What do I need to do to land a job in an SOC as a relative beginner?
I want to work in an SOC. Until recently, I was a physical "SOC Analyst" for a Fortune 50 company. My department was odd in that we looked for physical threats to assets rather than cyber threats, and now I'm looking to bridge the gap between that and normal SOC skills and break into the cybersecurity/typical SOC field. I have the smallest touch of coding experience - I understand all of the logic and basic types of functions at least - and a decent degree of IT & troubleshooting, and have security experience.
After doing some exploring, I've learned:
- Blue team is what we call the "defense" team. I think this is the side I'm looking to join.
- I need to know EVERYTHING about DNS.
- I should be able to read logs.
- I need to work on home labs at a minimum and possibly certs as well to demonstrate competency at an entry level
My immediate questions are mostly focused on how/where can I learn these skills (or any other necessary skills I missed):
- Is there anything else that I need to do to get an SOC job?
- Where's the best place to learn? Are there any "roadmap to SOC" type courses or guides? I'm a little intimidated.
(sorry this took so long @weet! I wanted to read up a bit so I knew what to ask)
13 Replies
Oooh thanks for the information! This is a super good post, so lemme eat dinner real quick so I can give it my full attention.
Alrighty. You chose the right server to come to. I used to train SOC analysts and worked for some big companies, like Deepwatch and 11:11 Systems as a SOC analyst. If you ever have any questions, I can definitely help.
Also, that's super interesting. Physical testing sounds like a blast! I'm sure how it sounds and reality is different but still, good skills!
Networking and systems (definitely DNS) are important to know. One thing people skip over a lot, is reading previous high profile breaches and malware. Understanding how they work and cross referencing that in your mind with how networks and systems work will make you a great defender.
The other thing is process genealogy, especially with Windows. As much as I hate Windows, it's here to stay and used by everyone, so understanding how it works and how processes work is crucial. For example, I had an analyst mark false positive on LSASS spawning cmd processes to make temp directories. I didn't have to dig any further to know that machine was compromised but the analyst didn't because he didn't know the basics of LSASS, which is a critical part of Windows. If my boss hadn't referred the case to me to double check, it wouldn't have been caught. Now, that's not to say "oohoh scary scary, git gud or git gone" because I've missed things before. But learning how these things work is the best way to defend them.
Now as far as training goes, you're right on the money with a homelab. Even if it's a bunch of AWS instances or a few VMs from our partner Catalyst Cloud. Splunk is a fantastic log ingest tool and can be used as a SIEM. You can get a dev/free license that'll give you enough capacity to play with.
Another great resource is TryHackMe. They've really stepped up their blue team content lately and it's really good. However, their offensive red team stuff is great as well and I highly recommend you "learn how to hack". After all, the best way to defend is to know exactly how attackers attack.
For certs, right now this is sort of the "go to" as a cert roadmap. I love it!
https://pauljerimy.com/security-certification-roadmap/
I would probably recommend getting your Security+ and CySA+. I actually just wrote a blog post recently about these, too: https://cyber.info/blog/top-cybersecurity-certifications-for-aspiring-professionals-2023
Paul Jerimy
Paul Jerimy Media
Security Certification Roadmap - Paul Jerimy Media
IT Security Certification Roadmap charting security implementation, architecture, management, analysis, offensive, and defensive operation certifications.
Cyber Info
Top Cybersecurity Certifications for Aspiring Professionals in 2023...
In this blog post, we will explore the top cybersecurity certifications that provide you with a competitive edge in the job market. Specifically, we will discuss CompTIA's Security+, Pentest+, CySA+, eJPT, and GSEC and their unique features that make them stand out from other certifications.
I need to reword that excerpt lol
This has got me thinking about a homelab youtube series for defenders or something of that sort
That's awesome! (And my SOC monitored world events and evaluated potential threats to our sites & personnel, and we were often the first point in the incident response chain. For instance - my team was monitoring the Covid outbreak in China for a while and knew it was probably going to be a big thing at least a week before it was announced. It was a fun job!)
So now I have some very basic comprehension of cybersecurity jargon, some resources, and a better (though still not terribly clear) vision of what I need. Thankfully, I appear to be looking at a mountain of data and resources, but I'm rather lost as for how to climb it. In terms of goals, what I know is:
1. I want to land a job in SOC ASAP.
2. A major goal is to work remotely relatively soon (I'd like to travel)
3. I believe I'd like to work in blue team defense. Possibly in incident response - I have enjoyed jobs that were "on call," so to speak, until I needed to put out fires or take fast action. But realistically, the first priority is to get in the door as soon as possible.
