By: Jay James
May 21, 2020
The Ever Expanding Scope of SOC Skills
SOC Analyst. SOC Specialist. SOC Engineer. SOC Manager.
Enter any of these titles into Indeed, LinkedIn, CareerBuilder, or any other major job search site and you will get thousands of results for Security Operations Center (SOC) positions all over the country. One issue is that the skill-set requirements for these positions vary vastly from job to job. Those wanting to break into security operations, or to move to another role within a SOC, may be overwhelmed by the buzzwords, technical jargon, and long laundry lists of job requirements.
It is important for SOC professionals to know the umbrella of skills involved and to build the foundation necessary to succeed. Below is a high-level list of skills that are vital for SOC professionals to do just that.
Disclaimer: Not every SOC analyst or engineer has to know all of the following skills in depth, but all of them should be considered when determining focus areas and personal goals. Strive to be "T-shaped": an employee who has excellent skills in one area while having a base knowledge of the others in the industry.
Understanding Processes and Frameworks
Understanding processes and frameworks helps Security Operations Center personnel bring consistency and structure to the actions they take. It also helps them conceptualize the bigger picture behind the technical skills they learn. Here are a few examples:
Cyber Kill Chain
The Cyber Kill Chain methodology (trademarked by Lockheed Martin) provides a model for discovering and preventing malicious activity. It lays out the steps threat actors must take to achieve their goal. Understanding these steps helps a SOC know where in the process an attacker is, which improves prevention, discovery, and containment. The high-level steps are reconnaissance, weaponization, delivery, exploitation, installation, command-and-control (C2), and actions on objectives.
MITRE ATT&CK Framework
The MITRE ATT&CK Framework is a matrix of the tactics and techniques used by threat actors. It goes a step further than the Cyber Kill Chain by providing, for each technique, descriptions, mitigations, and detection guidance, which is valuable information for those in a Security Operations Center.
Incident Response Process
The purpose of the incident response process is to provide a structured way to identify incidents, slow or stop the damage, and fix the underlying issues to prevent further attacks. One of the most common is the NIST incident handling process found in NIST SP 800-61 Revision 2.
OWASP Top 10
Created by the OWASP Foundation, the OWASP Top 10 is a globally recognized list of the most critical security risks to web applications. Knowing these top vulnerabilities equips those in a SOC to understand potential attacks from a web application security perspective and to know what to analyze further.
The current OWASP Top 10 are:
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities (XXE)
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting (XSS)
- Insecure Deserialization
- Using Components with Known Vulnerabilities
- Insufficient Logging and Monitoring
Policy, Standards, and Procedures
Every organization has its own policies, standards, and procedures. The best action a SOC professional can take is to understand what these documents are and read them to see how they affect one's day-to-day work. As a quick overview:
Policies: High-level statements that give direction for cybersecurity goals.
Standards: Provide the "how" for the policies. They are defined as mandatory actions and rules that support the policies.
Procedures: Step-by-step instructions on how to implement the policies and standards.
Building Technical Skills
One may not know every technical detail of every technology, but a high-level understanding of the basic concepts is vital to grasping the entire scope of cybersecurity. Below are several areas that SOC professionals should be familiar with:
Operating Systems
Operating systems include Windows, Linux, and macOS. A strong understanding of log files, the registry, processes, and permissions will be vital in everyday work.
Scripting
Knowing one scripting language will help simplify the tasks that SOC professionals perform in a SOC. There are many options for scripting (Perl, PowerShell, Python, etc.).
Network Devices and Technologies
Understanding how data flows through network devices (switches, routers, firewalls), and how they work together in a system, will help in understanding how attacks can spread through an infrastructure. The content of the Network+ course would be a good starting point.
PCAP and Log Analysis
Analyzing data is the foundational task for many SOC analysts. To further understand network data collection and analysis, one can use the freely available tcpdump and Wireshark/TShark to practice and develop those skills.
Network Application Protocols
There are many protocols that one will encounter in the SOC. Some that analysts will run into most frequently include DNS, SSH, HTTPS, DHCP, FTP, SSL, and SMTP. Begin by understanding those in depth; the analyst can then expand into other protocols such as POP3, IMAP, and SIP.
IDS/IPS
IDS (Intrusion Detection Systems) and IPS (Intrusion Prevention Systems) can both be host-based or network-based. They can also detect malicious activity through various methods: signature-based, anomaly-based, and so on. Understanding how these systems and their respective tools work will help when trying to reduce false positives (acceptable activity miscategorized as malicious) and when configuring ways to catch more true positives (real malicious activity).
Cloud
The major players in cloud services are AWS, Azure, and Google Cloud. Understanding cloud basics and their security implications at a high level will prepare one as more and more companies move off-premises.
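As an added example that is not part of the original article: a short Python script of the kind the Scripting, PCAP and Log Analysis, and IDS/IPS paragraphs above describe. It parses constructed sshd auth-log lines, applies a signature-style rule (three failed logins from one source within 60 seconds), and allowlists a constructed internal scanner address so that a known false positive is labelled rather than raised; all addresses, hostnames, thresholds, and timestamps are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd auth-log lines (not real data).
SAMPLE_LOG = """\
May 21 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.10 port 5011 ssh2
May 21 10:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.10 port 5012 ssh2
May 21 10:00:04 host1 sshd[2003]: Failed password for admin from 203.0.113.10 port 5013 ssh2
May 21 10:00:09 host1 sshd[2004]: Accepted password for jdoe from 198.51.100.7 port 6001 ssh2
May 21 10:02:00 host1 sshd[2005]: Failed password for svc from 192.0.2.50 port 7001 ssh2
May 21 10:02:01 host1 sshd[2006]: Failed password for svc from 192.0.2.50 port 7002 ssh2
May 21 10:02:02 host1 sshd[2007]: Failed password for svc from 192.0.2.50 port 7003 ssh2
May 21 10:05:00 host1 sshd[2008]: Failed password for jdoe from 203.0.113.20 port 8001 ssh2
May 21 10:10:00 host1 sshd[2009]: Failed password for jdoe from 203.0.113.20 port 8002 ssh2
May 21 10:15:00 host1 sshd[2010]: Failed password for jdoe from 203.0.113.20 port 8003 ssh2
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)")
# Assumed tuning: 3 failures within 60 s is the signature; one internal
# vulnerability scanner is allowlisted because it is a known false positive.
THRESHOLD, WINDOW_SECONDS = 3, 60
KNOWN_SCANNERS = {"192.0.2.50"}

def parse(log_text, year=2020):
    """Turn raw lines into (timestamp, ip, user, result); syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines the signature does not cover are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events):
    """Return {source_ip: verdict}; sliding window of THRESHOLD failures in WINDOW_SECONDS."""
    failures = defaultdict(list)
    for ts, ip, _user, result in sorted(events):
        if result == "Failed":
            failures[ip].append(ts)
    verdicts = {}
    for ip, times in failures.items():
        hit = any((times[i + THRESHOLD - 1] - times[i]).total_seconds() <= WINDOW_SECONDS
                  for i in range(len(times) - THRESHOLD + 1))
        if hit:
            verdicts[ip] = "false positive (known scanner)" if ip in KNOWN_SCANNERS else "true positive"
    return verdicts
if __name__ == "__main__":
    for ip, verdict in detect_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, verdict)
```

The slow source 203.0.113.20 never trips the rule because its three failures are spread across ten minutes, which is the kind of gap an anomaly-based method, rather than this fixed signature, would be needed to catch.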
Developing Non-Technical Skills
Technical skills give professionals the foundation to work as security operations practitioners. Still, non-technical skills are also valuable for thriving in the cybersecurity space. Three great examples are strong ethics, curiosity, and communication.
Ethics
There are a few basic ethical behaviors that every SOC professional should know: do not lie, do not fabricate, and work within one's own realm of competence, never being afraid to ask questions or ask for help. Ethical behavior is so important that many professional cybersecurity organizations have their own code of ethics. Examples include EC-Council's Code of Ethics (EC-Council is known for certifications such as the CEH) and the (ISC)² Code of Ethics ((ISC)² is known for certifications such as the CISSP).
Curiosity
In cybersecurity, the rules change daily, threat actors get stealthier, and the systems in organizations become more complex. Working in a SOC requires a strong desire to expand one's knowledge. It requires curiosity. To strengthen that curiosity, SOC professionals must develop daily routines of learning more. The more one knows, the more one can question. The more one can question, the more one can grow.
Lastly, be sure to take advantage of online learning resources, such as Cybrary, to reach one's goals. Some courses I recommend include Security Operations, Introduction to SIEM Tools, and the career path Become a SOC Analyst - Level 1.
Communication
Effective communication is one of the top skills to develop. Depending on the exact role and the SOC services an organization provides, one could be interacting with peers, coworkers, distributed teams and departments, managers, directors, employees, customers, and many other professionals in the SOC.
One of the best ways to practice communication skills is simply by communicating. Join organizations, attend conferences, and interact with those not only in the cybersecurity field but also in the wider technology space. The more one communicates, the better one becomes. Anyone can also develop these skills further by joining organizations such as Toastmasters and reading books such as The Charisma Myth by Olivia Fox Cabane, How to Win Friends and Influence People by Dale Carnegie, and Crucial Conversations by Joseph Grenny, Al Switzler, and Ron McMillan.
Though the list may seem long, developing the skills above over time will create SOC rock stars. The key, as stated earlier, is to strive to become a "T-shaped" professional.
Most importantly, note that this is not an all-inclusive list. As time passes, this list will grow, technologies will become obsolete, and attackers' methods will change. The key is constant learning. Keep learning, and regardless of how the required skills expand, you will be more than ready for the challenge.