Areas of Expertise in the SOC
In this article, we'll discuss the many disciplines that make up a successful company, their scope of duties, and how each role interacts with the Security Operations Center (SOC). We'll also cover the external organizations with which the SOC might interact in its day-to-day work. These are the areas of expertise in the SOC.

Your time as a SOC analyst will bring you into contact with many teams from within your organization. Everyone, including the CEO, could be involved in a security investigation. The SOC also plays an essential role in the functions of other teams, including external organizations. This article will break down the teams into three sections: information security teams, internal teams, and external teams. So, let's get started.

Information Security

Information security teams in most large organizations today are made up of three groups: analysts, engineers, and architects. The size of the company's enterprise network is usually the main factor in determining whether the team is staffed internally or outsourced to third-party organizations. Some mid-sized organizations might combine the duties of two teams to save costs. Regardless of who staffs these positions, the scope of responsibility for each group is different and distinct. Job titles vary from company to company, so instead we categorize each function by the type of work it does, whether that's analysis, engineering, or architecture.

Analysts

Let's start with an easy one. Security Operations is where you work as a SOC analyst. I hope by now you've learned that "SOC" is an acronym for Security Operations Center. Right, now that we've gotten that large knee-slapper out of the way, let's talk briefly about Security Operations' scope of duties. Security Operations is home to the analysts: threat intelligence, threat hunting, digital forensics, and incident response analysts.
Sometimes there are more subgroups, sometimes fewer. Sometimes companies give analysts an "engineer" or "specialist" job title. Job titles are made up, so we refer to the type of work you'll be doing. Each subgroup works together to ensure that day-to-day operations run smoothly.

The SOC is responsible for monitoring, investigating, and remediating security events. This is most people's starting point in cybersecurity. Its scope of responsibility depends on who is staffing the SOC. As previously discussed, SOCs can be internal to the company or outsourced to a Managed Security Services Provider (MSSP). Internal SOCs typically have higher privileges to take remedial action during an incident, whereas MSSPs usually must report the incident to the customer's information technology (IT) team. The key benefit of an internal SOC over an MSSP is the internal SOC's ability to learn the details of a single network. MSSPs have multiple customers and must monitor several enterprise networks at once. This leaves their analysts at a disadvantage, as they never truly learn the granular details of any one customer's enterprise.

Threat Intelligence (TI) is usually a smaller team focused on researching new threat reports, determining whether a new threat is a danger to the company, and providing pertinent details to management and other information security teams. In some situations, the TI team is responsible for managing the Threat Intelligence Platform, which serves as a single point of collection for indicators of compromise and intelligence reports from multiple intel sources. Typical intel sources are threat feeds, such as AlienVault or Talos Intelligence, and Open Source Intelligence. The best threat feeds require a subscription and can get expensive; however, they have dedicated security researchers teamed with intelligence collection specialists to generate high-fidelity reports.
Open Source Intelligence, or OSINT for short, can provide excellent intel if you have a team dedicated to sifting through it all. A quick Google search for "Open Source Intel Feeds" will net you a plethora of top-ten lists of the best OSINT feeds out there. The Threat Intelligence Analyst role requires foundational knowledge across cybersecurity, good written and verbal communication skills, presentation skills, technical knowledge of cybersecurity threats, and a love for reading tons of information and fostering relationships with people who share it. Threat Intelligence Analysts empower the operations teams to detect and protect efficiently. This is not a junior position, but it can be staffed without having worked in the SOC. It could be a great position to try right out of the gate for transitioning military.

The Digital Forensics and Incident Response (DFIR) teams are responsible for conducting investigations into long and enduring incidents. At more mature companies this is sometimes split into two separate teams; at others it's one team known as the DFIR team. In both cases, they are common escalation points from the SOC. The SOC conducts the initial investigation, and if the incident isn't resolved after it has travelled through all of the tiers, it transitions to Digital Forensics and Incident Response, who often have to work together to resolve it. This is why it's common to find the two functions combined into one team (Figure 1–1).

Figure 1–1. DF and IR Shared Responsibility

Any engagements with legal, privacy, fraud, or external law enforcement organizations get filtered through the Digital Forensics and Incident Response teams, who essentially become the experts on such matters. Also, in most organizations, the Digital Forensics and Incident Response teams work hand in hand with threat intelligence to conduct threat hunting. These are not junior positions and are often staffed by people who first worked in the SOC.
The Threat Hunting team is an advanced security function that combines a proactive methodology, innovative technology, highly skilled people, and in-depth threat intelligence to find and stop the malicious, often hard-to-detect activities executed by stealthy attackers that automated defenses may miss. Threat Hunting Analysts proactively search environments for traces of malicious activity. The job requires knowledge of common SIEM tools and their query languages, and familiarity with the rest of the tools in the environment: endpoint tools, vulnerability scanners, and cloud access security brokers (CASBs), to name a few. If something is producing security events, the Threat Hunter needs to know about it. They also need expert knowledge of offensive security and how attacks happen. Just because the title says "Analyst" doesn't mean this is a junior position. It requires a lot of expertise, but it is becoming more accessible to smaller companies as tools automate threat hunting and/or suggest threat-hunting queries. This position is often staffed by people who first worked in the SOC.

The Red Team are your in-house penetration testing analysts. Not all businesses have a Red Team, as it might be more cost-efficient to outsource the function, but it plays a critical role in any company. How do you test to ensure your security controls are working? Easy: hack yourself. Ethical hackers are analysts with the skills needed to compromise your enterprise network. Let's talk briefly about a few types of penetration tests businesses use today.

Black Box Test: The penetration tester has no prior knowledge of the target environment. This mimics an attacker with a limited understanding of the company. Typically, this type of test is contracted from a third-party penetration testing firm, because the in-house Red Team already knows the network too well to play an uninformed outsider.

White Box Test: Testers have full knowledge of the target environment.
This type of test is usually aimed at a smaller portion of the enterprise. It could be a software company's code pipeline or source code repository. The Red Team thrives in this type of penetration test.

Gray Box Test: A combination of black box and white box, with the tester having partial knowledge of the target environment. This replicates a malicious insider, or an outside attacker who has successfully infiltrated your network and established a foothold.

Purple Team Test: This type of test is used to measure the effectiveness of the SOC and DFIR teams (the Blue Teams). It is a planned, collaborative exercise in which the Red Team intentionally triggers a security alert to force the Blue Team to respond, and both sides then compare what was detected, what was missed, and why. The findings are used to drive improvements in the security program. Blue Team + Red Team = Purple Team! Cyber professionals sure love their colors.

This list is not all-encompassing; there are many other types of penetration tests that can be conducted. But generally speaking, these four will cover the large majority of all tests performed. Penetration testers are a special breed of security professionals; they dedicate a lot of time to honing their skills and testing new hacking tools and techniques. The Red Team is often staffed by people who first worked in the SOC, but it also has a knack for attracting lone wolves from the wild with special talents and skills.

Engineers

The Security Engineering team is responsible for deploying, managing, and maintaining the enterprise's security tools and appliances. Many smaller companies will combine this function with the SOC analysts. They're able to do this due to the small footprint of the network; however, more mature companies will have entire teams for engineering. Whether this role is separately staffed or handled by the SOC, security engineers are also responsible for updating and tuning the security tools. Many organizations will assign a single technology group to an engineer.
Common technology groups for engineers are:

Application Security Engineer: Responsible for identifying and addressing security weaknesses in applications that a business develops or uses. They implement controls, including application authentication, encryption, and authorization settings; test software; set up firewalls; and scan and test applications.

Network Security Engineer: Responsible for maintaining the safety of the business's organizational network. They monitor the network for breaches, identify vulnerabilities, and develop solutions and safeguards to protect the network against attacks.

Cloud Security Engineer: Responsible for defending the business against attacks within the cloud. The engineer is responsible for configuring network security, building applications, identifying and addressing vulnerabilities, and maintaining a secure cloud infrastructure.

SIEM Engineer: Responsible for collaborating with various stakeholders to understand business requirements and devise strategies for using the data the SIEM collects more effectively and efficiently. Works closely with the SOC, assisting in the implementation and management of SIEM and SOAR technologies, and increasingly applies ML/AI techniques to enhance threat detection and analysis.

Detection Engineer: Responsible for designing, building, and fine-tuning the systems and processes that detect malicious activity or unauthorized behavior. They maintain the monitoring portfolio and track coverage gaps across the security tools. They define change management processes so that alerts aren't modified or removed without review, and they often practice "detection as code" by moving detection development into version-controlled code pipelines such as GitHub or GitLab, where each rule is reviewed, tested, and deployed like any other software change.

Vulnerability Management Engineer: Responsible for scanning the environment for known vulnerabilities, prioritizing them, and assisting with managing the patching of the affected devices.
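To make "detection as code" concrete, here is an added example (not code from this article or from any SIEM product) of what a Detection Engineer checks into the pipeline: a rule expressed as data, the logic that evaluates it, and a test that must pass before the rule ships. The rule (several failed logons from one source followed by a success within a short window) is also the kind of question a Threat Hunter would type into a SIEM query language. The JSON event lines, field names, threshold, and window are all constructed for this example and are assumptions, not a vendor schema.

```python
"""Detection-as-code example: one rule, its evaluation logic, and its CI test."""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (JSON lines, as a log pipeline might emit them).
# Users, IPs, and field names are made up for this example.
SAMPLE_EVENTS = """
{"ts": 100, "user": "alice", "src_ip": "10.1.1.5", "action": "logon", "outcome": "failure"}
{"ts": 110, "user": "alice", "src_ip": "10.1.1.5", "action": "logon", "outcome": "failure"}
{"ts": 115, "user": "alice", "src_ip": "10.1.1.5", "action": "logon", "outcome": "failure"}
{"ts": 120, "user": "alice", "src_ip": "10.1.1.5", "action": "logon", "outcome": "failure"}
{"ts": 125, "user": "alice", "src_ip": "10.1.1.5", "action": "logon", "outcome": "failure"}
{"ts": 130, "user": "alice", "src_ip": "10.1.1.5", "action": "logon", "outcome": "success"}
{"ts": 200, "user": "bob",   "src_ip": "10.2.2.9", "action": "logon", "outcome": "failure"}
{"ts": 260, "user": "bob",   "src_ip": "10.2.2.9", "action": "logon", "outcome": "success"}
{"ts": 300, "user": "carol", "src_ip": "10.3.3.1", "action": "logon", "outcome": "failure"}
{"ts": 301, "user": "carol", "src_ip": "10.3.3.1", "action": "logon", "outcome": "failure"}
{"ts": 302, "user": "carol", "src_ip": "10.3.3.1", "action": "logon", "outcome": "failure"}
{"ts": 303, "user": "carol", "src_ip": "10.3.3.1", "action": "logon", "outcome": "failure"}
{"ts": 304, "user": "carol", "src_ip": "10.3.3.1", "action": "logon", "outcome": "failure"}
{"ts": 305, "user": "carol", "src_ip": "10.3.3.1", "action": "logon", "outcome": "failure"}
{"ts": 500, "user": "carol", "src_ip": "10.3.3.1", "action": "logon", "outcome": "success"}
"""


@dataclass(frozen=True)
class Rule:
    """The rule definition lives in version control next to its test."""
    name: str
    threshold: int       # failed logons required before a success is suspicious
    window_seconds: int  # how far back from the success to count failures
    severity: str


# Threshold and window are assumed values for the example, not tuned guidance.
BRUTE_FORCE_THEN_SUCCESS = Rule("brute_force_then_success", 5, 60, "high")


def parse_events(text):
    """Parse JSON lines and sort by timestamp so the window logic sees events in order."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def run_rule(rule, events):
    """Return one alert per (user, src_ip) whose success is preceded, within the window,
    by at least `threshold` failed logons."""
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of failed logons
    alerts = []
    for e in events:
        if e.get("action") != "logon":
            continue
        key = (e["user"], e["src_ip"])
        if e["outcome"] == "failure":
            failures[key].append(e["ts"])
        elif e["outcome"] == "success":
            recent = [t for t in failures[key] if e["ts"] - t <= rule.window_seconds]
            if len(recent) >= rule.threshold:
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "user": e["user"], "src_ip": e["src_ip"],
                               "failures": len(recent), "ts": e["ts"]})
            failures[key].clear()  # a success ends the attempt sequence either way
    return alerts


def rule_tests_pass(rule=BRUTE_FORCE_THEN_SUCCESS):
    """CI gate for the rule: it must fire on the true positive (alice) and stay quiet on
    the single failure (bob) and the failures that fall outside the window (carol)."""
    alerts = run_rule(rule, parse_events(SAMPLE_EVENTS))
    return {a["user"] for a in alerts} == {"alice"}


if __name__ == "__main__":
    for alert in run_rule(BRUTE_FORCE_THEN_SUCCESS, parse_events(SAMPLE_EVENTS)):
        print(alert)
    print("rule tests pass:", rule_tests_pass())
```

The point of the pattern is that a pull request that changes the threshold or window has to keep `rule_tests_pass` green, which is the change-management control described above expressed as a test rather than a policy document.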
This list isn't inclusive of all the types of engineers, and it's essential to understand the need for cross-leveling of skills here and how big these teams can get. A single person managing network security would leave the organization in a predicament if that employee were to tender their notice. A best practice is to have a minimum of two engineers on each technology group; this allows for a checks-and-balances approach that limits the risk of a single point of failure.

The number one customer of the Security Engineering team is the SOC. Because these teams work so closely together, security engineering is a natural progression for SOC analysts on the ladder upward to architect. This role requires advanced knowledge of how to administer systems and technologies. If you're interested in engineering, take on some projects in your spare time at home. Learn a new technology group, such as virtualization or containers. The best way to learn this job is by doing it. So get out there and experiment, and when you fail, delete it all and start again.

A note on Vulnerability Management Engineers: they also work closely with the IT and system-owning teams to help prioritize vulnerabilities. Prioritizing vulnerabilities isn't as straightforward as you might think. When a vulnerability is found, it gets assigned a criticality (typically the scanner's CVSS-based severity) that the engineers adjust based on many factors: whether the device is dev or prod, whether it's public-facing, or whether it can be patched at all because it's a legacy system with dependencies that require older versions of software. It's not as easy as reading a report and taking action on it. These engineers typically work closely with the IT teams who conduct the patching, often trying to convince them to patch things out-of-cycle or at a higher priority. Vulnerability Management requires specific knowledge of how corporate environments operate and, specifically, how their company operates.
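As an added illustration of the prioritization just described (example code written for this page, not the article's or any scanner's logic), the block below starts from the scanner's base score and adjusts it for exactly the factors named above: dev versus prod, public-facing or not, and whether the host can be patched at all. The findings, host names, issue labels, and weights are constructed for the example and are assumptions; a real program would tune the weights and add factors such as exploit availability.

```python
"""Risk-based vulnerability prioritization: adjust scanner severity by asset context."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str            # placeholder label; a scanner would carry a CVE or plugin ID here
    base_score: float     # CVSS base score as reported by the scanner (0.0 to 10.0)
    environment: str      # "prod" or "dev"
    internet_facing: bool
    patchable: bool       # False for legacy systems whose dependencies pin old versions


# Weights are assumptions for this example, not values from the article or any standard.
ENV_WEIGHT = {"prod": 1.0, "dev": 0.6}
EXPOSURE_BONUS = 2.0


def priority_score(f):
    """Scale the scanner's score by environment, add exposure, clamp to the 10-point range."""
    score = f.base_score * ENV_WEIGHT.get(f.environment, 1.0)
    if f.internet_facing:
        score += EXPOSURE_BONUS
    return round(min(score, 10.0), 1)


def remediation_action(f):
    """An unpatchable legacy host still needs action, just not a patch ticket."""
    if not f.patchable:
        return "mitigate"  # compensating control: isolate, filter, or disable the service
    return "patch"


def prioritize(findings):
    """Return (score, action, finding) tuples, highest priority first.
    Unpatchable items are flagged rather than dropped so they are not silently forgotten."""
    ranked = [(priority_score(f), remediation_action(f), f) for f in findings]
    ranked.sort(key=lambda r: (-r[0], r[2].host))
    return ranked


# Constructed findings: same issue on prod and dev, a public web host, and a legacy system.
SAMPLE_FINDINGS = [
    Finding("web-01", "issue-A", 7.5, "prod", True, True),
    Finding("db-01", "issue-B", 9.8, "prod", False, True),
    Finding("dev-box", "issue-B", 9.8, "dev", False, True),
    Finding("legacy-hr", "issue-C", 8.1, "prod", False, False),
]


if __name__ == "__main__":
    for score, action, f in prioritize(SAMPLE_FINDINGS):
        print(f"{score:4.1f}  {action:8}  {f.host:10}  {f.issue}  (scanner said {f.base_score})")
```

Note what the ranking does that the raw scanner report does not: the same 9.8 issue drops well down the list on the dev box, a 7.5 on the public web host rises to within a hair of the top, and the legacy HR system keeps its place but is routed to a mitigation conversation with IT instead of a patch request that cannot be fulfilled.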
Vulnerability Management also requires good people skills and knowing how to manage without authority. Those two skills should be practiced throughout your career, no matter which technology group you land in. Engineers usually have worked in the SOC first, but they can come from other areas of IT such as software development or IT/cloud engineering.

Architects

The Cybersecurity Architecture team is unique to large organizations and is focused on enforcing security best practices and compliance controls while implementing new technology in the enterprise. Let's look at an example: your company wants to move its on-premises database into a cloud solution such as Amazon Web Services (AWS) or Microsoft Azure. It's the Security Architecture team's job to work with the database and cloud administrators to ensure that the systems and data being migrated into the cloud are as secure as possible. This team is usually composed of senior security specialists with several years of experience in cybersecurity. Some organizations will outsource this to a third-party security consulting firm due to the limited scope of work needed for individual projects. A common practice for Cybersecurity Architecture teams at large companies is to have a small team with broad knowledge of all of cybersecurity, where each member has mastery of a different specialty. To name a few of these specialties: software security, network security, infrastructure security, and cloud security. At smaller companies there might be only one or two Cybersecurity Architects, often with a broad cybersecurity background and mastery of the specific company's IT practices. An example of a cybersecurity architect's objective is to devise the security and logging plan for a project, ensuring a proper balance between security and cost savings. Security Architecture is one of the many pathways for a SOC analyst to move up in their career, but typically it happens after they've progressed as an engineer.
You should have at least 7–10 years of cybersecurity experience before considering a move into Security Architecture. It is a highly stressful job, and just because you're able to do it doesn't mean that it's what you should do. Tyler was a Cybersecurity Architect at a Fortune 50 company for only about four months before he resigned and decided they couldn't pay him enough to do the job. He hardly slept the entire four months, worrying about the ramifications if just one tiny calculation was incorrect. It just wasn't for him, yet. Maybe when he's much older and wiser. Architects are typically Engineers first (Figure 1–2).

Figure 1–2. Typical Analyst Career Progression

In summary, most organizations have some embodiment of these three information security teams: Security Operations, Security Engineering, and Security Architecture. Whether the team is outsourced or owned by the SOC, the roles exist in every company. Each is a puzzle piece that fits together to form a well-rounded cybersecurity program. No one team is more important than another, and I ask that you remember this as you move forward in your career. You'll likely leave the SOC one day and pick a specialty. You'll make more money, you'll have more freedom, like being able to work your own schedule, and you won't have to do shift work. You'll need less hand-holding and become more independent as you grow more senior, and you might one day look down on the SOC. It's a typical progression that many go through in their careers, but know that it's not leadership. No one team is more important than another, and to lead is to serve. On that note, let's move on to the next section.

Internal Teams

As you gain and demonstrate experience as a SOC analyst, opportunities to interact with teams outside of the SOC will occur. These opportunities are an excellent way to stand out and make a great impression on your leadership.
Regardless of the task, you should approach each encounter with teams outside the SOC with a high level of professionalism and confidence. You'll find that when you've put in maximum effort toward the task, word of your accomplishments will make it back to your supervisor. And of course, the reverse is true as well. The last thing you want is for your supervisor to learn that you failed to contribute to a task. They tend to remember those conversations when reviewing compensation adjustments.

Let's first talk about Management. Technically, not all of management works outside the SOC. The SOC has a manager, and usually, somewhere up the chain, there's a director. But management makes business decisions, so this topic will cover the standard positions and scope of responsibility of those in management. It's important to know that every organization is different in how it staffs its management team. We'll start in the SOC with the SOC manager and work upward to the executive staff.

The SOC manager is the direct, first-line supervisor for all SOC analysts. Your interactions with them begin in the interview process, as they're also the hiring manager for open analyst positions. SOC managers have a wide range of duties, everything from mentoring junior analysts to driving collaboration between the SOC and other teams. In fact, the SOC manager has so many duties that an entire article could be dedicated to the topic. We'll begin with their responsibilities to you, the newly hired SOC analyst. The SOC manager is responsible for all aspects of compensation for the analysts under them, including the offer letter when you first applied, bonus payouts, and promotions. However, promotions can't happen without mentorship, and that's also a large part of their duties. Each company has different mentorship requirements, but you can expect to sit down with your manager and discuss personal and business goals.
Your progress toward achieving these goals is taken into account during bonus and promotion decisions. Time-off requests, work schedules, and SOC duty assignments are all decided by the SOC manager. The SOC manager is also responsible for reporting the number and type of security events the SOC sees to upper management. These reports inform the executive staff of the latest trends in cyberattacks targeting the company. The SOC manager is the first level of the management team and is by far one of the hardest jobs in information security. Let's move on.

The SOC director is the next step up in the chain of managers above the SOC. This title is different for almost every company; some examples are "Director of Security Operations" and "Director of IT Security." Regardless of title, this position is usually the SOC manager's supervisor. They're responsible for the overall strategic decisions facing the company regarding cybersecurity, including budget requests, SOC staffing approval, and metrics reporting to executive leadership. They also coordinate with other directors to plan joint projects. We'll cover them more later.

The next rung in the management ladder is the Chief Information Security Officer, or CISO for short. Depending on the company, the responsibilities of the CISO vary considerably, so we won't spend too much time discussing the CISO. All you need to understand from a SOC analyst's perspective is that the CISO is responsible for the high-level decisions regarding information security. They will most likely be the first executive officer you'll meet, and depending on your company, the CISO likely reports directly to the CEO. So, no pressure trying to make an excellent first impression. That wraps it up for the management team; from here, let's move on to some of the common organizations you'll work with as a SOC analyst.
Each team we discuss will have a similar management structure to the SOC. I'll skip going into detail about the team members and focus on the scope of the team itself.

The Risk Management team is responsible for measuring, reporting, and mitigating the company's risk levels. In regard to cybersecurity, they'll look at the likelihood of a compromise, determine the impact on the business if the attack happened, and generate a report to management on the risk. This data allows management to make an informed decision to accept or mitigate the risk. If all this sounds familiar, you've most likely learned about risk matrices somewhere along the way. "But how does the SOC assist the Risk Management team?" I'm so glad you asked. Risk Management teams are not cybersecurity experts; their understanding of attacks and compromises is often limited to what they read in the news. That's when the SOC consults to define the impact of a compromise. An example of a SOC consultation would be to describe how a critical system is vulnerable to a particular type of compromise. Maybe you're asked what security control would best stop the attack before it happens. Regardless of the request from Risk Management, the goal is to provide them with the worst-case scenario. To measure risk, Risk Management needs to know the most dangerous outcome for the company and how often it might occur.

The Governance and Compliance team ensures that "the overall management approach that board members and senior executives use to control and direct an organization" [1] is disseminated and adhered to. They also ensure the company meets or exceeds the compliance standards that apply to its industry. An example would be the Payment Card Industry Data Security Standard (PCI DSS), which enforces controls around payment and card systems. The purpose of compliance is to ensure that proper cybersecurity practices are followed in a uniform manner.
There are several global compliance standards, and each has a different set of controls, although some overlap. The table lists the common and well-known compliance standards.

The most common interaction the SOC will have with Governance and Compliance teams is during the auditing process. The SOC plays a vital role in providing evidence of compliance for the Audit team. Some common evidence requests are collected logs, process documentation, and a security event walk-through. We'll cover more about the Audit team later in this article.

Definition: Auditing is the gathering and analysis of information about assets to verify such things as policy compliance and freedom from vulnerabilities.

The next team we'll cover is the Privacy and Legal team. Usually, you'll interact with Privacy and Legal during security incidents that involve evidence collection or public disclosure of a compromise. In the previous article, we briefly discussed the Capital One data breach [3]. The privacy half of this team was responsible for identifying the nature of the data that was stolen. Working with Legal, they together inform executive leadership on disclosure requirements, legal obligations, and options to pursue action against the attacker. In the case of Capital One, the Privacy and Legal team notified victims of the data breach and assisted the FBI in apprehending the suspect.

Let's segue to our final team for this section, the Fraud team. The Fraud team works hand in hand with Privacy and Legal in investigations of a data breach to determine whether the data has been leaked, sold, or used for malicious means. For example, the data stolen from Capital One included about 140,000 US Social Security numbers. The Fraud team is responsible for investigations tied to the use of stolen data, such as identity theft or data brokerage on the dark web. The Fraud team's responsibilities shift depending on the company's industry.
A software company's Fraud team might scour the Internet for license key generators, while a manufacturing company has its Fraud team looking for signs of stolen blueprints.

External Teams

For this article, external teams are defined as any team that does not work for your company. So far, we've covered the information security and internal teams that the SOC will interact with to accomplish business objectives. Your interaction with external teams requires special consideration. The most important note is that you are a representative of your organization and company.

The first external team we'll discuss is government agencies, and they play a critical role in any country. Whether it's for compliance, reporting data breaches, or interpreting privacy laws, the SOC will eventually find itself interacting with the local or federal government. As both authors are located in the United States, we'll cover what we know and not speculate on other countries' stance on cybersecurity. I urge you to research the local laws and regulations in your region to prepare yourself for interacting with your local government agencies. There are different types of government agencies that we need to cover, and the SOC will interact with each in various capacities.

Law enforcement agencies will be the most common government entity you'll encounter. Some examples of law enforcement agencies in the United States are the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and state and local police. As with the Legal and Privacy team, the SOC will most likely work to provide evidence of data breaches or insider threats to the investigating agency. When communicating with law enforcement agencies, it's important to state only facts: what you observed and when, not what you suspect. Remain professional and pay respect to the members of the agency you are working beside. The majority of individuals you'll deal with won't be cybersecurity analysts, so speak in common terms.
The second government entity we'll discuss is military and intelligence agencies. Today, many companies provide services or goods to their federal government, and most countries have cybersecurity regulations that must be followed by companies that do business with the government. This comes in the form of tighter compliance controls and mandatory reporting requirements. A benefit of working with the government is the shared threat intelligence provided by the network of companies that work with it. In the United States, defense contractors that work with the Department of Defense can join the Defense Industrial Base Cybersecurity (DIB CS) program. This program allows companies to share threat reports, indicators of compromise, and malware samples in a central location. The Department of Defense (DoD) also provides threat reports and alerts based on intelligence collected by military or intelligence agencies.

The last government organization we'll cover is regulatory agencies. Regulatory agencies are bodies created to set a baseline of standards for a particular field of activity in the private sector of the economy and then enforce those standards. Regulatory agencies are commonly broken out by business sector; for example, the US Department of Health and Human Services enforces the HIPAA compliance standards. Not all standards bodies are government-affiliated: the International Organization for Standardization (ISO) is an independent, nongovernmental international organization with a membership of 164 national standards bodies, and it is committees of representatives from those member bodies that develop new and revised standards. Because a nongovernmental standards body can't enforce compliance or punish companies that fall out of compliance, a standard such as ISO 27001 becomes enforceable only when a government regulator, a contract, or a customer requires it, and certification against it is assessed by independent accredited certification bodies rather than by ISO itself.

The second external team we'll discuss is Audit teams.
Auditors play a significant role in a company's path to regulatory compliance and will be a source of many headaches for the SOC. The auditor's primary responsibility is to understand the compliance standards and the security controls that satisfy each requirement. Next, they apply their knowledge and expertise in their field to compare a company's security posture against the compliance standards. Let's look at an example of how an auditor might interact with the SOC during a compliance engagement by looking at the PCI DSS Version 1.2 controls in Table 2–2. The goal "Regularly Monitor and Test Networks" is a typical example of data the SOC will be responsible for providing. Specifically, the SOC would be the team monitoring access to network resources, and the data that auditors will want to see most likely resides in the SOC's SIEM. Each auditor is different, so the exact data they'll ask for will vary with their experience level and individual preference. Some auditors will request that the SOC give a live demo of its ability to access and monitor the data, while others will request screenshots of the monitoring platform and the data held within. Depending on the compliance standard, audits happen anywhere from every three months to annually. Also, depending on your company, the SOC might be responsible for providing evidence to multiple audit teams throughout the year. As a new SOC analyst, you won't likely interact with the auditors directly. If a demo is requested, it's usually handled by a senior analyst due to their experience with the company's data sources and monitoring portfolio. Your manager and team lead will own the responsibility of planning and coordinating with the compliance and audit teams, and your tasks begin with evidence collection. Let's move on to our final team for this article, and likely the most common external team you'll interact with as a junior analyst.
Vendors are external product or service providers that have sold a product to your company or are attempting to sell one. Any tool the SOC uses that wasn't created by your company came from a vendor. The SOC's interaction with existing vendors will be limited to requesting assistance with issues, feature requests, and bug reports. However, you might be asked to join a tool demo or a proof of concept (POC) evaluation of a security tool.

Insight: Working with vendors can be a great networking opportunity; leaving a good impression with the vendor could lead to future job offers if you decide to move away from the SOC.

When working with existing vendors, there are specific ethical concerns around requesting features or accepting gifts. It's important to remember that you're a representative of your company. Vendors who provide an existing service or product could take your feature request and bill your company for the hours spent on the work. That shouldn't deter you from asking for new features, but when communicating with the vendor, be sure to ask whether the company will be billed before any agreement is made. Similarly, when communicating with vendors trying to sell your company a product or service, it's important not to promise anything to the vendor. The best conversation you can have with a vendor providing a demo or POC is to offer your honest feedback on their product. Good or bad, they will take your feedback to their company for product changes. So when providing your thoughts on their product, be sure to offer constructive criticism. Comments like "your product adds no value for us" and "we could build this ourselves" are a surefire way to get you removed from future vendor conversations.

Summary

Working in the SOC brings you into contact with many other teams, both within and external to your company. Each team covered in this article combines to shape your SOC's daily scope of duties.
The team names and roles discussed in this article are not standardized from company to company. As previously mentioned, some team member responsibilities might belong to the SOC. Regardless of whether the positions exist, the team’s functions are required for a company to succeed.

We’ve talked previously about our purpose for this book and how we hope to prepare you for a great, new career in cybersecurity by way of the SOC. Consider for a moment the overhead of having to teach a new SOC analyst the functions of each team member, external organization, and government entity. This article helps you set yourself up for success by providing a cursory introduction to the areas of expertise in cybersecurity. Whether you’re working with your local law enforcement to investigate a malicious insider or collecting audit evidence for the compliance team, a better understanding of the groups and their roles and responsibilities will help you stand out as a productive member of the SOC team.

ARTICLE QUIZ (SOLUTIONS FOLLOW)

1. Large organizations often consist of three general teams for cybersecurity. Which of the following is not one of them?
   Ⓐ IAM
   Ⓑ Operations
   Ⓒ Engineering
   Ⓓ Architecture

2. The Threat Intelligence (TI) team does which of the following?
   Ⓐ Takes over incidents from the SOC and conducts investigations on long and enduring incidents.
   Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.
   Ⓒ Focuses on enforcing the best security practices and compliance controls while implementing new technology.
   Ⓓ Identifies, catalogs, and remediates new and existing vulnerabilities.

3. Relating to responsibilities, the Digital Forensics and Incident Response (DFIR) Team does which of the following?
   Ⓐ Focuses on enforcing the best security practices and compliance controls while implementing new technology.
   Ⓑ Deploys, manages, and maintains security tools.
   Ⓒ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.
   Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents.

4. The Security Engineering Team covers which of the following tasks?
   Ⓐ Identifies, catalogs, and remediates new and existing vulnerabilities.
   Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.
   Ⓒ Deploys, manages, and maintains security tools.
   Ⓓ Focuses on enforcing the best security practices and compliance controls while implementing new technology.

5. The Vulnerability Management team is responsible for which of the following?
   Ⓐ Researching new threats, determining if they’re dangerous, and providing details to management.
   Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network.
   Ⓒ Taking over incidents from the SOC and conducting investigations on long and enduring incidents.
   Ⓓ Deploying, managing, and maintaining security tools.

6. Responsibilities of the Security Architecture team include which of the following?
   Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology.
   Ⓑ Deploying, managing, and maintaining security tools.
   Ⓒ Researching new threats, determining if they’re dangerous, and providing details to management.
   Ⓓ Taking over incidents from the SOC and conducting investigations on long and enduring incidents.

7. The _________ is the first level of management and one of the most difficult jobs in cybersecurity.
   Ⓐ SOC Director
   Ⓑ SOC Manager
   Ⓒ Chief Information Security Officer (CISO)
   Ⓓ Risk Management Team

8. The SOC Director may also be called _______. Which of the following does not apply?
   Ⓐ Director of Security Operations
   Ⓑ Director of Threat Management
   Ⓒ Director of IT Security
   Ⓓ Director of Risk Management

9. Which of the following internal teams focuses on the worst-case scenario and how often that may occur?
   Ⓐ Risk Management.
   Ⓑ Governance and Compliance.
   Ⓒ Privacy and Legal.
   Ⓓ Digital Forensics and Incident Response (DFIR).

ARTICLE QUIZ SOLUTIONS

1. Ⓐ IAM. While there may be an IAM team in very large organizations, the three general teams can be broken down into Operations, Engineering, and Architecture.

2. Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC. The Threat Intelligence team typically researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.

3. Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents. Typically, the DFIR team takes over incidents from the SOC and conducts investigations on long and enduring incidents.

4. Ⓒ Deploys, manages, and maintains security tools. Typically, the Security Engineering team deploys, manages, and maintains security tools.

5. Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network. The Vulnerability Management team is responsible for identifying, cataloging, and remediating existing vulnerabilities throughout a network.

6. Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology. The Security Architecture team typically focuses on enforcing the best security practices and compliance controls while implementing new technology.

7. Ⓑ SOC Manager. The first level of management, and the one that you will interact with most frequently, is the SOC Manager.

8. Ⓓ Director of Risk Management. The SOC Director typically isn’t called a Director of Risk Management.

9. Ⓐ Risk Management. The Risk Management team focuses on all of the “bad” things that can happen and how often they may occur, as well as the impact they have on the organization.
- Azure Cybersecurity Labs - Part Three
Azure Cybersecurity Labs - Part Three

To kick Azure Cybersecurity Labs - Part Three off, we first need to install Terraform and then continue completing our first Terraform lifecycle. Follow along in these two videos as we install Terraform on Mac and Windows, then proceed with the instructions.

Installing Terraform on Windows

https://youtu.be/1er-WkfUBmU

    curl.exe -O https://releases.hashicorp.com/terraform/0.12.26/terraform_0.12.26_windows_amd64.zip
    Expand-Archive terraform_0.12.26_windows_amd64.zip
    Rename-Item -path .\terraform_0.12.26_windows_amd64\ .\terraform

Installing Terraform on Mac

    brew install terraform
    terraform -install-autocomplete

Running your first Terraform

With Terraform, there is a lifecycle for a resource, and it can be broken down into four phases: Init, Plan, Apply, and Destroy.

- init: Initialize the (local) Terraform environment. Usually executed only once per session.
- plan: Compare the Terraform state with the as-is state in the cloud, then build and display an execution plan. This does not change the deployment (read-only).
- apply: Apply the plan from the plan phase. This potentially changes the deployment (read and write).
- destroy: Destroy all resources that are governed by this specific Terraform environment.

This article assumes that you have created an Azure account and subscription. The first thing we will do is install the Azure CLI tools and configure them to be used with Terraform.
Install the Azure CLI tool with brew on macOS:

    brew update && brew install azure-cli

To install the Azure CLI using PowerShell in Windows, start PowerShell as an administrator and run the following command:

    $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi

You can now run the Azure CLI with the az command from Windows Command Prompt, PowerShell, or Mac Terminal. You will use the Azure CLI tool to authenticate with Azure, because Terraform must authenticate to Azure to create infrastructure. In your terminal, use the Azure CLI tool to set up your account permissions locally:

    az login

You have now logged in using the account you created in previous lectures. In the output in the terminal, find the ID of the subscription that you want to use:

    {
      "cloudName": "AzureCloud",
      "homeTenantId": "0envbwi39-home-Tenant-Id",
      "id": "35akss-subscription-id",
      "isDefault": true,
      "managedByTenants": [],
      "name": "Subscription-Name",
      "state": "Enabled",
      "tenantId": "0envbwi39-TenantId",
      "user": {
        "name": "your-username@domain.com",
        "type": "user"
      }
    }

Once you have chosen the account subscription ID, set the account with the Azure CLI:

    az account set --subscription "35akss-subscription-id"

Next, we create a Service Principal. A Service Principal is an application within Azure Active Directory with the authentication tokens that Terraform needs to perform actions on your behalf. Replace the <SUBSCRIPTION_ID> placeholder with the subscription ID you specified in the previous step:

    az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<SUBSCRIPTION_ID>"

The output includes credentials that you must protect. Ensure you do not include these credentials in your code or check the credentials into your source control.
For more information, see the assignment details.

    {
      "appId": "xxxxxx-xxx-xxxx-xxxx-xxxxxxxxxx",
      "displayName": "azure-cli-2022-xxxx",
      "password": "xxxxxx~xxxxxx~xxxxx",
      "tenant": "xxxxx-xxxx-xxxxx-xxxx-xxxxx"
    }

Next, you need to set your environment variables. HashiCorp recommends setting these values as environment variables rather than saving them in your Terraform configuration. Open a Mac terminal or PowerShell and input the values from the previous command (appId, password, and tenant); the subscription ID is the one you found in the az login output.

For Mac Terminal:

    export ARM_CLIENT_ID="APPID_VALUE"
    export ARM_CLIENT_SECRET="PASSWORD_VALUE"
    export ARM_SUBSCRIPTION_ID="SUBSCRIPTION_ID"
    export ARM_TENANT_ID="TENANT_VALUE"

For PowerShell:

    $env:ARM_CLIENT_ID = "APPID_VALUE"
    $env:ARM_CLIENT_SECRET = "PASSWORD_VALUE"
    $env:ARM_TENANT_ID = "TENANT_VALUE"
    $env:ARM_SUBSCRIPTION_ID = "SUBSCRIPTION_ID"

Install Visual Studio Code and Set Up Environment

Great! We are all configured to use Azure now. Next, open up a terminal and install Visual Studio Code by issuing this command on a Mac:

    brew install visual-studio-code

Or, on a Windows machine, download it from the Visual Studio Code website. Next, in the terminal on Mac, issue the following commands to create a directory that will contain our Terraform configuration:

    mkdir ~/tf-exercise-1
    cd ~/tf-exercise-1

And open up a file for main.tf:

    code main.tf

On Windows, create a folder anywhere called "tf-exercise-1", create a new file called "main" with the file extension ".tf", and open that file with Visual Studio Code. Now we need to write a configuration to create a new resource group.
Copy and paste the code snippet into the "main.tf" file:

    # Configure the Azure provider
    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "~> 3.0.2"
        }
      }

      required_version = ">= 1.1.0"
    }

    provider "azurerm" {
      features {}
    }

    resource "azurerm_resource_group" "rg" {
      name     = "myTFResourceGroup"
      location = "westus2"
    }

Note: The location of your resource group is hardcoded in this example. If you do not have access to the resource group location westus2, update the main.tf file with your Azure region. Note also that the required_version = ">= 1.1.0" constraint makes terraform init refuse to run with an older binary, so the 0.12.26 build referenced in the Windows install steps above needs to be replaced with a 1.1.0 or newer release before this configuration will initialize.

This is a complete configuration that Terraform can apply. In the following sections we will review each block of the configuration in more detail.

Terraform Block

The terraform {} block contains Terraform settings, including the required providers that Terraform will use to provision your infrastructure. For each provider, the source attribute defines an optional hostname, a namespace, and the provider type. Terraform installs providers from the Terraform Registry by default. In this example configuration, the azurerm provider’s source is defined as hashicorp/azurerm, which is shorthand for registry.terraform.io/hashicorp/azurerm.

You can also define a version constraint for each provider in the required_providers block. The version attribute is optional, but we recommend using it to enforce the provider version. Without it, Terraform will always use the latest version of the provider, which may introduce breaking changes.

Providers

The provider block configures the specified provider, in this case azurerm. A provider is a plugin that Terraform uses to create and manage your resources. You can define multiple provider blocks in a Terraform configuration to manage resources from different providers.

Resource

Use resource blocks to define components of your infrastructure. A resource might be a physical component, such as a server, or it can be a logical resource, such as a Heroku application.
Resource blocks have two strings before the block: the resource type and the resource name. In this example, the resource type is azurerm_resource_group and the name is rg. The prefix of the type maps to the name of the provider. In the example configuration, Terraform manages the azurerm_resource_group resource with the azurerm provider. Together, the resource type and name form a unique ID for the resource. For example, the ID for your resource group is azurerm_resource_group.rg.

Resource blocks contain arguments which you use to configure the resource. The Azure provider documentation documents supported resources and their configuration options, including azurerm_resource_group and its supported arguments.

Initialize your Terraform configuration

Initialize your tf-exercise-1 directory in your terminal. The terraform commands will work with any operating system. Your output should look similar to this one:

    terraform init

    Initializing the backend...

    Initializing provider plugins...
    - Finding hashicorp/azurerm versions matching "~> 3.0.2"...
    - Installing hashicorp/azurerm v3.0.2...
    - Installed hashicorp/azurerm v3.0.2 (signed by HashiCorp)

    Terraform has been successfully initialized!

    You may now begin working with Terraform. Try running "terraform plan" to see
    any required changes for your infrastructure. All Terraform commands
    should now work.

    If you ever set or change modules or backend configuration for Terraform,
    rerun this command to reinitialize your working directory. If you forget, other
    commands will detect it and remind you to do so if necessary.

Format and validate the configuration

We recommend using consistent formatting in all of your configuration files. The terraform fmt command automatically updates configurations in the current directory for readability and consistency. Format your configuration. Terraform will print out the names of the files it modified, if any.
In this case, your configuration file was already formatted correctly, so Terraform won’t return any file names.

    terraform fmt

You can also make sure your configuration is syntactically valid and internally consistent by using the terraform validate command. The example configuration above is valid, so Terraform will return a success message.

    terraform validate
    Success! The configuration is valid.

Apply your Terraform Configuration

Run the terraform apply command to apply your configuration. This output shows the execution plan and will prompt you for approval before proceeding. If anything in the plan seems incorrect or dangerous, it is safe to abort here with no changes made to your infrastructure. Type yes at the confirmation prompt to proceed.

    terraform apply

    An execution plan has been generated and is shown below.
    Resource actions are indicated with the following symbols:
      + create

    Terraform will perform the action of creating a resource group:

      azurerm_resource_group.rg will be created
      + resource "azurerm_resource_group" "rg" {
          + id       = (known after apply)
          + location = "westus2"
          + name     = "myTFResourceGroup"
        }

    Plan: 1 to add, 0 to change, 0 to destroy.

    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.

      Enter a value: yes

    azurerm_resource_group.rg: Creating...
    azurerm_resource_group.rg: Creation complete after 1s [id=/subscriptions/c9ed8610-47a3-4107-a2b2-a322114dfb29/resourceGroups/myTFResourceGroup]

    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Navigate to the Azure portal in your web browser to ensure the resource group was created.

Inspect your state

When you apply your configuration, Terraform writes data into a file called terraform.tfstate. This file contains the IDs and properties of the resources Terraform created, so that it can manage or destroy those resources going forward.
Your state file includes all of the data in your configuration and could contain sensitive values in plaintext, so do not share it or check it into source control. Inspect the current state using terraform show:

    terraform show

    azurerm_resource_group.rg:
    resource "azurerm_resource_group" "rg" {
        id       = "/subscriptions/c9ed8610-47a3-4107-a2b2-a322114dfb29/resourceGroups/myTFResourceGroup"
        location = "westus2"
        name     = "myTFResourceGroup"
    }

When Terraform created this resource group, it also gathered the resource’s properties and metadata. These values can be referenced to configure other resources or outputs. To review the information in your state file, use the state command. If you have a long state file, you can see a list of the resources you created with Terraform using the list subcommand:

    terraform state list
    azurerm_resource_group.rg

If you run terraform state with no subcommand, you will see a full list of available commands to view and manipulate the configuration’s state:

    terraform state
    Usage: terraform state [options] [args]

      This command has subcommands for advanced state management.

      These subcommands can be used to slice and dice the Terraform state.
      This is sometimes necessary in advanced cases. For your safety, all
      state management commands that modify the state create a timestamped
      backup of the state before making modifications.

      The structure and output of the commands are specifically tailored to work
      well with the standard Unix utilities such as grep, awk, etc. We recommend
      using those tools to perform more advanced state tasks.

Terraform Destroy

Lastly, issue the terraform destroy command to complete the lifecycle and undo the changes that you made. Terraform keeps a record of the changes you made in the terraform.tfstate file, so it knows exactly which ones to undo.
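The article warns twice about things that must never reach source control: the Service Principal credentials returned by az ad sp create-for-rbac, and the terraform.tfstate file, which stores resource IDs and possibly secrets in plaintext. The following shell check is an added example written for this article (it is not code from the page or from HashiCorp) that enforces both warnings from a pre-commit hook or a CI step. The function names, the .gitignore contents and the grep patterns are this example's own choices; the scan looks for exactly the two things the article names: a state file on disk, and a client_secret or ARM_CLIENT_SECRET value pasted into a .tf, .tfvars, .sh or .env file.

```shell
# Added example for this article (not code from the page or from HashiCorp):
# a pre-commit style guard for a Terraform working directory. Function names,
# .gitignore contents and grep patterns are this example's own choices.

# Write a baseline .gitignore so state, plans and variable files never get
# staged in the first place.
tf_write_gitignore() {
    dir="${1:-.}"
    cat > "$dir/.gitignore" <<'EOF'
# Terraform state holds resource IDs and may hold secrets in plaintext
*.tfstate
*.tfstate.*
# Provider plugin cache and saved plan files
.terraform/
*.tfplan
# Variable files often carry credentials or environment-specific values
*.tfvars
EOF
}

# Scan DIR for material that must stay out of source control.
# Prints one finding per line; returns 1 if anything was found, else 0.
tf_secret_scan() {
    dir="${1:-.}"
    rc=0

    # 1. State files (terraform.tfstate and its .backup) anywhere under DIR.
    state_hits=$(find "$dir" -type f \( -name '*.tfstate' -o -name '*.tfstate.backup' \))
    if [ -n "$state_hits" ]; then
        printf 'state file must not be committed: %s\n' $state_hits
        rc=1
    fi

    # 2. Service-principal secrets pasted into configuration or helper files:
    #    a literal client_secret argument in a provider block, or an
    #    ARM_CLIENT_SECRET assignment with a non-empty value in a .sh/.env file.
    #    A reference such as client_secret = var.client_secret is not flagged.
    secret_hits=$(grep -rlE \
        -e 'client_secret[[:space:]]*=[[:space:]]*"[^"]+"' \
        -e 'ARM_CLIENT_SECRET[[:space:]]*=[[:space:]]*"?[^"[:space:]]+' \
        --include='*.tf' --include='*.tfvars' --include='*.sh' --include='*.env' \
        "$dir" 2>/dev/null || true)
    if [ -n "$secret_hits" ]; then
        printf 'hardcoded credential in: %s\n' $secret_hits
        rc=1
    fi

    # 3. The .gitignore baseline itself must exist and cover state files.
    if [ ! -f "$dir/.gitignore" ] || ! grep -q 'tfstate' "$dir/.gitignore"; then
        printf '.gitignore missing or does not exclude *.tfstate\n'
        rc=1
    fi

    return "$rc"
}

# Demonstration on a constructed working directory (no real credentials):
# a main.tf plus a state file and no .gitignore, which the scan must reject.
demo=$(mktemp -d)
printf 'resource "azurerm_resource_group" "rg" {}\n' > "$demo/main.tf"
printf '{"version": 4, "resources": []}\n' > "$demo/terraform.tfstate"
if tf_secret_scan "$demo"; then
    echo "clean: safe to commit"
else
    echo "blocked: fix the findings above before committing"
fi
rm -rf "$demo"
```

Run tf_write_gitignore once when you create tf-exercise-1, then call tf_secret_scan from a .git/hooks/pre-commit script so a non-zero return aborts the commit. The scan deliberately ignores a provider block that reads client_secret from a variable; the ARM_* environment variables the article recommends are never written to disk, so they produce no findings either.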
    terraform destroy

    # azurerm_resource_group.rg will be destroyed
    resource "azurerm_resource_group" "rg" {
        id       = "/subscriptions/b7b18fdb-6e24-4934-a25e-2957c9e62d05/resourceGroups/myTFResourceGroup" -> null
        location = "westus2" -> null
        name     = "myTFResourceGroup" -> null
        tags     = {} -> null
    }

    Plan: 0 to add, 0 to change, 1 to destroy.

    Do you really want to destroy all resources?

Summary

You have now completed your very first Terraform lifecycle. Congratulations! It's fairly simple: the configuration files get more complex from here, but the steps and lifecycle remain the same. We just created a resource group in Azure, but we will continue the Terraform exercises by doing something a little more complex and deploying a honeypot using Terraform.
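The init, plan, apply and destroy cycle above is driven interactively, with the yes prompt as the only gate between reviewing a plan and changing the cloud. The wrapper below is an added example written for this article (not code from the page or from HashiCorp) that automates the same cycle with two safety properties: the plan is saved to a file with -out, so the apply performs exactly the reviewed actions even if main.tf or the cloud changed in between, and any plan whose summary line says it would destroy resources is refused unless the caller opts in. The function name, the tfplan file name and the TF_ALLOW_DESTROY variable are this example's own choices; the terraform subcommands and flags it uses are real.

```shell
# Added example for this article (not code from the page or from HashiCorp):
# a guarded wrapper around the Terraform lifecycle. The function name, the
# TF_ALLOW_DESTROY opt-in and the tfplan file name are this example's own
# choices; the terraform subcommands and flags used are real.
#
# Returns 0 on success, 1 when init/fmt/validate/plan fails, and 2 when the
# plan would destroy resources and TF_ALLOW_DESTROY is not set to 1.
tf_guarded_apply() {
    dir="${1:-.}"
    planfile="${2:-tfplan}"

    # Init is idempotent, so running it every time is cheap and avoids the
    # "run terraform init" reminder from later commands.
    ( cd "$dir" && terraform init -input=false >/dev/null ) || return 1

    # fmt -check exits non-zero when files need reformatting; validate catches
    # syntax and consistency errors before any cloud API is touched.
    ( cd "$dir" && terraform fmt -check >/dev/null && terraform validate >/dev/null ) || return 1

    # Save the plan to a file. Applying that file later guarantees Terraform
    # performs exactly the reviewed actions. -no-color keeps the summary
    # line greppable; -input=false fails instead of prompting in CI.
    plan_out=$( cd "$dir" && terraform plan -input=false -no-color -out="$planfile" 2>&1 ) || return 1
    printf '%s\n' "$plan_out"

    # Pull the destroy count out of "Plan: X to add, Y to change, Z to destroy."
    # A plan with no changes prints no such line, which counts as zero.
    destroys=$(printf '%s\n' "$plan_out" \
        | sed -n 's/.*Plan: [0-9]* to add, [0-9]* to change, \([0-9]*\) to destroy\..*/\1/p' \
        | head -n 1)
    destroys="${destroys:-0}"

    if [ "$destroys" -gt 0 ] && [ "${TF_ALLOW_DESTROY:-0}" != "1" ]; then
        printf 'refusing to apply: plan destroys %s resource(s); rerun with TF_ALLOW_DESTROY=1 to allow it\n' "$destroys" >&2
        return 2
    fi

    # A saved plan is applied without a confirmation prompt, so the review
    # above is the gate.
    ( cd "$dir" && terraform apply -input=false "$planfile" )
}

# Usage: tf_guarded_apply ~/tf-exercise-1
# To tear the lab down on purpose: TF_ALLOW_DESTROY=1 tf_guarded_apply ~/tf-exercise-1
```

The destroy guard is what protects a shared environment from the kind of mistake the article's "if anything in the plan seems incorrect or dangerous, it is safe to abort" sentence is about: a typo in a resource name shows up as one resource to destroy and one to add, and the wrapper stops before the apply. When you really do want the terraform destroy step, set TF_ALLOW_DESTROY=1 for that one run.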
- The SOC Analyst Job Application Process is Broken
Becoming a SOC analyst is often viewed as the gateway to a career in cyber. Many aspiring professionals see it as the easiest entry point into this lucrative field. While entering the SOC can lead to a prosperous future, the application process isn't as easy as you might think. The SOC Analyst Job Application Process is Broken.

My Journey as a Cybersecurity Analyst

Let me share my journey into the world of cyber. I enjoyed a successful career in cyber with a significant income. At least, to me, it felt like I had more money than I could ever spend. However, money alone didn't bring me happiness. Eventually, I sought something meaningful in my life. I was disillusioned by my previous role as a SOC Consultant, which felt monotonous and uninspiring. I often compared my situation to Sisyphus, who endlessly pushes a boulder up a hill only to have it roll back down. This myth encapsulated my feelings of futility in my job. After having traveled extensively and accumulated material possessions, I realized that living a fulfilling life was all that mattered. Thus, I made a bold decision to leave a $185,000-a-year SOC job.

How Much Does a SOC Analyst Make?

Salaries can vary greatly depending on location and cost of living. Here are some insights based on my experience in Cumming, Georgia.

SOC Analyst Career Trajectory Example

Here’s a quick glimpse of my salary progression as a SOC Analyst:

- 2013: $55k/year as an entry-level SOC analyst
- 2014: $75k/year after 1.5 years at a different company
- 2015: $105k/year as a Sr. SOC Analyst
- 2016: $135k/year as a Sr. Security Engineer
- 2018: $135k/year plus $25k in RSUs as a Sr. Security Engineer
- 2020: $160k/year as a Cybersecurity Architect
- 2020: $140k/year plus a 10% bonus as a Cyber Advisor
- 2021: $185k/year as a SOC consultant

As you can see, starting salaries in the Managed Security Service Provider (MSSP) sector are typically lower, ranging from $60k to $80k. However, permanent positions within a company's internal SOC offer starting salaries from $80k to $100k. It is essential to accept that you might not be able to go headfirst into an exotic specialty, and need to start cyber however you can, even if that means accepting a contract role.

Why SOC Analyst Jobs Are Accessible

There are three keys to why SOC analyst roles are the most accessible entry-level jobs in cyber:

- Many individuals use the SOC to begin their cyber career. Consequently, backfill positions open up.
- SOCs must operate all day, every day, requiring constant staffing.
- High SOC turnover, especially for overnight positions, leads to new job openings.
- Staffing can be complicated due to geographic limits and FedRAMP regulations, leading to additional recruitment challenges.

For many, the SOC remains the best entry point into cyber. Yet, if you're ready for more specialized roles, don't hesitate to explore those options.

The SOC Analyst Job Application Process is Broken

If you aim to secure a SOC job by 2026, prioritize networking. The hiring process is notably broken. Many job seekers use AI to enhance their resumes, leading to multiple applications from the same candidate just to be seen. Hiring managers are inundated with job applications, filling their inboxes with thousands of applications. It's a DDoS! They often favor referrals and existing connections over cold applications because cold applications are impossible to evaluate. With thousands of aspiring SOC analysts vying for attention, differentiating yourself is essential. You have control over your narrative and cannot change the competition of SOC analysts.
Essential Networking Strategies

To effectively network, consider these tactics:

- Attend two in-person meetups each month.
- Make daily appearances in relevant online communities.
- Write two blog posts per week on Medium.

A strong network can propel your career to new heights.

A Note to Your Future Self

As you navigate your career, begin collecting contacts and building your email list. This will prove invaluable in a future where AI and entrepreneurship shape the job market. In summary, while the SOC analyst job application process has its challenges, you can position yourself for success in the cybersecurity field with the right strategy. Let us help you with that. Our courses SOC Analyst NOW!, SOC JOB NOW!, and Cloud Security NOW! are the trifecta that can set you apart. Explore our course offerings here.
- Is the best of the SOC behind us?
It was 2013 and I was 26 years old, just starting out in the Security Operations Center of a Managed Security Services Provider. I sat in a room filled with hopes and dreams of money, money, money from my colleagues. We were all just starting out and at the lowest rung of the ladder, not making much money at all, but everyone knew somebody that made what felt like billions of dollars doing cybersecurity. What did they do with all that money? This is “Is the best of the SOC behind us?”

We would wake up and check the news outlets because breaches were happening and making big news. The public was very concerned about cybersecurity, and companies were throwing cash at cybersecurity to avoid being in the news. There weren’t many people trained in cybersecurity, and the demand for talent was high. Companies couldn’t hire the talent they needed, so they threw cash at training people. The training business was booming. It was a time to be in cybersecurity; it was the golden age.

Before we go further, I want to say that this blog doesn’t end depressingly; it ends on a high note, and not the high note that you might be thinking right now.

It is 2020, COVID is a hot topic, and I am just leaving VMware as a SOC Automation Developer after having what someone could describe as a breakdown, just realizing what the future of cybersecurity would look like. I spent my time slowly taking away work from the SOC and automating it, scribbling next steps in my notebook until I reached what would be the master plan for automating not only the SOC, but what would be “Mastering Cybersecurity Automation”, which led to a book deal with the publisher Manning that I ultimately backed out of. When I began the book, starting with the matrix, I realized something that haunted me, something I haven’t told anyone until now.

Computing at its fundamental level is fundamental. It's a combination of 1s and 0s, and a 1 and a 0 can be organized into four combinations: 11, 00, 10, 01. We are adding complexity. From there, you can take those same 11, 00, 10, 01 and make 16 combinations, adding more complexity. This is the same thing that we’ve done in cybersecurity. The fundamental cybersecurity tasks, or in this outline, “building blocks”, can be organized into increasing complexity to accomplish all of our tasks, meaning all you need to do is automate the building blocks of your company and use a matrix to combine them in various combinations to achieve the result of full automation. This draft could use some more refining, but it is presented to convey the idea. We do very few fundamental tasks in cybersecurity.

And that's when I stopped. We overcomplicated and convoluted a 180 billion dollar industry that provides jobs to millions of people, and I wasn’t prepared to face an internal struggle over what was right. I went back and forth with this for some time. Eventually, I couldn’t stomach being responsible for building the master matrix of tasks, leaving everyone unemployed, so I left automation altogether. Today, it is well known that automation, not AI, is replacing cybersecurity jobs, and we feel its impact. It's like I am seeing this evolve, whether or not I was responsible for it. Someone is going to figure this out.

Now, I mentioned that this blog leaves on a high note. Are you ready for it? The high note is the demand for automation. The threat landscape continuously evolves, leaving more to automate. Automation tools have become incredibly user-friendly, meaning you don’t have to be a developer to use them. The SIEM we used as a single pane of glass is now a SOAR tool. There will be a race for efficiency that will never, ever, ever end. Companies will continuously tweak automation forever to get more and more efficient. It will never end, and the demand will shift to people with better and better automation skills. Automation BREAKS all the time. People will be needed to repair the automation.
Some processes you just can’t leave to automation and require human approval. People will be needed to do this, too. I am writing about this only because I believe the net sum of labor from before and after will be near zero when it's all said and done. Companies are undergoing some changes, laying off people they will have to rehire when they reskill. There are some unrealistic expectations of the cost savings of automation. The only real way to save costs is by accepting more risk, which they could have done from the beginning. It’s an industry that fluctuates, and that is where I have landed lately. All those nights lying awake, worried about the future, just seemed to work themselves out. And then AI happened.

PART ONE: Understanding Automation

- CHAPTER 1: Introduction. Why this book was written; What this book aims to accomplish
- CHAPTER 2: The Demand for Automation. The evolving cybersecurity threat landscape; The cybersecurity workforce; The traditional security operations center; The solution of cybersecurity automation; Value Stream Map
- CHAPTER 3: Mastering Cybersecurity Automation. Cybersecurity automation architecture; Cybersecurity automation processes; Cybersecurity automation technology
- CHAPTER 4: Prerequisites and Assumptions. The similarities between SMB and Large Enterprises; International legal and data privacy considerations; Government regulations and certifications; Industry-related regulations and certifications; Organization policies/Asset policy

PART TWO: Building Blocks

Each chapter in this part has the same three sections: Technical integration components; Process flowchart; Explanation of steps and decisions.

- CHAPTER 5: Sending Emails Playbook
- CHAPTER 6: Enrichment Playbook
- CHAPTER 7: Analyzing Malware Playbook
- CHAPTER 8: Actioning Endpoints Playbook
- CHAPTER 9: Firewall/web proxy Blocking Playbook
- CHAPTER 10: Escalate to Incident Response Playbook
- CHAPTER 11: SIEM Automation
- CHAPTER 12: Responding to Emails
- CHAPTER 13: Asset Discovery Playbook
- CHAPTER 14: Manual Exception Playbook
- CHAPTER 15: Whitelist Playbook

PART THREE: Fully Automated

Each of chapters 16 through 29 has the same five sections: Building Blocks Required; Flowchart; Description of the phases of this automation; Potential response actions; How this automation is used.

- CHAPTER 16: Phishing Response Automation
- CHAPTER 17: Unusual Privileged Account Activity
- CHAPTER 18: Banned Programs
- CHAPTER 19: Threat Intelligence Response
- CHAPTER 21: Vulnerability Management
- CHAPTER 22: Emergency Vulnerability Management
- CHAPTER 23: Data Loss Prevention
- CHAPTER 24: Cloud Orchestration and Response
- CHAPTER 25: Insider Threat
- CHAPTER 26: Threat Hunting
- CHAPTER 27: User Account Provisioning/Termination
- CHAPTER 28: Rogue Assets
- CHAPTER 29: Metrics
- CHAPTER 30: Cybersecurity Automation Matrix. Building blocks and their components; Automations and their building blocks; Cybersecurity roles and their automation

Table of Illustrations
About the Authorship
About the Technical Review
- Azure Cybersecurity Labs - Part Two
Azure Cybersecurity Labs - Part Two
The first thing that we will be covering in this course, Azure Infrastructure as Code, is what infrastructure as code is and why it is important. This is Azure Cybersecurity Labs - Part Two.
Infrastructure as Code (IaC) means managing cloud computing infrastructure with code rather than by pointing and clicking in the portal GUI. This covers resources such as virtual machines and their operating systems, databases, networking, and storage, to name a few. Traditionally, we had to spend lots of time setting up and maintaining infrastructure, going through lengthy processes whenever we wanted to create something new or tear down an entire environment. With IaC, you define what you want your infrastructure to look like in code without worrying about the detailed steps to get there. For instance, you can state that you want a Debian server with 12 GB of RAM and 80 GB of disk, and the tool works out the API calls needed to make that happen.
Benefits of Infrastructure as Code
Automation is a key goal in computing, and IaC is a way to automate infrastructure management. There are several benefits of using IaC, one of which is easy environment duplication. You can use the same IaC to deploy an environment in one location that you do in another. Suppose a business has IaC describing its entire regional branch environment, including servers and networking. In that case, it can copy the code, change the location-specific values, and execute it again to set up a new branch location. Another benefit is that IaC reduces configuration errors. Manual configuration is error-prone because of human mistakes, so automating it with IaC minimizes them. It also makes error checking more streamlined, because a text file can be reviewed, diffed, and scanned before anything is deployed.
Later in this course, we will be using tools to check IaC configurations for issues, but for now, you can simply read a piece of IaC and evaluate it for misconfigurations before you deploy it. The last benefit I want to cover is the ability to build and branch environments easily. For instance, if a new feature such as a machine learning module is added, developers can branch the IaC, deploy a copy of the environment, and test the feature without affecting the main application.
How does IaC work?
IaC describes a system's architecture and configuration, just as software code describes an application. It uses configuration files that are treated like source code to manage virtualized resources in the cloud. These configuration files can be maintained under source control as part of the overall codebase, which means every infrastructure change gets a commit, a reviewer, and a history.
Immutable vs. Mutable Infrastructure
There are two approaches to managing infrastructure with IaC: mutable and immutable. In a mutable infrastructure, components are modified in place in production, usually while the service keeps running; a server is patched, reconfigured, or resized rather than rebuilt. With immutable infrastructure, components are built once from the definition and never modified afterwards. If a change is required, the affected components are destroyed and redeployed from the updated definition rather than edited in place, so what is running always matches what the code says.
Approaches to IaC
There are two basic approaches to IaC: declarative and imperative. A declarative definition describes the desired end state of a system, and the IaC tool works out how to get there. It is simple to use if the developer knows what components and settings are needed. An imperative definition spells out every step needed to reach the desired running state. It is more complex, but it can be necessary for intricate deployments where the order of operations matters.
Terraform IaC
Terraform, HashiCorp's IaC tool (its source is public, although since 2023 it has been under the Business Source License rather than an open-source license), takes an immutable, declarative approach and uses its own language, HashiCorp Configuration Language (HCL). HCL is implemented in Go, has a JSON-compatible form, and is considered one of the easiest IaC languages to pick up.
I have the Terraform Associate certification, and it took me three days to pick up the language. By the end of these labs, I'd highly suggest you pick up a study guide for the exam since you'll already be two-thirds of the way there. With Terraform, you use the same tool, workflow, and state handling across multiple cloud providers; each provider exposes its own resource types, so a configuration is not portable between clouds as-is, but your skills and your pipeline are. Since many organizations today opt for a hybrid or multi-cloud model, Terraform has become one of the most widely used IaC tools. Terraform is capable of both provisioning and configuration management, but it is inherently a provisioning tool that calls cloud provider APIs to create and manage the required resources. Because it natively handles the orchestration of new infrastructure, it is better suited to immutable infrastructure, where components are replaced rather than edited to make changes. Terraform uses a state file to map the resources in your configuration to the real resources it has created and to detect drift between the two. The state file records everything Terraform builds, including attributes such as IP addresses and, for some resources, secrets, so treat it as sensitive: store it in a protected remote backend rather than committing it to source control. We'll get more into this later. Often considered an obvious choice for an IaC tool, Terraform is what we will be using in this course. So let's get started.
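To make the declarative and immutable ideas concrete, here is an added example in Python (not code from this blog or from HashiCorp): a toy reconciler that compares a declared configuration with a recorded state file and produces a plan, the way terraform plan does, then "applies" it and plans again to show that the result is idempotent. The resource addresses, attributes, sample data and the FORCE_NEW table are made up for the demonstration; real providers decide per attribute what can be changed in place and what forces a replacement.

```python
from dataclasses import dataclass, field
from typing import Optional

# Attributes the (hypothetical) provider cannot change in place. Terraform
# providers mark such attributes "ForceNew": changing one means destroy and
# re-create, which is the immutable-infrastructure behaviour described above.
FORCE_NEW = {
    "azurerm_resource_group": {"location"},
    "azurerm_virtual_network": {"location", "address_space"},
    "azurerm_subnet": {"address_prefixes"},
}


@dataclass(frozen=True)
class Action:
    verb: str                                 # create | update | replace | destroy | no-op
    address: str                              # e.g. "azurerm_subnet.internal"
    diff: dict = field(default_factory=dict)  # attribute -> (old, new)
    after: Optional[dict] = None              # attributes once applied; None = resource gone


def _resource_type(address: str) -> str:
    return address.split(".", 1)[0]


def plan(desired: dict, state: dict) -> list:
    """Diff the declared configuration against recorded state and emit actions.

    desired: {address: {attr: value}}  what the configuration declares
    state:   {address: {attr: value}}  what the state file says already exists
    """
    actions = []
    for address in sorted(set(desired) | set(state)):
        want, have = desired.get(address), state.get(address)
        if have is None:                      # declared, not built yet
            actions.append(Action("create", address,
                                  {k: (None, v) for k, v in want.items()}, dict(want)))
        elif want is None:                    # built earlier, no longer declared
            actions.append(Action("destroy", address,
                                  {k: (v, None) for k, v in have.items()}, None))
        else:
            keys = set(want) | set(have)
            diff = {k: (have.get(k), want.get(k)) for k in keys if have.get(k) != want.get(k)}
            if not diff:
                actions.append(Action("no-op", address, {}, dict(have)))
            elif diff.keys() & FORCE_NEW.get(_resource_type(address), set()):
                actions.append(Action("replace", address, diff, dict(want)))
            else:
                actions.append(Action("update", address, diff, dict(want)))
    return actions


def summarize(actions: list) -> tuple:
    """(to_add, to_change, to_destroy); a replacement counts as one add and one destroy."""
    add = sum(a.verb in ("create", "replace") for a in actions)
    change = sum(a.verb == "update" for a in actions)
    destroy = sum(a.verb in ("destroy", "replace") for a in actions)
    return add, change, destroy


def apply(actions: list, state: dict) -> dict:
    """Return the state left behind after carrying out the plan (no real API calls)."""
    new_state = {k: dict(v) for k, v in state.items()}
    for a in actions:
        if a.after is None:
            new_state.pop(a.address, None)
        else:
            new_state[a.address] = dict(a.after)
    return new_state


# Constructed sample data: the configuration declares three resources; the
# recorded state has the subnet with a different prefix and a NIC that has
# since been removed from the configuration.
DESIRED = {
    "azurerm_resource_group.tpot-rg": {"name": "tpot-resources", "location": "East US"},
    "azurerm_virtual_network.main": {"name": "tpot-network", "location": "East US",
                                     "address_space": ["10.0.0.0/16"]},
    "azurerm_subnet.internal": {"name": "internal", "address_prefixes": ["10.0.2.0/24"]},
}
STATE = {
    "azurerm_resource_group.tpot-rg": {"name": "tpot-resources", "location": "East US"},
    "azurerm_virtual_network.main": {"name": "tpot-network", "location": "East US",
                                     "address_space": ["10.0.0.0/16"]},
    "azurerm_subnet.internal": {"name": "internal", "address_prefixes": ["10.0.1.0/24"]},
    "azurerm_network_interface.old-nic": {"name": "old-nic"},
}

if __name__ == "__main__":
    actions = plan(DESIRED, STATE)
    for a in actions:
        print(f"{a.verb:8} {a.address} {a.diff}")
    add, change, destroy = summarize(actions)
    print(f"Plan: {add} to add, {change} to change, {destroy} to destroy.")
    # Applying and planning again yields nothing to do: the declaration is idempotent.
    print("Second plan:", summarize(plan(DESIRED, apply(actions, STATE))))
```

Run as written, the plan destroys the stale NIC, leaves the resource group and virtual network alone, and replaces the subnet because its prefix is a force-new attribute; the summary reads "1 to add, 0 to change, 2 to destroy", and a second plan against the applied state is empty. Renaming the subnet instead would produce an in-place update, which is the mutable path.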
- Azure Cybersecurity Labs - Final
Azure Cybersecurity Labs - Final
Are you ready to wrap this up? In Azure Cybersecurity Labs - Final, we will assemble everything and generate a report on cloud security posture that can be presented to small and medium-sized businesses. First, we are going to analyze the Terraform code with Checkov. So let's do that.
Make a Terraform directory and move there:
mkdir ~/wrappingup
cd ~/wrappingup
Create the main.tf file with VS Code:
code main.tf
Paste the following code into the file and save it:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.90.0"
    }
  }
}

provider "azurerm" {
  # Configuration options
  features {}
}

variable "prefix" {
  default = "tpot"
}

resource "azurerm_resource_group" "tpot-rg" {
  name     = "${var.prefix}-resources"
  location = "East US"
}

resource "azurerm_virtual_network" "main" {
  name                = "${var.prefix}-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
}

resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.tpot-rg.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_virtual_machine" "main" {
  depends_on            = [azurerm_resource_group.tpot-rg]
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.tpot-rg.location
  resource_group_name   = azurerm_resource_group.tpot-rg.name
  network_interface_ids = [azurerm_network_interface.tpot-vm-nic.id]
  vm_size               = "Standard_A2m_v2"

  # Delete the OS disk automatically when deleting the VM
  delete_os_disk_on_termination = true

  # Delete the data disks automatically when deleting the VM
  delete_data_disks_on_termination = true

  storage_image_reference {
    publisher = "canonical"
    offer     = "ubuntu-24_04-lts"
    sku       = "minimal-gen1"
    version   = "latest"
  }

  storage_os_disk {
    name              = "tpot-disk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "hostname"
    admin_username = "azureuser"
    admin_password = "CyberNOW!" # lab-only credential published in this series; change it before you deploy
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }
}

# Create Security Group to access linux
resource "azurerm_network_security_group" "tpot-nsg" {
  depends_on          = [azurerm_resource_group.tpot-rg]
  name                = "linux-vm-nsg"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name

  # Honeypot: deliberately exposes every TCP port to the Internet
  security_rule {
    name                       = "AllowALL"
    description                = "AllowALL"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowSSH"
    description                = "Allow SSH"
    priority                   = 150
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

# Associate the linux NSG with the subnet
resource "azurerm_subnet_network_security_group_association" "tpot-vm-nsg-association" {
  depends_on                = [azurerm_resource_group.tpot-rg]
  subnet_id                 = azurerm_subnet.internal.id
  network_security_group_id = azurerm_network_security_group.tpot-nsg.id
}

# Get a Static Public IP
resource "azurerm_public_ip" "tpot-vm-ip" {
  depends_on          = [azurerm_resource_group.tpot-rg]
  name                = "tpot-vm-ip"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
  allocation_method   = "Static"
}

# Create Network Card for linux VM
resource "azurerm_network_interface" "tpot-vm-nic" {
  depends_on          = [azurerm_resource_group.tpot-rg]
  name                = "tpot-vm-nic"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.tpot-vm-ip.id
  }
}

output "public_ip" {
  value = azurerm_public_ip.tpot-vm-ip.ip_address
}

Format the file:
terraform fmt
Execute Checkov (make sure you're in the directory your Terraform file is in):
checkov -f main.tf
Results: Checkov reports 8 passed checks, 7 failed checks, and 0 skipped checks.
We have seven failed checks. Looking through the list, it warns us about things we have explicitly configured, like ports exposed to the public Internet. Since this is the honeypot we configured in Azure Cybersecurity Labs - Part Four, we know that it works and that this is how it has to be configured to work correctly. Still, triage each failed check individually rather than waving the whole list through: the open-port findings are accepted risk for a honeypot, but a finding should only be accepted when you can state why, and that reasoning belongs in the report. Checkov lets you record an accepted finding with an inline comment inside the resource block, #checkov:skip=<CHECK_ID>:<reason>, using the check ID it printed, so the next scan lists it as skipped with the justification instead of failed. So let's go ahead and deploy this to Azure.
Type az login in the terminal to establish your credentials if they aren't cached already:
az login
Initialize the directory:
terraform init
Now plan:
terraform plan
Note: Take a look at the Terraform plan and see the 8 resources that we are creating. While not mandatory, it's good practice to run terraform plan to review your changes BEFORE deploying.
Now apply:
terraform apply
Make sure you have previously deleted this project from Azure (terraform destroy in the Part Four directory) so that you can deploy it again; the resource names are the same, and the apply will fail if they already exist.
Prowler
Now we're getting into new stuff. Prowler is an open-source security tool for performing AWS, Azure, Google Cloud, and Kubernetes security best-practice assessments, audits, incident response, continuous monitoring, hardening, forensics readiness, and remediation. The project's command-line tool is called Prowler Open Source. You can install Prowler with pip3, as we did with Checkov in Azure Cybersecurity Labs - Part Five. So let's do that:
pip3 install prowler
And then we run Prowler against the subscription our az login session can see:
prowler azure --az-cli-auth
The results are displayed on your screen and also exported to Prowler's output directory (see its -o/--output-directory option), including an HTML report. I like to view HTML files and use HTML to JPG or HTML to PDF converters online. Bear in mind that the report describes a client's environment and its weaknesses; a browser's print-to-PDF function converts it without uploading the findings to a third party.
Our subscription is new, so the report doesn't contain much beyond recommendations to enable Microsoft Defender for resource types we have not deployed yet. Using Prowler is very simple, and the value you add as a freelancer is discerning the results and narrowing them down to what is useful and actionable for the business. Do not just hand them this report and be done with it. They will be unhappy. Instead, write specific recommendations in your report template, with step-by-step instructions on how to fix each issue that matters to them. That wraps up the Azure Cybersecurity Labs series, but stick around for one BONUS as we discuss serverless computing.
- Azure Cybersecurity Labs - Part Four
Azure Cybersecurity Labs - Part Four
Let's get started on Azure Cybersecurity Labs - Part Four. In this lab, we will continue our Terraform exercises by deploying a honeypot via Terraform. If you have been following along, previously on this blog I had you install T-Pot manually using the GUI in Azure. There's a much easier way to do this, so let's get rolling.
Create the Terraform Configuration File
First, in the terminal on Mac, we will issue the following commands to create a directory that will contain our Terraform configuration:
mkdir ~/tpot
cd ~/tpot
And open up a file for main.tf:
code main.tf
On Windows, create a folder anywhere called "tpot", create a new file called "main" with the file extension ".tf", and open that file with Visual Studio Code.
Now we need to write the configuration that creates a few new resources. Copy and paste the code snippet into the "main.tf" file:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.90.0"
    }
  }
}

provider "azurerm" {
  # Configuration options
  features {}
}

variable "prefix" {
  default = "tpot"
}

resource "azurerm_resource_group" "tpot-rg" {
  name     = "${var.prefix}-resources"
  location = "East US"
}

resource "azurerm_virtual_network" "main" {
  name                = "${var.prefix}-network"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
}

resource "azurerm_subnet" "internal" {
  name                 = "internal"
  resource_group_name  = azurerm_resource_group.tpot-rg.name
  virtual_network_name = azurerm_virtual_network.main.name
  address_prefixes     = ["10.0.2.0/24"]
}

resource "azurerm_virtual_machine" "main" {
  depends_on            = [azurerm_resource_group.tpot-rg]
  name                  = "${var.prefix}-vm"
  location              = azurerm_resource_group.tpot-rg.location
  resource_group_name   = azurerm_resource_group.tpot-rg.name
  network_interface_ids = [azurerm_network_interface.tpot-vm-nic.id]
  vm_size               = "Standard_A2m_v2"

  # Delete the OS disk automatically when deleting the VM
  delete_os_disk_on_termination = true

  # Delete the data disks automatically when deleting the VM
  delete_data_disks_on_termination = true

  storage_image_reference {
    publisher = "canonical"
    offer     = "ubuntu-24_04-lts"
    sku       = "minimal-gen1"
    version   = "latest"
  }

  storage_os_disk {
    name              = "tpot-disk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "hostname"
    admin_username = "azureuser"
    admin_password = "CyberNOW!" # lab-only credential published in this series; change it before you deploy
  }

  os_profile_linux_config {
    disable_password_authentication = false
  }
}

# Create Security Group to access linux
resource "azurerm_network_security_group" "tpot-nsg" {
  depends_on          = [azurerm_resource_group.tpot-rg]
  name                = "linux-vm-nsg"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name

  # Honeypot: deliberately exposes every TCP port to the Internet
  security_rule {
    name                       = "AllowALL"
    description                = "AllowALL"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowSSH"
    description                = "Allow SSH"
    priority                   = 150
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

# Associate the linux NSG with the subnet
resource "azurerm_subnet_network_security_group_association" "tpot-vm-nsg-association" {
  depends_on                = [azurerm_resource_group.tpot-rg]
  subnet_id                 = azurerm_subnet.internal.id
  network_security_group_id = azurerm_network_security_group.tpot-nsg.id
}

# Get a Static Public IP
resource "azurerm_public_ip" "tpot-vm-ip" {
  depends_on          = [azurerm_resource_group.tpot-rg]
  name                = "tpot-vm-ip"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name
  allocation_method   = "Static"
}

# Create Network Card for linux VM
resource "azurerm_network_interface" "tpot-vm-nic" {
  depends_on          = [azurerm_resource_group.tpot-rg]
  name                = "tpot-vm-nic"
  location            = azurerm_resource_group.tpot-rg.location
  resource_group_name = azurerm_resource_group.tpot-rg.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.internal.id
    private_ip_address_allocation = "Dynamic"
    public_ip_address_id          = azurerm_public_ip.tpot-vm-ip.id
  }
}

output "public_ip" {
  value = azurerm_public_ip.tpot-vm-ip.ip_address
}

One caveat before you apply this: the admin password is hard-coded and published on this page, and the AllowSSH rule accepts connections to port 22 from the whole Internet. Change the password before you deploy; until the T-Pot installer moves SSH to its own port, anyone who has read this post can log in to your VM. For anything that is not a throwaway lab, use an SSH key (an ssh_keys block under os_profile_linux_config) and set disable_password_authentication = true.
Something I'm just going to note here because it's difficult information to find: if you want to find the SKU of a particular image, you can search for it with this syntax:
az vm image list --publisher Canonical --sku gen1 --output table --all
Type az login in the terminal to establish your credentials:
az login
Initialize the directory:
terraform init
Now plan:
terraform plan
Note: Take a look at the Terraform plan and see the 8 resources that we are creating. While not mandatory, it's good practice to run terraform plan to review your changes BEFORE deploying.
Now apply:
terraform apply
It will output the public IP address. SSH into it with the credentials:
ssh azureuser@<public_ip>
Username: azureuser
Password: CyberNOW!
And install the honeypot. This is T-Pot's documented one-line installer, which downloads and runs the project's install script; as with any curl-to-shell install, read the script first if you want to know what it changes on the host:
env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)"
Select the "Hive" install, and when it finishes:
sudo reboot
Note: The installation script moves the SSH daemon to port 64295, so to SSH to the honeypot afterwards you have to use: ssh azureuser@<public_ip> -p 64295
You can now log in to the honeypot web interface at https://<public_ip>:64297
See how much easier this is than configuring it manually? This blog series won't detail how to write a Terraform configuration from scratch, but at this point you understand the basic Terraform lifecycle, its application, and what it's used for.
I recommend picking up a Udemy course on the Terraform Associate exam and spending the next couple of days studying for it. The Terraform Associate exam isn't very costly, and the certificate makes great wall art. When you are finished with T-Pot, make sure you aren't charged anything further: run terraform destroy to remove everything you created in one swoop. Easy peasy. Join us next in this series as we conduct automated scans of Terraform files for configuration issues using the open-source tool Checkov.
- Azure Cybersecurity Labs - Part Five
Azure Cybersecurity Labs - Part Five
Next up is Azure Cybersecurity Labs - Part Five. Checkov is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations that may lead to security or compliance problems. Checkov includes more than 750 predefined policies that check for common misconfiguration issues, and it also supports the creation and contribution of custom policies.
Supported IaC types
Checkov scans these IaC file types:
- Terraform (for AWS, GCP, Azure and OCI)
- CloudFormation (including AWS SAM)
- Azure Resource Manager (ARM)
- Serverless framework
- Helm charts
- Kubernetes
- Docker
This lab shows how to install Checkov, run a scan, and analyze the results.
Install Python and pip3
pip3 is the pip command for Python 3, the official package manager for Python. It installs and manages third-party packages from PyPI (the Python Package Index) that provide features not found in the Python standard library. You get it by installing the latest version of Python.
Install Checkov from PyPI using pip:
pip3 install checkov
Make a Terraform directory and move there:
mkdir ~/checkov-example
cd ~/checkov-example
Create the main.tf file with VS Code:
code main.tf
Paste the following code into the file, save, then exit. This is a deliberately misconfigured S3 bucket: its ACL grants public read access, which is exactly what we want Checkov to catch.

resource "aws_s3_bucket" "foo-bucket" {
  # Deliberately misconfigured: the ACL grants public read access
  acl = "public-read"
}

data "aws_caller_identity" "current" {}

Format the file:
terraform fmt
Execute Checkov (make sure you're in the directory where your Terraform file is):
checkov -f main.tf
Results: Checkov result showing failed checks.
It's that simple. As you can see, Checkov runs and reports 8 failed checks, including public read access enabled.
If you click on the link next to a failed check, it takes you to a guide that explains the failure in more detail and shows how to fix it. Checkov checks for standard configuration and security errors in your Terraform code BEFORE you deploy it. Any time you download a Terraform configuration to execute in your environment, run Checkov over it first to ensure it meets your standards for configuration; a scan is no substitute for reading the code, but it catches the common mistakes quickly and consistently. In the next post, which wraps up this series, we will check a Terraform configuration file for issues with Checkov, deploy it to Azure, and use the open-source tool Prowler to perform a security best-practices assessment of your Azure environment. The report generated can be used to present your recommendations for remediation to small and medium-sized businesses. You will then be able to create a gig on Fiverr, Upwork, or the like and conduct low-cost cloud security assessments. Remember to continue your education to pass the Terraform Associate exam.
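As an added example (not code from this blog or from Checkov), here is a stripped-down stand-in for the kind of custom policy Checkov lets you write, in Python: it reads the security_rule blocks out of a main.tf with a regular expression and flags inbound Allow rules that expose SSH or RDP to the whole Internet, the same class of finding Checkov raised against the honeypot NSG in the Final lab. A real custom policy would subclass Checkov's BaseResourceCheck and receive an already-parsed resource dict instead of parsing HCL by hand; the regex here only handles the flat, quoted-attribute form used in the lab file and ignores destination_port_ranges lists. The sample configuration is constructed: the first two rules are the lab's, the third and its 203.0.113.0/24 range are added for contrast.

```python
import re

# Constructed sample: the two security_rule blocks from the lab's honeypot NSG
# plus a third rule restricted to a single (documentation-range) network.
SAMPLE_TF = '''
resource "azurerm_network_security_group" "tpot-nsg" {
  name = "linux-vm-nsg"

  security_rule {
    name                       = "AllowALL"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowSSH"
    priority                   = 150
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    destination_port_range     = "22"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "AllowSSHFromOffice"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    destination_port_range     = "22"
    source_address_prefix      = "203.0.113.0/24"
    destination_address_prefix = "*"
  }
}
'''

# Minimal HCL extraction: each security_rule block and its key = "value" lines.
# Only copes with the flat, quoted-string form used in the lab file (no nesting).
BLOCK_RE = re.compile(r"security_rule\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

# Source prefixes treated here as "anyone on the Internet".
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0"}


def parse_rules(hcl_text: str) -> list:
    """Return one {attribute: value} dict per security_rule block."""
    return [dict(ATTR_RE.findall(m.group(1))) for m in BLOCK_RE.finditer(hcl_text)]


def port_in_range(port: int, spec: str) -> bool:
    """Does an Azure port spec ("*", "22", "0-1024", "22,3389") cover the port?"""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = part.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif part.isdigit() and int(part) == port:
            return True
    return False


def is_public_source(prefix: str) -> bool:
    return prefix.strip().lower() in PUBLIC_SOURCES


def exposed_rules(rules: list, port: int) -> list:
    """Inbound Allow rules that let the whole Internet reach the given TCP port."""
    return [
        r for r in rules
        if r.get("direction", "").lower() == "inbound"
        and r.get("access", "").lower() == "allow"
        and r.get("protocol", "").lower() in ("tcp", "*")
        and is_public_source(r.get("source_address_prefix", ""))
        and port_in_range(port, r.get("destination_port_range", ""))
    ]


def check(hcl_text: str) -> list:
    """Run the policy over a main.tf and return one finding string per violation."""
    rules = parse_rules(hcl_text)
    findings = []
    for service, port in (("SSH", 22), ("RDP", 3389)):
        for r in exposed_rules(rules, port):
            findings.append(f"FAILED: rule '{r.get('name')}' allows {service} (tcp/{port}) "
                            f"from {r.get('source_address_prefix')}")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE_TF):
        print(line)
```

Against the sample, AllowALL is reported twice (it covers both 22 and 3389 through the "*" port range), AllowSSH once, and the office-restricted rule not at all, which is the distinction the honeypot's accepted findings turn on: the same port open to one management range is a very different risk from the same port open to the Internet.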
- How to Build Skills for a Successful SOC Analyst Career
In today's digital age, the demand for cybersecurity professionals is soaring. Among these roles, the Security Operations Center (SOC) Analyst stands out. A SOC Analyst is crucial to protecting organizations from cyber threats by monitoring and analyzing security incidents. If you want to build a successful career in this field, understanding the skills required to thrive as a SOC Analyst is essential.
SOC Analyst Career Overview
A SOC Analyst's primary responsibility is to defend an organization's digital assets from cyber threats. They continuously monitor security systems, identify potential vulnerabilities, and respond to security incidents. Because of the highly dynamic nature of the cyber threat landscape, SOC Analysts must possess a diverse set of skills. Let's dive into the key competencies you must develop for a successful SOC Analyst career.
Technical Skills and Knowledge
To be an effective SOC Analyst, you must have a strong technical foundation. This includes:
- Networking. Understanding protocols like TCP/IP, DNS, and HTTP is critical. You should know how data travels over the network, how devices communicate, and where vulnerabilities may arise. A common interview question is, "When I type google.com into the browser, tell me what happens and how you end up with the web page." Be ready to walk through DNS resolution, the TCP handshake, TLS, and the HTTP request and response.
- Operating systems. Familiarity with Windows, Linux, and UNIX will enhance your understanding of the environments you must protect. Each OS has different security features and vulnerabilities.
- Security tools. SOC Analysts use various tools to monitor, detect, and respond to security incidents. Get hands-on experience with security information and event management (SIEM) tools like Splunk. We have a Splunk cyber range here at Cyber NOW.
- Incident response. Knowing how to respond to incidents is essential. This involves identifying the threat, containing and mitigating it, and documenting the process.
Investing time in these technical skills will not only make you more proficient but also increase your employability in the cybersecurity field.
Soft Skills and Communication
While technical skills are vital, soft skills should not be overlooked. SOC Analysts often work in teams and must communicate effectively. Here are some essential soft skills to develop:
- Critical thinking. You'll encounter complex issues daily. Being able to think critically and solve problems under pressure is key to success.
- Attention to detail. Cybersecurity often relies on spotting minor anomalies that could lead to significant breaches. A keen eye makes all the difference.
- Communication. You'll need to clearly articulate security issues to technical and non-technical stakeholders. Being able to write concise reports about security incidents is also crucial.
- Teamwork. In a SOC, collaboration is essential. Working well with others helps mitigate threats more efficiently.
Enhancing these soft skills can elevate your career and make you a more valuable asset to any security team.
Relevant Certifications
Certifications can strengthen your CV and demonstrate your commitment to the field. The recommended certification for aspiring SOC Analysts is CompTIA Security+.
Continuous Learning and Development
The rapidly evolving nature of technology and cyber threats means that cybersecurity professionals must continuously learn. Here are ways to stay updated:
- Network. Attend cybersecurity conferences, join local meetups, and engage online through forums, groups, Discord, Slack, Mastodon, X, LinkedIn, and other social networks. Interacting with industry professionals can provide insights and job opportunities.
- Read. Stay informed by reading blogs, whitepapers, and news articles related to cybersecurity. Websites such as this one and the SANS Institute are excellent resources for the latest trends and threats.
- Find a mentor. A mentor in the field can offer invaluable real-world experience, provide guidance, share insights, and help you navigate your career path more effectively.
Continuously improving your skills and knowledge can position you as a leader in the SOC Analyst role.
Real-World Experience
Nothing compares to practical experience. Here are some ways to gain hands-on experience in cybersecurity:
- Internships. Many organizations offer internships for aspiring SOC Analysts. Even a junior position can provide valuable insight and experience.
- Volunteering. Offer your skills to non-profit organizations or local businesses to help them improve their security posture. This not only enhances your skills but expands your portfolio.
- A home lab. Set up your own lab in the cloud. Document your projects before you destroy them on your favorite cloud provider.
Every bit of experience counts, so be proactive in seeking out opportunities that will directly contribute to your growth as a SOC Analyst.
Navigating Your Career Path
Embarking on a SOC Analyst career involves careful planning and awareness of industry trends. Consider the following when navigating your career path:
- Set goals. Define short- and long-term goals to create a roadmap for your career. This helps you stay focused and motivated.
- Specialize. As you gain experience, think about potential specializations within cybersecurity. Areas like threat hunting, malware analysis, or security orchestration can offer exciting career paths.
- Watch the market. Keep an eye on job postings and industry demand to see which skills are sought after. This can guide your learning and professional development. You can find a job board for SOC analyst and helpdesk roles on this site.
- Keep adapting. Cybersecurity is a field that requires constant adaptation to new challenges. A willingness to learn and evolve is crucial for success.
By following these steps and remaining open to opportunities, you can carve out a successful career as a SOC Analyst.
Building a career as a SOC Analyst requires dedication, continuous learning, and the development of both technical and soft skills. Embracing both aspects will not only prepare you for the challenges ahead but also set you up for long-term success in the world of cybersecurity. For those serious about pursuing this path, consider starting your journey with SOC analyst training.
- Why Webinars Are Essential for Learning Cybersecurity
In today's digital age, the importance of cybersecurity cannot be overstated. As technology advances, so do cybercriminals' tactics, making it crucial for both individuals and organizations to stay informed and capable of defending against cyber threats. One of the most effective and engaging ways to deepen your understanding of this field is through webinars. Cybersecurity webinars have become vital in expanding the knowledge and skill sets of professionals at all levels.
Cybersecurity Webinars
Webinars offer an accessible platform for learning. They allow participants to engage with industry experts, gain insights, and ask real-time questions. Unlike traditional classroom settings, webinars provide flexibility; they can be attended from anywhere, as long as there's an internet connection. Moreover, access to recorded sessions means that participants can revisit the material as needed. This is particularly beneficial in the fast-evolving world of cybersecurity, where new vulnerabilities and solutions emerge almost daily.
A study by Cybersecurity Ventures predicted that by 2025, cybercrime will cost the world $10.5 trillion annually. That figure is a stark reminder of why ongoing learning in cybersecurity is paramount. Webinars fill the gap between formal education and real-world application, making it easier for individuals to stay updated with the latest trends and tactics in the cyber landscape. Educational webinars also often feature live technical demonstrations that let participants see the consequences of cyber attacks through real examples. This engaging format not only educates but also encourages proactive security practices.
Benefits of Participating in Cybersecurity Webinars
There are several benefits to participating in cybersecurity webinars:
- Expert access. Webinars often feature guest speakers who are renowned experts in the field. These sessions give you unique insight into their experiences and knowledge.
- Networking. Many webinars let participants interact in chat rooms or forums. This can lead to invaluable networking opportunities and enhance your professional connections.
- Convenience. You can attend webinars hosted anywhere without traveling, which makes it easier to find specialized topics that interest you.
- Cost. Webinars are often free or much cheaper than traditional classes. Many organizations offer these sessions to provide ongoing education to their workforce without breaking the bank.
In an era where the demand for cybersecurity professionals outpaces supply, staying informed is not just an option; it's a necessity.
The Triad of Cybersecurity
When discussing cybersecurity, it's essential to understand the foundational principles that guide many practices: confidentiality, integrity, and availability.
- Confidentiality ensures that sensitive information is accessible only to those authorized. Techniques such as encryption and access controls are commonly used to uphold confidentiality.
- Integrity refers to the accuracy and reliability of data. Maintaining data integrity involves measures to prevent unauthorized or undetected modification. Input validation and cryptographic checksums are two methods used to ensure information remains correct; note that a plain checksum only catches accidental corruption, so where an attacker rather than a fault is the concern, use a keyed MAC or a digital signature.
- Availability ensures that authorized users have access to information and resources when needed. Reliable systems, redundancy, and proper maintenance practices help achieve high availability, which is critical during peak usage.
Understanding these three fundamental principles can significantly enhance your cybersecurity knowledge and make you more adept at implementing best practices within your organization.
How to Get the Most Out of Webinars
To maximize the benefits of attending cybersecurity webinars, consider the following strategies:
- Prepare. Familiarize yourself with the topic. If you know what will be discussed, you will derive more value from the discussion.
- Engage. Ask questions and participate in discussions. Engaging actively can reinforce what you've learned and provide greater clarity on complex subjects.
- Take notes. Documenting essential points will help you retain information and provide material for future reference.
- Follow up. After the session, connect with the speaker or other attendees on professional networks like LinkedIn. This can open doors for future conversations and learning opportunities.
- Apply it. Apply the concepts and strategies discussed in the webinar to your own work or studies. This hands-on approach solidifies your understanding.
By using these strategies, you can transform your webinar experience from a passive activity into a proactive learning opportunity.
Future of Cybersecurity Education
The landscape of cybersecurity education is changing rapidly, with webinars playing an increasingly critical role. As technological advancements continue, it is paramount to embrace updated educational tools. The convenience and effectiveness of online learning platforms make webinars a key component of ongoing professional development. Furthermore, organizations are taking notice. Many companies invest in webinars to upskill their employees. This not only fosters a culture of continuous learning but also strengthens the organization's overall security posture. As you embark on your journey in cybersecurity, consider exploring platforms that offer specialized training and sessions. Websites like CyberNow Education provide many resources to enhance your knowledge and skills in this ever-evolving field. With the right tools and a commitment to ongoing learning, you can build a career that not only meets the demands of the present but also anticipates the challenges of the future.
- Steps to Start a SOC Analyst Career with No Experience
Beginning a career in cyber from the position of an Aspiring SOC Analyst is a labor-intensive, exciting, intense, and up-and-coming journey that many hope works out. Salaries for knowledgeable, determined, and ambitious cyber professionals can absolutely reach the 300s. However, the need for cyber professionals is changing rapidly due to the increasing number of breaches. To meet this demand, AI and automation are stepping in to alleviate some of the workload of the human capital and balance the insatiable demand for IT. If you are considering becoming a cyber professional but feel daunted because you have no experience, do not worry. This guide will explain the steps to jump-start you into a rewarding cyber career. These are the Steps to Start a SOC Analyst Career with No Experience.

Understanding the Cybersecurity Career Landscape

Cybersecurity is a broad field that encompasses various roles, from network security to penetration testing, risk assessment, and compliance. More than just technical skills, a successful career in this domain often requires critical thinking, problem-solving abilities, advanced reading and writing, and a willingness to keep learning.

The U.S. Bureau of Labor Statistics expects employment in cybersecurity roles to grow by 31% from 2019 to 2029, far faster than the average for all occupations. It is interesting to note that today, we do not see growth, but our perspective is short-term. According to the authority on labor statistics, a long-term increase in cybersecurity is still expected. As cyber threats evolve, the demand for qualified professionals rises, making now an excellent time to consider this career path. I believe advancements in human labor and Artificial Intelligence can meet these challenges together.

Educational Pathways

While some roles may require specific degrees, many entry-level positions do not. Here are some recommended paths to take:

You may pursue an associate's degree in information technology or cybersecurity. Alternatively, universities offer specialized bachelor's and master's programs focusing on cybersecurity. Stick to public brick-and-mortar institutions; typically, Computer Science degrees are more conducive to entry-level positions in cybersecurity. Computer Science degrees are very technical, whereas many Cybersecurity programs teach high-level policy that you won't use for many years. If you must choose an online school, WGU has a good reputation, and you'll come out of the program with something. It's cheap. It is a public institution. Avoid private online schools.

Industry-recognized certifications can validate your skills to potential employers. Start with certifications such as CompTIA Security+.

Cyber NOW Education offers affordable courses on cybersecurity fundamentals. These can be a great way to acquire knowledge without committing to a full-time degree program, or to supplement formal learning.

Start a SOC Analyst Career with No Experience

Experience is essential, but it can be gained even without a formal job in cybersecurity.

Explore internships that provide hands-on experience in the field. Internships often lead to full-time positions and help you build a network.

Many organizations, especially non-profits, seek individuals to assist with their cybersecurity needs. This can be an excellent way to gain real-world experience.

Create a Medium blog and document your cloud-based projects. Medium is best because it has a built-in audience of millions of tech people, and its SEO is really fantastic. Your name will become searchable on Google. Be careful what you comment, because comments get indexed as well. Just be supportive of everyone and seldom critical.

Participate in capture-the-flag (CTF) competitions. These events simulate real-world scenarios and allow you to develop and showcase your skills. Focus more on CTF programs that require you to work on a team. Less TryHackMe, more CCDC or similar.

Networking in the Cybersecurity Community

Building a professional network can significantly help your career. Online forums such as Reddit's cybersecurity subreddits or specialized groups on LinkedIn can provide valuable insights and networking opportunities.

Consider attending cybersecurity conferences and workshops. Events like OWASP, DEF CON Groups, 2600, ISACA, ISC2, Makerspaces, Hackerspaces, and local meetups can connect you with industry professionals and potential employers.

Follow influential figures in cybersecurity on X, Mastodon, or LinkedIn. There is a significant presence of cybersecurity professionals on both X and Mastodon for less formal discussions. LinkedIn is typically reserved for formal debate. Engaging with their content can keep you updated on industry trends and job openings. Dave Kennedy from TrustedSec is a good name to follow if you want to see what a humble beginning in cybersecurity could turn out to be. Taimur Ijlal of Cloud Security Guy has a YouTube channel, a Medium blog, and a Substack, and he also creates courses for us. Gladys Ijih of Cyber Potential regularly posts jobs. John Strand and Jason Blanchard of Black Hills Information Security have quite a few resources. You might like Krebs, though he is more of a controversial, polarized character these days. Also, I am on LinkedIn.

Is Cybersecurity a 9-5 Job?

While many cybersecurity positions may operate within standard business hours, the nature of the field often requires flexibility. Cybersecurity professionals may be on call during off-hours to respond to security breaches or system failures. Many companies require security teams to monitor networks continuously. As a SOC analyst, if you work at an MSSP, you'll be customer-facing and take inbound calls. These positions typically are not on call. SOC analysts who work at an internal SOC at a medium-sized company are generally on call. Internal SOCs at large companies usually aren't on call.

Researching Job Opportunities

When you feel ready to enter the job market, researching available positions is crucial. Websites like Indeed, Glassdoor, and LinkedIn have dedicated sections for cybersecurity roles. Search for "SOC Analyst", "Information Security Analyst", "Cybersecurity Analyst", and "Cyber Security Analyst".

Don't hesitate to check the career pages of companies you're interested in. Direct applications sometimes yield better chances, as they are less competitive than general job boards.

Some agencies specialize in IT and cybersecurity roles. Connect with them for guidance and potential job placements. SOC analyst positions are now often hiring by referrals only because the application process is broken.

Preparing for Interviews

Once you begin applying, preparation is key to securing interviews. Here are some tips:

Familiarize yourself with typical interview questions for cybersecurity roles. These can include technical queries and situational questions that assess your problem-solving skills.

Employers value candidates who show enthusiasm for cybersecurity. Discuss recent security breaches or interesting issues you've followed in the industry.

Consider conducting mock interviews with friends or mentors to build confidence and refine your responses.

Continual Learning and Growth

Cybersecurity is not a static field. Continuous learning is essential. Follow industry news and updates from the Cybersecurity & Infrastructure Security Agency (CISA). Staying informed can give you a competitive edge.

As you gain experience, aim for intermediate certifications like EC-Council's Certified Ethical Hacker (CEH) and advanced certifications like Certified Information Systems Security Professional (CISSP).

Understand that cybersecurity roles have multiple pathways. As you grow, consider exploring specializations in cloud security, security engineering, application security, or security architecture.

Final Thoughts on Your SOC Analyst Career Journey

Starting a career in the SOC without prior experience might seem challenging. Still, by following the steps outlined in this guide, you can successfully jump-start your vehicle for a long, rewarding journey in cyber. Education, networking, hands-on projects, and a commitment to continual learning will set you on your road. Remember, every expert was once a beginner. Embrace the frustrations, and you'll soon thrive in this dynamic and exciting field. Getting a job as a SOC analyst is 70% experience, 15% certifications, and 15% degree.