
  • SOC Analyst Roadmap to Success

    This article will discuss background-specific tips for landing your first SOC Analyst role. The four audiences are college graduates, IT career changers, Veterans, and the Autodidact. Each one has its nuances, making it worthwhile to dedicate this article to your roadmap to success.

Roadmap to Success

This series has given you insight into what a SOC Analyst does on a day-to-day basis and general strategies for finding your first job in cybersecurity as a SOC Analyst. It was written to target four key audiences: the recent college graduate, those who are career-changing from other areas in IT, the transitioning military, and those who are self-taught. This article will give background-specific tips on things you need to know that apply directly to you. I will repeat myself through these four sections, driving home the idea that you have to prove your interest and back it up with examples, in addition to hard technical skills. Veterans have extensive networks of people and partnerships just waiting for them to plug into, the college graduate has career services at their school to leverage, people transitioning from other areas of IT already have real-life experience, often in domains that overlap with cybersecurity, and lastly, the autodidact’s strongest selling point is their projects and involvement with the community at large.

I recommend that students of all backgrounds who are worried they don’t have much to talk about in an interview deploy a few honeypots. Then, take the data from them and analyze it. In the article The SOC Analyst Method, I explain how to analyze a security event. Practice this method on the honeypot attackers and find interesting things to discuss in the interview.

One more plug. I will mention in this article how you should write your resume based on your particular background. Give it your best shot to write your resume, but when you are just starting, it can be difficult to highlight what you know.
I have worked out a deal with Resume Raiders on your behalf to offer a 20% discount on services; just use the coupon code SOCANALYSTNOW. I receive zero commissions or discounts, saving you about $60 for a complete resume rewrite. Dave also offers services for resume revision at a lower price if only smaller changes are needed. He will share your resume in a Google Doc, and you will collaborate back and forth as he asks you questions. You answer them in comments, and then he will pen your resume. I use him myself; that’s the only reason I recommend him. So let’s get started.

Recent Graduate

Congratulations! You have graduated or are about to graduate from college. It’s a monumental achievement, and I hope you’ve learned a lot. Maybe you had an internship, and that’s great, because what you’re fighting now is a lack of experience. Getting experience with commercial tools is one of the most challenging things. They cost millions of dollars and work in highly complex enterprise environments. But the hiring manager knows that. What he’s looking for is experience with any projects you may have had while in school, any personal projects you’ve had, and overall, checking to make sure you’re not a commodity graduate with zero interest in cybersecurity other than the paycheck. So many people graduate, don’t know anything, and have no real passion or interest in cybersecurity. That is the reputation you are fighting against as a recent college graduate.

Your resume should reflect the projects that you’ve worked on during school. Explore your school’s career services to see if they have people who know how to write your resume in a way that highlights the experience you gained from your curriculum. This should be your first stop, as they see what you’ve learned while in your program. And then maybe poke Resume Raiders for a revision if you’re not having any luck. You need a project to talk about.
The question of why you like cybersecurity is inevitable, and you should be fully prepared to give them examples of the projects you’ve been a part of that you truly enjoyed. Eventually, what you want to do in cybersecurity will come up. One thing you have on your side from a formal education is experience with a variety of things, and you probably already know what you like and don’t like. So talk about the classes and projects you truly enjoyed and say you’d like to work in the SOC for a few years to get even more breadth of experience before deciding on a specialty. When you’re finally in the SOC, you’ll see how we do things in the real world. And it’s often much different from the Ivory Tower you’ve learned about in college. Sometimes it’s messy with lots of red tape, and your dream isn’t what it pans out to be.

That is what happened to me as a penetration tester. I loved hacking around and had been doing it for years, and I thought all through college that this was precisely what I wanted to do, and I was so sure of myself. I started in the SOC, worked hard, became a pentester, and then learned I hated it. It was the worst! Luckily, I was already qualified to be a SOC Analyst, so I regrouped and found my way into Security Engineering with nothing lost. I haven’t strayed too far from the SOC ever since.

Your degree alone is not going to get you a job. It’s an essential step in any career, but significantly less critical today than it was a while ago. Most big companies have removed the requirement to have a college degree, but there are still some that require it. Those that require it should be your first applications. Fewer people have college degrees, so there might be less competition.

From IT

So you want to join the exciting world of cybersecurity. As you might know already, moving into a SOC Analyst role might mean a temporary pay cut, depending on your seniority in IT. You’re looking at around $80k to $100k starting.
But you might be considering it because you’ve hit the glass ceiling in IT, done your research, and know the glass ceiling is higher in cybersecurity. You might just be more interested in a domain in cybersecurity and need the SOC Analyst role to get there. Whatever the reason, you’re reading this piece, and being a SOC Analyst is on your mind. There are a few things you need to know. It’s a lot like IT. The same problems you’re having in IT, you’re going to have in cybersecurity. On-call is typical; it changes rapidly, and there is a glass ceiling you’ll inevitably hit. After a while, you realize it’s a glorified customer service position. You might already have certifications that apply to cybersecurity, like any networking or Microsoft certifications, which are a plus; any CompTIA certifications are good, too. In general, you’re familiar with the certification game. You may be past the certification game in your IT career, but be prepared to start it all over as a SOC Analyst.

It almost sounds like I’m discouraging you from becoming a SOC Analyst, but I’m not. I know how important it is for us to do stuff we like. The only reason I’m writing a book is that I enjoy writing. It’s so challenging to be stuck doing work you don’t like, and to make it worse, you probably won’t be good at it. I would only suggest this path to someone from IT if they like cybersecurity. The reason doesn’t matter; just be prepared to discuss it in an interview. I recommend going to the ISC2 website, finding the domains of cybersecurity, and writing your resume with the skills and experience you gained at your previous employers in those domains. There will be a lot of overlap. Anyone with a significant amount of experience in IT is qualified for a SOC Analyst job, and since you picked up this book, you already know why you’re interested. Out of all the backgrounds this book applies to, yours will be the easiest to find work in cybersecurity with. Experience trumps everything.
Autodidacts

Calling all hackers. You only really end up in this category if you’ve been hacking around at things for years and are sitting around thinking how great it would be to do this for a living. Well, good news: it happens constantly, but there are some things to consider. How do you quantify experience with something you’re not supposed to be doing? First off, congratulations on staying out of jail, and I say that assuming you’ve kept your nose clean. If you haven’t, there aren’t many people who will hire you. It does happen, and some companies will employ extremely talented felons, but it’s rare, and what usually happens is they create their own companies, and other companies hire them as contractors. But that’s so rare, I won’t cover it in detail.

Here’s what you do if you have been hacking away on your own. You play Capture the Flag competitions and set up labs. When asked what experience you have, tell them you set up labs and give the spiel about your lab environment before they can ask. You get a bug bounty and put it on your resume. You contribute to a community project or improve on a standard tool. You write your blog and publish articles about your research. It’s significantly more difficult for you to get a call back from a job posting and compete with all the other applicants with your resume alone. The tips for attending conferences, hackerspaces, makerspaces, and meetups are critical. You need to be at every single one and start contributing. Pick a topic and give presentations, or just make the coffee. Get on LinkedIn and add SOC Analysts, join a group, and contribute. You need a resume, but you also need to know someone on the inside to pick your resume from the pile and give you an interview. Out of all the backgrounds this book covers, this is the most difficult one from which to land a job in cybersecurity, because you need twice the skills of a college graduate and excellent luck. However, you’ll likely succeed in the long run because you can’t teach passion.
You’ll have to do a lot of work for free before you build the reputation to get paid for it.

Veterans

Veterans can access complimentary cybersecurity training and scholarships, enabling them to acquire the necessary knowledge, skills, and abilities (KSAs) for entry into the cybersecurity sector. The CyberCorps®: Scholarship for Service (SFS) initiative, a collaboration between the Department of Homeland Security (DHS) and the National Science Foundation (NSF), extends cybersecurity scholarships to exceptional undergraduate, graduate, and doctoral students. Eligible individuals can receive financial support ranging from $27,000 to $37,000 for their studies at participating institutions. SFS scholarships cover the typical expenses of full-time students at participating institutions, encompassing tuition and related fees for a maximum of two years. When combined with the Post-9/11 GI Bill, which provides up to 36 months of financial assistance for education and training in various fields, including cybersecurity, veterans may have the opportunity to earn a cybersecurity degree without incurring costs.

The DHS facilitates training through the Federal Virtual Training Environment (FedVTE) platform, an online, on-demand training resource accessible to government employees and veterans. FedVTE offers over 800 hours of free training on cybersecurity and IT topics, ranging from beginner to advanced levels. The courses cover diverse areas such as ethical hacking, risk management, surveillance, and malware analysis. Additionally, they align with certifications like Network+, Security+, and Certified Information Systems Security Professional (CISSP).

The SANS Institute’s VetSuccess Academy is tailored to support veterans in their cybersecurity endeavors; however, it has been mentioned that this SANS program should be viewed as more of a lottery ticket, because they rarely see anyone get picked for any particular cohort.
However, there is a success rate in having the GI Bill pay for a SANS degree, which bundles individual certifications into a degree program. The certifications themselves are highly regarded in cybersecurity and very expensive. However, I have recently heard that the GI Bill may no longer pay for SANS courses.

One problem that is common with military folks is that they focus heavily on certifications but don’t get the hands-on experience and deep theory that they need for entry-level technical positions. To make matters worse, the people I’ve talked with don’t feel that cybersecurity degree programs prepare the transitioning military well, as they focus on high-level policy. The military trains you to look for qualifications and meet service ribbon/medal requirements. And since certifications don’t matter as much as practical hands-on project work, veterans fall prey to predatory bootcamps at an above-average rate, leaving them still unqualified to do the work or pass the interview. Note: They recommend a general computer science degree program at a brick-and-mortar college if you choose to go the degree route.

Before you transition, be aware of SkillBridge. Essentially, it allows military members on active duty to spend the last 180 days of their time on active duty working (for free to the business) for a company as an intern. They maintain their military pay and benefits. The company gets a free intern. This often can pivot into a full-time offer upon separation from the service, but if not, it will give you a little experience and someone to vouch for you.

Furthermore, VeteranSec serves as an online community for military veterans engaged in or interested in information technology and cybersecurity. The platform provides a private networking channel of over 7000 veterans, free training videos, partnerships with companies to take advantage of, and an informative cybersecurity blog with tutorials to aid veterans in their professional development.
Summary

I hope this article has provided a few additional helpful strategies for your road to success. Each of these backgrounds presents an opportunity for us to provide insights into the challenges, even reputations, that you are fighting against and need to be aware of as you trudge the road ahead. Use the tools given to you in this book, with the additional insight from this article, to form a plan for attacking your job search and, if you’re lucky, interviews. Not everyone will have the same experience with their journey to success. Some will be more difficult than others. We’re not all on the same playing field. I know that may not be what you want to hear, but corporate America, and capitalism in general, is a game. Once you learn the rules and what moves you forward, you can strategize what makes you desirable to employers. You build a brand for yourself. For me, it was certifications and education to start with, but after some years, I fail even to mention them during interviews, and I’m never asked about them because we’re too busy talking about experience. If you have experience, it trumps everything. If you don’t yet, you need a formal school, the community, your friends, any internships, former employers, and even yourself to vouch for you and provide examples to show your potential value. And for the lone hackers, the autodidacts, the self-taught, let’s all remember that, for whatever the case may be, they are the underdogs, but they are the few and the proud. Be nice to them and make friends; you’ll thank me later.

  • Starting SOC Automation

    This article will discuss the maturity models of Security Operations Centers, how to know where your SOC is at, and how to embrace SOC automation and stay ahead of the curve.

Automation within the Security Operations Center (SOC) is generally referred to as Security Automation and Orchestration (SAO) or Security Automation, Orchestration, and Response (SOAR). As an analyst, it has become increasingly common to encounter some type of security automation within organizations. To what extent may depend on the maturity of your organization and its SOC. We will dive into maturity models and how those relate to automation a bit later in this article. First, what is security automation?

What Is SOC Automation?

No, SOC automation does not refer to robots becoming self-aware. Threat intelligence feeds do not suggest that “judgment day” is close on the horizon. Simply stated, automation is the machine implementation of low-level security-related actions. These actions are small pieces of a larger task. Generally, a task will be made from a number of actions. Similarly, a process will encompass a number of tasks. Tasks can be partially or fully automated with the goal of reducing human intervention in security operations. Orchestration, while very closely tied to automation, takes advantage of multiple automation tasks across multiple systems or platforms. Orchestration is used to automate or semi-automate more complex workflows and processes.

We have heard criticism from SOC analysts and others in the security community regarding automation. The overwhelming theme seems to be that analysts are worried that automation will take their jobs. At first glance I can see where they are coming from. If a machine can do it faster and more efficiently, then what is the analyst to do? Believe me, I get it! As a SOC lead, I want to challenge my analysts to do a detailed analysis of events.
This takes a good amount of time and is not possible with the volume of events seen on a daily basis. I want them to look for trends, examine data over a larger period of time, and then find the reason that these events are taking place. To ask themselves questions like: “Is the reason I have to respond to 50 events per day on an IPS signature that the web server is vulnerable?” Present that data back to your SOC leadership, and take the initiative to get the business to patch the vulnerability. What we are attempting to convey is that SOC automation should not be seen as a limitation to your career, but rather a springboard which can help you become a better analyst. We will go over a number of reasons for automation in the next section that should paint a clearer picture of the benefit of automation not only to the SOC but to the individual analysts as well. Let’s dig into why automation is a positive addition to any SOC.

Why Automate?

There are a number of reasons for a SOC to automate, but be assured that replacing analysts is generally not the goal. The SOC analyst is a valuable resource which will always be needed to perform where machines cannot. Whether part of a maturity initiative or new business requirements, leadership is often left taking on additional services with the same or fewer resources. Taking into account that SOC leadership is being pressured to deliver more, combined with the shortage of skilled cybersecurity professionals, it is easy to see why automation is a no-brainer.

I have spent time in the trenches working through an endless queue of events. When I was a junior analyst, there were times when I would have a number of events that were generated for antivirus detections where the files were quarantined. Over half of the events in that day were “potentially unwanted applications” (PUA) which were adware/toolbar related. The tool did its job, the files were quarantined, yet I still had a number of events that needed to be addressed.
I had to manually add the appropriate notes and close each ticket. If I had had automation in place, it would have made my life a lot easier. I would have been able to focus on more in-depth analysis and look for a common source of the adware, but due to the sheer volume of events, it was not an option at that time. For me, automation is a force multiplier when it comes to helping analysts with the flood of events they handle on a daily basis. By eliminating the need for analysts to do monotonous tasks, they are free to spend more time performing higher-level analysis of events. Senior analysts will have more time to dedicate to training junior analysts, and more time can be spent on developing documentation. With the ever-changing pace of a SOC, we all know this is always needed.

One of the first reasons a SOC may choose to automate is to streamline existing processes. Many SOAR platforms have C-level dashboards that are designed to show the amount of time and money saved by automating actions. While I do agree to an extent that this can be important, focusing on this alone may not necessarily be the best fit for all organizations. There are a number of other reasons that I believe are equally important to the operation of a healthy SOC.

One of my favorite reasons for automating is to reduce analyst fatigue. I cannot be the only analyst who has ever spent what seems like hours a day pressing “Ctrl+C” and “Ctrl+V.” I have gone home at the end of the day brain-fried, wondering if a monkey could do the job just as well. As I mentioned earlier, security analysts are the most important resource that a SOC has. These analysts are inundated day in and day out with an abundance of information that needs to be collected, categorized, classified, analyzed, and interpreted. Reducing the volume of events that need to be analyzed is one way to reduce that fatigue. Reducing analyst fatigue benefits the SOC by reducing overall stress and making it a fun and challenging place to work.
Isn’t the saying “Happy SOC, Happy Life”? Good leadership should strive to do all that they can to promote morale and a healthy workplace environment. Doing the same repetitive actions day in and day out will desensitize you and cause you to skip steps or cut corners. This fatigue increases the possibility for mistakes to be made.

Reducing mistakes leads me to another popular reason for automating, which is standardizing processes. Analysts can get trapped in an endless screen-switching cycle during an investigation by checking documentation, following defined steps, and moving between multiple consoles. When automating security-related tasks, we drive consistency and reduce the likelihood of errors. Consistency is key in security operations. When we implement automation during incident response, we can ensure that processes are consistently followed.

As a SOC analyst, it is very easy to cast wide nets in order to collect as much information as possible. Sometimes the rules we write just need to be broad. The events generated by a rule may only be an indicator when correlated to another event or other condition. Sure, you could write a correlation rule, but maybe you are in the infancy of tuning a rule, and thus analysts receive a large number of false-positive detections. What if we could use automation to tune out these false positives? Reducing the overall volume of false positives is one such use case that I have spent a good amount of time automating. I will give an example of this later in the article.

Each analyst has their own preference for sources of information, and this can sometimes create false positives or lead an analyst down the wrong rabbit hole. As mentioned previously, consistency is important for a number of reasons, but in addition to those already mentioned, another reason to automate is the reduction of information bias. Some reputation and intelligence data sharing services are higher fidelity than others.
Open source feeds can be a double-edged sword. On one side, they may have larger reference sets and be of good quality, but on the other side, I have found that it is easier for one wrong attribution to skew a full dataset. When the sources from which data is ingested and consumed are defined by the team, reputation checking and intelligence enrichment can be easily automated within your playbooks.

Every few months, it seems like there is a new attack pattern, and threats are becoming more complex each and every day. Organizations need to be prepared for this evolution of complex threats. Adversaries today are utilizing automation to conduct attacks against your organization. Security operations need to keep up with the speed at which attackers are evolving, and the only way to do this is through automation and orchestration. As you implement new automation playbooks, the end goal should be to reduce the mean time to detection (MTTD) and mean time to response (MTTR). Each step that is automated shaves fractions of seconds from these SOC metrics. While at first glance it may not seem that a machine could save much time per single action, the culmination of all of these small actions over time will add up to significant time savings. The decrease of these metrics will satisfy senior management while also providing the numerous benefits mentioned previously.

SOC Maturity

I would like to preface this section by stating that I do not think many organizations would expect that they could fully automate every process from beginning to end. I believe there are just so many situations that require an analyst to make a decision that a machine just cannot make. There have been many horror stories of automation putting blocks in place based upon the wrong classification of the data. These instances have had catastrophic effects on businesses and their reputations.
Until an organization has a high confidence level in the data being provided, I would personally suggest adding some checks and balances into automation processes. These checks and balances should require human interaction and approval before blocking controls are put in place. All of these steps can be built into your playbooks to ensure that you can not only take advantage of automation to the fullest extent possible but also keep automation from taking an incorrect action.

The goal of this article is not to go into a deep dive on the topic of maturity models. There are a few different ways to go about measuring the maturity of your SOC. You can write your own framework or use an industry-standard framework to accomplish the same goal. The benefit of using a standardized framework is that it is recognized and probably being used by other organizations within your industry. Both solutions are designed to provide a situational summary of where the SOC is in its maturity, taking into account all of its processes.

Figure 1–1 Sample Maturity Phases

When assessing the maturity of the SOC and its automation, it’s easy enough to start with a staged approach similar to the one shown in Figure . I put this graphic together to illustrate that once you have completed an inventory of the processes and actions that your SOC is doing today, you can then map your current state and measure your progress toward your goals. Set small goals to get you to the next phase. If you have not begun your automation journey, don’t be afraid of starting now. Each action you automate will get you closer to your goals.

As a junior analyst, you will begin to see areas for improvement in the processes that you and your team use every day. Document any process gaps and look for actions that can be automated. Take time to gather all of the appropriate data, and do the analysis. Can any of these actions be automated? What benefit do you see it providing the team?
Be able to articulate how you believe automating an action will improve the function. By presenting a process improvement or resolution to a problem, and not just the gap, you will set yourself up as a leader among your peers, and SOC leadership will see you as a true problem solver.

How to Start Automating

There is no one-size-fits-all solution for every organization. In my experience, it has been most beneficial for analysts within the SOC who are intimately familiar with their processes and procedures to spend a little bit of time analyzing the work they perform each day. Categorize your tasks by the time required to complete them, and then by the complexity of the task. Start with the tasks that are simple and do not take a lot of time to complete, and leave the complex tasks for after you are comfortable with the process flow. Chances are that there are a number of these simple tasks, and by automating them you will make a good amount of progress. Figure may help you categorize your tasks and allow you to focus on automation tasks that will provide the most value up front.

Figure 1–2 Security Task Categorization

When starting with a simple task that takes a short time to complete, look for repetitive actions without complex conditions. If you take different actions based upon the output of an action, it will add complexity to the playbook. I have found that it is very easy to start working through a use case, only to find out halfway through it that one small attribute changes the whole thing. Spend time dissecting the actions and whiteboard the process flow. Make every effort to break it down to the smallest steps that you can. A very simple example of automating a task such as this may be getting the reputation of a file. This might make it a bit easier to help you envision the steps taken.
Figure 1–3 Simple use case of getting a file reputation

In this simple example, I have broken down the task into four small actions that an analyst would need to take:

1. Gather the file hash.
2. Open a web browser.
3. Paste the hash into the browser and submit it.
4. Make a decision based upon the file reputation.

The decision made upon the file reputation may then feed another action or a process flow further downstream. A playbook can be this small. Keep in mind that it is possible to have a playbook that calls other playbooks synchronously, waiting for the first one to complete before calling another. At first glance, it may not look like automating this task would save much time. What if the hash was a false-positive detection? What if we could automatically close the event based on the file reputation? What if we could collect the false-positive file and submit it back to the vendor to be reevaluated? Not only would automation help by eliminating the noise of false-positive detections, but it would reduce the number of tickets you would need to respond to. Now, this short, simple action has saved a significant amount of time when scaled to the number of events that need to be investigated in a day.

Sample Use Cases

I have come across a number of use cases discussed in different articles around the Web. Maybe some of them will work for you, or maybe they will just spark some ideas on what can be done. Like I mentioned earlier in this article, there is no one size fits all. Vendors supply sample playbooks that are generally meant as teaching points for what their product can do. Unfortunately, not every solution will be able to be integrated with your automation platform. You will encounter situations that may not work in your environment, just as you will also encounter situations that the vendor has not specifically encountered before. This is to be expected and is all a part of the journey of SOC automation.
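As an added example (not code from the article or its author), here is the four-action file reputation task above written as a small Python playbook: gather the hash, look up its reputation, make the decision, and pass it downstream. It also carries the two points raised alongside that task, a parent playbook that calls the child synchronously, and the checks-and-balances gate from the SOC Maturity section, under which a malicious verdict only proposes a block and an analyst must approve it before the block is applied. The reputation table, the event and ticket fields, and the action names are constructed assumptions standing in for a vendor lookup and a ticketing system.

```python
# Added example, not the article's code. The reputation table, event fields
# and action names are constructed stand-ins for a vendor lookup and a
# ticketing system.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed reputation data standing in for a vendor API response. The keys
# are fake SHA-256 digests; anything not listed comes back "unknown".
REPUTATION_SOURCE = {
    "a" * 64: "known_good",
    "b" * 64: "malicious",
}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


@dataclass
class Event:
    event_id: str
    raw: str                                   # free-text alert body from the AV tool
    status: str = "open"
    notes: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)  # side effects the playbook requested


# Action 1: gather the file hash from the event.
def gather_hash(event: Event) -> Optional[str]:
    match = SHA256_RE.search(event.raw)
    return match.group(0).lower() if match else None


# Actions 2 and 3: "open a browser, paste the hash, submit it" collapse into a
# single lookup once automated. Unknown hashes return "unknown" rather than raising.
def lookup_reputation(file_hash: str, source: Dict[str, str] = REPUTATION_SOURCE) -> str:
    return source.get(file_hash, "unknown")


# Action 4: decide based on the reputation. A known-good file closes the event
# and is queued for resubmission to the vendor; a malicious verdict proposes a
# block but leaves the event waiting for an analyst to approve it.
def decide(event: Event, verdict: str) -> str:
    if verdict == "known_good":
        event.notes.append("Auto-closed: file reputation known_good")
        event.actions.append("submit_false_positive_to_vendor")
        event.status = "closed"
        return "auto_close"
    if verdict == "malicious":
        event.notes.append("Block proposed; awaiting analyst approval")
        event.actions.append("request_approval:block_hash")
        event.status = "pending_approval"
        return "needs_approval"
    event.notes.append("Reputation unknown; routed to analyst")
    event.status = "analyst_queue"
    return "analyst_review"


# Child playbook: the four actions in order. An event with no hash cannot be
# enriched and goes to an analyst rather than being guessed at.
def file_reputation_playbook(event: Event) -> str:
    file_hash = gather_hash(event)
    if file_hash is None:
        event.notes.append("No file hash in event; cannot enrich")
        event.status = "analyst_queue"
        return "analyst_review"
    return decide(event, lookup_reputation(file_hash))


# The checks-and-balances step: a block is executed only after a human approves.
def apply_block_if_approved(event: Event, approved: bool) -> bool:
    if event.status != "pending_approval":
        return False
    if approved:
        event.actions.append("block_hash")
        event.status = "closed"
        return True
    event.notes.append("Block rejected by analyst")
    event.status = "analyst_queue"
    return False


# Parent playbook: calls the child synchronously for each event, waiting for one
# to finish before starting the next, and returns the outcome per event id.
def run_parent_playbook(events: List[Event]) -> Dict[str, str]:
    return {ev.event_id: file_reputation_playbook(ev) for ev in events}


if __name__ == "__main__":
    # Constructed sample events.
    batch = [
        Event("ev-1", "PUA quarantined sha256=" + "a" * 64),
        Event("ev-2", "Trojan quarantined sha256=" + "b" * 64),
        Event("ev-3", "Heuristic alert; no hash captured"),
    ]
    for event_id, outcome in run_parent_playbook(batch).items():
        print(event_id, outcome)
```

The point of the split into `gather_hash`, `lookup_reputation` and `decide` is the whiteboarding step the text asks for: each action is small enough to test on its own, and the only branch that can change anything outside the ticket (the block) is the one that cannot run without a person.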
I wanted to highlight a couple of use cases that I have personally encountered and had good success with. They do not cover every use case or reason that a SOC may choose to automate; however, they may act as a starting point or inspiration for your automation endeavors.

A use case that I have encountered was reducing a number of false-positive detections from an email hygiene provider. The team utilized a service that sends alerts for a malicious email that was delivered. There were times when, after the alert was sent, the email was reclassified as clean. I wrote an automation playbook that would call the email hygiene provider’s API to check for the “false-positive” flag. If the alert was a false positive, an analyst ticket would not be created.

Another use case, which was a bit more advanced, was providing paging to on-call analysts when critical events came in. We started by defining the type of events that would cause an analyst to be paged out. Once that was complete, we began to figure out how to collect the on-call person and their page address. This took a bit of custom Python code using the “beautifulsoup” library. The playbook would scrape an intranet page, parse out the email address to page, and send an alert to that analyst with the context of the critical event. Once that step was complete, the playbook would monitor a mailbox for a read receipt for the page. If the page was not acknowledged within an hour, the playbook would send the same page to the on-call escalation point.

The most common automation use case that I have helped to put in place is the enrichment of events with threat intelligence. In this environment, events are sent from the SIEM to the automation platform for processing, and a ticket is created in a temporary ticket queue. The playbook will extract indicators such as file hash, file path, source and destination IP addresses, etc.
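As an added example (not the author’s playbook), here are the email hygiene pre-check and the enrichment use case from this section in Python. The provider’s false-positive flag decides whether an analyst ticket is created at all; for events that do get a ticket, indicators are extracted from the event, enriched from sources the SOC predefines per event type, written into ticket notes, and the ticket is handed from the temporary queue to the analyst queue only once enrichment and error checking have completed. The provider flag table, enrichment sources, event field names and queue names are constructed assumptions; a real integration would replace the dictionaries with API calls.

```python
# Added example, not the article's code. Provider flags, enrichment sources,
# event fields and queue names are constructed stand-ins for a real API,
# intel feeds, SIEM and ticketing system.
import re
from typing import Dict, List

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
PATH_RE = re.compile(r"(?:[A-Za-z]:\\|/)[^\s\"']+")

# Constructed stand-in for the email hygiene provider's API: alert id -> whether
# the provider has since reclassified the email as clean.
PROVIDER_FALSE_POSITIVE = {"mail-1001": True, "mail-1002": False}

# Constructed enrichment sources, chosen by the team rather than per analyst.
IP_REPUTATION = {"203.0.113.7": "scanner", "198.51.100.2": "clean"}
HASH_REPUTATION = {"c" * 64: "malicious"}

# Which indicator kinds get enriched for which event type. "proxy_event" is
# listed on purpose without a matching source, to exercise the error path.
ENRICH_BY_TYPE = {
    "av_detection": ["hash", "path"],
    "ids_alert": ["src_ip", "dst_ip"],
    "proxy_event": ["url"],
}


def should_create_ticket(alert_id: str, provider: Dict[str, bool] = PROVIDER_FALSE_POSITIVE) -> bool:
    """Skip the analyst ticket when the provider's false-positive flag is set.
    An id the provider does not know still gets a ticket."""
    return not provider.get(alert_id, False)


def extract_indicators(event: dict) -> Dict[str, List[str]]:
    """Hashes and paths come from the message text; IPs and URLs from named fields."""
    message = str(event.get("message", ""))
    indicators = {
        "hash": [h.lower() for h in SHA256_RE.findall(message)],
        "path": PATH_RE.findall(message),
        "src_ip": [], "dst_ip": [], "url": [],
    }
    for key in ("src_ip", "dst_ip"):
        value = str(event.get(key, ""))
        if IPV4_RE.fullmatch(value):
            indicators[key].append(value)
    if event.get("url"):
        indicators["url"].append(str(event["url"]))
    return indicators


def enrich_one(kind: str, value: str) -> str:
    """Look one indicator up in the source predefined for its kind."""
    if kind in ("src_ip", "dst_ip"):
        return IP_REPUTATION.get(value, "no_data")
    if kind == "hash":
        return HASH_REPUTATION.get(value, "no_data")
    if kind == "path":
        # Constructed rule: flag files dropped in temp locations.
        return "user_writable" if "/tmp/" in value or "\\Temp\\" in value else "no_data"
    raise ValueError(f"no enrichment source configured for {kind}")


def enrich_ticket(ticket: dict) -> dict:
    """Enrich in place; a failed lookup is recorded instead of aborting the run."""
    event = ticket["event"]
    indicators = extract_indicators(event)
    for kind in ENRICH_BY_TYPE.get(event.get("type"), []):
        for value in indicators[kind]:
            try:
                ticket["notes"].append(f"{kind} {value}: {enrich_one(kind, value)}")
            except ValueError as exc:
                ticket["errors"].append(f"{kind} {value}: {exc}")
    ticket["enriched"] = True
    return ticket


def route_ticket(ticket: dict) -> str:
    """Queue a ticket belongs in: "temp" until enrichment has run, "needs_attention"
    if any lookup failed, so an analyst never gets a ticket that looks complete
    but is not, and "analyst" once enrichment finished cleanly."""
    if not ticket.get("enriched"):
        return "temp"
    return "needs_attention" if ticket["errors"] else "analyst"


def process_temp_queue(temp_queue: List[dict]) -> Dict[str, List[dict]]:
    """Run enrichment over the temporary queue and hand each ticket to its queue."""
    queues: Dict[str, List[dict]] = {"temp": [], "analyst": [], "needs_attention": []}
    for ticket in temp_queue:
        enrich_ticket(ticket)
        queues[route_ticket(ticket)].append(ticket)
    return queues


if __name__ == "__main__":
    # Constructed sample events as a SIEM might forward them.
    temp = [
        {"event": {"type": "ids_alert", "src_ip": "203.0.113.7", "dst_ip": "198.51.100.2",
                   "message": "IPS signature 1234"}, "notes": [], "errors": [], "enriched": False},
        {"event": {"type": "av_detection", "message": "quarantined /tmp/upd.exe sha256=" + "c" * 64},
         "notes": [], "errors": [], "enriched": False},
        {"event": {"type": "proxy_event", "url": "http://example.invalid/x"},
         "notes": [], "errors": [], "enriched": False},
    ]
    for name, tickets in process_temp_queue(temp).items():
        print(name, [t["notes"] + t["errors"] for t in tickets])
```

Two design choices are worth noting. Lookups that fail are appended to `errors` rather than raised, so one missing source cannot stall the whole queue, but `route_ticket` refuses to send such a ticket to the analyst queue; that is the error checking the text wants finished before the ticket changes state. And the provider pre-check errs toward creating a ticket when the provider has no record of the alert, so a lookup failure never silently suppresses an alert.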
Depending on the event type, these indicators are enriched from various sources that are predefined by the SOC. The data is used to populate notes in the event and add context to the event for the analyst who works it. Once all of this enrichment is complete, the playbook will move the ticket from the temporary queue to the SOC analyst queue. The reasons for moving it to the analyst queue only after all the enrichment is done are to prevent a ticket state change and to ensure that any error checking added to the playbook has completed first. I want the analyst to have all the data they need to make a decision on the event, instead of having only partially complete data.

Summary

Security automation is a tool that assists your SOC analysts and allows them to be more effective with their work. In my opinion, it is not designed to be a replacement for an analyst. We invest in automation technology to make us more efficient at our jobs, and we are going to be required to make decisions where a machine cannot. I don’t want to focus directly on best practices for writing automation playbooks, but more on the overall process and how it relates to the SOC. With that in mind, I want to leave you with a few tips for success. If you have not already begun your automation journey, talk with your team about the benefits of security automation. Get everyone on board with the idea and comfortable with how you envision the playbooks working for the team:

1. Do a full inventory of the tasks your SOC performs. Break them down by the time and complexity required to complete them.
2. Define your use cases before automating any actions.
3. Focus initially on tasks that are simple and can be completed quickly. This will provide you with some quick wins.
4. Don’t write long, complicated playbooks. Break them down into specific tasks as much as possible. You can use a parent playbook to call multiple child playbooks.
5. Don’t be afraid to challenge the status quo.
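The enrichment flow described above, combined with the auto-close-on-clean-reputation idea from the file-reputation example and the parent/child playbook tip, as an added Python sketch (this is not the article's or any vendor's playbook code; the reputation tables, queue names, and event text are constructed assumptions):

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the SOC's predefined enrichment sources; a real
# playbook would query a reputation API (all values below are assumptions).
HASH_REPUTATION = {
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": "clean",
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08": "malicious",
}
IP_REPUTATION = {"203.0.113.7": "known-c2"}   # TEST-NET-3 address, constructed
SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Ticket:
    event: str
    queue: str = "temporary"            # tickets are created in the holding queue
    notes: list = field(default_factory=list)

def extract_indicators(event: str) -> dict:
    """Pull SHA-256 hashes and IPv4 addresses out of the raw event text."""
    return {"hashes": [h.lower() for h in SHA256.findall(event)],
            "ips": IPV4.findall(event)}

def enrich(ticket: Ticket):
    """Child playbook: add a note per indicator; None if any lookup failed."""
    ind, verdicts = extract_indicators(ticket.event), []
    for h in ind["hashes"]:
        rep = HASH_REPUTATION.get(h)
        if rep is None:                   # source had no answer: treat as an error
            ticket.notes.append(f"ERROR: no reputation for hash {h}")
            return None
        ticket.notes.append(f"hash {h[:12]}...: {rep}")
        verdicts.append(rep)
    for ip in ind["ips"]:
        rep = IP_REPUTATION.get(ip, "no-match")
        ticket.notes.append(f"ip {ip}: {rep}")
        verdicts.append(rep)
    return verdicts

def run_playbook(ticket: Ticket) -> Ticket:
    """Parent playbook: leave the temporary queue only after enrichment finishes."""
    verdicts = enrich(ticket)
    if verdicts is None:
        ticket.queue = "automation-errors"     # analysts never see partial data
    elif verdicts and all(v in ("clean", "no-match") for v in verdicts):
        ticket.queue = "closed-false-positive" # auto-close on a clean reputation
    else:
        ticket.queue = "soc-analyst"
    return ticket
```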
When you start automating processes, you may discover a new and better way to do something. Embrace these efficiencies, and automation will show its value to your organization. While security automation may be in its infancy, there is much that can be done to improve the operations within your SOC. I hope I was able to provide some insight into why you need to begin automating sooner rather than later. I have highlighted a number of reasons for automating and provided some possible use cases for quick wins. Take the lead, and show the rest of your team that automation is not a limitation but a force multiplier that will help you all become better analysts.

ARTICLE QUIZ (ANSWERS FOLLOW)

1. _______ is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.
Ⓐ SOC Automation
Ⓑ Process
Ⓒ Orchestration
Ⓓ Inventory

2. _______ takes advantage of multiple automation tasks across multiple systems or platforms.
Ⓐ Automation
Ⓑ Process
Ⓒ Orchestration
Ⓓ Inventory

3. A _______ is made up of a number of actions that are fully or partially automated while a _______ encompasses a number of the former.
Ⓐ process, task
Ⓑ task, process
Ⓒ process, response
Ⓓ response, task

4. All the following are true regarding automation except:
Ⓐ It will replace analysts in the next five years.
Ⓑ It streamlines existing processes.
Ⓒ It frees up analysts from monotonous tasks.
Ⓓ It manages the flood of events coming in daily.

5. All the following are reasons to implement SOC automation except:
Ⓐ Reduce analyst fatigue
Ⓑ Reduce mistakes
Ⓒ Reduce productivity
Ⓓ Reduce labor hours to increase skilled training

6. Which of the following is true regarding how to start automating the Security Operations Center (SOC)?
Ⓐ Start with complex changes
Ⓑ Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks.
Ⓒ Figure out who to fire first.
Ⓓ Make tasks more complicated than they should be.

7. All of the following are true about playbooks except:
Ⓐ They can be small.
Ⓑ They can call other playbooks synchronously.
Ⓒ They’re only used in fantasy football.
Ⓓ They should not cause incorrect or damaging actions.

ARTICLE QUIZ SOLUTIONS

1. _______ is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.
Ⓐ SOC Automation. SOC Automation is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.

2. _______ takes advantage of multiple automation tasks across multiple systems or platforms.
Ⓒ Orchestration. Orchestration takes advantage of multiple automation tasks across multiple systems or platforms.

3. A _______ is made up of a number of actions that are fully or partially automated while a _______ encompasses a number of the former.
Ⓑ task, process. A task is made up of a number of actions that are fully or partially automated, and a process encompasses a number of tasks.

4. All the following are true regarding automation except:
Ⓐ It will replace analysts in the next five years. Replacing analysts in the next five years is not entirely true. While SOC automation aims to reduce the amount of manual labor, SOC automation should be a springboard that frees up an analyst to work on more challenging tasks, preparing them to move out of the SOC into more advanced roles or to become a SOC Automation Engineer responsible for automating SOC Analyst tasks. A smaller number of SOC analysts will always be needed to review the SOC automation’s work, assist in the SOC automation efforts, and handle exceptions.

5. All the following are reasons to implement SOC automation except:
Ⓒ Reduce productivity. Reducing productivity is not a reason to implement SOC automation.

6. Which of the following is true regarding how to start automating the Security Operations Center (SOC)?
Ⓑ Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks.

7. All of the following are true about playbooks except:
Ⓒ They’re only used in fantasy football. There are many constructive uses for playbooks other than in fantasy football, including in SOC Automation.

Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn. You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits. Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing. Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.
Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.

  • Should Cybersecurity Degree Programs Have a Cloud Focus

If I was just graduating high school or deciding how to get started in cybersecurity, knowing what I know now, I wouldn’t ever consider a program that didn’t teach cloud skills (few of them do). By the time I would graduate, everything I learned would be obsolete. Within the next five years, most companies will have finished their migration to the cloud, or at least be close to it, or will be just beginning it; it’s the focus.

Should Cybersecurity Degree Programs Have a Cloud Focus?

Cloud skills are so difficult to teach because they change rapidly. Institutions have no way to keep their curriculum up to date. I have a cloud course and I’ve already had to go through and keep it updated. It changes so much that I put the year it was last updated in the title, just so that everyone knows it’s still relevant. It’s super easy to update a course on a website or Udemy: record a module and bam, upload it. But updating a college course or program with students enrolled in it, with all the accreditation requirements, has to be carefully planned and executed, and by the time it all happens it needs to be updated again. If it doesn’t get easier to train for cloud skills, it’s perhaps the end of degree requirements for IT altogether.

Microsoft and AWS have the same problem. They need people trained on their platforms too, and they know how difficult it is to do, so they’re doing it themselves. I’ve taken some of the Microsoft Azure training and I liked it. It all works! That’s so hard to do. They keep it updated, but the content is limited. It’s not comprehensive by a long stretch. There are so many cloud fundamentals to learn that aren’t vendor specific that universities aren’t teaching. They could cover cloud fundamentals in one semester, but they don’t.

If you’re just starting out, I wouldn’t consider any program that didn’t teach you the cloud. And I mean it. Don’t do it. You’re probably going to get your degree and you’re not going to be able to find a job.
Any program that’s teaching you infrastructure or perimeter defense is obsolete by the time you graduate. It was a waste of your time and money (and you have to pay that back!)
