retaining soc analysts

DarkReading article, 3 Ways to Retain Security Operations Staff, is actually really good. I imagine the work of a typical tier 1 SOC analyst is much the same as NOC staff and probably in a similar vein (managerial-wise) as front line technical support teams. I imagine they have the same challenges and same expectation of burn and churn (aka either get burnt out and leave or get that first year or two of experience and leave). The article cites average retention span of a junior analyst to be 12-18 months. That sounds pretty accurate, especially when reading the description of the tier 1 and tier 2 roles. And I totally buy the fact that right now, after 1-2 years of SOC work, you can jump to something better and see a decent bump in pay now that the candidate is essentially a seasoned professional (so to speak). To be honest, even C- and D-players can coast along and them get more progressive roles after a couple years. (Arguably, you shouldn’t mind if they cycle out, as you’d rather keep your A- and B-players as much as possible.)

The author’s 3 steps are rotation of duties, aggressive training, and step-up retention bonuses so you keep “seasoned” analysts rather than have them jump to those other jobs.

I like these steps, and the solution of rotating duties is sound enough to combat monotonous duties, oddball shifts, on-call demands, and lack of challenging work to learn from (aka be stimulated by). The downside to this is you might still lose people due to rotating down into the tier 1 duties on a regular basis. You might also run into the common rotation problem where tasks at one tier just don’t get done by one person since they know they’ll rotate out of it next week, so it gets left undone. This does help hide underperformers a bit. Another downside is when shift roles are too rigid such that oddball shifts don’t get to rotate.

Of course, these solutions and situations are all variable based on the organization in question. If the organization is just serving tier 1-3 MSSP/SOC functions, maybe it will have to live with the churn and burn process. But if the SOC is part of a larger organization with roles to transition into over time, that should be tapped as a valuable source of promotion and talent retention.

cisco cyber ops scholarship experience

A few months ago I tossed my name into a sign-up for a Cisco Cyber Ops Scholarship program which provides training for qualified individuals to achieve the Cisco Cyber Ops certification. This certification, unlike everything else with Cisco, does not require having another Cisco cert under one’s belt already. A week ago, I received an email stating I could finally start the next step, which is look over the rules and fill in a small “candidate intake survey.” A few days later, I received a link to take a “prequalification” exam. A few more days after that, I received a note that I was accepted and had to take another small survey. At this point, I’m awaiting more feedback on when I can start the training. I’m hoping to kick this off through Q1 and Q2 of 2018.

What is the Cisco Cyber Ops certification? Stealing from someone on Techexams who put it very succinctly: “The CCNA CyberOps is for someone who wants to be a SOC analyst, examining packets and flows on a dashboard.” By contrast, there is also the CCNA Security certification. “The CCNA Sec is for someone who wants to be a network security admin, setting up appliances and firewalls.” Honestly, this sounds like Cisco’s play into the cybersecurity world, and a good one, as otherwise you need to slog through all the courses and studying to implement devices, when many analysts just want to be able to use, tune, watch, and wield the tools once deployed. On a more detailed level, the Cyber Ops cert is the combination of two tracks/exams: Understanding Cisco Cybersecurity Fundamentals (210-250 SECFND) and Implementing Cisco Cybersecurity Operations (210-255 SECOPS).

Are there requirements? Yes, you’ll have to check the rules. I qualify for having an old Security+ certificate in my name. Plus I passed the prequalification exam and accepted the terms/conditions.

What’s the prequal exam like? Clearly I won’t get into details, but the exam was something like 60-ish questions over 45 minutes and covered topics in the course: Windows, Linux, Cisco/Networking, and Infosec topics. Honestly, I found this pretty challenging as my Cisco-centric networking is rusty. I’d honestly say about 50% of the exam covers CCENT and CCNA R&S topics. So plan and study accordingly.

Do I expect to learn much from this? As far as Windows, Linux, and Information Security topics, I honestly doubt I will learn too many new tricks or information; keeping in mind that I’ve done troubleshooting on both platforms for many years as a sysadmin. However, I hope to brush off plenty of Cisco networking rust and bone up on that more than I am today. I think I’ll probably learn the terminology Cisco wants to use for security topics. I also would like to know more about the actual course details, as I can then properly recommend the certification for those looking to possibly get into infosec and want to know what else to look into besides the normal Security+ -> self-study route. The entry level route is one that is difficult to prove or know you’re ready for, especially since infosec is cross-disciplinary. If a cert can demonstrate knowledge in the above 4 categories without needing x years of job experience or 4 other separate certs (Linux+, CCENT/CCNA, Windows something, Security+), that can be a good thing.