So I guess my question is: If I want to go from where I am now to an SOC as soon as possible, how should I plan my step-by-step route from here to there?
I don't want to info dump too hard, but I can share what resoruces I've found so far if that's helpful - they're also in here where I'm keeping track of this learn-to-SOC project: https://bra.in/9q5eGV
The Try hack Me site looks great, maybe even a full road-map to SOC competency?
Hey! Sorry for the uber-late response.
Yeah, that Covid shit was wild. Nobody was talking about it when China was writing off whole entire cities.
A roadmap is a great idea, I should definitely make one. As far as first steps go, though, I'd definitely say grab a free Splunk license and get both the "InfoSec" app and "Enterprise Security Essentials" for it. If you ever want, I can go over it with you and show you how we run our Splunk environment.
But I think having a homelab with a Splunk box and all that will really show potential employers that you're serious.
No worries. And I'd love to see your Splunk environment if you have time! I've listened to a few Cybr podcasts with Bob Salmans - he heavily pushed Security Onion as a homelab environment, but most of the jobs I've seen posted (in the limited searching I've done) appear to specifically request Splunk experience. Does Security Onion do something that Splunk can't do?
I Also took your advice with TryHackMe and I'm going through the Pre Security Section to fill in the gaps - currently, my game tentative plan as I feel this out is:
1. Race through TryHackMe learning as fast as possible
2. Learn (or at least look into) how to start making a portfolio demonstrating what I know/learned & my activity, and possibly/eventually a social media presence of some sort. At minimum the homelab is going in the portfolio.
3. Set up a home lab of some sort (once I better grasp networking/SEIM & what a homelab is)
4. Perhaps this is the point where I can reasonably apply for jobs?5. Possibly get certificates while I figure out what else to do and/or learn next.
Otherwise, I'm not sure how important it is to figure out what company I'd like to work for at this stage, I just know I want to be a WFH Team Blue guy at this point. SOC I salaries are admittedly less than I hoped based on the TryHackMe pages, but it seems like there's plenty of opportunity for SOC II and branching out to other areas.
@weet Just wanted to ping you real quick
Hey, sorry for the delay! I'll read something, go wrap up a task and then forget about what I read in a heartbeat, so thanks for the ping LOL.
I'm currently about to get our Okta logs pushed into Splunk, so that'll be neato.
Honestly, that's a good plan so far. You may have to work some kinda crappy suck SOC positions but the experience can be worth it. I can give you some recommendations on where to apply too, if you want and reach out to the hiring managers for you!
And if you bust ass and make good lateral movements, you can work your way up to the 100Ks relatively easily.
And I wouldn't say there is anything Security Onion can do that Splunk can't. Probably the other way around, truthfully. You can get a 500mb ingest license for Splunk Enterprise for free, too!
I've been toying around with the idea of an extended CTF over the course of 6 months, with a blue team vs a red team, if you're interested. Not sure when it's happen because there's a lot of planning involved but the idea is to make it replicate the real world as much as possible.
Splunk
Splunk Certified Cybersecurity Defense Analyst | Splunk
Validate your security defense skills and become a Splunk Certified Cybersecurity Defense Analyst. Find out what it covers and how to prepare for this exam.
Just saw this on LinkedIn too
Lol no worries, I do worse all the time.
This looks great, lol and going to vegas for a test wouldn't be terrible. How important is a Splunk certification in your opinion?
I think this is the goal, work myself into a place that makes a lot of $ without tying me down physically too much. I'm not sure what busting my ass/lateral moves look like yet, but I can put in the work. I'm a decent presenter/public speaker and good at communicating with non-techies in layman terms, so maybe that'll help too. I might eventually want to try my hand at deep learning or AI or something of that sort, and I know Python is nice to know for SOCs so it'll be good either way.
Let me know when/if the CTF is happening, and I am all ears for recommendations! And I would certainly be grateful if you reached out to some hiring mangers. I've still got a bit to go, but I'm getting up to speed quickly. When you're learning, is having an idea who you want to work for a good idea, in general?
I think it can be pretty valuable! You'll learn a good product that a LOT of people use and those skills can more or less transfer to other SIEMs, as well
I'd say both yes and no. It can certainly help if you have direct experience with the tools an organization is using but I think most people understand that if you use CrowdStrike, you can probably slip into SentinelOne fairly easily, if that makes sense. So I wouldn't penalize you for not having used X product if you've been using Y product but they do mostly the same thing
I have only one piece of advice, and that is learn networking. And I mean LEARN NETWORKING.