retaining soc analysts

DarkReading article, 3 Ways to Retain Security Operations Staff, is actually really good. I imagine the work of a typical tier 1 SOC analyst is much the same as NOC staff and probably in a similar vein (management-wise) as front line technical support teams. I imagine they have the same challenges and same expectation of burn and churn (aka either get burnt out and leave or get that first year or two of experience and leave). The article cites the average retention span of a junior analyst to be 12-18 months. That sounds pretty accurate, especially when reading the description of the tier 1 and tier 2 roles. And I totally buy the fact that right now, after 1-2 years of SOC work, you can jump to something better and see a decent bump in pay now that the candidate is essentially a seasoned professional (so to speak). To be honest, even C- and D-players can coast along and then get more progressive roles after a couple years. (Arguably, you shouldn’t mind if they cycle out, as you’d rather keep your A- and B-players as much as possible.)

The author’s 3 steps are rotation of duties, aggressive training, and step-up retention bonuses so you keep “seasoned” analysts rather than have them jump to those other jobs.

I like these steps, and the solution of rotating duties is sound enough to combat monotonous duties, oddball shifts, on-call demands, and lack of challenging work to learn from (aka be stimulated by). The downside to this is you might still lose people due to rotating down into the tier 1 duties on a regular basis. You might also run into the common rotation problem where tasks at one tier just don’t get done by one person since they know they’ll rotate out of it next week, so it gets left undone. This does help hide underperformers a bit. Another downside is when shift roles are too rigid such that oddball shifts don’t get to rotate.

Of course, these solutions and situations are all variable based on the organization in question. If the organization is just serving tier 1-3 MSSP/SOC functions, maybe it will have to live with the churn and burn process. But if the SOC is part of a larger organization with roles to transition into over time, that should be tapped as a valuable source of promotion and talent retention.

cisco cyber ops scholarship experience

A few months ago I tossed my name into a sign-up for a Cisco Cyber Ops Scholarship program which provides training for qualified individuals to achieve the Cisco Cyber Ops certification. This certification, unlike everything else with Cisco, does not require having another Cisco cert under one’s belt already. A week ago, I received an email stating I could finally start the next step, which is to look over the rules and fill in a small “candidate intake survey.” A few days later, I received a link to take a “prequalification” exam. A few more days after that, I received a note that I was accepted and had to take another small survey. At this point, I’m awaiting more feedback on when I can start the training. I’m hoping to kick this off through Q1 and Q2 of 2018.

What is the Cisco Cyber Ops certification? Stealing from someone on Techexams who put it very succinctly: “The CCNA CyberOps is for someone who wants to be a SOC analyst, examining packets and flows on a dashboard.” By contrast, there is also the CCNA Security certification. “The CCNA Sec is for someone who wants to be a network security admin, setting up appliances and firewalls.” Honestly, this sounds like Cisco’s play into the cybersecurity world, and a good one, as otherwise you need to slog through all the courses and studying to implement devices, when many analysts just want to be able to use, tune, watch, and wield the tools once deployed. On a more detailed level, the Cyber Ops cert is the combination of two tracks/exams: Understanding Cisco Cybersecurity Fundamentals (210-250 SECFND) and Implementing Cisco Cybersecurity Operations (210-255 SECOPS).

Are there requirements? Yes, you’ll have to check the rules. I qualify by having an old Security+ certificate in my name. Plus I passed the prequalification exam and accepted the terms/conditions.

What’s the prequal exam like? Clearly I won’t get into details, but the exam was something like 60-ish questions over 45 minutes and covered topics in the course: Windows, Linux, Cisco/Networking, and Infosec topics. Honestly, I found this pretty challenging as my Cisco-centric networking is rusty. I’d honestly say about 50% of the exam covers CCENT and CCNA R&S topics. So plan and study accordingly.

Do I expect to learn much from this? As far as Windows, Linux, and Information Security topics, I honestly doubt I will learn too many new tricks or information; keeping in mind that I’ve done troubleshooting on both platforms for many years as a sysadmin. However, I hope to brush off plenty of Cisco networking rust and bone up on that more than I am today. I think I’ll probably learn the terminology Cisco wants to use for security topics. I also would like to know more about the actual course details, as I can then properly recommend the certification for those looking to possibly get into infosec and want to know what else to look into besides the normal Security+ -> self-study route. The entry level route is one that is difficult to prove or know you’re ready for, especially since infosec is cross-disciplinary. If a cert can demonstrate knowledge in the above 4 categories without needing x years of job experience or 4 other separate certs (Linux+, CCENT/CCNA, Windows something, Security+), that can be a good thing.

Why are Windows and Linux included? As an analyst, I believe the goal is to be able to investigate and troubleshoot alarms and events. This includes being able to log into some servers and run some troubleshooting tools and utilities to see what’s going on, like listing processes and ports in use, looking at logs, and maybe doing some scripting or command line kung-fu. It’s fine if you can watch a dashboard for events, but the real value in security folks is a broad ability to troubleshoot and investigate platforms at least on a superficial level, and not accidentally break things operations depends upon in the process.

Am I so far interested and excited about the cert? For the industry, I actually am. Sure, it’s Cisco-centric, but this cert should demonstrate that someone is ready to put some boots on the ground in a SOC. Security+ and other certs are ok, but there’s lots of trivia and often not a lot of practical skills you can put to use in month 1 of an entry level job. For that alone, I’m pretty excited about this offering and what it means for our entry level tier of folks, who badly need better support to get ramped up out of school.

How do I plan to study for this? First, I’ve already been looking up experiences from others who have taken the course successfully. Seems there is material worth reviewing that lies outside the course materials themselves. Here’s what I’ve come up with so far to check out. I have also seen mention that ITProTV has videos on the course, which I might try to get access to (keeping in mind that November/Thanksgiving special deals are coming up!).

Whatever the scholarship-provided training materials/labs/access will be.
CCNA SECFND book: https://www.amazon.com/Cyber-SECFND-210-250-Official-Certification-ebook/dp/B06Y1RYPL5/
CCNA SECOPS book: https://www.amazon.com/210-255-Official-Pearson-Cybersecurity-Curriculum-ebook/dp/B071JVMJ8T/
Regular Expressions (Python): https://www.debuggex.com/cheatsheet/regex/python
Regular Expressions (PCRE): https://www.debuggex.com/cheatsheet/regex/pcre
NIST 800 61: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf [pdf]
NIST 800 86: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf [pdf]
Wireshark filters: http://packetlife.net/media/library/13/Wireshark_Display_Filters.pdf [pdf]
CVSS Calculator: https://www.first.org/cvss/calculator/3.0

microsoft advice on mitigating dde attack

It sort of flew under the radar amongst larger incidents and attacks over the past month, but the Microsoft DDE (Dynamic Data Exchange) abuse popped up. DDE is essentially a feature in Office products that allows the execution of an application when the document is given a link to it. The feature is meant to allow a document to automatically update itself from external data sources. And, much like macros in the past, disabling DDE (and OLE) in Office could break features that some people do rely on. Nonetheless, there is advice out there from ThreatPost/Microsoft.
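Because a DDE link lives in the document as an ordinary Word field code, an analyst can spot it statically without opening the file in Office. Here is an added example (my own code, not from the article, ThreatPost or Microsoft) that unzips a .docx, re-assembles the field codes from word/*.xml and flags any DDE or DDEAUTO field; the sample document is constructed inline and uses placeholder application and argument strings.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def field_codes(part_xml: bytes):
    """Yield each top-level field code in a WordprocessingML part, re-assembling
    complex fields whose code is split across several w:instrText runs."""
    depth, buf = 0, []
    for el in ET.fromstring(part_xml).iter():
        tag = el.tag.split("}")[-1]
        if tag == "fldSimple":                      # <w:fldSimple w:instr="...">
            yield el.get(f"{{{W_NS}}}instr", "")
        elif tag == "fldChar":                      # begin / separate / end markers
            kind = el.get(f"{{{W_NS}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(buf)
                    buf = []
        elif tag == "instrText" and depth > 0:      # field code text inside a run
            buf.append(el.text or "")

def find_dde_fields(docx_bytes: bytes):
    """Return [(part_name, normalized_code)] for every DDE/DDEAUTO field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():                  # body, headers, footers, ...
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(zf.read(name)):
                    if DDE_RE.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits

# Constructed sample: a DDEAUTO code split across two runs beside a harmless
# DATE field; the application and argument strings are placeholders.
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{W_NS}"><w:body>
<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO "placeholder_app" "placeholder_args"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>shown text</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>2017</w:t></w:r></w:fldSimple></w:p></w:body></w:document>"""
def build_sample_docx() -> bytes:                   # minimal constructed .docx: one part only
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return out.getvalue()
```

Splitting the code across runs is why the scanner joins w:instrText text per field instead of grepping the raw XML; a plain string search for "DDEAUTO" misses the sample above.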

tools to aid investigating o365 email

I’ve only recently become a consumer of O365, and have not done any administration, investigation, or poking around on the undersides of it, but these two links came across on a local Slack channel and I wanted to pull them out and save them for future reference. Both of these GitHub links offer tooling for investigating O365 phishing emails and shenanigans. First, one from LogRhythm and another by the OfficeDev crew.