Why are Windows and Linux included? As an analyst, I believe the goal is to be able to investigate and troubleshoot alarms and events. This includes being able to log into some servers and run some troubleshooting tools and utilities to see what’s going on, like listing processes, ports in use, look at logs, and maybe do some scripting or command line kung-fu. It’s fine if you can watch a dashboard for events, but real value in security folks is a broad ability to troubleshoot and investigate platforms at least on a superficial level, and not accidentally break things operations depends upon in the process.

Am I so far interested and excited about the cert? For the industry, I actually am. Sure, it’s Cisco-centric, but this cert should demonstrate that someone is ready to put some boots on the ground in a SOC. Security+ and other certs are ok, but there’s lots of trivia and often not a lot of practical skills you can put to use in month 1 of an entry level job. For that alone, I’m pretty excited about this offering and what it means for our entry level tier of folks, who badly need better support to get ramped up out of school.

How do I plan to study for this? First, I’ve already been looking up experiences from others who have taken the course successfully. Seems there is material worth reviewing that lay outside the course materials themselves. Here’s what I’ve come up with so far to check out. I have also seen mention the ITProTV has videos on the course, which I might try to get access to (keeping in mind that November/Thanksgiving special deals are coming up!)

Whatever the scholarship-provided training materials/labs/access will be.
Regular Expressions:
Regulat Expressions:
NIST 800 61: [pdf]
NIST 800 86: [pdf]
Wireshark filters: [pdf]
CVSS Calculator:

microsoft advice on mitigating dde attack

It sort of flew under the radar amongst larger incidents and attacks over the past month, but the Microsoft DDE abuse popped up, which is essentially a feature in Office products that allows the execution of an application when provided the link to it in the doc. The feature is meant to allow a document to automatically update itself from external data sources. And, much like macros in the past, disabling DDE (and OLE) in Office could break features that some people do rely on. Nonetheless, there is advice out there from ThreatPost/Microsoft.

tools to aid investigating o365 email

I’ve only recently become a consumer of O365, and have not done any administration, investigation, or poking around on the undersides of it, but these two links came across on a local Slack channel and I wanted to pull them out and save them for future reference. Both of these github links offer support for investigating O365 phishing emails and shenanigans. First, one from LogRhythm and another by the OfficeDev crew.

can you distill cyber security into 10 steps?

Today saw an infographic fly across my LinkedIn news feed: 10 Steps To Cyber Security. Only 10? To achieve Cyber Security, not just the top steps? Sweet! To be fair, these are less steps as they are entire spheres to address with multiple controls and initiatives in each one. But, is anything missing? Just having 10 steps still seems awfully light.

Backups. No mention of backups, and I think every security strategy should have backups as step 0.

Data. None of the 10 steps given have anything to do with data. I imagine someone could say evaluating your data is part of the central risk strategies, but I don’t buy that. Know and secure the data that is important to your business. That should be a standalone strategy bubble.

Segmentation. I don’t really see anything that would pull in secure configuration of networks, namely segmentation. Sure, it’s more of a control, but I think it’s important enough to be up with these other 10 items. (Network Security may cover this, but I think it’s too easy to just read this item as perimeter only.)

Software. I was hoping to see Secure Configuration include software on systems, but really it’s not there, and no other items really gets into this.

Software Development. This is really close to software, but it has less to do with software installed on systems and more to do with software developed in house. While the items could read similarly, the approaches are done by entirely different teams with different projects.

Is there a list that includes these items and the ones in the above link? Actually yes, but it’s 20 controls, not 10 steps: The CIS Top 20 Security Controls list. Wow, that sounds like a marketing pitch…

top ten items for reducing insider threats

So much of IT and especially infosec is driven by checklists and top ten lists and such. It’s a great way to succinctly get a topic across to someone else, especially when the alternative is a 50 page paper on how, why, and what to fix and do. I saw this TechRepublic article on “10 Tips for Reducing Insider Security Threats,” and was ready to be annoyed at it, but I honestly found it to be a good little list. I would re-order it, personally, and swap out a few items, but overall it frames where this line of thinking should be.

1. Establish a security incident and response team – Is this necessary? Not entirely; but in cases where it’s not, that organization needs at least someone local who cares a little about security and at least thinks about the rest of these items. But in most cases, it’s probably necessary. Hunting insider threats means keeping tight control on permissions, access, and accounts, monitoring logs for weirdness, and staff to configure tools that go the extra (arguable) mile like DLP and egress firewall rules. Honestly, without the staff or team, the organization can only go so far.

2. Use temporary accounts – This is an excellent idea, as account control should be a priority, and no one remembers to remove all of the temporary accounts out there. It’s best to just put them in from the start as a temporary account (along with a description that includes who requested/owns the account). If the account expires and is still needed, it can be re-requested and even it’s password changed at that point. But accounts should neve just linger out there that are no longer needed. And most of the requests like this are for third party vendors or contractors.

