
After one week in the SOC, here are my takeaways...

YFZblu Member Posts: 1,462
Hey all - As some of you may know, I recently got a job working in a Security Operations Center. Not only my first security job, but my first systems job away from helpdesk and desktop support. Anyway after one week I saw some really great stuff and some really scary stuff. Here are a few takeaways:

-The senior guys are dedicated to truly helping the business succeed. This stuck out to me in spades. They live and breathe security for our company. I know a lot of us are career minded and are always striving for the bigger and better job; but it is important to do well where you are, too. Not really security related, but something valuable I took away.

-The pentesting guys for the organization find some really scary vulnerabilities constantly. It is crazy how many default settings/passwords are out there in the wild.

-Security certifications did almost nothing to help me perform my current job. I am doing L1 security work which involves viewing logs, reading packet streams (with or without Wireshark's help), analyzing the risk each alert presents to our organization and determining if it will result in an incident. Which leads me to my next point...

-Incident handling methodology could be a really valuable skill for someone looking to get into security. There are certain check marks that are included in running a good SOC, and knowing industry standard methodologies for incident handling could be really useful. Once again, not the kind of stuff taught in things like Sec+, CCNA: Sec, or even GSEC. Don't quote me on the GSEC one, I am not all the way through my books yet. I don't remember it being mentioned at the bootcamp though...

-Learn Linux. We are running Linux boxes as our primary desktops, and I had to sheepishly ask what command to enter to change my user password. Being able to identify command strings in packets will be uber useful as well obviously.

-Antivirus sucks. Last week I consistently found malicious software on user PCs before our AV solution. Which begs the question: Would the host AV have ever found it? Probably not. Either way, if I'm finding it first, that's bad.

-OK, so this is sort of embarrassing as well: I did not know that thousands of domains can occupy the same IP address. Perhaps that is a bad way of saying it. I knew that was possible, but I did not know it happens so much. I guess in my head the major websites/organizations host their own stuff, which obviously isn't the case... I was constantly seeing alerts for IP matches to legitimate sites: professional sports teams, banking, etc. Only to find the alert was generated because that IP linked to a malicious domain somewhere on that server. Example: A user's computer resolved to the Green Bay Packers website, but that IP address also hosted thousands of other domains which included some pretty nasty looking URLs.

Anyway - That's all I have for now, I just wanted to share my experience with the group.
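The shared-hosting problem from the last takeaway, as an added triage example that is not part of the original post: an IP-only indicator hit is downgraded for review when the same IP is seen answering for many unrelated hostnames, while a hit on the queried domain itself is kept as a match. The log format, hostnames, addresses and indicator lists are all constructed for the example.

```python
"""Triage IP-indicator alerts against DNS query logs (added example).

Assumed log format: 'timestamp client qname answer_ip' per line.
An IP on the indicator list that also answers for many unrelated
hostnames is likely shared hosting, so an IP-only hit is flagged for
review rather than treated as an incident on its own.
"""
from collections import defaultdict

# Constructed sample log and indicator lists (hypothetical values).
DNS_LOG = """\
2013-05-01T09:00:01 10.1.1.5 www.example-team.test 203.0.113.7
2013-05-01T09:00:02 10.1.1.5 cdn.example-team.test 203.0.113.7
2013-05-01T09:00:05 10.1.1.9 news.example-paper.test 203.0.113.7
2013-05-01T09:01:10 10.1.1.9 bad-domain.example.test 203.0.113.7
2013-05-01T09:02:00 10.1.1.12 login.example-bank.test 198.51.100.20
2013-05-01T09:03:00 10.1.1.12 evil-only.test 192.0.2.44
"""
IP_INDICATORS = {"203.0.113.7", "192.0.2.44"}
DOMAIN_INDICATORS = {"bad-domain.example.test", "evil-only.test"}
SHARED_HOST_THRESHOLD = 3  # distinct names on one IP before calling it shared

def parse_dns_log(text):
    """Return (client, qname, ip) tuples from the constructed log format."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, ip = line.split()
        rows.append((client, qname.lower(), ip))
    return rows

def names_per_ip(rows):
    """Count distinct hostnames observed resolving to each answer IP."""
    seen = defaultdict(set)
    for _client, qname, ip in rows:
        seen[ip].add(qname)
    return {ip: len(names) for ip, names in seen.items()}

def triage(rows, ip_iocs, domain_iocs, threshold=SHARED_HOST_THRESHOLD):
    """Label each indicator hit; a domain hit outranks an IP-only hit."""
    density = names_per_ip(rows)
    verdicts = []
    for client, qname, ip in rows:
        if qname in domain_iocs:
            verdicts.append((client, qname, ip, "domain-match"))
        elif ip in ip_iocs:
            shared = density.get(ip, 0) >= threshold
            verdicts.append((client, qname, ip,
                             "ip-only-shared-host" if shared else "ip-only"))
    return verdicts
```

With the sample log, the three lookups of legitimate sites on 203.0.113.7 come back as "ip-only-shared-host" for review, while the two indicator domains are kept as "domain-match".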

Comments

  • MickQ Member Posts: 628
    Very good stuff to know. Thanks for all that help in growing our own knowledge.
  • instant000 Member Posts: 1,745
    Since you mentioned that you didn't have much information on incident handling (prior to your current job), maybe these resources might assist you (at least, a little).

    ---

    Publications (Free):

    - http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf "Computer Security Incident Handling Guide"
    - http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf "Guide to Integrating Forensic Techniques into Incident Response"
    - http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf "Guide to Malware Incident Prevention and Handling"
    - http://csrc.nist.gov/publications/drafts/800-83-rev1/draft_sp800-83-rev1.pdf "Guide to Malware Incident Prevention and Handling for Desktops and Laptops (Draft)"

    ---

    As far as certifications dealing with incident handling, I pulled these below out of the DoD 8570 matrix (DoD 8570 Information Assurance Workforce Improvement Program):

    - SEI Certification | Computer Security | CERT-Certified Computer Security Incident Handler Exam - CSIH (CERT-Certified Computer Security Incident Handler)
    - https://cert.eccouncil.org/wp-contents/uploads/CEHv8-Exam-Blueprint-v1.1-17012012.pdf - CEH (Certified Ethical Hacker) [In my professional opinion, as someone who possesses this certification, I think they have just marketed this one very well.]
    - Incident Handler Certification: GCIH - GCIH (GIAC Certified Incident Handler) [Don't have it, can't comment on it.]

    ^ Just really want to point out that I'm not sure how CEH got into the box for "Incident Responder" for DoD 8570, except via reputation. Even if you check the blueprint, "information security incident" is a sub-portion of a section; that's how far down the totem pole it is. Far superior EC-Council certs for incident response would be the CHFI (Computer Hacking Forensic Investigator) or, how about this one: ECIH (EC-Council Certified Incident Handler) ... that one sounds like it might fit a bit better, and has a better syllabus, at the least.

    - ECIH Course Outline: http://www.eccouncil.org/Portals/0/docs/ECIH-v1-Course-Outline.pdf

    ---

    - I have a book on my shelf: "Practical Packet Analysis", but it's very Wireshark-esque, and you mention that you don't necessarily use Wireshark. The website for the book is here: Practical Packet Analysis, 2nd Edition | No Starch Press

    I believe the book is decent, but I don't do packet analysis full-time, so you might disagree.

    Hope this helps.

    ---
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • YFZblu Member Posts: 1,462
    Great info, thanks! The L1's were asked to begin preparing for GIAC GCIH, and the content for that looks good too.
  • Hypntick Member Posts: 1,451
    I'm just wondering what type of qualifications they were looking for on that position? Anything you can let us know that helped you land that spot?
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • Mike-Mike Member Posts: 1,860
    great post! keep the updates coming
    Currently Working On: CWTS, then WireShark
  • docrice Member Posts: 1,706
    There are security certifications and the material they cover, and then there's the real world. The latter tends to be much more complicated, entangled, messy, political, and with a lot of risk trade-off decisions that have to be made which aren't ideal on paper.

    The GCIH is a very popular GIAC certification, along with the SANS SEC-504 course. As of this writing, there are almost 7500 GCIH-certified professionals:

    http://www.giac.org/certified-professionals/directory/security-administration
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • kurosaki00 Member Posts: 973
    good read!
    thanks and gratz on your job
    meh
  • MSP-IT Member Posts: 752
    Hypntick wrote: »
    I'm just wondering what type of qualifications they were looking for on that position? Anything you can let us know that helped you land that spot?

    Also curious. If you could comment on this I would greatly appreciate it.
  • cgrimaldo Member Posts: 439
    Great thread with valuable info so far!
  • YFZblu Member Posts: 1,462
    Hypntick wrote: »
    I'm just wondering what type of qualifications they were looking for on that position? Anything you can let us know that helped you land that spot?

    It's tough for me to say, because I was an internal transfer within the company, so the tribal knowledge that I have of our organization may have played a part in my hiring. There were other analysts hired with me, and both of them have four-year network security degrees from a technical school in the area; they were external hires. They're pretty bright and really young. I do not hold a degree, and the security-centric certifications I hold are Sec+ and CCNA: Sec. I think for the most part my security certifications got me the interview, and having passion / knowing what is on my resume got me the job.

    What I can tell you is this: During the interview it was very apparent they wanted to hire people who geek out on this stuff. I was asked who I look up to in infosec, what publications I read, and even what the current SANS Internet Storm Center Threat Level was at the time. I recently attended a SANS Institute bootcamp (GSEC) and listed that on my resume under formal education and I believe that was a huge reason the technical recruiter noticed my resume. You guys know how that goes...buzzwords and all...