The Right Stuff: Staffing Your Corporate SOC
Building a Security Operations Center (SOC) from scratch or revamping an underperforming one is a daunting leadership challenge. If a cyber adversary gets past your SOC analysts, there is nobody else in the organization who can find them.
You can deploy all of the latest and greatest tools for your security stack, but if you don’t have the right people to run them and analyze the data they generate, you’re wasting your time. As you might expect, folks like these can be heard to come by, so let’s take a look at what makes a top-notch SOC analyst.
Let’s start with the perennial question over certifications. In the past decade our college and professional certification programs have strived to meet the demand for trained cyber-security experts. This has flooded the employment space with cyber-security wannabes who think a cyber-security certification from some reputable program or an Information Assurance degree qualifies them to sit in an SOC.
This couldn’t be further from the truth. In my experience, passing a certification exam or getting a degree simply shows that a potential employee is a good test-taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs.
Don’t get me wrong. Certification programs can be an important piece of a cyber-security practitioner’s complete education. A couple of certifications I do think SOC analysts should pursue are the CISSP certification and the many courses in the SANS Curriculum.
Passion and experience
The most critical attributes involve passion tempered by experience. SOC analysts have to deeply understand how computers and networks work at the ones and zeros level and be able to sling code into useful tools for analysis. They have to love this stuff and be able to explain what they know to all kinds of audiences: fellow geeks, IT management and the C-Suite. If they’re not playing with a Linux box at home, they are not qualified. In other words, they have to have a basic understanding of computer science, a passion for the craft, and an ability to explain what they know to anybody who will listen.
They also must have spent time in the IT trenches. A career path for my fantasy SOC analyst includes time on the IT help desk, managing servers in the datacenter, and finally, managing some of the security devices in the security stack. Once they’ve performed these functions, they’ll have some context when an adversary starts to work his way down the kill chain into your network. They will understand the impact to your network when a cyberspy bypasses your controls to target your CEO. They will understand what has to be done when a hactivist attempts to destroy your business’ reputation by leveraging a programming error on a public-facing website. And they will intuitively understand what the cyber criminal must do to steal your customer’s credit card numbers. Without that IT background, they can’t understand what they are seeing as incidents arise in the SOC.
That said, here are what I consider to be the top five skills an entry-level SOC analyst must have:
- Strong understanding of basic computer science: algorithms, data structures, databases, operating systems, networks, and tool development (not production-quality software but tools that can help you do stuff)
- Strong understanding of IT operations: help desk, end-point management, and server management
- Strong ability to communicate: write clearly and speak authoritatively to different kinds of audiences (business leaders and techies)
- Strong understanding of adversary motivations: cybercrime, cyber hactivism, cyberwar, cyber espionage, and the difference between cyber propaganda and cyber terrorism
- Strong understanding of security operations concepts: perimeter defense, BYOD management, data loss protection, insider threat, kill chain analysis, risk assessment, and security metrics
If you are hiring a more senior person, some specialties to look for include:
- Strong understanding of vulnerability management: what vulnerabilities are, how do we find them, and how do we mitigate them?
- Strong understanding of malicious ode: reverse engineering skills, practitioner tactics, techniques and procedures from common motivations (see above)
- Strong understanding of basic visualization techniques, especially big data
- Strong understanding of basic cyber-intelligence techniques
- Strong understanding of foreign languages: (First Tier: Chinese, Russian, Arabic, and Korean; Second Tier: Japanese, German, French, Portuguese, and Spanish)
Lost in translation
The skill that is the hardest to find in a potential SOC analyst is the ability to communicate: to write or present intelligence derived from raw information. I know this is not intuitive. I just outlined the set of complex technical skills that a SOC analyst needs to have, then said the rarest skill is the ability to write sentences. But it’s true because it’s tough to relate the impact of a security event to a business or government leader or a techie if the SOC analyst cannot effectively communicate relevant information. An individual can be the smartest malcode reverse engineer on the planet, but all that knowledge is useless if he or she can’t translate geek speak into a response.
As for compensation, SOC analysts who have the basics covered and one or more specialty skills are making north of $100K year, depending on where they live. You can pay less, but your analyst will likely not have the skills you need. This may not be a problem provided you already have qualified SOC analysts who can train the newbie.
As you build your shiny new SOC or upgrade your old one, don’t neglect the skill sets of the analysts you hire. And don’t be fooled by newly minted cyber-security professionals with their brand-new certifications or information assurance degrees. They are on the right path, but they need some seasoning first.
Have I missed anything? Let’s chat about it in the comments.
Rick Howard is Chief Security Officer for Palo Alto Networks, where he is responsible for internal security of the company as well as developing the Threat Intelligence Team to support the next-generation security platform. He previously served as Chief Information Security … View Full Bio