3. Conduct frequent audits to look for unused accounts and disable or remove them if possible – This should be done, and dormant accounts should be raised up for review. Just keep in mind there is a difference between user accounts and service-types of accounts, and perform due diligence when disabling these accounts to ensure critical services aren’t impacted. Just like the point of the above item, getting rid of unnecessary accounts is an important function.

4. Follow employee termination principles carefully – To me, once an employee is terminated, they are no longer an insider threat. However, if accounts and access are not terminated promptly, the risk does turn into one that mimicks an insider threat due to their lingering knowledge of internal systems and processes, but also their access to accounts they are already familiar with. A strong terminatation process needs to exist to shut terminated employees out of any and all access. If you trust your IT or infosec teams, they should get notified shortly before a termination and coordinate the timing. No one wants to find out a termination is happening at 5pm on a Friday when IT staff is already at home.

5. Identify unhappy employees – Whenever we talk about disgruntled employees, this really is an HR and managerial process. But it’s one that should also include infosec to some degree in a matured environment. Infosec is tasked with tracking and hunting threats, and an a disgruntled employee is a very big threat. Once a disgruntled employee has been identified, that process should include some sort of notification and some degree of enhanced monitoring or alarming on that employee’s activity. It might be nothing more than putting an account on some sort of yellow alert. Obviously, this is something that will only work in highly trusting environments where infosec has a mature process and heightened sense of integrity so as not to fall into the rumor mills or divulge that someone is flagged. Honestly, I think most of the time this is truly a manager and HR process and it pretty much stops there until an incident occurs and questions start getting asked. If nothing else, like the article states, it may be enough to just have HR/Manager tackle the source of the discontent and fix it.

6. Use two-factor authentication – This is an arguable item when it comes to insider threat, but I think it makes a good inclusion amongst a top 10 list of items. Internal employees will sometimes acquire or find out about account passwords for various other users (secretaries, or help desk staff, or uneducated supervisors…), and limiting the ability to commandeer someone else’s account to do nefarious things is part of the insider security tasks.

7. Use encryption of confidential data either in motion or at rest – Another somewhat arguable item, but again useful on this list in order to illustrate the risk of physical theft of devices or hard disks or backup tapes that contain retrievable data. I’d argue if someone is sniffing and capturing data in motion over the corporate network, there are deeper problems with application control in play.

8. Consider third-party products – The article points out IAM, DLP, and Tripwire as third party tools to fit into this arena, and honestly, that’s a good list to get started. The point is account control and access management, data loss detection, and monitoring for key internal files being accessed or changed. I’d throw in log collection and analyzing (or SIEM) as part of this bullet item, personally, in order to alarm on strangeness.

9. Don’t forget to guard your perimeter – For me personally, this bullet item is not so much an insider threat as it is an intruder that has gotten in. Granted, many of the controls at this point overlap, but I don’t think this bullet item completely fits in here.

10. Consider investments in products and staff more than just “insurance” – I agree with this bullet item, but I’d go beyond just saying this will lower costs of audits and possible impact of incidents. I’d also say that good security processes will help the business run more efficiently on the back end; this can include easier troubleshooting for operations, less hunting through old accounts, and less confusion and mis-handled security tasks that can easily land in a well-defined workflow with the security staff, keeping ops’ time freed up to do ops things. It can also provide better change mangement so that bad changes are more easily found and fixed.

I didn’t like item #9, and poked at a few others. I would personally add a few things as more important:

11 (new). Practice RBAC and document access needs. – This means documenting access needs, defining role-based access needs, and sticking to predictable pactices in regards to permissions and access. Everyone should know what they need access to and what they shouldn’t, and that should be predictable and defined so that things out of the ordinary don’t mysteriously occur that result in one employee having more access than they should and no one knows about it until they do something bad.

12 (new). Limit internal access to only what users needs, including workstation rights. – This follows the above item pretty closely in defining least privileges, but I prefer this to be a separate bullet in order to isolate the control over workstations rights and what someone can do on their workstation, such as installing Wireshark or some other nefarious tools that can turn an insider’s workstation into an insider attack platform.

good rules to live by to be yourself

Diving outside the norm again, I found this list of 8 Habits of Incredibly Interesting People to be, well, incredibly interesting. In the past 6 months, I’ve realized I’ve added a few people to a list I never really knew I had: People I admire, look up to professionally and personally, and whom I would love to share dinner and conversation with to learn from them and emulate them. And these persons really do match the below items pretty well.

