not be making system changes, exploit testing, or writing exploits.

    I work on a huge network, with teams dedicated to everything, so your mileage may vary in smaller configurations.
    \\My longest post I think\\
    I bring nothing useful to the table...
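As an added example of the Level 1 / Level 2 split L0gicB0mb508 describes (my code, not from any poster in this thread), here is a small correlator of the kind a smaller shop without an ESM would script by hand: it parses constructed sshd-style auth log lines, groups events per source address, flags a source that exceeds a failure threshold for triage, and marks the finding "confirmed" only when an accepted login follows the failures from the same source, which is the Level 2 "is it real and did it succeed" question. The log lines, hostname, addresses and the threshold value are all constructed assumptions, not data from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample auth log (sshd syslog format); addresses are from
# documentation ranges and nothing here is real traffic.
SAMPLE_LOG = """\
Mar 10 09:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 10 09:01:04 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar 10 09:01:06 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar 10 09:01:08 host1 sshd[1207]: Failed password for root from 203.0.113.5 port 50128 ssh2
Mar 10 09:01:10 host1 sshd[1209]: Failed password for root from 203.0.113.5 port 50130 ssh2
Mar 10 09:01:12 host1 sshd[1211]: Accepted password for root from 203.0.113.5 port 50132 ssh2
Mar 10 09:03:00 host1 sshd[1250]: Failed password for invalid user test from 203.0.113.77 port 42000 ssh2
Mar 10 09:03:02 host1 sshd[1252]: Failed password for invalid user guest from 203.0.113.77 port 42002 ssh2
Mar 10 09:03:04 host1 sshd[1254]: Failed password for root from 203.0.113.77 port 42004 ssh2
Mar 10 09:05:30 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Mar 10 09:05:40 host1 sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 41002 ssh2
Mar 10 09:07:00 host1 sshd[1400]: Accepted publickey for bob from 192.0.2.9 port 39000 ssh2
"""

# One pattern covers both outcomes; "invalid user" is optional so that
# guesses against non-existent accounts are still counted as failures.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


@dataclass
class Event:
    ts: str
    result: str   # "Failed" or "Accepted"
    user: str
    src: str


def parse(log_text: str) -> list[Event]:
    """Turn raw log lines into Event records; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["result"], m["user"], m["src"]))
    return events


def correlate(events: list[Event], threshold: int = 5) -> dict:
    """Group events by source and decide what each source deserves.

    "suspicious": at least `threshold` failures and no later success (Level 1 triage item).
    "confirmed":  at least `threshold` failures followed by an Accepted login from the
                  same source (Level 2 has its answer: the attempt succeeded).
    Sources below the threshold produce no finding at all.
    """
    per_src = defaultdict(list)
    for e in events:          # events stay in log order within each source
        per_src[e.src].append(e)

    findings = {}
    for src, evs in per_src.items():
        failures = 0
        status, user = None, None
        for e in evs:
            if e.result == "Failed":
                failures += 1
            elif failures >= threshold:
                status, user = "confirmed", e.user
                break
        if status is None and failures >= threshold:
            status = "suspicious"
        if status:
            findings[src] = {"failures": failures, "status": status, "user": user}
    return findings


if __name__ == "__main__":
    for src, f in correlate(parse(SAMPLE_LOG)).items():
        print(f"{src}: {f['status']} after {f['failures']} failures"
              + (f" (login as {f['user']})" if f["user"] else ""))
```

Running it with the default threshold reports only 203.0.113.5 as confirmed (five failures, then an accepted root login); lowering the threshold to 3 additionally surfaces 203.0.113.77 as suspicious, and alice's single typo never appears, which is the kind of tuning an analyst does to keep the triage queue meaningful.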