Search Results
- How to Succeed in Cybersecurity Over the Next 5 Years
A practical guide for the age of AI.

A few months ago, I was mentoring a junior security analyst who had just landed their first SOC role. Bright, hardworking, and technically sharp. But during one of our sessions, he asked, “Is cybersecurity even a safe career anymore with all this AI stuff?”

That question stuck with me. Not because it is something I get asked every other week, but because beneath it was a real fear that many professionals are feeling right now.

Let’s be honest - AI is changing everything. It’s automating routine tasks, reshaping job descriptions, and shifting expectations across every tech discipline. First, it was GenAI, but now it is Agentic. But here’s the good news: cybersecurity isn’t going away. It’s evolving. If you know how to adapt, this era of disruption might be your most significant opportunity yet.

This article explains precisely how to position yourself to succeed in cybersecurity over the next five years, based on real-world advice, not hype. Whether you’re just starting or have years of experience, here’s your practical playbook. This is How to Succeed in Cybersecurity Over the Next 5 Years.

1. Partner with AI - Because Competing Against It Is a Losing Game

You’ve heard it before, and yes - it’s still 100% true: AI isn’t coming for your job. But someone who knows how to use AI is.

AI already powers today’s cybersecurity workflows - threat detection, alert triage, anomaly spotting, vulnerability analysis, and even phishing simulations are being driven by intelligent systems. But that’s just the beginning. We’ve entered the Generative AI (GenAI) and Agentic AI era. GenAI tools like ChatGPT, Claude, Gemini, and Security Copilot can write playbooks, summarize incidents, generate security policies, and even simulate attacker behavior in natural language - all at speed and scale.

Agentic AI goes a step further. It doesn’t just suggest - it acts. These are AI systems embedded into SOAR platforms or security pipelines that autonomously execute tasks, make decisions, and interact with systems, often with minimal human intervention. Imagine an agent that not only detects a threat but also contains it, updates IAM policies, and notifies stakeholders, without waiting for you to approve every step.

If you’re still doing things manually - investigating tickets line-by-line, writing policy documents from scratch, or searching logs - you’re competing with tools that don’t sleep, scale instantly, and get smarter every day.

Practical Action:
  - Choose one GenAI tool - like Microsoft Security Copilot, ChatGPT, or Gemini - and start using it in your daily workflow. Automate one repetitive task this week: generate documentation, summarize threat intel, or auto-draft alerts.
  - Explore a low-risk Agentic AI use case in your environment (e.g., SOAR automation, scripted containment actions, or self-healing cloud controls).
  - Track the time saved or the accuracy improved. That’s your AI ROI. Present it to your team or manager - it builds credibility and shows leadership.

2. Focus on Roles Where Human Judgment Still Wins

AI is fast, tireless, and getting better by the day. But there’s one thing it still can’t do: be human. Even the most advanced Generative AI can write policy drafts or summarize alerts, and Agentic AI can autonomously remediate threats - but neither can truly understand context, make ethical tradeoffs, navigate ambiguity, or build trust. That’s your edge.

Cybersecurity roles that require judgment, discretion, leadership, and empathy are not just surviving - they’re thriving in the AI era. These include:
  - Security Architects who make contextual design decisions across complex cloud environments
  - Threat Hunters who intuit patterns beyond signatures or models
  - Governance and Compliance Analysts who map abstract regulations into specific organizational realities
  - Incident Commanders and Crisis Leads who manage uncertainty, calm stakeholders, and make time-critical decisions

These aren’t tasks you automate. These are roles where you add irreplaceable value. Even the most capable agent can’t explain a nuanced risk decision to a nervous boardroom or weigh the legal vs. reputational tradeoffs during a breach. That’s all you.

Practical Action:
  - Choose a domain where human reasoning, not just execution, matters - like IAM strategy, breach response coordination, or interpreting legal frameworks like GDPR/NIS2.
  - Write a case study or breakdown post (LinkedIn, blog, internal wiki) that describes how you solved a complex problem - not just what you did, but why you made your own decisions. Highlight the ambiguity, judgment calls, and stakeholder collaboration involved. This shows your value in a way AI tools never can.

3. Speak the Language of Business Risk

You could be the best vulnerability analyst on your team, but if you only discuss CVEs and exploits, you’ll be ignored at the decision-making table. Today, cybersecurity is business-critical. It’s about revenue protection, customer trust, regulatory exposure, and operational continuity. You need to connect your technical insights to these business drivers to lead.

This has become even more important in the age of GenAI and Agentic AI. The pros who will thrive are the ones who can bridge the gap between SOC dashboards and boardroom concerns - those who can say: “This vulnerability won’t just trigger an alert. If exploited, it could delay our product launch, violate GDPR, and cost us €300K in fines.” That’s not a technical description - that’s a business case.

Practical Action:
  - Take a recent incident, finding, or audit report you were involved in. Now rewrite it for an executive audience: remove jargon, highlight business impact, and explain the “so what.” Practice delivering that summary in under 60 seconds. Bonus: try it out with a non-technical peer or manager and ask, “Did that make sense?”
  - Create a “Business Risk Deck” for your team: a set of real examples where technical threats were mapped to outcomes like financial loss, regulatory breach, or brand damage. It becomes a reference, and a learning tool for others.

4. Build a Second Specialization - Because Single-Skill Careers Are Going Extinct

In cybersecurity, depth still matters. But in the AI era, depth alone isn’t enough. Over the next five years, the most successful professionals will be π-shaped - not just cybersecurity experts, but also fluent in a second domain like AI, cloud, privacy, DevOps, or even product strategy.

Why? Because hybrid roles are exploding in value. Emerging roles include:
  - AI Security Advisors who understand both model risks and enterprise controls
  - Cloud-Native GRC Consultants who apply compliance in AWS or Azure infrastructure
  - Privacy Engineers who embed data protection principles directly into AI and app design

These aren’t niche. These are the roles that future CISOs and security leaders are currently being groomed for. Sticking to one lane might feel safe, but it’s the fastest way to get left behind.

Practical Action:
  - Choose a second specialization that complements your core. Some examples: If you’re strong in threat detection, explore AI prompt safety or LLM red-teaming. If you’re a GRC pro, dig into data protection law or privacy-by-design for GenAI. Explore Kubernetes security or cloud service control policies if you're into infrastructure.
  - Block off 1 hour weekly to learn through labs, case studies, or real-world scenarios - not just reading. If you can, publish what you know to solidify your understanding and build your brand.
  - Look for intersection projects where your two skill sets overlap. Even a small internal tool, threat model, or AI use case audit can be powerful proof of your future readiness.

5. Make Your Skills Publicly Visible

In the next five years, your personal brand will be your biggest asset. Quiet talent won’t cut it anymore; you need to be discoverable. Hiring managers want to see how you think, not just what your résumé says. Sharing your insights online gives you leverage and opportunities.

Practical Action:
  - Post once a week on LinkedIn or a blog: breakdowns of incidents, tools you’ve tested, or lessons from real-world work.
  - Create a public GitHub, Notion page, or portfolio to showcase your side projects, lab environments, or security playbooks.

6. Shift from Job Titles to Skills Thinking

Job titles are increasingly vague and inconsistent. What matters more is what you can do and how well you do it. A “security engineer” could be doing policy-as-code or threat modeling, or babysitting legacy firewall configs. Think in skills, not titles.

Practical Action:
  - List your top 5 cybersecurity skills. Now, map each to a business outcome or a problem it solves.
  - Build a “skills radar” for yourself - identify gaps and explore what’s next in each area (e.g., zero trust design for IAM, or AI safety testing for app sec).

AI can detect threats. But it can’t calm a panicked stakeholder, motivate a security team during a breach, or balance ethics in a gray area. Roles that require emotional intelligence, trust-building, and influence will grow in value.

The skills you have today won’t be enough tomorrow. What sets top cybersecurity pros apart is their mindset: curious, adaptable, and relentless learners. In a field evolving this fast, your greatest asset isn’t what you already know; it’s how quickly you can learn and apply new things.

So the question isn’t “Is my job safe?” anymore. The real question is: “Am I building the kind of skills that AI can’t easily replace?” “Am I visible, valuable, and adaptable?”

Note from the editor: Taimur's point about quantifying how you're using AI to make your own role more efficient will position you as a leader.
- Here Are My Cybersecurity Side-Hustles
The whole point of side hustles is to help Cybersecurity professionals build additional income streams alongside their 9-to-5 jobs. This is Here Are My Cybersecurity Side-Hustles. This is becoming increasingly critical as Cybersecurity is no longer the layoff-proof, recession-proof haven it used to be.

This week, I thought I would start listing down every single one of my income streams and side hustles that I have built beside my 9-to-5. I have tried many cybersecurity side-hustles over the years. Some of them worked, while some of them flopped into the black void of the Internet. In this post, I plan to list my current ones and then deep-dive into each in the coming weeks. I hope this gives you some insights and shows you what is possible with monetizing your cybersecurity knowledge. Let’s see how it goes!

How I Chose These Cybersecurity Side-Hustles

I started experimenting with cybersecurity side hustles in 2022 and used these criteria to choose the ones to focus on:
  - I would enjoy doing them in my spare time. Staying consistent is tough, so you want to choose something you enjoy instead of getting burned out.
  - They would have the potential to be completely passive over time. While no side hustle is 100% passive, these income streams should have the potential to become increasingly passive over time. I do not want to exchange my time for money as I already have a 9-to-5 job.
  - These streams should have the potential to compound over time and increase momentum, i.e., the snowball effect. For example, freelancing on Fiverr is not scalable, as 10x the orders means I have to put in 10x the effort!

My 2024 Income Streams
  - Udemy courses
  - Self-Publishing
  - One-to-One Mentoring
  - YouTube
  - Medium

Income Stream 1 - Udemy

Udemy is like YouTube for online courses. I have always been a massive fan of this platform, as anyone can make a course and upload it to Udemy to make some $$$. The downside is that Udemy is massively saturated with thousands of courses uploaded daily. I have been creating courses since 2022, and if you do the proper research, you can still make a good income with Udemy. But not as much today as you used to. My initial courses sank like stones, but these failures helped improve the subsequent courses, with incremental improvements happening over time.

Income Stream 2 - Self-Publishing

Income stream #2 is about self-publishing cybersecurity books on Kindle Direct Publishing (KDP). I have over five books (one under a pen name not shown here). KDP is a great way to make money as a cybersecurity professional, where you can monetize your knowledge by writing books. But full disclosure: I have not made much money directly through this side hustle, i.e., through the KDP royalty program itself. Indirectly, though, there is a lot of $$$ to be made. Many CEOs have contacted me and paid me a lot of cash to ghostwrite cybersecurity books for them. Self-publishing is a great way to stand out in the industry and gives you a lot of street cred that you can leverage to make some serious $$$.

Income Stream 3 - One-to-One Mentoring

Over time, if you establish a name for yourself, people will pay you for your time. If someone had told me many years back that people would pay me a hundred dollars for an hour of my time, I would have laughed. But many people in Cybersecurity are willing to pay to get access to your knowledge and skills. I use Topmate, which allows people to block slots in my calendar after paying. I like it more than Calendly because it does not charge you every month. I have shared this on my LinkedIn Profile so anyone visiting it can use it to book a 1-1 with me. I have over 115 bookings and am featured in their top 1 percent.

Income Stream 4 - YouTube

I got into YouTube not to make money, honestly. The platform is massively competitive right now, and earning good money via AdSense is no longer what it was a decade ago (or during the pandemic). Yet despite this, it is a great way of sending traffic to my courses, books, and other side hustle profiles. I started YouTube as it is the second biggest search engine in the world and cannot be beaten as a traffic generation method. My channel has over 5K subscribers, and I make sure to link my courses and profile in every video.

Income Stream 5 - Medium

I think it is fair to say that Medium’s glory days are behind it. The Medium Partner Program (MPP) is no longer the cash-generating machine it once was, and the days of writers making thousands of dollars every month are pretty much finished. Not to mention the ridiculous changes to the algorithm they make every few months, which destroy views and earnings. However, just like YouTube, it is a great way to drive traffic to your side hustles and generate money. I have over 9.6K followers on Medium and still love writing on the platform (although that love is increasingly one-sided!).

Income Stream 6 - My Flagship Course

I created a flagship course called The Cybersecurity Career Accelerator in 2023. The goal was to make a course to help people land cybersecurity jobs in the industry. While I still make sales, this is one of my lower performing side-hustles, as I have to do all the marketing and traffic generation. I can potentially make more money self-hosting this course than placing it in a marketplace like Udemy … but driving traffic toward it is a major pain! Generating traffic to your products/courses/website is not easy, and it takes significant upfront investment and capital.

That wraps up this article. If you are wondering why I omitted Substack, the answer is that it is not a side hustle for me. I am still learning the ins and outs of the platform. I plan to show the different methods I use to generate traffic for these side hustles soon, which can be the most challenging part of creating a side income. No one will buy your stuff if they cannot find you!
- Why Hobbies Are Your Best Defense Against Cybersecurity Burnout
Heidi and I Scuba Diving in Maui

Hey there, fellow digital warriors! Imagine this: You're huddled in your dimly lit room, fingers flying across the keyboard, cracking codes and outsmarting virtual bad guys like you're Neo in The Matrix. Cybersecurity started as your ultimate hobby – that thrilling side gig where you'd tinker with firewalls, dive into ethical hacking tutorials, or even build your own mini home lab just for kicks. It was pure passion, right? No bosses breathing down your neck, no deadlines – just you, your curiosity, and an endless stream of caffeine-fueled "aha!" moments.

But here's the plot twist: That hobby-level fire? It can rocket you straight through the front door of a real career. Picture yourself landing that entry-level gig as a SOC (Security Operations Center) analyst. Suddenly, you're monitoring alerts at all hours, triaging threats like a cyber superhero. Your motivation from those hobby days becomes your secret superpower, proving to hiring managers that you're not just another resume robot – you're the real deal, ready to defend the digital kingdom.

Fast-forward a bit, and boom! You've nailed your first intermediate certification. Maybe it's a cloud security badge (hello, AWS or Azure wizardry), a CEH (Certified Ethical Hacker – because who doesn't want to hack legally?), or one of those beastly SANS certs that make you feel like you've leveled up in an RPG. Congrats! You're officially "in" – studying pays off, and you're climbing that career ladder like a pro.

But wait – don't let the honeypot trap you! As tempting as it is to let cybersecurity swallow your entire life, pump the brakes. A killer career in this field isn't just about slaying vulnerabilities; it's equally about slaying burnout. Think of it like a video game boss fight: If you're always on "expert mode," you'll eventually glitch out.

Sure, there'll be those intense crunch times. You're grinding for a tough cert that feels like decoding an alien language, or work's a total chaos storm because the team's short-staffed and alerts are popping like popcorn. You've gotta go full throttle for a while – late nights, extra shifts, zero social life. That's the game. But here's the pro tip: You can't run at 110% forever. Your brain's not a machine (even if you're surrounded by them); it needs recharge time, or it'll start throwing errors.

And let's talk about those sneaky employers who don't get it. Some spots are straight-up burnout factories, playing the "burn-and-churn" game. They'll pile on the workload until you're toasted like overcooked ramen, then boot you when your performance dips because, surprise, you're human and need rest. It's like they're the phishing scammers of the corporate world – luring you in with promises of glory, only to drain your energy and discard you. Don't fall for it! Spot those red flags early and protect your sanity like you'd protect a network.

The real hack for long-term success? Carve out balance by chasing hobbies that give you that sweet personal satisfaction – intellectual, physical, or just plain fun. And no, this isn't your family time or parental duties (those are non-negotiable quests, of course). This is your time. Something selfish, something where you can pour your attention into a pursuit that's not work-related and not family obligations. It could be frustrating at times (hello, growth!), but ultimately joyful.

Get selfish, folks! Build that epic man cave stocked with retro consoles for marathon sessions of tough games like Elden Ring – where dying a hundred times is weirdly therapeutic. Or create a she-shed oasis for planting flowers, watching your garden bloom as a low-stakes win against life's weeds. Maybe it's hitting the trails for a hike that clears your head better than any firewall rule, or diving into woodworking to craft something tangible (because sometimes, you need to build with wood, not code).

Why bother? Because hobbies are your ultimate antivirus against life's malware. They keep your mind agile, your spirit sparked, and your burnout levels in check. In cybersecurity, where threats never sleep, your hobbies ensure you do – refreshed and ready to fight another day.

So, cyber pals, log off occasionally and log into life. Your career (and your sanity) will thank you. What's your go-to hobby escape? Drop it in the comments – let's build a community firewall of fun ideas!

Hobby ideas to get you started: Amateur radio, Audiophilia, Aquarium keeping, Baking, Baton twirling, Basket weaving, Bonsai, Computer programming, Cooking, Creative writing, Dance, Drawing, Embroidery, Basketball, Gardening, Genealogy, Jewelry making, Knapping, Lapidary, Locksport, Musical instruments, Painting, Punch needle rug making, Knitting, Reading, Scrapbooking, Sculpting, Sewing, Singing, Sleeping, Watching movies, Watching television, Woodworking, Origami, Air sports, Board sports, Cycling, Freerunning, Hunting, Hiking, Jogging, Kite flying, Kayaking, Motor sports, Mountain biking, Parkour, Playing with a pet, Photography, Rock climbing, Running, Sailing, Sand castle building, Sculling, Rowing, Skating, Surfing, Swimming, Tai chi chuan, Conservation and restoration of road vehicles, Water sports, Yoga, Stamp collecting, Vintage books, Vintage clothing, Record collecting, Trading card collecting, Bread tag collecting, Crayon collecting, Antiquing, Art collecting, Coin collecting, Element collecting, Antiquities, Auto audiophilia, Fossil hunting, Insect collecting, Leaf collecting and pressing, Metal detecting, Mineral collecting, Petal collecting and pressing, Rock collecting, Seaglass collecting, Seashell collecting, Wrestling, Bowling, Boxing, Chess, Cheerleading, Cubing, Bridge, Billiards, Darts, Fencing, Gaming, Handball, Martial arts, Table football, Airsoft, American football, Archery, Association football, Auto racing, Badminton, Baseball, Climbing, Cricket, Disc golf, Equestrianism, Figure skating, Fishing, Foot-bag (also known as hacky sack), Golfing, Gymnastics, Ice hockey, Kart racing, Netball, Paintball, Racquetball, Rugby league football, Shooting, Squash, Table tennis, Tennis, Volleyball, Microscopy, Shortwave radios, Amateur astronomy, Amateur geology, Bird watching, College football, Geocaching, Meteorology, People watching, Travel.
- Rules for Handling Live Malware Samples
A SOC Analyst’s Guide for Secure Malware Research

Malware analysis remains one of the most valuable skills in cybersecurity. Whether you're reverse engineering payloads, building YARA rules, or testing sandbox performance, hands-on access to real malware is critical. To support deeper threat research, I’ve curated a repository of 250+ functional, tagged malware samples - available now for verified professionals. But before downloading, it's essential to follow strict operational rules to protect yourself, your infrastructure, and the broader security community.

Why Live Malware?

Real malware teaches more than threat reports ever could:
  - Build detection logic based on actual behaviors
  - Understand attacker persistence and evasion tactics
  - Improve your incident response and sandbox fidelity
  - Train junior analysts with realistic threats

But misuse can cause serious damage. That’s why secure handling isn’t optional - it’s operationally critical.

Rule #1: Isolate Your Environment

Use only hardened systems for malware work. Recommended setup:
  - Virtual machines
  - Snapshots enabled for easy rollback
  - No internet access unless testing C2 behavior
  - Clipboard, drag-and-drop, and folder sharing disabled

Never run malware on your personal machine or on a production network.

Rule #2: Label, Hash & Track Everything

Each sample in the repository includes:
  - SHA256 & MD5 hashes
  - Malware family identification

Before executing anything:
  - Hash the sample
  - Log file details, behavior, and metadata

This supports proper attribution and future detection rule tuning.

Rule #3: Monitor Behavior, Not Just Code

Use dynamic analysis tools to observe malware in action:
  - Network: FakeNet-NG, INetSim, Wireshark
  - System: ProcMon, Process Hacker, Sysmon
  - Memory: Volatility, Rekall
  - Static: Ghidra, Detect It Easy, PEStudio

This is where you learn how malware really behaves: spawning, injecting, contacting domains, or encrypting files.

Rule #4: Never Use Live Infrastructure

Do not test on:
  - Corporate machines
  - Production servers
  - Open networks

Use either:
  - Air-gapped test labs
  - Restricted cloud instances (e.g., AWS VPCs with blocked egress)

Even minor mistakes can have operational or legal consequences.

Rule #5: Store & Share Samples Securely

If you redistribute any malware samples:
  - Use .zip archives with the password: infected
  - Label files clearly and consistently
  - Share only with verified researchers or internal teams
  - Avoid uploading samples to public sites (like VirusTotal) unless anonymized

We have a responsibility to prevent misuse.

What’s in the Repository?

The live malware is built for:
  - SOC teams
  - Threat hunters
  - Red/blue/purple teams
  - Malware reverse engineers

This is a working research set - not a random dump. Every sample is verified and labeled.

Who Can Access It?

Access is limited to:
  - Verified security professionals
  - MSSPs & IR consultants
  - Academic researchers
  - Malware analysts & RE specialists

Final Thoughts

There’s no safer way to understand modern threats than analyzing real malware. But there’s also no faster way to compromise your own systems than mishandling it. Work smart. Follow operational best practices. Treat malware as a real threat, even in research.

💬 “You don’t learn to fight fires by reading about smoke. You go where the fire is.” – A security analyst probably
- Comprehensive Cloud Security Training for Professionals
In today’s digital world, cloud computing has become the backbone of many businesses. As organizations increasingly rely on cloud services, the need for robust security measures grows. Professionals must stay ahead by gaining the right skills to protect cloud environments from evolving threats. This blog post explores comprehensive cloud computing security courses designed to equip professionals with the knowledge and tools necessary to secure cloud infrastructures effectively.

Why Cloud Computing Security Courses Are Essential

Cloud computing security courses provide a structured path to understanding the complexities of securing cloud environments. These courses cover a wide range of topics, from basic cloud concepts to advanced security protocols. Here’s why they are essential:
  - Rapid Cloud Adoption: Businesses are moving workloads to the cloud faster than ever. Security professionals need to understand cloud-specific risks.
  - Complex Threat Landscape: Cloud environments face unique threats such as data breaches, misconfigurations, and insider threats.
  - Compliance Requirements: Many industries require compliance with regulations like GDPR, HIPAA, and PCI-DSS, which demand cloud security expertise.
  - Career Advancement: Cloud security skills are in high demand, opening doors to better job opportunities and higher salaries.

For example, a security analyst working in a healthcare company must understand how to protect sensitive patient data stored in cloud databases. Cloud computing security courses teach practical methods to implement encryption, access controls, and monitoring to meet these needs.

Key Topics Covered in Cloud Computing Security Courses

Cloud computing security courses typically cover a broad spectrum of topics to ensure comprehensive learning. Some of the core areas include:
  - Cloud Security Fundamentals: understanding cloud service models (IaaS, PaaS, SaaS); cloud deployment models (public, private, hybrid); the shared responsibility model in cloud security
  - Identity and Access Management (IAM): implementing strong authentication and authorization; role-based access control (RBAC); multi-factor authentication (MFA)
  - Data Protection: encryption techniques for data at rest and in transit; data loss prevention (DLP) strategies; secure data storage and backup
  - Network Security: virtual private clouds (VPCs) and subnetting; firewalls and security groups; intrusion detection and prevention systems (IDPS)
  - Threat Detection and Incident Response: monitoring cloud environments for suspicious activity; incident response planning and execution; using security information and event management (SIEM) tools
  - Compliance and Governance: understanding regulatory requirements; implementing cloud governance frameworks; auditing and reporting

These topics are often taught through a mix of lectures, hands-on labs, and real-world case studies. For instance, learners might practice configuring IAM policies in AWS or Azure to restrict access to sensitive resources.

How to Choose the Right Cloud Computing Security Course

Selecting the right course depends on your current skill level, career goals, and the cloud platforms you work with. Here are some tips to help you choose:
  - Assess Your Skill Level: Beginners should look for foundational courses that cover cloud basics and security principles. Experienced professionals might prefer advanced courses focusing on specific cloud providers or certifications.
  - Check Course Content: Ensure the course covers essential topics like IAM, encryption, network security, and compliance. Look for hands-on labs and real-world scenarios.
  - Consider Certification Preparation: Many courses prepare you for industry-recognized certifications such as Certified Cloud Security Professional (CCSP), AWS Certified Security – Specialty, and Microsoft Certified: Azure Security Engineer Associate.
  - Look for Updated Material: Cloud technology evolves rapidly. Choose courses updated regularly to reflect the latest security trends and tools.
  - Read Reviews and Ratings: Feedback from past students can provide insights into course quality and instructor expertise.
  - Evaluate Delivery Format: Decide if you prefer self-paced online courses, live virtual classes, or in-person training.

For example, a cybersecurity professional aiming to specialize in AWS security might select a course focused on AWS security best practices and certification preparation.

Practical Benefits of Cloud Security Training

Investing time in cloud security training offers tangible benefits for professionals and organizations alike:
  - Improved Security Posture: Trained professionals can identify vulnerabilities and implement effective controls, reducing the risk of breaches.
  - Faster Incident Response: Knowledgeable teams can detect and respond to threats quickly, minimizing damage.
  - Cost Savings: Preventing security incidents avoids costly downtime, fines, and reputational damage.
  - Enhanced Compliance: Proper training ensures adherence to legal and regulatory requirements, avoiding penalties.
  - Career Growth: Professionals with cloud security expertise are highly sought after, leading to promotions and salary increases.

To gain these benefits, consider enrolling in a reputable cloud security training program that offers practical, hands-on experience.

Next Steps to Advance Your Cloud Security Skills

Once you complete a cloud computing security course, continue building your expertise with these steps:
  - Practice Regularly: Use cloud provider free tiers to experiment with security configurations and tools.
  - Stay Updated: Follow cloud security blogs, forums, and news to keep up with emerging threats and solutions.
  - Join Professional Communities: Engage with peers through LinkedIn groups, cybersecurity meetups, and conferences.
  - Pursue Certifications: Validate your skills with certifications that boost your credibility.
  - Apply Knowledge at Work: Implement best practices in your current role to gain real-world experience.

By following these steps, you can maintain a competitive edge in the fast-changing cloud security landscape. Cloud computing security courses are a vital investment for professionals aiming to secure cloud environments effectively. With the right training, you can protect your organization’s data, meet compliance requirements, and advance your career in cybersecurity. Start your journey today by exploring comprehensive cloud security training options tailored to your needs.
- Essential Skills for Aspiring SOC Analysts
In today's digital age, the role of a Security Operations Center (SOC) analyst is more critical than ever. Cybersecurity threats are continuously evolving, and organizations need skilled professionals to defend against them. For those considering a career in this field, understanding the essential skills required to succeed as a SOC analyst is vital. This blog post explores the key competencies that aspiring SOC analysts need to develop.

SOC Roles

Before diving into the skills required of a SOC analyst, it is essential to understand the various SOC roles. A SOC team typically consists of several positions, each with distinct responsibilities:

- Tier 1 Analyst: Often an entry-level position responsible for monitoring security alerts and conducting initial investigations. Tier 1 analysts are the first line of defense against potential threats.
- Tier 2 Analyst: These analysts take on more complex incidents. They possess deeper technical skills and are responsible for investigating and responding to security incidents escalated by Tier 1 analysts.
- Tier 3 Analyst: Often regarded as the experts in the SOC, Tier 3 analysts handle the most complex security threats and vulnerabilities. They may also work on developing security policies and procedures.
- SOC Manager: Responsible for overseeing the entire SOC operation. SOC managers coordinate team efforts, manage budgets, and communicate with upper management about security needs.

Understanding these roles will help clarify which skills are essential at different levels within the SOC.

Key Skills Required for SOC Analysts

Technical Proficiency

One of the most critical skills for any SOC analyst is technical proficiency. A solid understanding of IT infrastructure and security principles is paramount. Key areas to focus on include:

- Networking: Grasping how networks operate and the common protocols (such as TCP/IP, DNS, and HTTP) is crucial.
- Operating Systems: Familiarity with different OS environments, primarily Windows and Linux, is indispensable, as these are the platforms most organizations use.
- Security Tools: Proficiency in security tools such as SIEM (Security Information and Event Management) software, firewalls, IDS/IPS (Intrusion Detection/Prevention Systems), and endpoint protection tools.

Hands-on experience with these technologies will enhance your capabilities and make you a more competitive candidate in the job market.

Analytical Thinking

SOC analysts must possess excellent analytical thinking skills: the ability to recognize patterns in data and think critically about potential security threats.

- Incident Response: Knowing how to analyze an incident effectively and determine the appropriate response is vital. This includes understanding Indicators of Compromise (IoCs) and tracking malicious activity.
- Risk Assessment: Being able to identify potential vulnerabilities in the organization’s systems and provide actionable recommendations is a skill that can set you apart.

Communication Skills

Despite being a mostly technical job, effective communication skills are equally important. SOC analysts often collaborate with other IT teams, share findings with management, and even interact with clients.

- Reporting: Writing clear and concise reports detailing incidents and responses is necessary. Security documentation must be comprehensible even to readers without a technical background.
- Collaboration: Working as part of a team is crucial in a SOC environment. You must communicate findings and coordinate efforts during incident response situations.

How to Start as a SOC Analyst?

Starting your career as a SOC analyst can be daunting, but with the right approach, it can also be rewarding. Here are actionable steps you can take:

- Educational Background: While a degree in computer science or a related field may be preferred, practical experience often outweighs formal qualifications. Consider cybersecurity courses or certifications such as CompTIA Security+, Certified Ethical Hacker (CEH), or GIAC Security Essentials (GSEC).
- Hands-On Experience: Seek internships or entry-level roles to gain experience. Participating in Capture The Flag (CTF) events can also help hone your skills in a practical setting.
- Networking: Attend cybersecurity conferences, workshops, or meetups to connect with professionals in the field. Networking can lead to job opportunities and professional growth.
- Continuous Learning: The cybersecurity landscape is always evolving. Stay updated on the latest threats, technologies, and best practices through online courses, webinars, and cybersecurity publications.

By following these steps, you can set a strong foundation for your career as a SOC analyst.

Relevant Certifications

Acquiring relevant certifications can significantly improve your chances of landing a job as a SOC analyst. Some of the most recognized certifications in the industry include:

- CompTIA Security+: An entry-level certification that covers essential security concepts.
- Certified Information Systems Security Professional (CISSP): A more advanced certification that proves your expertise in information security.
- Certified Information Security Manager (CISM): Focused on managing and governing an organization’s information security program.

Investing time in obtaining these certifications will not only improve your knowledge but also enhance your employability.

Developing Soft Skills

In addition to technical expertise, developing soft skills can significantly benefit aspiring SOC analysts. Some important soft skills to focus on include:

- Problem-Solving: As a SOC analyst, you will encounter various challenges that require quick and effective solutions. Developing your problem-solving skills will help you navigate these situations.
- Attention to Detail: Cybersecurity involves meticulous work. Minor mistakes can lead to significant security breaches. Focusing on details can prevent errors and improve the overall quality of your work.
- Time Management: Managing multiple tasks and incidents is common in a SOC. Developing strong time management skills will help you prioritize effectively.

Staying Current in Cybersecurity

Given that the cybersecurity landscape is ever-changing, keeping up with the latest trends, threats, and technologies is essential for aspiring SOC analysts.

- Follow Cybersecurity News: Subscribe to reputable cybersecurity blogs, podcasts, and newsletters to stay informed about the latest developments.
- Join Online Communities: Participating in forums and platforms such as Reddit, Twitter, or LinkedIn can help you connect with other professionals and share knowledge.
- Attend Workshops and Conferences: Many organizations host events to discuss the latest trends in cybersecurity. These can be excellent opportunities to expand your learning and network with other professionals.

Final Thoughts

The role of a SOC analyst is both challenging and rewarding. By developing the essential skills discussed in this article, you will be well on your way to launching a successful career in cybersecurity. Remember, entry-level SOC analyst positions are an excellent starting point. Emphasize continuous learning and skill development to propel yourself in this fast-paced field. With determination and dedication, you can become a vital asset to any organization's security operations team.
- Breaking Into the SOC Analyst Field
In today's digital age, cybersecurity has become a crucial part of any organization's framework. As cyber threats evolve and organizations recognize the importance of security, the demand for Security Operations Center (SOC) analysts is on the rise. This blog post will serve as an informative guide to help you understand the SOC analyst role, the skills it requires, and how to embark on a career in this exciting field.

Understanding SOC Jobs

SOC analysts play a vital role in monitoring, detecting, and responding to cybersecurity incidents. Their primary responsibility is to keep a watchful eye on an organization's network for any signs of suspicious activity. With the increase in cyber attacks and data breaches, SOC jobs have become highly sought after.

According to recent statistics, the cybersecurity industry is projected to grow to $345.4 billion by 2026, making it one of the fastest-growing sectors. This growth indicates a high demand for professionals who can protect sensitive data and maintain organizational security.

In a typical day, a SOC analyst may perform tasks such as analyzing security alerts, conducting threat hunting, and collaborating with other IT professionals to implement security protocols. The work is dynamic and requires a strong problem-solving mindset.

The Skills Required for a SOC Analyst Role

To thrive in the SOC analyst position, certain skills and qualifications are essential. Here are some of the fundamental abilities and know-how you should develop:

1. Technical Proficiency. A solid understanding of networking concepts, security protocols, and IT infrastructure is necessary for this role. Familiarity with tools like SIEM (Security Information and Event Management) systems, intrusion detection systems, and firewalls is critical.

2. Analytical Skills. SOC analysts often sift through vast amounts of data to identify anomalies and potential security threats. Strong analytical skills allow you to make sense of this data, draw conclusions, and act accordingly.

3. Problem-Solving Abilities. Cybersecurity incidents can occur unexpectedly, requiring quick thinking and effective problem-solving skills to mitigate risks. Being level-headed and able to think critically under pressure is crucial for SOC analysts.

4. Communication Skills. You will often need to communicate your findings to various stakeholders within the organization. Clear communication is essential, whether you're writing reports or collaborating with other team members.

5. Continuous Learning. The cybersecurity landscape is constantly changing. To stay relevant, SOC analysts must engage in continuous learning and professional development. Attending workshops, obtaining certifications, and staying updated on the latest trends can significantly enhance your career.

How to Start a Career as a SOC Analyst?

Starting a career as a SOC analyst requires a strategic approach. Here are some actionable steps to help you break into this field:

Step 1: Educational Background. While a formal degree in computer science, information technology, or a related field is beneficial, it is not always mandatory. Many SOC analysts come from diverse educational backgrounds. You can also pursue specialized certifications, such as CompTIA Security+, Certified Information Systems Security Professional (CISSP), or Certified Ethical Hacker (CEH).

Step 2: Gain Relevant Experience. Internships and entry-level positions in IT or cybersecurity will provide the practical experience needed to transition into a SOC analyst role. Look for opportunities that allow you to work with security technologies or assist incident response teams.

Step 3: Networking. Connecting with cybersecurity professionals can open doors to job opportunities. Attend industry events, join professional organizations, and participate in online forums to build relationships with others in the field.

Step 4: Apply for Entry-Level Positions. Once you've acquired the necessary skills and experience, start applying for entry-level positions. Focus on entry-level SOC analyst jobs, as they provide an excellent foundation for career growth in this field.

Step 5: Specialize. As you gain experience, consider specializing in areas such as threat intelligence, incident response, or compliance. Specialization can elevate your career and open new pathways within the cybersecurity industry.

The Tools of the Trade

Being prepared with the right tools is essential for SOC analysts. Here are a few tools commonly used in the industry:

1. SIEM Tools. Security Information and Event Management (SIEM) tools aggregate and analyze security data from numerous sources. Examples include Splunk and IBM QRadar.

2. Threat Intelligence Platforms. These platforms help analysts collect and analyze data about ongoing cyber threats. Tools such as Recorded Future and ThreatConnect are instrumental in this area.

3. Incident Response Tools. During a security breach, having the right incident response tools is critical. These include Carbon Black, Resilient, and TheHive Project.

Opportunities for Advancement

The field of cybersecurity is filled with growth opportunities. After starting as a SOC analyst, you can work towards higher positions such as:

- Senior SOC Analyst: In charge of mentoring junior analysts and handling more complex cases.
- SOC Manager: Responsible for overseeing the SOC team, managing incidents, and ensuring compliance.
- Security Engineer: Focuses on designing and implementing security solutions.
- Chief Information Security Officer (CISO): A senior executive responsible for an organization's information and data security.

The Importance of Ethics and Compliance in SOC

As a SOC analyst, maintaining high ethical standards and awareness of compliance regulations is crucial. You must understand the legal implications of cybersecurity measures and ensure that your organization adheres to industry guidelines. Work with compliance frameworks such as:

- NIST Cybersecurity Framework
- ISO/IEC 27001
- General Data Protection Regulation (GDPR)

Being well-versed in these regulations can differentiate you from your peers and contribute to your competence as a SOC analyst.

Final Thoughts

The path to becoming a SOC analyst is challenging yet rewarding. With the right skills, education, and experience, you can successfully navigate this career journey. Many organizations are seeking professionals to safeguard their digital assets, making the prospects in SOC jobs bright. By following the outlined steps, remaining adaptable, and committing to continuous learning, you'll position yourself for success in the ever-evolving cybersecurity landscape. Embrace the opportunity, and you can build a fulfilling and impactful career as a SOC analyst.
- Enhance Your Skills with Cybersecurity Training
In today’s digital world, protecting information is more important than ever. Cyber threats are evolving, and so must your skills. Whether you are starting a career in cybersecurity or looking to improve your current abilities, gaining the right knowledge is essential. This article will guide you through the benefits of cybersecurity skills training, how to get started, and practical steps to advance your expertise.

Why Cybersecurity Skills Training Matters

Cybersecurity skills training equips you with the tools and knowledge to defend against cyber attacks. Organizations worldwide face threats like data breaches, ransomware, and phishing scams. Skilled professionals are in high demand to protect sensitive information and maintain trust. Training helps you understand:

- Threat landscapes: Learn about different types of cyber threats and how they operate.
- Security protocols: Master the best practices for securing networks, systems, and data.
- Incident response: Develop skills to detect, respond to, and recover from cyber incidents.
- Compliance and regulations: Understand legal requirements and industry standards.

By investing time in training, you increase your value in the job market and contribute to safer digital environments.

Exploring Cybersecurity Skills Training Options

There are many ways to enhance your cybersecurity skills. Training programs vary in format, duration, and focus areas. Here are some common options:

- Online courses: Flexible and accessible, these courses cover fundamentals to advanced topics.
- Bootcamps: Intensive, short-term programs designed to build practical skills quickly.
- Certifications: Industry-recognized credentials like CompTIA Security+, CISSP, and CEH validate your expertise.
- Workshops and seminars: Hands-on sessions that provide real-world experience.
- Degree programs: Formal education in cybersecurity or information technology.

When choosing a program, consider your current skill level, career goals, and learning style. For example, beginners might start with foundational courses, while experienced professionals may pursue specialized certifications. To get started, explore reputable platforms offering cybersecurity training that fits your needs.

How Do I Train to Be a Cybersecurity Professional?

Training to become a cybersecurity professional involves a combination of education, practice, and continuous learning. Here’s a step-by-step approach:

- Build a strong foundation: Start with basic IT knowledge, including networking, operating systems, and programming. Understanding how systems work is crucial.
- Learn cybersecurity fundamentals: Study core concepts such as encryption, firewalls, malware, and risk management.
- Gain hands-on experience: Use labs, simulations, and real-world projects to apply what you learn. Capture The Flag (CTF) challenges are excellent for practice.
- Earn certifications: Certifications demonstrate your skills to employers. Begin with entry-level ones and progress to advanced credentials.
- Stay updated: Cybersecurity is a fast-changing field. Follow news, attend webinars, and participate in professional communities.
- Specialize: Choose an area like penetration testing, incident response, or cloud security to deepen your expertise.

By following these steps, you can build a rewarding career in cybersecurity.

Practical Tips to Maximize Your Cybersecurity Training

To get the most out of your training, consider these actionable recommendations:

- Set clear goals: Define what you want to achieve, such as mastering a specific skill or earning a certification.
- Create a study schedule: Consistency is key. Dedicate regular time to learning and practicing.
- Engage with communities: Join forums, attend meetups, and network with professionals to share knowledge and opportunities.
- Use multiple resources: Combine books, videos, courses, and hands-on labs for a well-rounded approach.
- Practice real-world scenarios: Simulate attacks and defenses in a lab to understand practical challenges.
- Seek feedback: Participate in peer reviews or mentorship programs to improve your skills.

Applying these tips will help you retain information and build confidence in your abilities.

The Future of Cybersecurity Skills

The demand for cybersecurity professionals is expected to grow rapidly. As technology advances, new threats emerge, requiring ongoing skill development. Areas like artificial intelligence, cloud computing, and the Internet of Things (IoT) are creating fresh challenges and opportunities.

Investing in cybersecurity skills training prepares you for a dynamic career with strong job security and competitive salaries. Employers value professionals who can adapt and innovate to protect digital assets. Whether you are just starting or looking to advance, continuous learning is essential. Explore training programs, stay curious, and embrace the evolving landscape of cybersecurity.

Enhancing your cybersecurity skills is a smart move in today’s digital age. With the right training and dedication, you can build a successful career and contribute to a safer online world. Start your journey today by exploring trusted cybersecurity training options and take control of your professional future.
- AI for Cybersecurity with Labs
AI for Security Cybersecurity with Labs

Welcome & Install Jupyter Notebook

Welcome to our new lab series, “AI for Security Cybersecurity with Labs.” This series of projects will help you understand how AI works in the only proper way to learn it: by doing it. Learning AI will help future-proof you in the changing industry we are in today. We are going to do some fun things; I’ll explain everything about AI and the statistics you need to know along the way, so grab your lab coats and let’s get started!

Installing Jupyter Notebook on a Mac

The first thing you’ll want to do is install brew on your machine if you haven’t already:

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Follow the instructions in the output of that command; mine look like this:

    echo >> /Users/tylerwall/.zprofile
    echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> /Users/tylerwall/.zprofile
    eval "$(/opt/homebrew/bin/brew shellenv)"

Then install Python:

    brew install python

Then install Jupyter Lab:

    pip3 install jupyterlab

Finally, install Jupyter Notebook:

    pip3 install notebook

Next, add it to your $PATH. First, check which shell your terminal is using (echo $SHELL). If you see /bin/zsh, you’re using Zsh (the default in macOS Catalina and later). If you see /bin/bash, you’re using Bash. Open the matching startup file:

    nano ~/.zshrc

or

    nano ~/.bash_profile

Add this line to the end of the file (adjust the 3.9 if your installed Python version differs):

    export PATH="$HOME/Library/Python/3.9/bin:$PATH"

Save the file and reload it (use ~/.bash_profile instead if you are on Bash):

    source ~/.zshrc

To run Jupyter Notebook, type:

    jupyter notebook

Installing Jupyter Notebook on Windows

Install Python (if not already installed): go to https://www.python.org/downloads/windows/ and download Python (preferably the latest version). During installation, check the box that says:

    [✓] Add Python to PATH

Open Command Prompt: press Win + R, type cmd, and hit Enter.
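As an added example (not part of the original lab) that makes the macOS PATH step above repeatable: it picks the startup file from the shell you found, derives the version directory from the Python version string instead of hard-coding 3.9, and appends the export line only if it is not already present, so re-running the setup cannot duplicate it. It assumes POSIX sh and the macOS user-site layout $HOME/Library/Python/X.Y/bin that the lab uses.

```shell
#!/bin/sh
# Added example, not from the original lab: idempotent, shell-aware PATH
# setup for the Jupyter install steps above.
# Assumption: the user-site bin directory follows the macOS pattern
# $HOME/Library/Python/<major.minor>/bin shown in the lab.

# Map the login shell (the value of $SHELL) to the startup file the lab
# tells you to edit; unknown shells are rejected rather than guessed.
rc_file_for_shell() {
  case "$1" in
    zsh|*/zsh)   printf '%s\n' "$HOME/.zshrc" ;;
    bash|*/bash) printf '%s\n' "$HOME/.bash_profile" ;;
    *)           return 1 ;;
  esac
}

# Build the export line from a "Python X.Y.Z" string (the output of
# `python3 --version`), so the directory matches the interpreter actually
# installed instead of the hard-coded 3.9 in the lab.
path_line_for_version() {
  ver=$(printf '%s' "$1" | sed -n 's/^Python \([0-9]*\.[0-9]*\).*/\1/p')
  [ -n "$ver" ] || return 1
  printf 'export PATH="$HOME/Library/Python/%s/bin:$PATH"\n' "$ver"
}

# Append the line to the startup file only if an identical line is not
# already there (-x whole line, -F literal), so repeated runs do not grow
# the file or prepend the same directory to PATH again and again.
ensure_path_line() {
  rcfile=$1
  line=$2
  touch "$rcfile"
  if ! grep -qxF -- "$line" "$rcfile"; then
    printf '%s\n' "$line" >> "$rcfile"
  fi
}

# How many times the exact line appears in the file; used to confirm
# that ensure_path_line is idempotent.
count_line() {
  grep -cxF -- "$2" "$1"
}
```

Typical use after the install steps: `ensure_path_line "$(rc_file_for_shell "$SHELL")" "$(path_line_for_version "$(python3 --version)")"`, then `source` the file as the lab describes.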
Run these commands: pip install notebook Once installed, you can start it by running: jupyter notebook It will automatically open in your default web browser. Wrapping Up Part I Now run this command because you’ll need these too: pip install pandas scikit-learn matplotlib seaborn flask Jupyter Notebook is a tool you can use in your web browser that lets you write and run code, see the results, and explain what you’re doing all in one place. It was initially designed for Python, but now it also works with many other programming languages. The notebook is split into sections called “cells,” where you can write code or text. This makes it easy to test your ideas step by step and see what works. It’s great for learning, teaching, and working on projects. Jupyter Notebook is especially helpful for artificial intelligence (AI) projects. It allows you to try out different models and see how well they perform with your data. You can also make charts and graphs to understand what’s going on. If something goes wrong, you can fix it right there without starting over. You can add notes and pictures to explain your work, which is useful when showing it to others. It also works well with tools like TensorFlow, PyTorch, and scikit-learn, which are popular for building AI applications. Because of this, it’s easier to develop and test smart programs that can learn from data. You can even save your notebook as a file to share with others or keep for later. Overall, Jupyter Notebook is an excellent tool for AI, as it enables you to try things quickly, learn from your results, and keep track of your work in a clear and organized manner. Let’s get started with a quick intro to AI. Intro to AI Artificial Intelligence, or AI, is a term you’ve heard a lot about. It pops up in discussions about the latest tech, sci-fi movies, and even in conversations about the future of work and everyday life. But what exactly is AI? 
How does it relate to machine learning, and what role does something like ChatGPT play? And what about automation? How does that fit into the picture? In part two, we’ll dive into these topics, breaking them down in a way that’s easy to understand. By the end, you’ll have a clearer idea of what these terms mean and how they’re shaping our world. To start, let’s understand what AI really is. Artificial Intelligence is the idea of creating machines or software that can perform tasks that normally require human intelligence. These tasks include things like understanding language, recognizing pictures, making decisions, and solving problems. Think of AI as a super-smart computer program that can learn and adapt. When you play a video game against a computer opponent that gets better the more you play, or when you ask your phone’s assistant to set a reminder, you’re interacting with AI. Levels of AI AI comes in different levels, based on the intelligence and capabilities of these systems. The simplest form is called Narrow AI. Narrow AI is designed to do one specific thing. It’s excellent at that one thing, but can’t do anything else. For example, the spam filter in your email that catches junk mail is a type of Narrow AI. It’s great at identifying spam messages, but it can’t help you with your math homework or play chess with you. Next up is General AI. This is the kind of AI that can understand, learn, and apply knowledge across a wide range of tasks, much like a human can. General AI doesn’t just excel at one task but can perform many different ones, switching between them as needed. Imagine a robot that can cook, clean, help you study, and even have a meaningful conversation with you about your day. As of now, General AI is still something we’re working towards and hasn’t been fully realized yet. Finally, there’s Super Intelligent AI. This is a level of AI that would surpass human intelligence in every aspect. 
It would not only perform tasks better and faster than humans, but also come up with ideas and solutions that exceed human capabilities. This kind of AI remains in the realm of science fiction for now, as we’re far from creating anything like it. Figure 2–1: Levels of AI Machine Learning Now, let’s talk about machine learning. Machine learning is a big part of AI, but it’s more specific. It’s a method for teaching computers to learn from data. Instead of programming a computer with exact instructions for every possible situation, we give it lots of data and let it figure out patterns and rules by itself. Imagine you have a computer program that you want to teach to recognize cars in pictures. Instead of telling it exactly what a car looks like, you show it thousands of images of vehicles and thousands of pictures of other things. The computer analyzes these pictures and learns the patterns that distinguish a car from other objects. This process of learning from examples is what machine learning is all about. ChatGPT ChatGPT is a specific type of AI. It’s designed to understand and generate human-like text based on the input it receives. If you’ve ever chatted with an online assistant that can answer questions or help you with tasks, it might be powered by something similar to ChatGPT. What makes ChatGPT unique is that it employs a technique called deep learning, a type of machine learning. Deep learning involves using extensive networks of computers to learn from vast amounts of data, kind of like building a very complex brain for the computers. ChatGPT is trained on a massive amount of text data from the internet. This process, called pre-training, helps it learn grammar, facts, and even some (minimal) reasoning skills. After this, it undergoes fine-tuning, where it improves at specific tasks by receiving feedback from developers and you. When you ask ChatGPT a question, it uses all this learning to generate a response that makes sense based on the context. 
It’s important to note that while ChatGPT is a form of machine learning, it’s specifically designed for working with language. Making it a Narrow AI. Not all machine learning models are like this. Some might be designed to recognize images, while others might predict weather patterns. ChatGPT’s primary function is to understand and generate text, making it a powerful tool for applications such as chatbots. Automation Automation is another concept that’s often mentioned alongside AI and machine learning, but it differs. Automation is all about making machines or software do tasks on their own without human help. These tasks are usually repetitive and follow a clear set of steps. For example, think about an automatic washing machine. Once you load your clothes and start it, the machine goes through a series of steps to wash your clothes without needing any further input from you. That’s automation. Automation doesn’t necessarily require AI. For example, a simple conveyor belt system in a factory that moves products from one location to another is automated, but it lacks intelligence. It’s just following a pre-programmed set of instructions. It can’t learn anything new on its own or adapt. So, how do AI, machine learning, and automation differ from each other? AI is the broad concept of creating intelligent machines. Machine learning is a specific approach within AI where machines learn from data. ChatGPT is a specific approach within Machine Learning called Deep Learning. Automation is about making machines or software perform tasks on their own, often without any need for intelligence. Automation is not AI. However, it’s being combined with AI every day in a thing called Agentic AI. Agentic AI is intelligence that can think and carry out tasks. 
Figure 2–2: Difference between AI and Automation When you put them together, you get robust systems that can do amazing things, like self-driving cars that navigate traffic on their own, or intelligent assistants that manage your daily tasks. AI Concerns As exciting as all these advancements are, it’s essential to think about the impact of AI, machine learning, and automation on society. One concern is job displacement. As machines become capable of performing more tasks, some jobs may become obsolete. For example, self-driving trucks could reduce the need for truck drivers, and automated customer service systems could replace human agents. However, new jobs will also be created in areas such as AI development, data analysis, and the maintenance of these systems. It’s essential for education and training programs to equip individuals for these emerging roles. Another concern is privacy. AI systems often rely on large amounts of data to function effectively. This data can include personal information, like your browsing history, purchase habits, and even your voice recordings. Companies need to handle this data responsibly and ensure that it’s protected from misuse. Regulations and policies are required to ensure that AI is used ethically and that people’s privacy is respected. This is an emerging field called AI Governance. There are also ethical considerations around AI decision-making. For example, how do we ensure that AI systems are fair and unbiased? If an AI system is used to make decisions about things like job applications, loans, or medical treatments, these decisions must be made fairly. Bias can creep into AI systems if the data they’re trained on contains biases. For instance, if a hiring algorithm is trained on data where certain groups are underrepresented, it might unfairly disadvantage those groups. Researchers and developers are working on ways to identify and mitigate bias in AI systems to ensure they’re fair and equitable. 
In addition to these concerns, there’s the question of control. As AI systems become more advanced and autonomous, how do we ensure that we remain in control? This is especially important when it comes to AI systems that can make decisions independently, such as self-driving cars or automated weapons. Establishing clear guidelines and oversight mechanisms is crucial to ensure that AI is used responsibly and safely. Wrapping up Part Two AI, machine learning, and automation are fascinating and transformative fields that are reshaping our world. AI is the broad concept of creating intelligent machines. Machine learning is a method that enables these machines to learn from data, and automation is about automating tasks without human intervention. As these technologies continue to evolve, they will bring new opportunities and challenges. Understanding them is the first step to being a part of this inevitable future. The next part of AI for Cybersecurity with Labs focuses on the distinction between AI users and AI creators, with a world of many more users than creators and the skills needed for both. Take a quick interactive quiz AI Users vs. AI Creators People who use AI and people who make AI are different in many ways. AI users focus on using tools to help with their daily tasks. They might use apps like ChatGPT to write stories or emails, use image generators to create art, or get help from smart assistants to answer questions. They don’t need to know how the AI works; they just want it to work well and help them get things done faster. The people who make AI are the ones building those tools. They are engineers and researchers. They write code. They study math. They train AI models using powerful computers and huge sets of data. Their job is to make AI smarter, more helpful, and more reliable. While users explore what AI can do, makers explore how to make AI better. The tools they use are also very different. AI users usually work with websites and apps. 
AI makers use programming tools, coding environments, and special hardware that can handle lots of calculations. Users can do their work on a regular laptop. Makers often need servers or advanced machines to test and train their AI systems. Their responsibilities are not the same. AI users must be careful with how they use the technology. They shouldn’t use it to lie, cheat, or hurt others. AI makers have to make sure the systems they build are fair and safe. They have to think about privacy, bias, and long-term risks. The way they think is also different. People who use AI think about what it can do for them. They like finding new ways to solve problems or save time. People who make AI think about how it works and how to improve it. They are problem solvers. They are builders. The effects they have are different, too. AI users might impact their jobs or creative work. AI makers might impact entire industries or even the future of how we use technology. In simple terms, users are like people driving cars. Makers are like the ones building the engines. One group gets things done with the help of AI. The other makes sure AI is possible. Both are important. Both are part of the same story, but they play very different roles. Is Cybersecurity a User or Creator? Cybersecurity engineers often find themselves in a unique position - they are both users and makers of AI, depending on the task and the level of expertise they bring. As users, cybersecurity professionals rely on AI tools to detect threats, analyze logs, and respond to incidents faster than a human could alone. They might use AI-powered systems to spot unusual network behavior, identify phishing attempts, or classify malware. These tools help them sort through massive amounts of data quickly, making their jobs more efficient and their responses more accurate. In this way, AI becomes a powerful assistant - a second set of eyes that never gets tired. 
But cybersecurity professionals are also increasingly becoming makers of AI. Many of them are now building custom models for their specific needs. For example, they might train a machine learning model to detect a new kind of attack that’s unique to their network. They might write scripts that feed threat data into AI systems or build automation workflows that let AI take action on its own. This kind of work moves beyond simply using tools - it’s about shaping them. The more advanced a cybersecurity professional becomes, the more they shift into the maker role. They might experiment with anomaly detection algorithms, contribute to open-source security AI projects, or design entire AI systems for defense and offense. They understand how models work, how data flows through those models, and how attackers might try to trick or bypass them. So, in the world of cybersecurity, the line between using AI and making AI is blurry. Most professionals start as users, but over time, as they develop more skills in programming, data analysis, and machine learning, they take on the mindset and responsibilities of makers. They don’t just protect systems with AI - they build the AI that protects the systems. In the future, the best cybersecurity professionals will be those who can effectively utilize AI while also building it securely. How Cybersecurity Uses AI From your SIEM to your endpoint tool, almost every product now has some kind of AI built in to make your job faster and more efficient. Security professionals also use AI directly: asking ChatGPT to draft a script that they then modify, which can cut that work by roughly 70%, or asking it questions while troubleshooting, saving perhaps 40% of the time otherwise spent on Google. As Agentic AI matures, a Security Engineer may be responsible for configuring those automations and for building the organization’s own security models. Models trained on a company’s own data are typically far more accurate on that company’s environment than generic ones. 
The cleaner the training data, the better the model will work. Everyone will need to learn to use AI inside their favorite tools, but only a few people will need to be makers of AI, and most Security professionals will remain users. So, first things first: how do you even start making AI? How to Start Making AI If you want to make AI instead of just using it, there are a few important things you need to learn first. At the most basic level, AI is about creating systems that can act smart - things like recognizing patterns, making decisions, or learning from experience. Most modern AI is built using something called machine learning, where a computer learns from data instead of being programmed with step-by-step instructions. To understand how AI works, you’ll need to learn some basic math. You don’t have to be a math expert, but you should be comfortable with algebra, statistics, and eventually some linear algebra. These help you understand how AI models process data and make predictions. Later on, if you want to dive deeper, some knowledge of calculus can also be helpful. Next, you need to learn how to code, and Python is the best place to start. It’s simple to read and has a lot of useful libraries for AI, like scikit-learn, TensorFlow, and PyTorch. You’ll use coding to load data, train models, and test their results. Along with coding, you’ll need to understand how to work with data - how to collect it, clean it, and analyze it. Data is what AI learns from, so learning how to handle it well is a must. Once you’re comfortable with code and data, you can start learning about models and training. An AI model is like a digital brain that gets smarter as you feed it data. We will begin with supervised learning to get our hands dirty quickly, where the model is trained with labeled examples, and work on basic tasks like classifying emails. 
You’ll also learn about important ideas like overfitting, where a model memorizes the training data instead of learning the pattern, and underfitting, where it doesn’t learn enough to be useful. The best way to truly understand AI is to build projects. You can start simple - predicting house prices, filtering spam, recognizing handwriting, or even building a basic chatbot. These hands-on experiences will teach you more than reading alone. You can also learn a lot from the community. There are websites like Kaggle, where you can join data science competitions, and Google Colab, where you can write and run Python code in the cloud for free. Hugging Face is another great place to explore powerful AI models for natural language tasks. In short: we’ve started by learning what AI is, and now we will begin building simple projects. The more you build and explore, the more confident you’ll become. From this point forward, our learning will be in Jupyter Notebooks.

How to Start a Jupyter Notebook
1. Open your terminal (Mac/Linux) or Command Prompt (Windows).
2. Navigate to the folder where your notebook is saved using cd, for example: cd Downloads
3. Start Jupyter by typing: jupyter notebook
4. Your browser will open the Jupyter file explorer. Click the notebook file (it ends in .ipynb) to open it.

Run (Play) the Notebook
Once the notebook is open:
1. Click on a cell (a gray or white box of code or text).
2. Run the cell by pressing Shift + Enter (the most common way), or click the Run button (the ▶ triangle at the top).
3. Keep doing this cell by cell, and watch the output appear just below each code cell.
Treat a notebook you downloaded like any other script: running its cells executes whatever code they contain on your machine, so read a cell before you run it.

How to Reset (Restart) a Jupyter Notebook
1. Inside the notebook (once it’s open), go to the menu at the top.
2. Click Kernel → Restart. This clears all variables in memory (like starting over). It does not delete your code.
3. After restarting, re-run all your code: click Cell → Run All (in JupyterLab and Notebook 7 the menu item is Run → Run All Cells), or press Shift + Enter on each cell one by one.
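The supervised email classifier this section promises, written here as an added example (not code from the original page or its labs) in plain Python so it runs without scikit-learn: a multinomial naive Bayes model trained on a constructed set of labelled phishing and legitimate subject lines, then scored on held-out examples so that training and test accuracy can be compared. The corpus, the labels, and the `NaiveBayes` and `train_and_evaluate` names are my own assumptions, not anything from the page.

```python
"""Supervised text classifier (phishing vs. legitimate email), from scratch.

Multinomial naive Bayes with Laplace smoothing. Added example: the training
and test sentences below are constructed, not real email.
"""
import math
import re
from collections import Counter

# Constructed labelled training data: (text, label).
TRAIN = [
    ("urgent verify your account password now click link", "phish"),
    ("your account suspended click here to verify password", "phish"),
    ("invoice attached urgent payment wire transfer today", "phish"),
    ("click link reset password immediately account locked", "phish"),
    ("security alert unusual login verify now click", "phish"),
    ("meeting moved to thursday see agenda attached", "ham"),
    ("lunch tomorrow at noon sounds good", "ham"),
    ("quarterly report draft attached please review", "ham"),
    ("thanks for the update see you at the meeting", "ham"),
    ("can you review the design doc before thursday", "ham"),
]

# Constructed held-out examples the model never sees during training.
TEST = [
    ("verify your password click link now", "phish"),
    ("urgent account locked click to reset", "phish"),
    ("agenda for thursday meeting attached", "ham"),
    ("lunch at noon tomorrow", "ham"),
]

TOKEN = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case and split into alphanumeric tokens."""
    return TOKEN.findall(text.lower())


class NaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha            # Laplace smoothing constant
        self.class_counts = Counter()  # label -> number of training examples
        self.word_counts = {}          # label -> Counter of token frequencies
        self.vocab = set()

    def fit(self, examples):
        for text, label in examples:
            self.class_counts[label] += 1
            wc = self.word_counts.setdefault(label, Counter())
            for tok in tokenize(text):
                wc[tok] += 1
                self.vocab.add(tok)
        return self

    def log_prob(self, tokens, label):
        # log P(label) + sum over tokens of log P(token | label); smoothing keeps a
        # token never seen with this label from zeroing out the whole product.
        total = sum(self.class_counts.values())
        lp = math.log(self.class_counts[label] / total)
        wc = self.word_counts[label]
        denom = sum(wc.values()) + self.alpha * len(self.vocab)
        for tok in tokens:
            lp += math.log((wc[tok] + self.alpha) / denom)
        return lp

    def predict(self, text):
        tokens = tokenize(text)
        return max(self.class_counts, key=lambda lbl: self.log_prob(tokens, lbl))


def accuracy(model, examples):
    correct = sum(model.predict(text) == label for text, label in examples)
    return correct / len(examples)


def train_and_evaluate():
    """Train on TRAIN, return (model, training accuracy, held-out accuracy)."""
    model = NaiveBayes().fit(TRAIN)
    return model, accuracy(model, TRAIN), accuracy(model, TEST)


if __name__ == "__main__":
    model, train_acc, test_acc = train_and_evaluate()
    print(f"train accuracy {train_acc:.2f}, test accuracy {test_acc:.2f}")
    print(model.predict("please verify your account password at this link"))
```

With a corpus this tiny both accuracies come out perfect, so there is nothing to diagnose yet; the overfitting signal described above appears when training accuracy stays high while held-out accuracy drops, which the two numbers returned by `train_and_evaluate` let you watch as you grow and diversify the data.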
- SOC Analyst Roadmap to Success
Four traditional paths a SOC Analyst comes from What’s in this article? This article will discuss background-specific tips for landing your first SOC Analyst role. The four targeted audiences are college graduates, career changers from IT, Veterans, and the Autodidact. Each one has its own nuances, which is what makes it worth dedicating this article to your roadmap to success. SOC Analyst Roadmap to Success I repeat myself through these four sections, driving home the idea that you have to prove your interest and back it up with examples, which is in addition to hard technical skills. Veterans have extensive networks of people and partnerships just waiting for them to plug into, college graduates have career services with their school to leverage, people transitioning from other areas of IT already have real-life experience, often in domains that overlap with cybersecurity, and lastly, the autodidact’s most vital selling point is their personal projects and involvement with the community at large. I recommend to students of all backgrounds who are worried they don’t have much to talk about in an interview to deploy The Modern Honey Network as a project to Azure with a few honeypots. Take the data from it and analyze it. In the article The SOC Analyst Method, I explain how to analyze a security event. Practice this method on the honeypot attackers and find interesting things to discuss in the interview. Recent Graduate Congratulations! You have graduated from college or are about to graduate. It’s a monumental achievement, and I hope you’ve learned a lot. Maybe you had an internship, and that’s great because what you’re fighting now is a lack of experience. Getting experience with commercial tools is one of the most difficult things to do. They cost millions of dollars and work in highly complex enterprise environments, but the hiring manager knows that. 
What he’s looking for is experience with any projects you may have had while in school, any personal projects you’ve had, and overall checking to ensure you’re not a commodity graduate with zero interest in cybersecurity other than the paycheck. So many people graduate without knowing a thing and have no real passion or interest in cybersecurity. That is the reputation you are fighting against concerning recent college graduates. Your resume should reflect the projects that you’ve worked on during school. Resume Raiders is a professional resume writing service I would recommend and have used before, but you have options. Explore your career services from your school to see if they have people who know how to write your resume in a way that highlights the experience you gained from your curriculum. This should be your first stop, as they know what you’ve learned while in your program. And then maybe poke Resume Raiders for a revision if you’re not having any luck. You need a project to talk about. The question of why you like cybersecurity is inevitable, and be fully prepared to give them examples of the projects you’ve been a part of that you truly enjoyed. Eventually, what you want to do in cybersecurity will come up. One thing you have on your side from formal education is experience with various things, and you probably already know what you like and don’t like. So talk about the classes and projects you truly enjoyed and say you’d like to work in the SOC for a few years to get even more breadth of experience before deciding on a specialty. When you’re finally in the SOC, you’ll see how we do things in the real world. And it’s often much different than the Ivory Tower you’ve learned about in college. Sometimes, it’s messy with lots of red tape, and your dream isn’t what it pans out to be. That is what happened to me as a penetration tester. I absolutely loved hacking around and had been doing it for years. 
All through college, I thought this was precisely what I wanted to do, and I was so sure of myself. I started in the SOC, worked hard, and became a pentester, but then I learned I didn’t like it. It was the worst! Luckily, I was already qualified to be a SOC Analyst, so I regrouped and found my way into Security Engineering with nothing lost. I haven’t strayed too far from the SOC ever since. Your degree is not going to get you a job alone. It’s an important step in any career, but it’s significantly less important today than it was a while ago. Most big companies have removed the requirement to have a college degree, but there are still some that require it. Those that require it should be your first applications when applying for jobs. Fewer people have college degrees, so there might be less competition. From IT So, you want to join the exciting world of cybersecurity. As you might know, a SOC Analyst role might be a temporary pay cut depending on your seniority in IT. You’re looking at around $80-$100k starting. But you might be considering it because you’ve hit the glass ceiling in IT, done your research, and know the glass ceiling is higher in cybersecurity. You might just be more interested in a domain of cybersecurity and need the SOC Analyst role to get there. Whatever the reason, you’re reading this book and being a SOC Analyst is on your mind. There are a few things you need to know. It’s a lot like IT. The same problems you’re going to have in IT are in cybersecurity. On-call is typical, it changes rapidly, there is a glass ceiling you’re inevitably going to hit, and after a while you realize it’s a glorified customer service position. You might already have certifications that apply to cybersecurity: any networking or Microsoft certifications are a plus, and any CompTIA certification is good too. In general, you’re familiar with the certification game. 
You may be past the certification game in your IT career, but be prepared to start it all over again as a SOC Analyst. It almost sounds like I’m discouraging you from becoming a SOC Analyst, but I’m not. I know how important it is for us to do stuff we like. The only reason I’m writing a book is because I enjoy writing. It’s so challenging to be stuck doing work you don’t like, and to make it worse, you probably won’t be good at it. I would only suggest this path to someone from IT if they like cybersecurity. The reason doesn’t matter; just be prepared to discuss it in an interview. I recommend going to the ISC2 website, finding the domains of cybersecurity, and writing your resume with the skills and experience you gained at your previous employers in those domains. There will be a lot of overlap. Anyone with a significant amount of experience in IT is qualified for a SOC Analyst job, and since you picked up this book, you already know why you’re interested. Out of all the backgrounds this book applies to, yours will be the easiest one from which to find work in cybersecurity. Experience trumps everything. Autodidacts Calling all hackers. You only really end up in this category if you’ve been hacking around at things for years and are sitting around thinking how it’d be great to do this for a living. Well, good news, it happens all the time, but there are some things to think about. How do you quantify experience with something you’re not supposed to be doing? First off, congratulations on staying out of jail, assuming you’ve kept your nose clean. If you haven’t, there aren’t many people who will hire you. It does happen, and some companies will employ extremely talented felons, but it’s rare, and what usually happens is they create their own companies, and other companies hire them as contractors. But that’s so rare I won’t cover it in detail. Here’s what you do if you’ve been hacking away on your own. 
When asked what experience you have, you tell them you set up labs and give the spiel about your lab environment before they can even ask. You get a bug bounty and put it on your resume. You contribute to a community project or enhance an existing standard tool. You write your blog and publish articles about your research. It’s significantly more difficult for you to get a call back from a job posting and compete with all the other applicants with your resume alone. The tips described in the article Job Attending conferences, hackerspaces, makerspaces, and meetups is absolutely critical. You need to be at every single one and start contributing. Pick a topic and give presentations or make the coffee. Get on LinkedIn and add SOC analysts, join a group, and contribute. You need a resume, but you also need to know someone on the inside to pick your resume from the pile and give you an interview. Out of all the backgrounds this book covers, it is the most difficult to land a job in cybersecurity because you need twice the skills as a college graduate, and good luck. However, you’ll likely succeed in the long run because you can’t teach passion. You’ll have to do a lot of work for free before you build the reputation to get paid for it. Veterans Veterans have the opportunity to access complimentary cybersecurity training and scholarships, enabling them to acquire the necessary knowledge, skills, and abilities (KSAs) for entry into the cybersecurity sector. The CyberCorps®: Scholarship for Service (SFS) initiative, a collaboration between the Department of Homeland Security (DHS) and the National Science Foundation (NSF), extends cybersecurity scholarships to exceptional undergraduate, graduate, and doctoral students. Eligible individuals can receive financial support ranging from $27,000 to $37,000 for their studies at participating institutions. 
SFS scholarships cover the typical expenses of full-time students at participating institutions, encompassing tuition and related fees for a maximum of two years. When combined with the Post-9/11 GI Bill, which provides up to 36 months of financial assistance for education and training in various fields, including cybersecurity, veterans may have the opportunity to earn a cybersecurity degree without incurring costs. The DHS facilitates training through the Federal Virtual Training Environment (FedVTE) platform, an online, on-demand training resource accessible to government employees and veterans. FedVTE offers over 800 hours of free training on cybersecurity and IT topics, ranging from beginner to advanced levels. The courses cover diverse areas such as ethical hacking, risk management, surveillance, and malware analysis. Additionally, they align with certifications like Network+, Security+, and Certified Information Systems Security Professional (CISSP). The SANS Institute’s VetSuccess Academy is tailored to support veterans in their cybersecurity endeavors. However, it has been mentioned that this SANS program should be viewed as more of a lottery ticket because they rarely see anyone get picked for any particular cohort. However, there is a success rate in having the GI bill pay for a SANS degree, which bundles individual certifications into a degree program. The certifications themselves are highly regarded in cybersecurity and very expensive. One problem that is common with military folks is that they focus heavily on certifications but don’t get the hands-on experience and deep theory that they need for entry-level technical positions. To make matters worse, the people I’ve talked with don’t feel that cybersecurity degree programs prepare the transitioning military well either, as they focus on high-level policy. The military trains you to look for qualifications and meet requirements for service ribbons/medals. 
And since certifications don’t matter as much as practical hands-on project work, this leads to veterans falling prey to predatory boot camps at an above-average rate, leaving them still unqualified to actually do the job or pass the interview. Note: They recommend a general computer science degree program at a brick-and-mortar college if you choose to go the degree route. Before you transition, be aware of SkillBridge. Essentially, it allows military members on active duty to spend their last 180 days of active duty working (for free to the business) for a company as an intern. They maintain their military pay and benefits. The company gets a free intern. This often can pivot into a full-time offer upon separation from the service, but if not, it will give you a little experience and someone to vouch for you. Furthermore, VeteranSec serves as an online community for military veterans engaged in or interested in information technology and cybersecurity. The platform provides a private networking channel of over 7000 veterans, free training videos, partnerships with companies to take advantage of, and an informative cybersecurity blog with tutorials to aid veterans in their professional development. Summary I hope this article has provided a few additional valuable strategies for your road to success. Each of these backgrounds presents an opportunity for us to provide insights into the challenges, even reputations, that you are fighting against and need to be aware of as you trudge the road ahead. Use the tools given to you in this book, with the additional insight from this article, to form a plan for attacking your job search and, if you’re lucky, interviews. Not everyone will have the same experience with their journey to success. Some will be more difficult than others. We’re not all on the same playing field. I know that may not be what you want to hear, but corporate America, and capitalism in general, is a game. 
Once you learn the rules and what moves you forward, you can strategize on what makes you desirable to employers. You build a brand for yourself. For me, it was certifications and education to start with. Still, after some years, I failed to even mention it during interviews, and I’m never asked about it because we’re too busy talking about the experience. If you have experience, it trumps everything. If you don’t yet, you need a formal school, the community, your friends and internships, former employers, and even yourself to vouch for you and provide examples to show your potential value. And for the lone hackers, the autodidacts, the self-taught, let’s all remember that, whatever the case, they are the underdogs, but they are the few and the proud. Be nice to them and make friends; you’ll thank me later. ARTICLE QUIZ (ANSWERS FOLLOW) Which audience is not specifically targeted by the chapter on achieving success as a SOC analyst? Ⓐ Career changers from healthcare Ⓑ College graduates Ⓒ Veterans Ⓓ The Autodidact What is a recommended project for interview preparation mentioned in the chapter? Ⓐ Creating a personal blog Ⓑ Deploying The Modern Honey Network on AWS Ⓒ Developing a new cybersecurity tool Ⓓ Writing a thesis on cybersecurity trends Which service offers a 20% discount on resume services specifically for aspiring SOC analysts? Ⓐ LinkedIn Premium Ⓑ Resume Raiders Ⓒ Indeed Resume Review Ⓓ Monster Resume Writing Service What is identified as the strongest selling point for autodidacts seeking a SOC Analyst role? Ⓐ Their formal education Ⓑ Their professional network Ⓒ Their personal projects and community involvement Ⓓ Their military background For recent college graduates, what is considered a significant challenge when applying for SOC Analyst roles? Ⓐ Overqualification Ⓑ Lack of real-world experience Ⓒ Too many certifications Ⓓ Excessive specialization What is a common misconception about certifications according to the veteran’s section? 
Ⓐ They guarantee a job in cybersecurity Ⓑ They are not valued by employers Ⓒ They replace the need for a college degree Ⓓ They are more important than hands-on experience Which online platform is mentioned as a resource for veterans interested in cybersecurity? Ⓐ Coursera Ⓑ VeteranSec Ⓒ Udemy Ⓓ Khan Academy What advice is given to those transitioning from IT to cybersecurity regarding their resume? Ⓐ Highlight all previous job titles, regardless of relevance Ⓑ Focus exclusively on cybersecurity certifications Ⓒ Write about skills and experience in domains overlapping with cybersecurity Ⓓ Downplay any IT experience to avoid being overqualified ARTICLE QUIZ SOLUTIONS Which audience is not specifically targeted by the chapter on achieving success as a SOC analyst? Ⓐ Career changers from healthcare The chapter specifically targets college graduates, career changers from IT, veterans, and the autodidact, not those transitioning from healthcare. This highlights the tailored advice for individuals with different backgrounds moving into cybersecurity. What is a recommended project for interview preparation mentioned in the chapter? Ⓑ Deploying The Modern Honey Network on AWS Deploying The Modern Honey Network on AWS with a few honeypots and analyzing the data is recommended as a project to prepare for interviews. This hands-on project demonstrates a candidate’s practical skills and ability to analyze security events, making it a valuable talking point during interviews. What is identified as the strongest selling point for autodidacts seeking a SOC Analyst role? Ⓒ Their personal projects and community involvement For autodidacts, their strongest selling point is their personal projects and involvement with the community at large. This demonstrates their passion and self-motivated learning in the field of cybersecurity, which is highly valued by employers. For recent college graduates, what is considered a significant challenge when applying for SOC Analyst roles? 
Ⓑ Lack of real-world experience Recent college graduates often face the challenge of lack of real-world experience, especially with commercial tools and complex enterprise environments. Employers look for any projects or personal initiatives that show a candidate’s interest and practical skills in cybersecurity beyond academic achievements. What is a common misconception about certifications according to the veteran’s section? Ⓓ They are more important than hands-on experience. A common misconception addressed in the chapter is the overemphasis on certifications over practical hands-on experience, especially for veterans. While certifications are valuable, the chapter underscores that practical experience and the ability to apply knowledge in real-world situations are more critical for entry-level technical positions. Which online platform is mentioned as a resource for veterans interested in cybersecurity? Ⓑ VeteranSec VeteranSec is mentioned as an online platform providing a private networking channel, free training videos, partnerships, and a cybersecurity blog specifically for military veterans interested in transitioning to cybersecurity. It’s a resource for veterans to connect, learn, and advance in their cybersecurity careers. What advice is given to those transitioning from IT to cybersecurity regarding their resume? Ⓒ Write about skills and experience in domains overlapping with cybersecurity Those transitioning from IT to cybersecurity are advised to write their resumes highlighting skills and experience in domains that overlap with cybersecurity. This strategy leverages their existing IT background, showcasing their relevant skills and making them appealing candidates for SOC Analyst roles.
- How to Become a SOC Analyst: The Tools & More
Follow the Sun Model How to Become a SOC Analyst: The Tools & More In this article, we’ll discuss the tools you’ll use every day as a SOC analyst, common security definitions, MITRE ATT&CK framework, Cyber Kill Chain model, Incident Response, and Zero Trust. This is Becoming a SOC Analyst: The Tools & More. SOC Analyst Scenario Imagine badging into the front door of your office building and saying hello to the guard you see daily, wondering what you will get him for Christmas. You leave your badge at home more often than you should, so you’ve chit-chatted as he gets you a temporary badge. You know he has a little boy, and he likes Hot Wheels. You think about this as you tell him to have a nice day, and you approach the elevator to go to your floor. You badge the elevator to get to your floor, because your floor is locked unless you are approved to get in. Then you get off the elevator at your destination and walk more toward the center of the floor where the SOC sits. You have one more door to get to the common areas, because you have access to this area, and this is where the sales and engineering teams sit in their cubicles. As you approach the center of the room where the SOC is, there are two security doors within a few feet of each other. This is called a mantrap, and it allows security to trap someone in between the two doors for them to be escorted out of the building if they are not allowed to be there. You swipe your badge at the first door, and then briefly, you get a little anxious if the locks break or your badge suddenly doesn’t work. You’d be trapped in the mantrap in some kind of horror experiment. You try your badge again and make it through the second door to the heart of security: the Security Operations Center! It is dark and there are windows, but blinds cover all of them. It is eerie because the only time the blinds seem to be opened is to let the window cleaners clean the windows. 
You look above your head around you, and you are instantly brought to the front lines as the TVs that line the ceiling display what is happening in your global company and the world in real time. You are sucked into your role, and you say hello to your friends and then jump into action. Note: This was an actual SOC for a Managed Security Services Provider that we worked for. They would periodically bring clients in to show them how seriously they took security. It sometimes felt like being watched like fish in a tank, but it made me feel pride in what I was doing. SIEM The number one tool you will need to know as a security analyst in this decade is the Security Information and Event Management (SIEM) platform and how it plays into your role. The SIEM is the heartbeat of the SOC. Everything that is done on a device can generate a log. Without logs, there would not be a security analyst. Without logs, there would not be security. When devices worldwide generate logs, the idea is to send them to a single point where they can be observed and measured. This concept is called a “single pane of glass”. It is ideally the one screen from which the SOC can operate without having to chain multiple web browsers and sites together to review security events. The single pane of glass is the SIEM. Other than collecting logs, the SIEM also puts them into chronological order. Because devices around the world are configured with different time zones, the timestamp on each log must be converted to a common reference (usually UTC) before events from different devices can be compared. Also, the SIEM normalizes logs: when logs are ingested into the platform, they are parsed into a standard schema so that, for example, a source IP address or a username means the same thing whether it came from a firewall, a Unix host, or a Windows event. Each SIEM has a “special sauce” or proprietary technique to take in billions of logs and identify suspicious things. At a basic level, the vendor or the users (or both) create rules, and the alarm is sounded if any logs match the given criteria. 
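As an added example, not the page’s own code or any vendor’s, here is a toy version of the three SIEM steps just described (normalization, chronological ordering, and rule matching) in Python. It ingests constructed log lines from a syslog host, a Windows Security export, and a firewall, maps them into one schema with UTC timestamps, sorts them, and runs two rules: a threshold rule for repeated authentication failures, and an indicator-match rule of the kind used later in the Sandboxing section, where IOCs pulled from a sandbox report are run through historical logs. The log formats, the UTC-4 offset assumed for the syslog host, the IP addresses (documentation ranges), and the indicator set are all constructed for the example.

```python
"""Mini SIEM pipeline: normalize, order chronologically, run rules.

Added example with constructed data; not real logs and not any product's code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs from three sources, deliberately out of order.
RAW_LOGS = [
    ("syslog", "Jun 10 09:01:55 web01 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2"),
    ("winsec", "2024-06-10T13:01:40Z,4625,WIN-DC01,jsmith,203.0.113.7"),
    ("syslog", "Jun 10 09:00:10 web01 sshd[1204]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    ("firewall", "1718024520 deny tcp 198.51.100.9 -> 10.0.0.5:445"),
    ("syslog", "Jun 10 09:02:30 web01 sshd[1310]: Accepted password for jsmith from 10.0.0.23 port 40022 ssh2"),
    ("syslog", "Jun 10 09:00:45 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 51236 ssh2"),
]

# Assumed per-source time conventions: the syslog host writes local time (UTC-4)
# with no year, the Windows export is ISO 8601 UTC, the firewall logs epoch
# seconds. Getting these right is the "chronological order" step.
SYSLOG_TZ = timezone(timedelta(hours=-4))
SYSLOG_YEAR = 2024

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
FW_RE = re.compile(r"^(?P<epoch>\d+) (?P<action>\w+) \w+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+):\d+")


def normalize(source, line):
    """Map one raw line into the common schema; None if it does not parse."""
    rec = {"source": source, "host": None, "user": None, "src_ip": None, "dst_ip": None}
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        local = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        rec.update(ts=local.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc),
                   host=m["host"], user=m["user"], src_ip=m["ip"],
                   event="auth_failure" if m["outcome"] == "Failed" else "auth_success")
    elif source == "winsec":
        stamp, event_id, host, user, ip = line.split(",")
        rec.update(ts=datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                   host=host, user=user, src_ip=ip,
                   event={"4625": "auth_failure", "4624": "auth_success"}.get(event_id, "other"))
    elif source == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        rec.update(ts=datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc),
                   src_ip=m["src"], dst_ip=m["dst"], event="fw_" + m["action"])
    else:
        return None
    return rec


def ingest(raw):
    """Normalize every line and return the records in UTC chronological order."""
    records = [r for r in (normalize(s, l) for s, l in raw) if r]
    records.sort(key=lambda r: r["ts"])
    return records


def rule_auth_bruteforce(records, threshold=3, window=timedelta(minutes=2)):
    """Alarm when one source IP produces >= threshold auth failures inside the window.
    Failures are correlated across sources (sshd and Windows 4625 alike)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["event"] == "auth_failure":
            by_ip[r["src_ip"]].append(r["ts"])
    alarms = []
    for ip, stamps in by_ip.items():   # stamps are already sorted (records are)
        best, start = None, 0
        for end in range(len(stamps)):  # sliding window, one alarm per IP
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"rule": "auth_bruteforce", "src_ip": ip, "count": count,
                        "first": stamps[start], "last": stamps[end]}
        if best:
            alarms.append(best)
    return alarms


# Indicators taken from a (constructed) sandbox report of a detonated sample.
SANDBOX_IOC_IPS = {"198.51.100.9"}


def rule_ioc_match(records, ioc_ips):
    """Alarm on any historical record that talked to a sandbox-derived indicator."""
    return [{"rule": "ioc_match", "ts": r["ts"], "indicator": ip, "source": r["source"]}
            for r in records for ip in (r["src_ip"], r["dst_ip"]) if ip in ioc_ips]


if __name__ == "__main__":
    recs = ingest(RAW_LOGS)
    for r in recs:
        print(r["ts"].isoformat(), r["source"], r["event"], r["user"], r["src_ip"])
    for a in rule_auth_bruteforce(recs) + rule_ioc_match(recs, SANDBOX_IOC_IPS):
        print("ALARM", a)
```

Two things worth noticing when you run it: the sshd failures and the Windows 4625 event only line up as one attack because every timestamp was first converted to UTC and every record carries `src_ip` under the same name, and the firewall deny line that matches the sandbox indicator would be missed entirely by the brute-force rule, which is why an IOC sweep over historical logs is a separate step from behavioural rules.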
Next-generation SIEM platforms perform User and Entity Behavior Analytics (UEBA), which monitors your user-generated logs, creates a baseline of activity that is considered normal, and then sounds the alarm when someone is acting outside of their normal behavior. Next-generation SIEM platforms are also moving toward being case managers. When multiple alarms are seemingly related, they offer a way to combine them and track evidence and investigations in a meaningful and easy-to-use way. Lastly, next-generation SIEM platforms are moving toward integrated automation. Security Orchestration, Automation, and Response (SOAR) is rapidly gaining traction in the industry and is poised to be the next “single pane of glass.” Firewalls In addition to SIEM and SOAR, you will likely come across firewalls. Firewall engineering is a specialty all on its own, but it’s important to know that the biggest players in the firewall space are Cisco, Checkpoint, Fortinet, Palo Alto, Juniper, and SonicWall. As a security analyst, you might be responsible for performing a firewall block on an IP address or requesting to have it done. What this means is that you have used the tools and techniques of a security analyst, determined that the address is malicious, and want to block all communication between it and your internal network. IDS/IPS You will also need to know the difference between an intrusion prevention system (IPS) and an intrusion detection system (IDS). A prevention system can take action on traffic as events happen. A detection system only detects and reports; it does not interfere with the traffic. Figure 5–1 is a basic illustration of two computers communicating and how the IDS would fit in, just monitoring passively. Figure 5–1 Intrusion Detection System Intrusion detection systems can either be placed “in-line” or fed through a network tap, as seen in Figure 5–1. 
Tapping the network allows the device to see traffic without affecting bandwidth. Intrusion detection systems placed behind a tap cannot take preventative action because they cannot control the flow of traffic. Figure 5–2 depicts two computers communicating and how an intrusion prevention system fits into the network in an “active” scenario. Because it sits in line on the network, the intrusion prevention system can change the traffic flow between the two devices.
Figure 5–2 Intrusion Protection System
Intrusion prevention systems must be placed in-line, as seen in Figure 5–2. Most modern intrusion prevention systems have some rules set to “take action” and some set to monitor only. These are called intrusion detection and prevention systems (IDPS).
Sandboxing
Another tool you may come across is a sandbox. When you hear someone say, “Did you sandbox that?”, they mean: have you executed the file or opened the website in a protected environment to find out what it does? Quite a few endpoint detection products will detonate the file on your behalf to decide whether it is malicious, but nothing comes close to a good report from Hybrid Analysis or Joe Sandbox. These tools are designed to twist every knob and press every button to squeeze as much execution information as they can out of the sample. As a SOC analyst, you mainly use these tools to extract indicators of compromise, such as the hashes of files the sample drops or the IP addresses and domains it contacts, and then run those through your SIEM to see whether there are any historical connections.
Terminology
As you go through your day as a SOC analyst, you will come across terms that aren’t always agreed on and whose meanings are a bit vague. From the best of our combined experience, these are the best definitions for these terms. Figure 5–3 charts the relative volume of each class.
Figure 5–3 Volume Funnel Chart
Security Logs: Most Common
At the very base of a security program are security logs.
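The sandbox-to-SIEM workflow described above, as an added example and not the article's code: it pulls hashes, public IPs and domains out of a constructed sandbox report (a made-up schema, not Hybrid Analysis or Joe Sandbox output), drops the sandbox's own background noise, and sweeps a few constructed historical SIEM lines for whole-token matches. The fake hashes, hosts, internal ranges and the allowlist are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Obviously fake 64-hex-char values standing in for real SHA-256 hashes.
SAMPLE_SHA256 = "0123456789abcdef" * 4
DROPPED_SHA256 = "fedcba9876543210" * 4

# Constructed sandbox report in a made-up schema (not Hybrid Analysis or Joe Sandbox output).
REPORT = {
    "sample_sha256": SAMPLE_SHA256,
    "dropped_files": [{"path": "C:\\Users\\Public\\svc.exe", "sha256": DROPPED_SHA256}],
    "network": [
        {"type": "dns", "host": "update.example-bad.test"},
        {"type": "tcp", "dst": "203.0.113.45", "port": 443},
        {"type": "tcp", "dst": "10.0.0.2", "port": 53},          # the sandbox's own resolver
        {"type": "dns", "host": "time.windows.com"},             # OS background traffic
    ],
}

# Assumed allowlist of hosts every detonation touches regardless of the sample,
# and the address ranges (RFC 1918 plus loopback) that are never external IoCs.
BENIGN_HOSTS = {"time.windows.com"}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def extract_iocs(report, benign=BENIGN_HOSTS):
    """Pull hashes, external IPs and domains out of the report, dropping sandbox noise."""
    iocs = {"sha256": set(), "ip": set(), "domain": set()}
    iocs["sha256"].add(report["sample_sha256"].lower())
    for f in report.get("dropped_files", []):
        iocs["sha256"].add(f["sha256"].lower())
    for conn in report.get("network", []):
        if conn["type"] == "tcp" and not is_internal(conn["dst"]):
            iocs["ip"].add(conn["dst"])
        elif conn["type"] == "dns" and conn["host"].lower() not in benign:
            iocs["domain"].add(conn["host"].lower())
    return iocs

def sweep(iocs, lines):
    """Search historical SIEM lines for whole-token matches of any IoC."""
    wanted = set().union(*iocs.values())
    hits = defaultdict(list)
    for line in lines:
        ts, source = line.split()[:2]
        tokens = {t.lower() for t in re.split(r"[\s=]+", line)}   # whole tokens only,
        for ioc in wanted & tokens:                                 # so 203.0.113.4 != 203.0.113.45
            hits[ioc].append((ts, source))
    return dict(hits)

SIEM_HISTORY = [   # constructed historical log lines already sitting in the SIEM
    "2024-01-10T14:02:11Z proxy01 user=jsmith dst=update.example-bad.test status=200",
    "2024-01-10T14:02:13Z fw01 action=allow src=10.0.0.15 dst=203.0.113.45 dport=443",
    "2024-01-11T09:00:00Z edr host=WS-ANNA file=C:\\Temp\\x.exe sha256=" + DROPPED_SHA256,
    "2024-01-11T09:30:00Z proxy01 user=bob dst=time.windows.com status=200",
    "2024-01-12T10:00:00Z fw01 action=allow src=10.0.0.20 dst=203.0.113.4 dport=80",
]

if __name__ == "__main__":
    iocs = extract_iocs(REPORT)
    found = sweep(iocs, SIEM_HISTORY)
    for ioc, where in found.items():
        print(ioc, "->", where)
    print("no prior contact:", set().union(*iocs.values()) - set(found))
```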
These logs can come from anything and everything and be about anything and everything. Once they are ingested into a SIEM, they become security logs. Examples of important security logs that a SOC would want to capture are network flow logs, Windows Event Logs, Unix syslogs, and firewall logs. A security event can string together many security logs.
Security Event: Common
Security events are the day-to-day routine of security monitoring from the tooling. They are very common; almost all security tooling notifications (vulnerability scanners being the exception) start as a security event generated from security logs and are escalated as needed. A security event must be escalated to a security incident before it can become a breach. When a security event is escalated to an incident, the incident response process triggers and an incident handler is assigned.
Incident: Uncommon
Security incidents are uncommon but happen more frequently than security breaches. An incident is declared, and the incident response process starts, if there is a suspected loss of sensitive data. What is not an incident: security events and vulnerabilities that have not been escalated.
Security Breaches: Rare
Security breaches are rare and involve a verified loss of data containing sensitive personal information. In most cases, calling something a breach requires the legal department and the CISO to declare it one. As a new analyst, it is good practice not to use this term anywhere unless told otherwise. In most cases, breaches require a breach notification to clients and sometimes the public, and they are handled with extra sensitivity. All breaches start as incidents.
The Incident Response Process
As an analyst, you’ll typically deal with security events that you see through to closure; however, sometimes a security event becomes larger than what the SOC typically handles, requiring the Incident Response Plan (IRP) to be executed and the dedicated Incident Response Team (IRT) to take over the investigation. It is important for you to understand the incident response process. The incident response process is a structured approach businesses develop to manage and mitigate the impact of security breaches. This critical process aims to minimize damage, reduce recovery time and costs, and prevent future incidents. By following a well-defined response plan, organizations can quickly address vulnerabilities, assess the extent of breaches, and implement effective countermeasures. This proactive and reactive strategy is essential to maintaining the integrity, confidentiality, and availability of information assets in today’s increasingly complex and evolving cyber threat landscape. The National Institute of Standards and Technology (NIST) Incident Response Lifecycle is a common and widely recognized standard. It is broken down into four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.
Figure 5–4 Incident Response Process
Preparation is the first and most impactful phase of the incident response lifecycle. This is where the groundwork for how an organization responds to a security breach is laid. Training and awareness programs are defined for the incident responders and the larger organization. By preparing for incidents before they happen, companies build resilience against cyber threats. This proactive approach means that the impact on operations, reputation, and finances can be minimized when incidents occur. Detection and Analysis is where the SOC focuses its efforts.
It’s important to remember that early detection is critical: the sooner a security incident is detected, the more effectively it can be contained and remediated. Having a detailed and comprehensive Incident Response Plan will also aid in developing rapid response capabilities. The plan should clearly specify how to prioritize security incidents, the escalation procedures, and whom in the organization’s leadership to report confirmed security incidents to. Containment, Eradication, and Recovery begin once a security incident is declared. The first objective of this phase is to accurately identify the method of compromise and the actions taken by the attacker post-compromise. From there, a plan to “stop the bleeding” can be developed. This is how containment is achieved. Next, actions are taken to eradicate the access gained by the attacker. This could include removing an endpoint infected with ransomware from the network, resetting compromised passwords, or adding a network block to the firewalls. The actions taken here vary incident by incident and require critical thinking to ensure nothing is missed. Finally, a recovery plan is developed and executed. This usually involves identifying the initial method of compromise and plugging the hole to ensure it doesn’t happen again. For example, if a web server was compromised using SQL injection, the developer would be tasked with remediating the SQL injection vulnerability in the website. Recovery is considered complete once all affected systems, networks, and user accounts are returned to the operational state they were in before the incident. Implementing new security detections for the SOC to monitor post-incident is also essential. You can move into the final phase only after extensive testing of the new security controls and detections. Post-Incident Activity is when an analysis of the response process is conducted to identify any opportunities for improvement.
For the veterans out there, this is where the After Action Review (AAR) would be conducted. Usually, the Incident Commander/Manager will meet with everyone involved in the incident to talk through the steps taken, identify what worked and what needs improvement, and develop a report for executive leadership. This step might result in updates to the Incident Response Plan, strengthened security measures, or previously unknown security gaps being filled with tooling or detections. Finally comes knowledge sharing. Many organizations are members of cybersecurity working groups. One example is the Defense Industrial Base (DIB) hosted by the Department of Defense. DIBnet is a secure portal through which companies that are members of the DIB share incident reports, indicators of compromise, and lessons learned with one another to strengthen the entire community through collaboration.
MITRE ATT&CK Framework
Tactics, Techniques, and Procedures (TTPs) describe the three components of the process adversaries use to develop threats and plan cyberattacks. Tactics represent the “why” of an attack technique: the reason for performing an action. Techniques represent “how” an adversary achieves a tactical goal by performing an action. Procedures are the specific implementations the adversary uses for techniques. Note: Tactics, Techniques, and Procedures (TTPs) is a common industry term that you should know. Developed by the MITRE Corporation, the ATT&CK framework is a knowledge base that describes cyber adversary tactics, techniques, and procedures based on real-world observations. It is most commonly used at the management level, in metrics that categorize the attacks seen in an organization so that leadership knows where to improve the security posture. It is also important for an analyst to be familiar with it so that you know how to categorize things when you need to. But you don’t need to memorize everything; it’s all there on the website for you.
Figure 5–4 The ATT&CK for Enterprise Matrix
It’s OK if you can’t read Figure 5–4; that’s what the matrix looks like when you visit the website. The key components of the MITRE ATT&CK framework are:
Tactics: High-level objectives or goals that adversaries seek to achieve during an attack. Examples include Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. These are at the top of Figure 5–3.
Figure 5–5 MITRE ATT&CK Tactics
Techniques: Specific methods or approaches that adversaries use to accomplish a particular tactic. Techniques are more detailed and granular than tactics. For example, within the “Execution” tactic, there might be techniques like Command-Line Interface, Scripting, or Exploitation of Remote Services.
Figure 5–6 MITRE ATT&CK Techniques
Procedures: Specific instances or examples of how adversaries implement techniques in a real-world scenario. These are listed inside each technique.
Figure 5–7 MITRE ATT&CK Procedures
Mitigations: Inside each technique are recommendations and best practices to defend against or minimize the impact of specific techniques.
Groups: Inside each technique are the adversarial groups or threat actors that researchers have identified using it, along with information about their tactics, techniques, and procedures.
Software: Inside each technique is the specific malware, tools, or software associated with adversary activity.
The MITRE ATT&CK framework is widely used in the cybersecurity community for threat intelligence, red teaming, blue teaming, and incident response.
Cyber Kill Chain
Another model like the MITRE ATT&CK framework that is used for mapping adversaries and developing countermeasures is the Cyber Kill Chain. The Cyber Kill Chain is a concept that describes the stages an adversary typically goes through to successfully execute a cyber attack.
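The management-level use of ATT&CK described above (categorizing what was seen to find where to improve), as an added example rather than anything from MITRE or the article: a hypothetical detection-rule catalogue is mapped to tactics and technique IDs, a constructed month of alerts is counted per tactic and per technique, and the tactics no rule covers are listed. The rule names, alerts and hosts are assumptions; the tactic names and technique IDs are real ATT&CK for Enterprise identifiers.

```python
from collections import Counter

# The 14 ATT&CK for Enterprise tactics, in matrix column order.
TACTICS = ["Reconnaissance", "Resource Development", "Initial Access", "Execution",
           "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
           "Discovery", "Lateral Movement", "Collection", "Command and Control",
           "Exfiltration", "Impact"]

# Constructed detection-rule catalogue: rule name -> (tactic, technique ID, technique name).
# A technique can sit under several tactics; each rule is tagged with the one it detects for.
RULES = {
    "phish-attachment-macro": ("Initial Access", "T1566", "Phishing"),
    "powershell-encoded-cmd": ("Execution", "T1059", "Command and Scripting Interpreter"),
    "new-scheduled-task": ("Persistence", "T1053", "Scheduled Task/Job"),
    "lsass-handle-open": ("Credential Access", "T1003", "OS Credential Dumping"),
    "rdp-fan-out": ("Lateral Movement", "T1021", "Remote Services"),
    "mass-file-rename": ("Impact", "T1486", "Data Encrypted for Impact"),
}

# Constructed month of fired alerts: (date, rule name, host).
ALERTS = [
    ("2024-01-03", "phish-attachment-macro", "WS-ANNA"),
    ("2024-01-03", "powershell-encoded-cmd", "WS-ANNA"),
    ("2024-01-04", "powershell-encoded-cmd", "WS-BOB"),
    ("2024-01-09", "new-scheduled-task", "WS-ANNA"),
    ("2024-01-15", "powershell-encoded-cmd", "WS-CARL"),
    ("2024-01-20", "rdp-fan-out", "WS-ANNA"),
    ("2024-01-20", "lsass-handle-open", "WS-ANNA"),
]

def validate(rules):
    """Fail fast on a mapping typo so the metrics are not silently wrong."""
    for name, (tactic, tid, _) in rules.items():
        if tactic not in TACTICS:
            raise ValueError(f"rule {name}: unknown tactic {tactic!r}")
        if not (tid.startswith("T") and tid[1:].isdigit()):
            raise ValueError(f"rule {name}: malformed technique id {tid!r}")

def coverage(rules, alerts):
    """Alert volume per tactic and technique, plus the tactics no rule can detect at all."""
    validate(rules)
    covered = {tactic for tactic, _, _ in rules.values()}
    by_tactic = Counter({t: 0 for t in covered})        # covered but quiet shows as 0
    by_technique = Counter()
    for _, rule, _ in alerts:
        tactic, tid, tname = rules[rule]
        by_tactic[tactic] += 1
        by_technique[f"{tid} {tname}"] += 1
    return {"by_tactic": dict(by_tactic), "by_technique": dict(by_technique),
            "uncovered": [t for t in TACTICS if t not in covered]}

def host_story(rules, alerts, host):
    """Tactics seen on one host in matrix order: a quick read of how far an intrusion got."""
    seen = {rules[rule][0] for _, rule, h in alerts if h == host}
    return [t for t in TACTICS if t in seen]

if __name__ == "__main__":
    report = coverage(RULES, ALERTS)
    for tactic in TACTICS:
        print(f"{tactic:22} {report['by_tactic'].get(tactic, 'no rule')}")
    print("WS-ANNA:", " -> ".join(host_story(RULES, ALERTS, "WS-ANNA")))
```

Impact shows as 0 (a rule exists but never fired) while Defense Evasion shows as "no rule"; the second case is the gap the metrics are meant to surface.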
It was initially introduced by the defense contractor Lockheed Martin and has since become a widely adopted framework in the field of cybersecurity. The Cyber Kill Chain helps organizations understand and analyze the various phases of a cyber attack, allowing them to implement effective defense mechanisms at each stage. The traditional Cyber Kill Chain consists of the following stages:
Figure 5–8 Stages for Cyber Kill Chain
Reconnaissance: The attacker gathers information about the target, such as identifying potential vulnerabilities, employee names, and network architecture. This can involve both passive (e.g., online research) and active (e.g., scanning for open ports) methods.
Weaponization: The attacker creates or acquires a weapon, typically in the form of malware or a malicious payload, designed to exploit a specific vulnerability.
Delivery: The attacker delivers the weapon to the target environment. This could occur through various means, such as email attachments, malicious links, or exploiting software vulnerabilities.
Exploitation: The weapon is executed, taking advantage of vulnerabilities in the target system to achieve its malicious objectives. This stage often involves gaining unauthorized access or control over the targeted systems.
Installation: The attacker establishes a persistent presence in the target environment by installing additional tools, backdoors, or malware. This allows them to maintain access and control over the compromised system.
Command and Control (C2): The attacker establishes communication channels with the compromised system to remotely control and manage the attack. This can involve receiving instructions, exfiltrating data, or delivering additional payloads.
Actions on Objectives: The attacker achieves their ultimate goal, which could include data theft, system disruption, or other malicious activities. This stage may vary depending on the attacker’s motives, such as financial gain, espionage, or activism.
Not all attacks follow these stages in a fixed order, and defenders can disrupt the chain at various points to prevent or mitigate the impact of an attack. Understanding the Cyber Kill Chain is valuable because, although the MITRE framework is more common, the kill chain is still referenced in some places, and conceptually it can be easier to digest than the MITRE framework. Just know that it is another model, like the MITRE ATT&CK framework, for mapping attackers to help with countermeasures.
OWASP Top 10
OWASP stands for Open Worldwide Application Security Project. More commonly known as the Open Web Application Security Project, it is a nonprofit foundation that works to improve the security of software. It has over 250 chapters that meet in person all over the world, and there is likely one near you. You should consider attending sometime, as it’s a great way to network with people. OWASP publishes a Top 10 report that describes the top 10 web application security risks. It’s important for you to be familiar with these risks. I have been asked in interviews before to describe Cross-Site Scripting (XSS) or SQL Injection (SQLi). OWASP Top 10 skills are difficult to learn, and they are best taught not through an article but through hands-on practice.
Zero Trust
Zero Trust is a security approach where you don’t automatically trust anyone or anything, whether they’re inside or outside your network. Instead of assuming everything is safe once inside, you constantly check and verify things like user identity, device health, and the context of the situation before allowing access to sensitive data. These are the basic principles of Zero Trust:
Always check and make sure that people, devices, or systems are who or what they claim to be before letting them access important data.
Only give people or things the minimum access they need to get their job done. Don’t give them more than necessary.
Divide your network into smaller parts and control how things communicate between them. This way, if one part is in trouble, it won’t affect everything else.
Keep an eye on what people and things are doing. If something seems weird or not right, check it out and take action.
Decide who gets access based on the context, like where they are, what time it is, and how important the data is that they want.
Make sure that information is protected by encrypting it, making it unreadable to anyone who shouldn’t see it.
Always be ready to adjust your security rules based on what’s happening. Stay flexible and adapt to new threats or situations.
These principles form the foundation of the Zero Trust model. It is quickly being adopted everywhere because your data is now everywhere. Most corporate networks no longer have the defined perimeter they had in the past. The only way to ensure that access to your data is authorized is to keep a closer eye on who accesses what and when, and we do this by implementing the Zero Trust model. Zero Trust: NEVER trust, ALWAYS verify.
Summary
When you start your new job on day one, it will help you tremendously if you have even heard of some of these technologies, concepts, and methodologies, not to mention how much it will help you to understand them during the interview process. As I stated, the SIEM is the most important tool today for a SOC analyst to know. In the future, more single panes of glass are going to be driven by SOAR platforms, but they will likely be a combined product: a SIEM/SOAR platform serving as the single pane of glass.
ARTICLE QUIZ (ANSWERS FOLLOW)
_________ provides near real-time analysis of security alerts, allowing security specialists to see an overview of their network.
Ⓐ SIEM Ⓑ IPS Ⓒ IDS Ⓓ SOAR
_________ monitors all users and establishes a baseline of activity that’s considered normal, then sounds the alarm when someone’s activity falls outside of that.
Ⓐ SIEM Ⓑ SOAR Ⓒ UEBA Ⓓ IPS
_______ allows predefined playbooks to run automatically for common security issues, freeing up staff to work on more challenging and interesting items.
Ⓐ UEBA Ⓑ SIEM Ⓒ IDS Ⓓ SOAR
Common firewall vendors include all the following except:
Ⓐ Super Sonic Ⓑ Cisco Ⓒ Checkpoint Ⓓ Palo Alto
_______ allows a device to take action as needed to control the flow of network activity.
Ⓐ IDP Ⓑ IPS Ⓒ SOAR Ⓓ SIEM
_______ allows for detection, not intervention.
Ⓐ IDS Ⓑ IPS Ⓒ SIEM Ⓓ UEBA
When a file is opened or executed in a protected environment to find out what it does, this action is known as _______.
Ⓐ Shadow Boxing Ⓑ Encryption Ⓒ Sandboxing Ⓓ An Incident
You shouldn’t use this term unless specifically instructed to: _______.
Ⓐ Incident Ⓑ Breach Ⓒ Security Event Ⓓ Logs
_______ initiate an incident response process if there’s a suspected loss of sensitive data.
Ⓐ Incidents Ⓑ Breaches Ⓒ Events Ⓓ Logs
ARTICLE QUIZ SOLUTIONS
_________ provides near real-time analysis of security alerts, allowing security specialists to see an overview of their network.
Ⓐ SIEM. Security Information and Event Management (SIEM) platforms provide real-time analysis of security alerts, allowing security specialists to see an overview of their network.
_________ monitors all users and establishes a baseline of activity that’s considered normal, then sounds the alarm when someone’s activity falls outside of that.
Ⓒ UEBA. User and Entity Behavior Analytics monitors all users and establishes a baseline of activity that’s considered normal, then sounds an alarm when someone’s activity falls outside of the baseline.
_______ allows predefined playbooks to run automatically for common security issues, freeing up staff to work on more challenging and interesting items.
Ⓓ SOAR. Security Orchestration, Automation, and Response (SOAR) tools allow predefined playbooks to run automatically for common security issues, freeing up the staff to work on more challenging and interesting items.
Common firewall vendors include all the following except:
Ⓐ Super Sonic. Super Sonic is not a common firewall vendor. A similar-sounding one is “SonicWall.”
_______ allows a device to take action as needed to control the flow of network activity.
Ⓑ IPS. Intrusion Prevention Systems (IPS) can control the flow of network traffic when placed in-line on a network.
_______ allows for detection, not intervention.
Ⓐ IDS. Intrusion Detection Systems (IDS) allow for detection, not intervention.
When a file or website is executed in a protected environment to find out what it does, this action is known as _______.
Ⓒ Sandboxing. Sandboxing is a protected environment where someone can execute potentially malicious files and URLs safely to measure how they execute and what they do.
You shouldn’t use this term unless specifically instructed to: _______.
Ⓑ Breach. Typically the term “breach” is a contractual term, and its use should be avoided unless you are specifically told otherwise.
_______ initiate an incident response process if there’s a suspected loss of sensitive data.
Ⓐ Incidents. Incidents initiate a predefined Incident Response Process (IRP), and typically an Incident Handler is assigned from the Incident Response Team (IRT) to manage the incident.
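For the SQL injection (SQLi) risk named in the OWASP Top 10 section above and used as the recovery example in the incident response process, an added example that is not the article's: the vulnerable query built from user input sits beside the parameterized fix a developer would ship, on a constructed in-memory SQLite table. The table, its rows and the function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table standing in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """'Before': the SQL text is built from user input, so the input can rewrite the query."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_fixed(conn, username):
    """'After': a parameterized query. The driver sends the value separately from the SQL
    text, so whatever the user typed is compared as data and never parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?",
                        (username,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The second input is the classic tautology; note how the two functions diverge on it.
    for name in ["alice", "x' OR '1'='1"]:
        print(repr(name), "vulnerable:", lookup_vulnerable(db, name),
              "fixed:", lookup_fixed(db, name))
```

The vulnerable version returns every row for the second input; the fixed version returns nothing, because no user is literally named that.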
- Azure Cybersecurity Labs - Part One
Azure Cybersecurity Labs
In this series of blog posts, we will get hands-on with Cloud Security. One of the biggest challenges people face is that they can't get a job in Cloud Security because they don't have experience, and since they don't have experience, they can't get a job. This series will focus on Azure Cybersecurity Labs. Cloud computing has grown by leaps and bounds in the last decade, and most, if not all, companies are migrating to one of the big three players in the Cloud: AWS, Azure, and GCP. While most companies operate using a multi-cloud approach, meaning they operate in two or more of the big three, we will focus specifically on Azure in these labs. I advocate for the Microsoft Cloud, and I feel it's the safest bet for your career, as most large enterprises have an Active Directory infrastructure, and it makes the most sense for those companies to move into the Azure cloud. I am betting my future that Azure will dominate the cloud market by the end of the 2020s. Microsoft has a holistic solution for managing infrastructure in the cloud, and its cloud security products aren't too shabby either. I enjoy using the Defender suite of products, and I know they're being widely adopted everywhere. They will be the standard security tool for many, many large enterprises in the future. By the end of this series, you will be able to say you have experience deploying and managing Azure infrastructure as code, scanning infrastructure code for misconfigurations, and using open source tools to scan your Azure environment against security best practices. Cloud security certifications are essential, but more important is that you have hands-on experience with the cloud and understand why the certification bodies think this information is necessary. BELIEVE ME, it won't completely make sense just by studying for an exam.
You have to do it for yourself for it to click. At least, that's how it was for me. Then you can put REAL experience that you've gained on your resume, and it will work for you as you apply for your next job, or you can create Fiverr or Upwork services to conduct independent assessments for small-to-medium sized businesses. I am excited to start this journey with you guys, and if you haven't already completed the lab posted for the honeypot project, your first task is to sign up and get your free credits from Azure. The credits are valid for a month. Talk to you soon.