They are passionate. (I would add that they are enthusiastic, and infectious!)
They try new things. Interesting people do what interests them.
They don’t hide their quirks. (Be yourself.)
They avoid the bandwagon.
They check their egos at the door. An egomaniac is never interesting.
They’re always learning. To interesting people, the world has infinite possibilities.
They share what they discover. The only thing interesting people enjoy as much as learning is sharing their discoveries with others.
They don’t worry about what others think of them. Nothing is more uninteresting than someone who holds their true self back because they’re afraid that other people might not like it.

Good rules to live by to be yourself.

lockpicking, work, gen con, and critical role

Activity got a little sparse here over the past few weeks. Part of the reason has been busyness at work. But another part of it has been tackling some personal activities. For the second year in a row, I went to the tabletop gaming convention Gen Con in Indianapolis. Between attending and preparing to go, that took quite a lot of my free time. Much of the rest of my free time has been spent trying to catch up on some new youtube channels and fitting them into my other habits and priorities. First, I’ve been turned onto BosnianBill’s YouTube channel which has 1000+ lockpicking videos. These are absolutely excellent; they’re small digestible videos and Bill talks wonderfully through everything he is doing while giving the viewer a very clear, close view of his work and clear audio of the progress as well. I’ve skipped around a bit to check other things out (I’m otherwise working backwards through his channel), and I found a tutorial video he did about picking spool pins and it’s absolutely invaluable and amazing how well he teaches lockpicking. Definitely a channel to subscribe to.

I’ve long been aware of the Critical Role show on Geek & Sundry since it began, but I’ve never taken the time to watch it since I knew it would be a timesuck. Essentially, the show is a group of voice actors playing D&D. I knew I’ve love it, and I finally started watching it a few weeks ago, and my fears were confirmed: I absolutely love it and need to keep watching to catch up. It’s also stoked my interest in D&D again, but not quite enough to pursue finding a group yet to scratch the lifelong itch. Maybe I’ll find a way to fit that in!

Lastly, I’m also watching some Linux courses over at Linux Academy, partly for my own learning, partly to normalize what I’ve learned over the years (and close some gaps), and partly to satisfy some training expectations at work. I’ll eventually be ready for, but won’t be taking, the Red Hat Certified Systems Admin test. Unless my title has “Linux” in it, I don’t think actually spending the money and time to take the test will be worth it to me, but the learning will be very nice to have. This sort of fills in my allotted personal learning time for the moment with something not terribly hard and with very little overhead pressure for the summer months.

Anyway, those have been my major timespends over the past month.

five signs of leadership in management

I love me lists, but I usually don’t delve too far outside of technical articles when I post things on here. However, an article I saw on my LinkedIn feed caught my eye and read really nicely: How Can You Tell Someone Has True Leadership Skills? Look for These 5 Uncommon Signs. I think these five items are all key items for a good manager, at least for me. And I like that the article doesn’t devolve into over-tried things that don’t apply to everyone like, “Good leaders reward their employees with recognition or gifts.” I do also like the way several items can spark more thoughts on what’s written between the lines, specifically the items to practice transparency and create psychological safety. The latter is a very interesting way to word this. Normally, I think about innovation and the flexibility to learn, make small mistakes, and come out better for it. A poor culture will be intolerant to mistakes. I like the idea of labeling this as creating psychological safety, since really, that’s what it is, and that term can encompass other things than just quelling the risk and pain of failures and mistakes.

being the expert of becoming the expert (or not at all)

Read an article this morning, Ten Unmistakable Signs You’ve Stayed At Your Job Too Long, which I thought I would comment about on here for each bullet point, but then I decided that was pretty boring. However, a few points kept bouncing around in my head. They are:

1. As you look ahead at your projects over the next 12 months, you don’t see anything that you haven’t already done a million times before.

4. You know every procedure in your company. You know every piece of software. You know the purpose (and the time and location) of every standing meeting. You know so much that people constantly ask you for advice — but knowing as much as you do, you should have a lot more influence than you have.

5. Your muscles aren’t growing. You can’t even remember the last time you did something really cool at work or learned something powerful. At this point, you are just treading water.

Now, this can easily dive deep into a conversation about innovation and corporate tolerance to (minor) failure. But I wanted to put that aside since that is a topic that is beaten to death (even in my own head). Even talking about corporate culture is a bit out of my scope (though very relevant).

But my main interest was this question:

Do you want an employee (or to be an employee) who is best at what they do and already an expert in their daily tasks, or one who is driven to learn, but not yet necessarily the expert at their daily tasks?

I’ve posted the question elsewhere, and gotten good, thoughtful answers. In the end, I don’t think it terribly matters as long as I’m happy in my self and job and progress. Be good at what I learn, and have enough latitude to learn (which implies not necessarily being good yet), with small non-fatal stumbles, when the opportunity arises. It’s possible being an “expert” is the wrong frame of mind to have, like saying your idol for CEO is Steve Jobs, which just isn’t realistic and will ultimately be unrequited.