Disclaimer

This blog series is not representative of processes or procedures that are unique to my employer or any other company. This article series is meant to provide information that is agnostic and to educate those who aspire to be a cybersecurity analyst.

Overview

Purpose of This Blog

The goal of this series is to provide insight into working in cybersecurity (specifically an analyst role) to anyone, technically skilled or not. I was inspired to write this blog series after many people asked how to get into the defensive side of cybersecurity. That side is commonly an analyst role, which is where I started in security. I was confident coming into the role from previous work experience, certifications, and schooling. However, once I started, the role itself was very overwhelming, and even with prior education I felt unprepared. So this blog is also meant to be a resource for new analysts like I was, to give a good overview of what to expect. As stated in the disclaimer, this series is not going to contain specific methods or procedures but is meant to cover the theory and mindset of working as an analyst. I hope you find this useful, and if you have any recommendations or questions, feel free to reach out to me with the info provided in the about me section.

What’s a SOC Analyst?

To explain what a SOC Analyst does, it is first best to explain why the role even exists. Our lives have become as digital as they are physical. It can be argued that any company, organization, or government, even a small business, has a digital infrastructure that is required to operate. I believe that people are the first lifeblood of an organization and the second lifeblood is the technology that allows them to function and connect. Not only do organizations need technology to function, but there are many other assets, such as intellectual property, digital currency, and much more, that need to be protected.

Now that we know what SOC analysts protect, next we need to understand why the role itself is valuable. To understand this, imagine one of your accounts (email, Netflix, etc.) has been logged into by someone in another country. Upon seeing this notification, you immediately know this is suspicious and need to take action to remediate the intrusion. Now imagine you received the same alert for an organization you work for with tens of thousands of employees. Or imagine you work for a company that manages security for a few hundred organizations that each have tens of thousands of employees. This is the value an analyst provides to an organization: the ability to analytically process information and know when something is suspicious or malicious. Sure, analysts get to play with cool tools such as SIEMs or EDRs, but a tool is only as good as the analyst who is using it.

Metaphor

Throughout this blog series, I’ll be using a metaphor to help visualize different concepts. Imagine that we work for a jewelry storage facility called “Crown Jewels Inc.”. This company houses valuable assets that must remain safe for the business to operate. Crown Jewels Inc. has an internal security team and has also hired an external security team called “Jewel Protect” that specializes in monitoring and detecting break-ins by jewel thieves. These two security positions (internal vs. external) correspond to the two kinds of positions a security analyst could hold: one is with a company directly on its own security team, the other is with a Managed Security Service Provider (MSSP) that provides security services to a company.

Now, to expand this metaphor, the analysts have many tools to monitor and detect suspicious activity. They have doors that provide access logs, trip wires that are like Intrusion Detection Systems (IDS or IPS), cameras that are like Endpoint Detection and Response (EDR) platforms, and logs of all actions that have taken place in the facility. The goal of the external security team is to analyze alerts when something suspicious happens and determine whether it needs to be escalated to the internal team for further investigation or whether it is a false positive (like a mouse tripping a laser). The downside of working as an external team is that we do not have much knowledge of the facility we are protecting, which requires careful analysis. All these acronyms may be new at this moment, but I will be explaining them more in depth in future posts.
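To make the "login from another country" scenario and the escalate-vs-false-positive decision concrete, here is a small added example that is not part of the original post. It runs a simple new-country login check over constructed sample log lines; the log format, user names and the `KNOWN_TRAVEL` list are all assumptions for the demo, and the baseline is simply the first country each user was seen logging in from.

```python
from collections import defaultdict

# Constructed sample login events (not from the original post).
# Format per line: timestamp user source_country outcome
SAMPLE_LOGS = """\
2024-05-01T08:02:11Z alice US success
2024-05-01T08:45:09Z bob US success
2024-05-01T09:10:42Z carol US success
2024-05-01T09:30:00Z alice US failure
2024-05-02T03:17:55Z alice BR success
2024-05-02T07:30:00Z bob US success
2024-05-02T11:05:21Z carol DE success
2024-05-02T11:09:03Z carol DE success
"""

# Hypothetical context from the internal team: users known to be travelling
# and the countries they are expected to log in from.
KNOWN_TRAVEL = {"carol": {"DE"}}


def parse_logs(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, country, outcome = line.split()
        events.append({"ts": ts, "user": user, "country": country, "outcome": outcome})
    return events


def triage_logins(events, known_travel):
    """Return one verdict per successful login from a country outside the user's baseline.

    Assumption for this demo: the first country a user is seen logging in from is
    their baseline. A real SOC would build the baseline from historical data.
    """
    baseline = defaultdict(set)
    verdicts = []
    for ev in events:
        if ev["outcome"] != "success":
            continue  # failed attempts are out of scope for this check
        user, country = ev["user"], ev["country"]
        if not baseline[user] or country in baseline[user]:
            baseline[user].add(country)  # nothing new: normal activity
            continue
        # New country: known travel is a false positive, anything else is escalated
        verdict = "false_positive" if country in known_travel.get(user, set()) else "escalate"
        verdicts.append({"ts": ev["ts"], "user": user, "country": country, "verdict": verdict})
        if verdict == "false_positive":
            baseline[user].add(country)  # expected travel becomes part of the baseline
    return verdicts


if __name__ == "__main__":
    for v in triage_logins(parse_logs(SAMPLE_LOGS), KNOWN_TRAVEL):
        print(v)
```

The same logic scales from one account to thousands because the decision is encoded once; what the analyst adds is the context (like the travel list) that turns a raw alert into a verdict.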

Prerequisites

Mindset

In my opinion, anybody can obtain technical knowledge or learn any skill they desire. However, I do believe that we have certain personality traits that can determine whether someone succeeds in specific situations. The following are traits that I believe make an effective SOC analyst:

1. You like to learn.

First, to become a SOC analyst, your knowledge will need to be thousands of miles wide. Not only do you need to know networking and computing concepts, you will also need to know enterprise networks and security concepts. Then, once you have learned these fundamentals, you will need to learn more and more advanced attacker techniques, blue team tools, new exploits, and much more. There will be a mountain of information to learn, and once you arrive it will never stop. With this, you must be someone who enjoys learning new things and studying.

2. You perform well under stress.

To be an effective incident responder you must be able to work calmly and effectively. Let’s say you are triaging an incident that is a true positive: will you get nervous and be unable to think? Or you receive a critical priority alert: will you be intimidated by it? Or you must speak in a meeting with the internal security team: would this be stressful for you? You must be able to work calmly under pressure and stress.

3. You like to help people.

As a blue team defender, we get to do many cool things on a day-to-day basis, but at the end of the day we are helping an organization and its people. If you find it rewarding to provide help to others, this job itself will feel rewarding to you.

4. You know when to ask for help.

First, you need to be able to hold off on asking for help right away and try to solve problems yourself. This helps you become more self-sufficient and able to research topics. Next, it is good to know when to ask for help, as remaining stuck on something can have a negative impact.

5. You are an effective communicator.

Lastly, I believe a good analyst is effective at written and oral communication. You will need to be able to write technical reports and then give non-technical explanations in a way that’s easy to understand. One moment you’ll be talking to a highly skilled malware reverse engineer and the next to a non-technical operations manager. To be a good analyst you must be able to explain things either technically or conceptually.

Required Knowledge

If you have little to no technical ability, it is possible to work in cybersecurity with some education. You will need to start with a strong foundation to understand what you are protecting and how it can be attacked. This includes learning computing concepts, operating systems, and basic networking. Next, you will need to dive deeper into networking and understand each layer of the OSI model. Then you will need to deeply understand how the internet works and how enterprise networks operate (such as Active Directory). Lastly, you will need to understand security concepts. Some of these include the CIA triad and the principle of least privilege, followed by secure computing/networking principles such as defense in depth, segmentation, and more. For the first part of studying from scratch I highly recommend the CompTIA “trifecta”: the A+, Network+, and Security+. These certifications are boring but provide a great foundation and help build your resume.

Now that you have a technical foundation and knowledge of security concepts, next comes learning more of the fun stuff: malware, attacks, phishing, etc. I will be covering these in later blog posts, but I’ve included some recommended resources below.

Do I Need To Know How To Program?

Short answer: no, not at all. As a SOC Analyst you will not be programming all day; you will be investigating incidents. I do believe that having some basic programming knowledge is very useful, though. You do not need to know how to build something complex, but you should understand the basic logic of a program. This will help you when you encounter PowerShell scripts or get more into malware analysis later.

School vs. Certifications vs. Projects vs. Bootcamps

Lastly, I would like to share my experience and advice on the different paths one can take to educate themselves. I have experience gaining certifications, self-studying/projects, and formal schooling. I have not finished school, though, due to the high costs, but I plan to in the future.

School

I have finished about 3 years of an online Bachelor’s degree titled “Cyber Operations – Defense and Forensics”. The degree costs about $3,000 per class plus other added-on expenses. The classes were “okay” and did not go deep into topics but merely touched on them. The benefit of school, though, is that it exposes you to many topics, even if you might not use them as an analyst. For example, I learned the basics of Android malware, iOS forensics, and digital forensics for collecting evidence like law enforcement does. Lastly, school is useful if you like a structured learning path, and it provides the resume benefit of a degree. I do not think a degree is necessary, though, as I and many other people I know have gotten jobs without one.

Certifications

Certifications are one of my personal favorites. I thrive on a structured learning path with marked goals to accomplish. The other pro/con is that there are many certifications in this field, which allows one to study any subject but can be overwhelming. Certifications can range in cost from a few hundred dollars to a few thousand. I recommend gaining some certifications if possible and continuing to gain more in areas of your interest.

Self-Study/Projects

Self-study/projects is the act of educating yourself about certain topics and coming up with projects. For example, you could get some cheap networking equipment and build a small networking lab, or build a small website and host it to learn more about the internet. My main advice for this area is to make sure it is marketable and can be added to a resume. Make a website and blog about your projects, compete in CTFs and increase your rank, make YouTube videos as you progress, learn to code and make some security tools to add to GitHub. Any of these can be added to a resume and talked about in an interview. There are also many more platforms to study with compared to when I first started in this field, which lowers the need for formal schooling. In my opinion, self-study and certifications are the best combination.

Bootcamps

I can speak little to none on this area. I have met people who have gotten hired straight out of bootcamps and others who struggle to find a job. Your mileage may vary (shrug).

Recommended Resources

CompTIA Certifications https://www.comptia.org/home

I recommend starting with the A+ certification if you are new to this industry; otherwise the Network+ and Security+ are very good.

TryHackMe https://tryhackme.com/

TryHackMe has modules that cover the very basics, such as “complete beginner”, “pre-security”, and “SOC level 1”. This is good for starting out, but once you get a firm grasp they quickly become outdated.

Hack The Box Academy https://hacktheboxltd.sjv.io/jrv7q5 (affiliate link)

This is my personal favorite study resource. The modules go very in depth on different topics like networking, Active Directory, and red team techniques, and blue team topics are now being added.

Blue Team Labs https://blueteamlabs.online/

Blue Team Labs does not cover basic foundational concepts like networking, Linux, etc., but it has hands-on analyst challenges.

Lets Defend https://letsdefend.io/

Lets Defend is basically like Blue Team Labs with analyst challenges.

TCM Academy https://academy.tcm-sec.com/?affcode=770707_o6lvcuwx (affiliate)

Another one of my personal favorite resources, and I am not just saying that because I am an affiliate. TCM Academy currently does not have foundational courses, but it does have Linux 101 and Python 101, which are fantastic courses for getting started with Linux and programming. The courses are some of the best priced on the market at only $30 each.

Your Homework

Your homework now is to first determine whether this job sounds right for you. Try some of the resources above and see if they grab your interest. If so, make a plan to get a few certifications to get started. Come up with some cool-sounding projects and complete some courses. This will give you a good foundation before moving forward.

I hope you found this post useful. I will continue to write more as I get the chance. Feel free to follow me with the links below:

Instagram: https://instagram.com/cybersec.reviews

Twitter: https://twitter.com/CybersecReviews

YouTube: https://www.youtube.com/channel/UCVzwIAJplnpwm-56g9cYqFA