Search Results
- Do Not Lie During Cybersecurity Interviews .. Do This Instead
Do Not Lie During Cybersecurity Interviews .. Do This Instead

Let me tell you about a person I know .. let’s call him Kevin. Kevin had an interview lined up for a Security Operations Center (SOC) analyst role which he was really keen about. Kevin, an ambitious candidate, was asked about his experience with threat hunting tools. Though Kevin had only dabbled in them during his training, he decided to exaggerate his expertise, hoping it would impress the panel. This is Do Not Lie During Cybersecurity Interviews .. Do This Instead.

“I’ve extensively used Splunk and CrowdStrike in live incident response scenarios,” he claimed, fabricating stories about detecting advanced persistent threats (APTs) in critical environments. Initially, his answers seemed to land well, and the company was impressed. However, the hiring manager, an experienced SOC lead, started probing deeper as the interview progressed. He asked Kevin to walk through specific configurations in Splunk and detail how he’d created detection rules. Kevin stumbled; his answers were vague and contradictory. By the end of the interview, it was evident that Kevin had overstated his abilities.

The hiring manager thanked him politely but noted his lack of transparency in their feedback. Kevin didn’t get the job — not because of his limited experience, but because his dishonesty raised red flags about his integrity. Kevin’s bluffing attempt not only cost him the opportunity but also tarnished his professional reputation with that employer.

Here’s how you can confidently address knowledge gaps in your interviews and turn them into strengths.

1. Acknowledge the Gap Without Hesitation

When faced with a question about an area you’re unfamiliar with, start by acknowledging the gap. Trying to fake expertise is dangerous — most experienced interviewers can see through it, and it could damage your credibility. Instead, use phrases like: “I haven’t had hands-on experience with [specific technology], but I’m familiar with the underlying concepts.” This approach shows self-awareness and maturity. Cybersecurity is a vast field, and no one expects you to know everything. What they do expect is honesty.

2. Highlight Similar Experience

Even if you lack direct experience with a specific tool or technology, you’ve likely worked on something similar. Drawing parallels to related experience demonstrates that you have foundational knowledge and transferable skills. For example, if you’re asked about Kubernetes but have worked with Docker, you could say: “While I don’t have hands-on experience with Kubernetes, I’ve led projects securing Docker containers. These projects involved image hardening, runtime monitoring, and implementing strict network policies — all of which are critical for container security.” This not only answers the question but also shifts the focus to your expertise, making you appear confident and resourceful.

3. Show Your Willingness to Learn

Employers value candidates who are proactive about upskilling. If you’re already taking steps to bridge your knowledge gap, mention it. This shows initiative and a commitment to professional growth. For instance, you could say: “I’m actively expanding my skills in Kubernetes security and currently working through a Kubernetes security certification. I’ve also been following best practices in container orchestration to ensure I’m prepared to tackle similar challenges.” By framing your gap as an area of ongoing learning, you demonstrate a growth mindset — an essential quality for success in cybersecurity.

4. Pivot to Your Strengths

After addressing the gap, steer the conversation toward your strengths. Highlight how your existing skills can be applied to the role or technology in question. For example: “My experience in container security has taught me to adapt quickly to new tools and frameworks. I’ve developed processes for securing complex environments, and I’m confident I could apply the same approach effectively to Kubernetes.” This reassures the interviewer that, while you may need some ramp-up time, you have the foundational skills and adaptability to succeed.

Why This Approach Works

Addressing knowledge gaps with honesty and professionalism has several advantages:

- Demonstrates Self-Awareness: Acknowledging what you don’t know shows confidence and maturity. It proves you’re not afraid to admit your limitations, which is a sign of integrity.
- Highlights Adaptability: Employers value candidates who are proactive about learning and can adapt to new challenges. By showcasing your willingness to upskill, you position yourself as a forward-thinking professional.
- Builds Trust: Integrity is paramount in cybersecurity. Employers need to trust you to protect their systems and data. Bluffing erodes that trust, while honesty reinforces it.
- Creates a Positive Impression: Pivoting to your strengths and expressing a clear desire to learn leaves the interviewer with a strong impression of your professionalism and enthusiasm.

What Happens When You Bluff?

Bluffing might seem tempting in the moment, but it can have serious consequences. If your bluff is uncovered during the interview, it damages your credibility and can cost you the opportunity. Worse, if you’re hired and later exposed as lacking the claimed expertise, it could harm your reputation and your team’s trust in your abilities. Cybersecurity is a field where trust and accuracy are everything. If you can’t demonstrate integrity in an interview, how can an employer trust you with their critical systems?

So .. next time you face a tough question, take a deep breath, be honest, and let your strengths shine. Good luck with your interviews!
Taimur Ijlal is a multi-award-winning information security leader with over two decades of international experience in cyber-security and IT risk management in the fin-tech industry. Taimur can be connected on LinkedIn or on his YouTube channel “Cloud Security Guy”, on which he regularly posts about Cloud Security, Artificial Intelligence, and general cyber-security career advice.
- Here Are My Cybersecurity Side-Hustles
The whole point of side hustles is to help cybersecurity professionals build additional income streams alongside their 9-to-5 jobs. This is becoming increasingly critical as cybersecurity is no longer the layoff-proof, recession-proof haven it used to be.

This week, I thought I would start listing every single one of the income streams and side hustles that I have built beside my 9 to 5. I have tried many cybersecurity side-hustles over the years. Some of them worked, while some of them flopped into the black void of the Internet. In this post I plan to list my current ones and then deep dive into each in the coming weeks. I hope this gives you some insights and shows you what is possible with monetizing your cybersecurity knowledge. Let’s see how it goes!

How I Chose These Cybersecurity Side-Hustles

I started experimenting with cybersecurity side hustles in 2022 and used these criteria to choose the ones to focus on:

- Enjoyment: I would enjoy doing them in my spare time. Staying consistent is tough, so you want to choose something you actually enjoy instead of getting burnt out.
- Passive: They would have the potential to be completely passive over time. While no side hustle is 100% passive .. these income streams should have the potential to become increasingly passive over time. I do not want to exchange my time for money as I already have a 9 to 5 job.
- The Compounding Effect: These streams should have the potential to compound over time and increase momentum, i.e., the snowball effect. For example, freelancing on Fiverr is not really scalable, as 10x the orders means I have to put in 10x the effort!

My 2024 Income Streams

- Udemy courses
- Self-Publishing
- One-to-One Mentoring
- YouTube
- Medium

Income Stream 1 - Udemy

Udemy is like the YouTube of online courses. I have always been a massive fan of this platform, as anyone can make a course and upload it to Udemy to make some $$$. The downside is that Udemy is massively saturated, with thousands of courses uploaded daily. I have been creating courses since 2022, and provided you do the proper research, you can still make a good income with Udemy. But not as much today as you used to. My initial courses sank like stones, but these failures helped improve the subsequent courses, with incremental improvements happening over time.

Income Stream 2 - Self Publishing

Income stream #2 is about self-publishing cybersecurity books on Kindle Direct Publishing (KDP). I have over five books (one under a pen name not shown here). KDP is a great way to make money as a cybersecurity professional, where you can monetize your knowledge by writing books. But, full disclosure, I have not made a lot of money directly through this side hustle, i.e., through the KDP royalty program itself. Indirectly, though .. there is a lot of $$$ to be made. A lot of CEOs have reached out to me and paid me a lot of cash to ghost-write cybersecurity books for them. Self-publishing is a great way to stand out in the industry and gives you a lot of street-cred that you can leverage to make some serious $$$.

Income Stream 3 - One-to-One Mentoring

Over time, if you establish a name for yourself, people will pay you for your time. If someone had told me many years back that people would pay me a hundred dollars for an hour of my time, I would have laughed. But many people in cybersecurity are willing to pay to get access to your knowledge and skills. I use Topmate, which allows people to block slots in my calendar after paying. I like it more than Calendly because it does not charge you every month. I have shared this on my LinkedIn profile so anyone visiting it can use it to book a 1-1 with me. I have over 115 bookings and am featured in their top 1 percent.

Income Stream 4 - YouTube

I got into YouTube not to make money, honestly. The platform is massively competitive right now, and earning good money via AdSense is no longer what it was a decade back (or during the pandemic). Yet despite this .. it is a great way of sending traffic to my courses, books, and other side-hustle profiles. I started YouTube as it is the second biggest search engine in the world and cannot be beaten as a traffic generation method. My channel has over 5K subscribers, and I make sure to link my courses and profile in every video.

Income Stream 5 - Medium

I think it is fair to say that Medium’s glory days are behind it. The Medium Partner Program (MPP) is no longer the cash-generating machine it once was, and the days of writers making thousands of dollars every month are pretty much finished. Not to mention the ridiculous changes to the algorithm they make every few months, which destroy views and earnings. However, just like YouTube, it is a great way to drive traffic to your side hustles and generate money. I have over 9.6K followers on Medium and still love writing on the platform (although that love is increasingly one-sided!).

Income Stream 6 - My Flagship Course

I created a flagship course called The Cybersecurity Career Accelerator in 2023. The goal was to make a course to help people land cybersecurity jobs in the industry. While I still make sales .. this is one of my lower performing side-hustles, as I have to do all the marketing and traffic generation. I can potentially make more money self-hosting this course than placing it in a marketplace like Udemy … but driving traffic toward it is a major pain! Generating traffic to your products/courses/website is not easy, and it takes significant upfront investment and capital. If interested, I may host the Cybersecurity Career Accelerator course here at Cyber NOW® for members as an addition to SOC Analyst NOW! and SOC Job NOW! This article concludes.
If you are wondering why I omitted Substack, the answer is that it is not a side hustle for me. I am still learning the ins and outs of the platform. I plan to show the different methods I use to generate traffic for these side hustles soon, which can be the most challenging part of creating a side income. No one will buy your stuff if they cannot find you!
- Is Fiverr a Good Cybersecurity Side Hustle?
Is Fiverr a Good Cybersecurity Side Hustle?

I got into Fiverr in 2022 to test it out as a side hustle for cybersecurity professionals. To be clear... I am NOT a big fan of freelancing, as most cybersecurity professionals already have 9–5 jobs and busy schedules. This is Is Fiverr a Good Cybersecurity Side Hustle? Trading time for money is not scalable with that type of job stress. This is why I have always preferred to write e-books, create courses, etc. You get ten orders with freelancing, and that is ten times the effort!

However, with all the layoffs and cost-of-living issues, many cybersecurity professionals need a viable side hustle to survive. This is where sites like Fiverr and Upwork come in. Fiverr is an incredibly popular freelancing platform that has evolved considerably since its early days. It is now a thriving marketplace for freelancers with a proper gig ecosystem. Even making a few thousand dollars a month on this platform can be life-changing for people. You can also earn in dollars, which is amazing for countries like Pakistan and India, where I am from. In the UK, where I currently reside .. freelancing is becoming more and more viable.

I have worked on this platform quite often, getting up to Fiverr Level 2 and then into the Fiverr Pro program, which is only possible after the Fiverr team assesses your profile. So, here is my honest opinion about this platform in 2024 and whether it is a good side hustle for cybersecurity professionals.

The Good Things About Fiverr

Firstly, the good things about Fiverr:

- Fiverr takes away the hassle of freelancing. You create a gig on their marketplace showing what you can do, and you're good to go!
- Undoubtedly, demand for freelancing services is increasing as companies look to cut costs and hire professionals only when necessary. Thousands of customers browse and search for these gigs daily to select those that meet their needs.
- If you are a cybersecurity professional, you get access to a global marketplace with little hassle. You don't have to push traffic to your website or chase after customers yourself.
- If customers like your work, they can become repeat customers and give you a nice project-based income every month.

For people starting out freelancing, Fiverr is a great, frictionless way to get started.

Cons of Using Fiverr

Now, the bad stuff...

- Fiverr is massively saturated and can be a race to the bottom, where your skills can become greatly undervalued. Newer entrants can set dirt-cheap prices, forcing you to lower yours—i.e., the dreaded five dollar gig!
- SEO is critical in Fiverr, given the number of gigs launched daily. You need to optimize the gig images, description, etc., to make yourself stand out; otherwise, customers will never find you!
- Cybersecurity services are usually listed in Fiverr Pro rather than the regular Fiverr platform. To get into Fiverr Pro, you have to fill out an application and get vetted by the Fiverr team, which can take some time. If you don't have a portfolio, start making one ASAP to increase your chances of getting into the Fiverr Pro program. I recommend creating a gig in non-Fiverr Pro categories so you get a feel for the platform and can get some testimonials on your profile.
- Fiverr also charges a 20% fee on every transaction, which can reduce your earnings. You can set higher rates as you build your name on the platform, but this takes time and effort!

Do I Recommend Fiverr as a Side Hustle?

If you are interested in becoming a cybersecurity freelancer, then YES. Fiverr, like any platform, has its flaws, but you can get a lot of success by following these tips:

- Specialize in a particular cybersecurity niche that makes you stand out, like cloud security, AI pentesting, malware analysis, etc.
- Make a good profile that highlights your skills. Fiverr is not Facebook or Instagram, so make sure it looks professional.
- Analyze existing gigs that are doing well to understand how they write their gig descriptions and price themselves. Get some help from tools like ChatGPT to get started.
- Reach out to your network for some early orders. Once you have a few reviews, you can use the Fiverr algorithm.
- Maintain high-quality services and get as many testimonials and reviews as possible.
- Start making some gigs in non-cybersecurity-related categories first, then aim for the Fiverr Pro program.

Over time, you can build a loyal customer base, which will help you if you decide to become a full-time consultant or freelancer. The gig economy will only get stronger over time, and Fiverr is one of the best ways to get started. Wishing you the best on your freelancing journey!
- How to Create a Cloud Security Strategy
How to Create a Cloud Security Strategy

Cloud security is not easy at the start, and this is how to create a cloud security strategy. I say this as someone who has worked in this industry for the past 20 years, the last five of which have been dedicated to the cloud. One of the most challenging steps in a cloud security journey is to create a roadmap for securing your cloud environment. The importance of this step cannot be overstated, because if it is not done correctly it can lead to wrong investments, wasted time and potential data breaches down the road.

Cloud and digital adoption have sky-rocketed in the last few years, and cybersecurity teams without a proper roadmap can face serious problems. As CIOs and CISOs sit down and work out the best approach to secure their cloud workloads, they will be flooded with a huge amount of material, which can be quite frustrating! Based on my own experiences with numerous cloud implementations, I have decided to jot down the key success factors for a successful cloud security implementation. I have divided the roadmap into three basic phases:

- Foundational
- Implementation
- Optimize

Note: I have tried my best to make it as detailed as possible based on my experience, but not so detailed that it becomes impractical for most companies.

Phase 1: Laying down the foundation

One of the most common reasons a cloud security project fails is that CISOs simply “copy-paste” their on-prem model onto the cloud. Not understanding the cloud will result in potent native capabilities being ignored; hence, laying down a proper foundation before starting your journey is very important. A few of the key foundational elements are listed below.

A. Understand the regulatory environment

Before starting your cloud security journey, a crucial first step is to know the regulations for your particular geography. If this is not done correctly, you could move data you are not authorized to move and be subject to severe regulatory fines.

(Image made by author in Canva)

Certain countries do not allow their data to be moved outside their borders and impose heavy penalties for non-compliance. The plus point is that most regulations also overlap with security best practices, so putting a proper framework in place first will cut down work later. Whether it is HIPAA, PCI DSS, or SOC 2, engage with your legal departments and fully know the dos and don'ts for your particular sector. You have to know what data is going into the cloud, what the controls will be and what questions you have to answer when the regulator comes knocking.

One piece of excellent news for cyber-security teams who are fed up with doing audits all year long is that most of the cloud providers do a lot of the heavy lifting for them. AWS, Azure, and Google all have multiple third-party programs running hundreds of local and global certifications all year long, which can be requested free of charge. One example is AWS Artifact below, which gives you access to hundreds of reports for AWS.

(Screenshot: AWS Artifact)

NOTE: While this is great news for cyber-security teams, this does not mean you are automatically compliant with PCI or ISO just because you are hosting on AWS, Azure or Google. This is the topic of the shared responsibility model detailed below.

B. Understand the shared responsibility model

The shared responsibility model is one of the most important things to know upfront before implementing anything on the cloud. Some companies move into the cloud with the mistaken assumption that going forward AWS or Microsoft will handle everything and all their security obligations are gone. This is a huge mistake, as security in the cloud becomes a shared responsibility. The customer and the cloud provider must work together to secure the environment. A lot of the foundational work is done, but you still have to go the last mile and implement controls on your data and applications to ensure everything in your area is compliant. As AWS says, they are responsible for security OF the cloud while you look after security IN the cloud.

This can change depending on the model you use (fully managed, IaaS or Platform, etc.). Depending on your chosen model, the cloud provider will effectively do more or less of the work.

C. Ramp up your teams in parallel

Creating cloud skills within your teams is a key foundational step if you are a CISO starting your cloud security journey. Please do not rely solely on external consultants. They usually leave once the project finishes, and the internal teams will take over running day-to-day operations. Without knowing how to secure Infrastructure as Code, containers and serverless, your cyber-security teams will be at a severe disadvantage later on and will not be able to handle queries from the technology teams. There are numerous free and paid training and certification paths available on these technologies. The team will also see this as a vote of confidence due to the investment being made in them.

Phase 2: Securing the Cloud

Now that you have a solid foundational understanding of the cloud and regulatory approval (hopefully!), we can start examining how to secure the cloud environment. As I mentioned, don’t try to blindly copy whatever toolset you are using on-prem, but always try to use native cloud services first. This phase can be the one with the most effort required by the teams and the most stress-inducing. In this phase, the two most important things to do are bench-marking and creating your cloud security model.

A. Benchmark

The best and quickest way to immediately know your security posture in the cloud is to enable bench-marking against security best practices. The good news is that providers like Google, Azure, and AWS have already provided you with pre-configured benchmarks against which you can measure your environments from day one. Turning on CIS benchmarks from day 1 to get some easy, quick security wins within your cloud will be a great way to make your CISO happy. Below are the tools to use for the major providers:

- AWS Security Hub
- Azure Security Center (now Microsoft Defender)
- Google Compliance Center

Apart from that, there are third-party tools that can help you get visibility if you have the budget.

B. Establish your cloud security model

With benchmarks enabled, now is the time to start implementing a high-level security framework for your environment. Below are the key areas to focus on:

- Identity controls: Your identity is your firewall in the cloud, so focus there as the priority. Do not just enable MFA and call it a day; create a proper security ecosystem for your identities. The best thing you can do is to connect it with your Single Sign On system if you have one, so you don’t have to manage a separate set of identities in the cloud.
- Encryption: A lot of this will be dictated by what regulations you are under and what data (PCI, PII) is going into the cloud. Know the encryption controls for sensitive data at rest and in transit. AWS and other cloud providers provide some amazing managed services for handling cryptographic keys, which take away the hassle of managing HSMs in-house.
- Logging and Alerting: It is very easy to overdo logging and alerting in the cloud. Creating too few alerts will result in missing critical data, and creating too many will flood your response teams, leading to alert fatigue. The good thing is that if you have enabled benchmarking already, you just need to translate many of those high items into alerts and add your own.
- Workload protection: Ensure your VMs, containers, and clusters are protected and secure when running your cloud workloads. Your VMs should be spinning up from secure images. Container images must be scanned before they are started, and runtime protection should be in place across the board.
Make this a minimum requirement for the cloud.
- Threat Intel: One of the most extraordinary things about the cloud is how much threat intelligence you can access, thanks to the cloud provider. Azure, Google, and AWS are investing billions in threat intelligence technology, which benefits customers. This data is fed into their cloud services, enabling early detection of attacks. Enable these services early, so they start learning from day one and can generate a baseline to take proactive action.

Phase 3: Optimize the Cloud

This is the phase where you start gaining confidence in your cloud controls, and you can shift your focus to more strategic work. A few key areas to look at in this phase are below:

- Turning on auto-remediation for the alerts that are being generated so your security teams can start focusing on more productive work.
- Fine-tuning the existing alert logic, as you will now realize what is working and what isn’t.
- Cleaning up the cloud permissions granted in the earlier phases. By now, you should know who needs what and can fine-tune accordingly.
- Extending your toolset via collaboration tools like Slack, which can greatly increase the efficiency of your security processes and move you away from an email culture.

A. Risk Review

While you should have maintained a risk tracker from day 1, this is the time to take a long, hard look at your risk database and decide what stays and needs to be accepted by management. Be pragmatic and realize you will never get that lovely 100% complete risk tracker. What cannot be fixed should be tracked, and what can be fixed should be closed.

That wraps up the significant steps and puts you on the road to a successful cloud security journey. If you want more details, check out the video I made below.
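As an added example (not code from the article or from any vendor named in it), here is one way to implement the Phase 2 advice to "translate benchmark high items into alerts" together with the Phase 3 tuning and risk-acceptance steps: failed findings at or above a severity threshold become one alert rule per control, accepted risks are suppressed, and rules that fire across many resources are split out for aggregation or auto-remediation so they do not cause alert fatigue. The finding shape and the CIS-style control ids are constructed for illustration and are not the schema of AWS Security Hub, Microsoft Defender or any other product.

```python
"""Turn benchmark findings into a right-sized alert set (added example).

Not code from the article or any vendor. The finding shape below is a
constructed simplification, not the schema of AWS Security Hub, Microsoft
Defender or any other product the article names; the CIS-style control
ids are illustrative labels, not exact benchmark references.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}

# Constructed sample scan output: one row per control per resource.
SAMPLE_FINDINGS = [
    {"control": "CIS-1.4", "title": "Root account has active access keys",
     "severity": "CRITICAL", "status": "FAILED", "resource": "account:111122223333"},
    {"control": "CIS-1.4", "title": "Root account has active access keys",
     "severity": "CRITICAL", "status": "FAILED", "resource": "account:111122223333"},  # duplicate row
    {"control": "CIS-1.10", "title": "Console user without MFA",
     "severity": "HIGH", "status": "FAILED", "resource": "iam:user/alice"},
    {"control": "CIS-1.10", "title": "Console user without MFA",
     "severity": "HIGH", "status": "FAILED", "resource": "iam:user/bob"},
    {"control": "CIS-2.1.1", "title": "Bucket without default encryption",
     "severity": "MEDIUM", "status": "FAILED", "resource": "s3:logs-archive"},
    {"control": "CIS-3.1", "title": "Trail not enabled in all regions",
     "severity": "HIGH", "status": "PASSED", "resource": "account:111122223333"},
    {"control": "CIS-5.2", "title": "Security group open to 0.0.0.0/0 on port 22",
     "severity": "HIGH", "status": "FAILED", "resource": "sg-0aaa"},
    {"control": "CIS-5.2", "title": "Security group open to 0.0.0.0/0 on port 22",
     "severity": "HIGH", "status": "FAILED", "resource": "sg-0bbb"},
]


@dataclass
class AlertRule:
    control: str
    title: str
    severity: str
    resources: list = field(default_factory=list)


def findings_to_alert_rules(findings, min_severity="HIGH", suppressed=()):
    """Phase 2: promote FAILED findings at or above min_severity to alert
    rules, one rule per control, collecting each affected resource once.
    `suppressed` holds control ids the Phase 3 risk review has accepted."""
    threshold = SEVERITY_RANK[min_severity]
    rules = {}
    for f in findings:
        if f["status"] != "FAILED" or f["control"] in suppressed:
            continue
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        rule = rules.setdefault(
            f["control"], AlertRule(f["control"], f["title"], f["severity"]))
        if f["resource"] not in rule.resources:
            rule.resources.append(f["resource"])
    # Most severe first, then by control id, so the on-call queue is ordered.
    return sorted(rules.values(),
                  key=lambda r: (-SEVERITY_RANK[r.severity], r.control))


def alert_volume(rules):
    """Number of individual alerts the rule set would raise right now."""
    return sum(len(r.resources) for r in rules)


def tune_rules(rules, per_rule_ceiling=1):
    """Phase 3: split rules into ones worth a per-resource alert and ones
    that hit more than `per_rule_ceiling` resources. The latter describe a
    systemic misconfiguration and are better raised as one aggregated alert
    or handed to auto-remediation instead of flooding responders."""
    per_resource, aggregate = [], []
    for r in rules:
        (aggregate if len(r.resources) > per_rule_ceiling else per_resource).append(r)
    return {"per_resource": per_resource, "aggregate": aggregate}


if __name__ == "__main__":
    rules = findings_to_alert_rules(SAMPLE_FINDINGS)
    print(f"{len(rules)} rules, {alert_volume(rules)} alerts before tuning")
    for r in tune_rules(rules)["aggregate"]:
        print(f"aggregate {r.control}: {len(r.resources)} resources")
```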
- Is the best of the SOC behind us
It was 2013 and I was 26 years old just starting out in the Security Operations Center of an Managed Security Services Provider. I sat in a room filled with hopes and dreams of money, money, money from my colleagues. We were all just starting out and at the lowest rung of the ladder not making much money at all but everyone knew somebody that made what felt like billions of dollars doing cybersecurity. What did they do with all that money? This is Is the best of the SOC behind us? We would wake up and check the news outlets because breaches were happening and making big news. The public was very concerned about cybersecurity and companies were throwing cash at cybersecurity so they didn’t end up in the news. There weren’t many people who were trained in cybersecurity and the demand was high for talent, companies couldn’t hire the talent they needed so they threw cash at training people. The training business was booming. It was a time to be in cybersecurity; it was the golden age. Before we go further I want to say that this blog doesn’t end depressing it ends on a high note and not the high note that you might be thinking right now. It is 2020, COVID is hot topic, I am just leaving VMware as an SOC Automation Developer after having what someone could describe as a breakdown for just realizing what the future of cybersecurity would look like. I spent my time slowly taking away work from the SOC and automating it, scribbling in my notebook next steps until I reached what would be the master plan for automating not only the SOC, but what would be “Mastering Cybersecurity Automation” which led to a book deal with the publisher Manning that I ultimately backed out of. When I began on the book, starting with the matrix, I realized something that haunted me, something I haven’t told anyone until now. Computing at its fundamental level is very basic. Its a combination of 1’s and 0’s, which a 1 and a 0 can be organized into four combinations: 11, 00, 10, 01. 
We are adding complexity. From there, you can take those same 11, 00, 10, 01 and make 16 combinations adding more complexity. This is the same thing that we’ve done in cybersecurity. The very basic cybersecurity tasks, or in this outline “building blocks”, can be organized into increasing complexity to accomplish all of our tasks meaning all you need to do is automate the building blocks of your company and use a matrix to combine them in various combinations to achieve the result of full automation. This draft could use some more refining but presented to understand the idea. There are actually very few tasks that we do in cybersecurity fundamentally. And thats when I stopped. We overcomplicated and convoluted a 180 billion dollar industry that provides jobs to millions of people and I wasn’t prepared to take on what would be an internal struggle on what the right thing to do was. I went back and forth with this for sometime. What eventually happened was is that I couldn’t stomach being responsible for building the master matrix of tasks leaving everyone unemployed and I left automation all together. Today, it is well known that automation, not AI, is replacing cybersecurity jobs and we are feeling the impact of it. Its like I am seeing this evolve before my eyes whether I was responsible for it or not. Someone is going to figure this out. Now, I mentioned that this blog leaves on a high note. Are you ready for it? The high note is the demand for automation. The threat landscape continuously evolves leaving more to automate. Automation tools have become extremely more user friendly meaning that you don’t have to be a developer to use them. The SIEM that we used in the past as a single pane of glass is now automation tools. There will be a race for efficiency that will never, ever, ever, end. Companies will continuously tweak automation forever to get more and more efficient. 
It will never end, and the demand will shift to people with better and better automation skills. Automation BREAKS all the time. People will be needed to repair the automation. Some processes you just can’t leave to automation; they require human approval. People will be needed to do this, too. I am writing about this only because it’s my belief that the net sum of labor from before and after will be near zero when it’s all said and done. I think companies are going through some changes right now where they are laying off people they will have to rehire when they re-skill. There are some unrealistic expectations of the cost savings of automation, and the only real way they can save costs is by accepting more risk, which is something they could have just done from the beginning. It’s an ebb in the ebb and flow of an industry, and that is where I have landed lately. All those nights lying awake worried about the future just seemed to work themselves out.

PART ONE: Understanding Automation

CHAPTER 1: Introduction
- Why this book was written
- What this book aims to accomplish

CHAPTER 2: The Demand for Automation
- The evolving cybersecurity threat landscape
- The cybersecurity workforce
- The traditional security operations center
- The solution of cybersecurity automation
- Value Stream Map

CHAPTER 3: Mastering Cybersecurity Automation
- Cybersecurity automation architecture
- Cybersecurity automation processes
- Cybersecurity automation technology

CHAPTER 4: Prerequisites and Assumptions
- The similarities between SMB and Large Enterprises
- International legal and data privacy considerations
- Government regulations and certifications
- Industry-related regulations and certifications
- Organization policies/Asset policy

PART TWO: Building Blocks

CHAPTER 5: Sending Emails Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 6: Enrichment Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 7: Analyzing Malware Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 8: Actioning Endpoints Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 9: Firewall/web proxy Blocking Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 10: Escalate to Incident Response Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 11: SIEM Automation
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 12: Responding to Emails
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 13: Asset Discovery Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 14: Manual Exception Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

CHAPTER 15: Whitelist Playbook
- Technical integration components
- Process flowchart
- Explanation of steps and decisions

PART THREE: Fully Automated

CHAPTER 16: Phishing Response Automation
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 17: Unusual Privileged Account Activity
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 18: Banned Programs
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 19: Threat Intelligence Response
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 21: Vulnerability Management
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 22: Emergency Vulnerability Management
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 23: Data Loss Prevention
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 24: Cloud Orchestration and Response
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 25: Insider Threat
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 26: Threat Hunting
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 27: User Account Provisioning/Termination
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 28: Rogue Assets
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 29: Metrics
- Building Blocks Required
- Flowchart
- Description of the phases of this automation
- Potential response actions
- How this automation is used

CHAPTER 30: Cybersecurity Automation Matrix
- Building blocks and their components
- Automations and their building blocks
- Cybersecurity roles and their automation

Table of Illustrations
About the Authorship
About the Technical Review

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn.
You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF", which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits. Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on, fun labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing. Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer. Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.
- Areas of Expertise in the SOC
In this article, we’ll discuss the many disciplines that make up a successful company, their scope of duties, and how their role involves the Security Operations Center (SOC). We’ll also cover the external organizations with which the SOC might interact in its day-to-day work. These are the Areas of Expertise in the SOC. Your time as a SOC analyst will bring you into contact with many teams from within your organization. Everyone, including the CEO, could be involved in a security investigation. However, the SOC plays an essential role in the functions of other teams as well, including external organizations. This article will break down the teams into three sections: information security teams, internal teams, and external teams. So, let’s get started.

Information Security

Information security teams in most large organizations today are made up of three groups: analysts, engineers, and architects. The size of the company’s enterprise network is usually the main factor in determining whether the team is staffed internally or outsourced to third-party organizations. Some mid-sized organizations might combine the duties of two teams to save costs. Regardless of who staffs these positions, the scope of responsibility for each group is different and distinct. Job titles vary from company to company, so instead we categorize each function by the type of work it does, whether that is analysis, engineering, or architecture.

Analysts

Let’s start with an easy one. Security Operations is where you work as a SOC analyst. I hope by now you’ve learned that “SOC” is an acronym for Security Operations Center. Right, now that we’ve gotten that large knee-slapper out of the way, let’s talk briefly about Security Operations’ scope of duties. Security Operations is home to the analysts: threat intelligence, threat hunting, digital forensics, and incident response analysts. Sometimes there are more subgroups and sometimes fewer.
Sometimes companies give analysts an engineer or specialist job title. Job titles are made up, so we refer to the type of work that you’ll be doing. Each subgroup works together to ensure that day-to-day operations are running smoothly. The SOC is responsible for monitoring, investigating, and remediating security events. Its scope of responsibility depends on who is staffing the SOC. As previously discussed, SOCs can be internal to the company or outsourced to an MSSP. Internal SOCs typically have higher privileges to take remedial actions during an incident, whereas Managed Security Services Providers (MSSPs) usually must report the incident to a customer’s information technology (IT) team. The key benefit of an internal SOC vs. an MSSP is the ability of the internal SOC to learn the details of a single network. MSSPs have multiple customers and must monitor several enterprise networks at once. This leaves their SOC analysts at a disadvantage, as they never truly learn the granular details of a customer’s enterprise. This is most people’s starting point in cybersecurity.

Threat Intelligence (TI) is usually a smaller team that’s focused on researching new threat reports, determining if a new threat is a danger to the company, and providing pertinent details to management and other information security teams. In some situations, the TI team is responsible for managing the Threat Intelligence Platform, which serves as a single point of collection for indicators of compromise and intelligence reports from multiple intel sources. Some typical intel sources are threat feeds such as AlienVault or Talos Intelligence and Open Source Intelligence. The best threat feeds require a subscription and can get expensive. However, they have dedicated security researchers teamed with intelligence collection specialists to generate high-fidelity reports.
Open Source Intelligence, or OSINT for short, can provide excellent intel if you have a team dedicated to sifting through it all. A quick Google search for “Open Source Intel Feeds” will net you a plethora of top-ten lists of the best OSINT feeds out there. A Threat Intelligence Analyst needs foundational knowledge across all of cybersecurity, good written and verbal communication skills, presentation skills, technical knowledge of cybersecurity threats, and a love for reading tons of information and fostering relationships with people who share information. Threat Intelligence Analysts empower the operations teams to detect and protect efficiently. This is not a junior position, and it can be staffed without having worked in the SOC. This could be a great position to try right out of the gate for transitioning military.

The Digital Forensics and Incident Response (DFIR) teams are responsible for conducting investigations of long and enduring incidents. Sometimes this team is split into two separate teams at more defined companies, and other times it’s one team known as the DFIR team. In both cases, they are common escalation points from the SOC. The SOC conducts the initial investigation, and if the incident isn’t resolved after it has travelled through all of the tiers, the incident transitions to Digital Forensics and Incident Response, who often have to work together to resolve it. This is why it’s common to learn that the team is combined into one (Figure 1–1).

Figure 1–1. DF and IR Shared Responsibility

Any engagements with legal, privacy, fraud, or external law enforcement organizations get filtered through the Digital Forensics and Incident Response teams, who essentially become the experts on such matters. Also, in most organizations, the Digital Forensics and Incident Response teams work hand in hand with threat intelligence to conduct threat hunting. These are not junior positions and are often staffed by people who first worked in the SOC.
The Threat Hunting team is an advanced security function that combines a proactive methodology, innovative technology, highly skilled people, and in-depth threat intelligence to find and stop the malicious, often hard-to-detect activities executed by stealthy attackers that automated defenses may miss. Threat Hunting Analysts proactively search environments for traces of malicious activity. The role requires knowledge of common SIEM tools and their query languages and familiarity with all of the rest of the tools in an environment, such as endpoint tools, vulnerability scanners, and cloud security brokers, to name a few. Anything that is currently producing security events, the Threat Hunter needs to know about. They also need expert knowledge of offensive security and how attacks happen. Just because the title might say Analyst doesn’t mean this is a junior position. It requires a lot of expertise but is becoming more accessible to smaller companies as tools automate threat hunting and/or make suggestions for threat-hunting queries. This position is often staffed by people who first worked in the SOC.

The Red Team are your in-house penetration testing analysts. Not all businesses have a Red Team, as it might be more cost-efficient to outsource the function, but they play a critical role in any company. How do you test to ensure your security controls are working? Easy, hack yourself. Ethical hackers are analysts with the skills needed to compromise your enterprise network. Let’s talk briefly about a few types of penetration tests businesses utilize today.

Black Box Test: The penetration tester has no prior knowledge of the target environment. This mimics an attacker with a limited understanding of the company. Typically, this type of test is contracted from a third-party penetration testing firm, because the in-house Red Team already has experience with the network.

White Box Test: Testers have full knowledge of the target environment.
This type of test is usually more pointed at a smaller portion of the enterprise. It could be a software company’s code pipeline or source code repository. The Red Team thrives in this type of penetration test.

Gray Box Test: A combination of black box and white box, with the tester having partial knowledge of the target environment. This replicates a malicious insider or an outside attacker who has successfully infiltrated your network and established a foothold.

Purple Team Test: This type of test is used to measure the effectiveness of the SOC and DFIR teams (Blue Teams). This is a planned exercise where the Red Team will intentionally trigger a security alert to force the Blue Team to respond. The findings of this test will be used to drive improvements in the security program. Blue Team + Red Team = Purple Team! Cyber professionals sure love their colors.

This list is not all-encompassing; there are many other types of penetration tests that can be conducted. But generally speaking, these four will cover the large majority of all tests performed. Penetration testers are a special breed of security professionals; they dedicate a lot of time to honing their skills and testing new hacking tools and techniques. The Red Team is often staffed by people who first worked in the SOC, but it also has a knack for attracting the special lone wolves in the wild with special talent and skills.

Engineers

The Security Engineering team is responsible for deploying, managing, and maintaining the enterprise’s security tools and appliances. Many smaller companies will combine this function with the SOC analysts. They’re able to do this due to the small footprint of the network; however, more defined companies will have entire teams for engineering. Whether this role is staffed separately or handled by the SOC, security engineers are also responsible for updating and tuning the security tools. Many organizations will assign a single technology group to an engineer.
Common technology groups for engineers are:

- Application Security Engineer: Responsible for identifying and addressing security weaknesses in applications that a business develops or uses. They implement controls, including app authentication, encryption, and authorization settings, test software, set up firewalls, and scan/test applications.
- Network Security Engineer: Responsible for maintaining the safety of a business’ organizational network. They monitor the network for breaches, identify vulnerabilities, and develop solutions and safeguards to protect the network against attacks.
- Cloud Security Engineer: Responsible for defending a business against attacks within the cloud. The engineer is responsible for configuring the network security, building applications, identifying and addressing vulnerabilities, and maintaining a secure cloud infrastructure.
- SIEM Engineer: Responsible for collaborating with various stakeholders to understand business requirements and devise strategies for utilizing data in a more effective and efficient manner. Works closely with the Security Operations Center (SOC) team, assisting in the implementation and management of SIEM and SOAR technologies, while also focusing on leveraging ML/AI techniques to enhance threat detection and analysis.
- Detection Engineer: Responsible for designing, building, and fine-tuning systems and processes to detect malicious activities or unauthorized behaviors. They also maintain the monitoring portfolio and track the coverage gaps in the security tools. They define change management processes to ensure alerts aren’t modified or removed and often develop “detection as code” by migrating threat detection development into code pipelines such as GitHub or GitLab.
- Vulnerability Management Engineer: Responsible for scanning the environment for known vulnerabilities, prioritizing them, and assisting with managing the patching of these devices.
This list isn’t inclusive of all of the types of engineers, and it’s essential to understand the need for cross-leveling of skills here and how big the teams can get. A single person managing Network Security would leave the organization in a predicament if that employee were to tender their notice. A best practice is to have a minimum of two engineers on a technology group; this allows for a checks-and-balances approach that limits the risk of a single point of failure. The number one customer of the Security Engineering team is the SOC. Because these teams work so closely together, security engineering is a natural progression for SOC analysts on the ladder upward to architect. This role requires advanced knowledge of how to administer systems and technologies. If you’re interested in engineering, take on some projects in your spare time at home. Learn a new technology group, such as virtualization or containers. The best way to learn this job is by doing it. So get out there and experiment, and when you fail, delete it all and start again.

A note on Vulnerability Management Engineers: they also work closely with a different department in helping prioritize vulnerabilities. Prioritizing vulnerabilities isn’t as straightforward as you might think. When a vulnerability is found, it gets assigned a criticality that they adjust based on many factors, such as whether the device is dev or prod, whether it’s public-facing, or whether it can be patched at all because it’s a legacy system with dependencies that require older versions of software. It’s not as easy as reading a report and taking action on it. These engineers typically work closely with the IT teams, who are the ones that conduct the patching, often trying to convince them to patch things out of cycle or at a higher priority. Vulnerability Management requires specific knowledge of how corporate environments operate and, specifically, how their own company operates.
It also requires good people skills and knowing how to manage without authority. Those two skills should be practiced throughout your career no matter which technology group you land in. Engineers usually have worked in the SOC first but can come from other areas of IT such as Software Development or IT/Cloud Engineering.

Architects

The Cybersecurity Architecture team is unique to large organizations and is focused on enforcing best security practices and compliance controls while implementing new technology in the enterprise. Let’s look at an example: your company wants to move its on-premises database into a cloud solution such as Amazon AWS or Microsoft Azure. It’s the Security Architecture team’s job to work with the database and cloud administrators to ensure that the systems and data being migrated into the cloud are as secure as possible. This team is usually composed of senior security specialists with several years of experience in cybersecurity. Some organizations will outsource this to a third-party security consulting firm due to the limited scope of work needed for individual projects. A common practice for Cybersecurity Architecture teams at large companies is to have a small team with broad knowledge of all of cybersecurity, where each member has mastered a different specialty. To name a few of these specialties: software security, network security, infrastructure security, and cloud security. At smaller companies there might only be one or two Cybersecurity Architects, often with a broad cybersecurity background and a mastery of the specific company’s IT practices. An example of a cybersecurity architect’s objective is that they might devise the security and logging plan for a project to ensure a proper balance of security and cost saving. Security Architecture is one of the many pathways for a SOC analyst to move up in their career, but typically it happens after they’ve progressed as an engineer.
You should have at least 7–10 years of cybersecurity experience before considering a move into Security Architecture. It is a highly stressful job, and just because you’re able to do it doesn’t mean that it’s what you should do. Tyler was a Cybersecurity Architect at a Fortune 50 company for only about four months before he resigned and decided they couldn’t pay him enough to do the job. He hardly slept the entire four months worrying about the ramifications if just one tiny calculation was incorrect. It just wasn’t for him, yet. Maybe when he’s much older and wiser. Architects are typically Engineers first (Figure 1–2).

Figure 1–2. Typical Analyst Career Progression

In summary, most organizations have some embodiment of these three information security teams: Security Operations, Security Architecture, and Security Engineering. Whether the team is outsourced or owned by the SOC, the roles exist in every company. Each is a puzzle piece that fits together to form a well-rounded cybersecurity program. No one team is more important than the other, and I ask that you remember this as you move forward in your career. You’ll likely leave the SOC one day and pick a specialty. You’ll make more money, and you’ll have more freedoms, like being able to work your own schedule and not having to do shift work. You’ll need less hand-holding and become more independent as you grow more senior, and you might one day look down on the SOC. It’s a typical progression that a lot go through in their careers, but know that it’s not leadership. No one team is more important than the other… and to lead is to serve. On that note, let’s move on to the next section.

Internal Teams

As you gain and demonstrate experience as a SOC analyst, opportunities to interact with teams outside of the SOC will occur. These opportunities are an excellent way to stand out and make a great impression on your leadership.
Regardless of the task, you should approach each encounter with external teams with a high level of professionalism and confidence. You’ll find that when you’ve put in maximum effort toward the task, word of your accomplishments will make it back to your supervisor. And of course, the reverse is true as well. The last thing you want is for your supervisor to learn that you failed to contribute to a task. They tend to remember those conversations when reviewing compensation adjustments.

Let’s first talk about Management. Technically, not all of management works outside the SOC. The SOC has a manager, and usually, somewhere up the chain, there’s a director. But management makes business decisions, so this topic will cover the standard positions and scope of responsibility of those in management. It’s important to know that every organization is different in how it staffs its management team. We’ll start in the SOC with the SOC manager and work upward to the executive staff.

The SOC manager is the direct and first-line supervisor for all SOC analysts. Your interactions with them begin in the interview process, as they’re also the hiring manager for the open analyst positions. SOC managers have a wide range of duties: everything from mentoring the junior analysts to driving collaboration between the SOC and other teams. In fact, the SOC manager has so many duties that there could be an entire article dedicated to the topic. We’ll begin with their responsibilities to you, the newly hired SOC analyst. The SOC manager is responsible for all aspects of compensation for the analysts under them, including the offer letter when you first applied, bonus payouts, and promotions. However, promotions can’t happen without mentorship, and that’s also a large part of their duties. Each company has different mentorship requirements, but you can expect to sit down with your manager and discuss personal and business goals.
Your progress toward achieving these goals is taken into account during bonus and promotion decisions. Time-off requests, work schedules, and SOC duty assignments are all decided upon by the SOC manager. The SOC manager is also responsible for reporting the number and type of security events the SOC sees to upper management. These reports inform the members of the executive staff on the latest trends in cyberattacks targeting the company. The SOC manager is the first level of the management team and is by far one of the hardest jobs in information security. Let’s move on.

The SOC director is the next step up in the chain of managers above the SOC. This title is different for almost every company; some examples are “Director of Security Operations” and “Director of IT Security.” Regardless of title, this position is usually the SOC manager’s supervisor. They’re responsible for the overall strategic decisions that face the company regarding cybersecurity, including budgeting requests, SOC staffing approval, and metrics reporting to executive leadership. They also coordinate with other directors to plan and coordinate joint projects. We’ll cover them more later.

The next rung in the management ladder is the Chief Information Security Officer, or CISO for short. Depending on the company, the responsibilities of the CISO range considerably. Due to this, we won’t spend too much time discussing the CISO. All you need to understand from a SOC analyst perspective is that the CISO is responsible for the high-level decisions regarding information security. They will most likely be the first executive officer you’ll meet, and depending on your company, the CISO likely reports directly to the CEO. So, no pressure trying to make an excellent first impression. That’ll wrap it up for the management team; from here, let’s move on to some of the common organizations you’ll work with as a SOC analyst.
Each team we discuss will have a similar management structure to the SOC. I’ll skip going into detail about the team members and focus on the scope of the team itself.

The Risk Management team is responsible for measuring, reporting, and mitigating the company’s risk levels. In regard to cybersecurity, they’ll look at the likelihood of a compromise, determine the impact on the business if the attack happened, and generate a report to management on the risk. This data allows management to make an informed decision to assume or mitigate the risk. Most likely, if all this sounds familiar, you’ve learned about risk matrices somewhere along the way. “But how does the SOC assist the Risk Management team?” I’m so glad you asked. Risk Management teams are not cybersecurity experts. Their understanding of attacks and compromises is limited to what they read in the news. That’s when the SOC consults to define the impact of a compromise. An example of a SOC consultation would be to describe how a critical system is vulnerable to a particular type of compromise. Maybe you’re asked what security control would best stop the attack before it happens. Regardless of the request from Risk Management, the goal is to provide them with the worst-case scenario. To measure risk, Risk Management needs to know the most dangerous outcome for the company and how often it might occur.

The Governance and Compliance team ensures that “the overall management approach that board members and senior executives use to control and direct an organization”1 is disseminated and adhered to. They also ensure the company meets or exceeds compliance standards related to certain industries. An example of this would be the Payment Card Industry Data Security Standard (PCI DSS), which enforces controls around payment and card systems. The purpose of compliance is to ensure that proper cybersecurity practices are followed in a uniform manner.
There are several global compliance standards, and each has a different set of controls, although some overlap. The table lists the common and well-known compliance standards. The most common interaction the SOC will have with Governance and Compliance teams is during the auditing process. The SOC plays a vital role in providing evidence of compliance for the Audit team. Some common evidence requests might be logs collected, process documentation, and a security event walk-through. We’ll cover more about the Audit team later in this article.

Definition: Auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities.

The next team we’ll cover is the Privacy and Legal team. Usually, you’ll interact with Privacy and Legal during security incidents that involve evidence collection or public disclosure of a compromise. In the previous article, we briefly discussed the Capital One data breach.3 The privacy half of this team was responsible for identifying the nature of the data that was stolen. Working with legal, together they inform executive leadership on disclosure requirements, legal obligations, and options to pursue action against the attacker. In the case of Capital One, the Privacy and Legal team notified victims of the data breach and assisted the FBI in apprehending the suspect.

Let’s segue to our final team for this section, the Fraud team. The Fraud team works hand in hand with Privacy and Legal in investigations of a data breach to determine if the data has been leaked, sold, or used for malicious means. For example, the data stolen from Capital One included 140,000 US Social Security Numbers. The Fraud team is responsible for investigations tied to the use of stolen data, such as identity theft or data brokerage on the dark web. The Fraud team’s responsibilities shift depending on the company’s industry.
A software company’s Fraud team might scour the Internet for license key generators, while a manufacturing company has its Fraud team looking for signs of stolen blueprints.

External Teams

For this article, external teams are defined as any team that does not work for your company. So far, we’ve covered information security and internal teams that the SOC will interact with to accomplish business objectives. Your interaction with external teams requires special considerations. The most important note is that you are a representative of your organization and company.

The first external team we’ll discuss is government agencies, and they play a critical role in any country. Whether it’s for compliance, reports of data breaches, or interpreting privacy laws, the SOC will eventually find itself interacting with the local or federal government. As both authors are located in the United States, we’ll cover what we know and not speculate on other countries’ stances on cybersecurity. I urge you to research local laws and regulations in your region to prepare yourself for interacting with your local government agency. There are different types of government agencies that we need to cover, and the SOC will interact with each one in various capacities.

Law enforcement agencies will be the most common government entity you’ll encounter. Some examples of law enforcement agencies in the United States are the Federal Bureau of Investigation (FBI), the Department of Homeland Security (DHS), and state and local police. Like the Legal and Privacy team, the SOC will most likely work to provide evidence of data breaches or insider threats to the investigating agency. When communicating with law enforcement agencies, it’s important to only state facts. Try to remain professional and pay respect to the members of the agency you are working beside. The majority of individuals you’ll deal with won’t be cybersecurity analysts, so speak in common terms.
The second government entity we’ll discuss is military and intelligence agencies. Today, many companies provide services or goods to their federal government, and most countries have cybersecurity regulations that must be followed by companies that do business with the government. This comes in the form of tighter compliance controls and mandatory reporting requirements. A benefit of working with the government is the shared threat intelligence provided by the network of companies that work with the government. In the United States, companies that work with the federal government can join the Defense Industrial Base Cybersecurity (DIB CS) program. This program allows companies to share threat reports, indicators of compromise, and malware samples in a central location. The Department of Defense (DoD) also provides threat reports and alerts based on intelligence collected by military or intelligence agencies.

The last government organization we’ll cover is regulatory agencies. Regulatory agencies are bodies created to set a baseline of standards for a particular field of activity in the private sector of the economy and then enforce those standards. Regulatory agencies are commonly broken out into business sectors; for example, the US Department of Health and Human Services regulates the HIPAA compliance standards. Not all regulatory bodies are government-affiliated; the International Organization for Standardization is an independent, nongovernmental international organization with a membership of 164 national standards bodies. Since nongovernment regulatory agencies can’t enforce compliance or issue punishment to companies out of compliance, government agencies that adopt compliance standards such as ISO 27001 will assume responsibility for enforcement and punishment. In this model, a committee of representatives from the member countries develops new and revamped compliance standards.

The second external team we’ll discuss is Audit teams.
Auditors play a significant role in a company’s path to regulatory compliance and will be a source of many headaches for the SOC. The auditor’s primary responsibility is to understand the compliance standards and the security controls that satisfy the requirement. Next, they apply their knowledge and expertise in their field to compare a company’s security posture against the compliance standards. Let’s look at an example of how an auditor might interact with the SOC during a compliance engagement by looking at the PCI DSS Version 1.2 controls in Table 2–2. The goal, “Regularly Monitor and Test Networks,” is a typical example of data the SOC will be responsible for providing. Specifically, the SOC would be the team monitoring access to network resources, and the data that auditors will want to see most likely resides in the SOC’s SIEM. Each auditor is different, so the exact data they’ll ask for will vary depending on their experience level and individual preference. Some auditors will ask the SOC to give a live demo of their ability to access and monitor the data, while others will request screenshots of the monitoring platform and the data held within. Depending on the compliance standard, audits will happen anywhere from every three months to annually. Also, depending on your company, the SOC might be responsible for providing evidence to multiple audit teams throughout the year.

As a new SOC analyst, you won’t likely interact with the auditors directly. If a demo is requested, it’s usually handled by a senior analyst due to their experience with the company’s data sources and monitoring portfolio. Your manager and team lead will own the responsibility of planning and coordinating with the compliance and audit teams, and your tasks begin with evidence collection. Let’s move on to our final team for this article, and likely the most common external team you’ll interact with as a junior analyst.
Vendors are external product or service providers that have sold a product to your company or are attempting to sell a product. Any tool the SOC uses which wasn’t created by your company came from a vendor. The SOC’s interaction level with existing vendors will be limited to requesting assistance with issues, feature requests, and bug reports. However, you might be asked to join a tool demo or proof of concept (POC) evaluation of a security tool.

Insight: Working with vendors can be a great networking opportunity; leaving a good impression with the vendor could lead to future job offers if you decide to move away from the SOC.

When working with existing vendors, there are specific ethical concerns around requesting features or accepting gifts. It’s important to remember that you’re a representative of your company. Vendors who provide an existing service or product could take your feature request and bill your company for the hours spent on the work. That shouldn’t deter you from asking for new features. When communicating with the vendor, be sure to ask them whether the company will be billed before any agreement is made. Similarly, when communicating with vendors trying to sell your company a product or service, it’s important not to promise anything to the vendor. The best conversation you can have with a vendor providing a demo or POC is by offering your honest feedback on their product. Good or bad, they will take your feedback to their company for product changes. So when providing your thoughts on their product, be sure to offer constructive criticism. Comments like “your product adds no value for us” and “we could build this ourselves” are a surefire way to get you removed from future vendor conversations.

Summary

Working in the SOC brings you into contact with many other teams, both from within and external to your company. Each team covered in this article combines to shape your SOC’s daily scope of duties.
The team names and roles discussed in this article are not standardized from company to company. As previously mentioned, some team member responsibilities might belong to the SOC. Regardless of whether the positions exist, the team’s functions are required for a company to succeed. We’ve talked previously about our purpose for this book and how we hope to prepare you for a great, new career in cybersecurity by way of the SOC. Consider for a moment the overhead of having to teach a new SOC analyst the functions of each team member, external organization, and government entity. This article helps you set yourself up for success by providing a cursory introduction to the areas of expertise in cybersecurity. Whether you’re working with your local law enforcement to investigate a malicious insider or collecting audit evidence for the compliance team, your better understanding of the groups and their roles and responsibilities will help to make you stand out as a productive member of the SOC team.

ARTICLE QUIZ (SOLUTIONS FOLLOW)

1. Large organizations often consist of three general teams for cybersecurity. Which of the following is not one of them?
Ⓐ IAM
Ⓑ Operations
Ⓒ Engineering
Ⓓ Architecture

2. The Threat Intelligence (TI) team does which of the following?
Ⓐ Takes over incidents from the SOC and conducts investigations on long and enduring incidents.
Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.
Ⓒ Focuses on enforcing the best security practices and compliance controls while implementing new technology.
Ⓓ Identifies, catalogs, and remediates new and existing vulnerabilities.

3. Relating to responsibilities, the Digital Forensics and Incident Response (DFIR) Team does which of the following?
Ⓐ Focuses on enforcing the best security practices and compliance controls while implementing new technology.
Ⓑ Deploys, manages, and maintains security tools.
Ⓒ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.
Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents.

4. The Security Engineering Team covers which of the following tasks?
Ⓐ Identifies, catalogs, and remediates new and existing vulnerabilities.
Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.
Ⓒ Deploys, manages, and maintains security tools.
Ⓓ Focuses on enforcing the best security practices and compliance controls while implementing new technology.

5. The Vulnerability Management team is responsible for which of the following?
Ⓐ Researching new threats, determining if they’re dangerous, and providing details to management.
Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network.
Ⓒ Taking over incidents from the SOC and conducting investigations on long and enduring incidents.
Ⓓ Deploying, managing, and maintaining security tools.

6. Responsibilities of the Security Architecture team include which of the following?
Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology.
Ⓑ Deploying, managing, and maintaining security tools.
Ⓒ Researching new threats, determining if they’re dangerous, and providing details to management.
Ⓓ Taking over incidents from the SOC and conducting investigations on long and enduring incidents.

7. The _________ is the first level of management and one of the most difficult jobs in cybersecurity.
Ⓐ SOC Director
Ⓑ SOC Manager
Ⓒ Chief Information Security Officer (CISO)
Ⓓ Risk Management Team

8. The SOC Director may also be called _______. Which of the following does not apply?
Ⓐ Director of Security Operations
Ⓑ Director of Threat Management
Ⓒ Director of IT Security
Ⓓ Director of Risk Management

9. Which of the following internal teams focuses on the worst-case scenario and how often that may occur?
Ⓐ Risk Management.
Ⓑ Governance and Compliance.
Ⓒ Privacy and Legal.
Ⓓ Digital Forensics and Incident Response (DFIR).

ARTICLE QUIZ SOLUTIONS

1. Large organizations often consist of three general teams for cybersecurity. Which of the following is not one of them?
Ⓐ IAM. While there may be an IAM team in very large organizations, the three general teams can be broken down into Operations, Engineering, and Architecture.

2. The Threat Intelligence (TI) team does which of the following?
Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC. The Threat Intelligence team typically researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC.

3. Relating to responsibilities, the Digital Forensics and Incident Response (DFIR) Team does which of the following?
Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents. Typically, the DFIR team takes over incidents from the SOC and conducts investigations on long and enduring incidents.

4. The Security Engineering Team covers which of the following tasks?
Ⓒ Deploys, manages, and maintains security tools. Typically, the Security Engineering team deploys, manages, and maintains security tools.

5. The Vulnerability Management team is responsible for which of the following?
Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network. The Vulnerability Management team is responsible for identifying, cataloging, and remediating existing vulnerabilities throughout a network.

6. Responsibilities of the Security Architecture team include which of the following?
Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology. The Security Architecture team typically focuses on enforcing the best security practices and compliance controls while implementing new technology.

7. The _________ is the first level of management and one of the most difficult jobs in cybersecurity.
Ⓑ SOC Manager. The first level of management, and the one that you will interact with most frequently, is the SOC Manager.

8. The SOC Director may also be called _______. Which of the following does not apply?
Ⓓ Director of Risk Management. The SOC Director typically isn’t called a Director of Risk Management.

9. Which of the following internal teams focuses on the worst-case scenario and how often that may occur?
Ⓐ Risk Management. The Risk Management team focuses on all of the “bad” things that can happen and how often they may occur, as well as the impact they have on the organization.

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn. You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF", which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits. Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on, fun labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.
Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer. Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.
- Lessons from 10 years in the SOC
Lessons from 10 years in the SOC

I started in the cybersecurity scene in the early 2000s. I was 12 or 13 years old, hanging out on AIM, IRC, and Yahoo! chat rooms. I discovered warez and learned my first hack, the ping of death. I’d hop on AIM and netstat for your IP address and send you a packet too large for your dialup to handle, and it’d kick you offline. I was a prankster; just a bit mischievous but never malicious. I dove headfirst into the Linux subculture and went to Walmart, where I found Mandrake for sale on CD. Now, most people think you can’t sell Linux, but you can. You’re selling the distribution of Linux, and you used to be able to walk into stores and buy it. This was a time when it’d take you days to download it and a quarter of your hard drive. It led to Knoppix Linux, which was the first live Linux distribution. I would take it to school, pop it in the computer, and all of the restrictions were lifted and I could jump back into my IRC chats. Always a chatter, which has become troublesome because I treat Facebook and social media as an informal chat room and people take it very seriously. I went to a really bad high school, so I dropped out in 10th grade and went directly to get my GED. I walked in and passed it without any classes. In fact, the year before, in 9th grade, I tested post-graduate of high school in all the standardized tests. I started college at 16 in the only place that’d take me, DeVry, and I had the whole college experience. I stayed in dorms, hung out doing nerdy things on campus, and delivered pizza to pay for my living money. My grandmother paid for my student housing, but the rest of living was up to me. I look back very fondly at my time at DeVry in Decatur, Ga. It was a good education, too. I took my classes on-site and learned a lot. Some of my classes were online, but it wasn’t the same learning experience.
I think the reason why DeVry gets so much of a bad rap is that people start and they never finish, and it is expensive. The classes can be difficult. It really all depends on the professor, and some take their jobs very seriously and do care a lot about the subject. I graduated college, and I had the full graduation experience. For the first time in my life, I graduated. I walked across the stage at the Georgia Dome in front of all of my family and friends there to support me. Got pictures, threw my cap, and everything. It was the very first thing I accomplished in life. Prior to that, I wasn’t much of a finisher. I started out after college working IT support at a local community college. I spent eight months there and then started my career in cybersecurity at Dell SecureWorks in the SOC in December of 2013. I had so much fun working with my peers in this SOC that I’ve spent my entire career trying to find a place with the camaraderie of that unique culture. Since December of 2013 I’ve worked at several companies with an average tenure of 2–3 years, so I’ve seen a lot of different environments. These are the lessons that I’ve learned in my 10 years working in cybersecurity.

Becoming SOC mature is about learning what to ignore.

I saw on LinkedIn recently that someone said becoming mature in cybersecurity is about learning what to ignore, and I just loved it. It resonated so well with me. When you first start out, everything is a crisis. Everything is new and everything is critical. Once you have time in your seat long enough, you learn what is expected and what is a unique occurrence. What’s an anomaly in the industry, and what seemingly happens all the time. This is important because knowing this helps you determine if there is an established process at the company you’re at for seeing this type of thing. If you’re new at a company, but you’ve seen this often before, there’s likely a playbook for this.

Zeal fades as you slowly learn how compliance and regulation work, and how everyone gets paid.

Zeal is incredibly important for you starting out. It’s the fountain of motivation to learn how everything works. It’s a blessing and it’s a curse. Not everything works the way it should work, for whatever reason, and this creates conflicts of interest that really put a damper on how you feel about the importance of your work. Not everyone is going to care about cybersecurity as much as you do, even the people paying you to do your work. Ideally, cybersecurity exists so businesses can take risks responsibly, but in some places cybersecurity exists just to say cybersecurity exists here. When breaches were in the news every day, cybersecurity was at the top of the agenda for executives. Breaches rarely meet the news cycles anymore, the public has been desensitized, controls have been put into place to protect people, and overall there has been improvement in the cybersecurity industry. It’s a different place today, where a breach isn’t likely to affect your stock very much. There was a period about five years ago when a breach would even make your stock go up. Boy, was that difficult to deal with. Try going into work every day to protect a company when a breach would make them more money. Now it’s just become daily life.

There’s a gray area of perception.

What you see on the outside of a company isn’t what is true, and that’s accepted. As I’ve become a business owner, I’ve been viewed not as an individual but as a company trying to promote/sell something to an audience. It’s really made me feel compassion for the community, because they are predisposed today to be skeptical of everything because they’ve been manipulated so much by marketing schemes. Marketing exists to make you want something, and to get your product to the people that want it. In this effort, things get misconstrued in ways that are often borderline untrue. Your company has a marketing team, and your company strategizes on how to present the product with the right spin on it to make people buy it.
I’ve worked at companies that had really great marketing teams, and the perception is that this company really has its stuff together, and then I go to work there and they’re announcing how great their new product is that I know now hasn’t even finished developing. It doesn’t exist! It can leave a bad taste in your mouth about the company you work for, thinking they are all just talking BS, but just know this is what marketing teams are supposed to do. They’re doing their jobs really well, and now everyone else needs to do their jobs to catch up. This is normal and happens at every company. This is the product people want; now we need to make it.

You’re paid to protect a company from itself.

If I paid someone to protect you from yourself, how would you feel if you kept being told to correct yourself? That’s how it looks as a CEO. I said that right. You aren’t protecting your company from the bad guys out there hacking your company; that’s just par for the course. You’re protecting your company from users who do something to let them in. As a CEO, you are your company. When addressing executives, use tact and empathy when explaining that one of their indirect reports just caused a security incident. It’s not important to punish anyone for bad behavior in most cases outside of insider threat; it’s important to come up with solutions on things we can do to prevent this from happening again. Live in the solution.

These are some of the things I’ve struggled with over the years, often causing periods of depression in my work when my idea of what cybersecurity should be isn’t what it truly is. The world didn’t meet my expectations of what I was led to believe would be my purpose, and it’s sad. When this happens, it’s time to get comfortable in Corporate America and play this game the way it’s played.
- Should Cybersecurity Degree Programs Have a Cloud Focus
If I was just graduating high school or deciding how to get started in cybersecurity, knowing what I know now, I wouldn’t ever consider a program that didn’t teach cloud skills (few of them do). By the time I would graduate, everything I learned would be obsolete. Within the next five years, most companies will have finished their migration to the cloud, or at least be close to it, or even just beginning on it; it’s the focus. Cloud skills are so difficult to teach because they change rapidly. Institutions have no way to keep their curriculum up to date. I have a cloud course, and I’ve already had to go through and keep it updated. It changes so much that I put the year it was last updated in the title, just so that everyone knows it’s still relevant. It’s super easy to update a course on a website or Udemy. Record a module and bam, upload it. But updating a college course or program with students enrolled in it, that has all these accreditation requirements, has to be carefully planned and executed, and by the time it all happens it needs to be updated again. If it doesn’t get easier to train for cloud skills, it’s perhaps the end of degree requirements for IT altogether. Microsoft and AWS have the same problem. They need people trained on their platforms too, and they know how difficult it is to do, so they’re doing it themselves. I’ve taken some of the Microsoft Azure training and I liked it. It all works! That’s so hard to do. They keep it updated, but the content is limited. It’s not comprehensive by a long stretch. There are so many cloud fundamentals to learn that aren’t vendor specific that universities aren’t teaching. They could cover cloud fundamentals in one semester, but they don’t. If you’re just starting out, I wouldn’t consider any program that didn’t teach you the cloud. And I mean it. Don’t do it. You’re probably going to get your degree and you’re not going to be able to find a job.
Any program that’s teaching you infrastructure or perimeter defense is obsolete by the time you graduate. It was a waste of your time and money (and you have to pay that back!).
- Starting SOC Automation
This article will discuss the maturity models of Security Operations Centers, how to know where your SOC is at, and how to embrace SOC automation and stay ahead of the curve. Automation within the Security Operations Center (SOC) is generally referred to as Security Automation and Orchestration (SAO) or Security Orchestration, Automation, and Response (SOAR). As an analyst, it has become increasingly common to encounter some type of security automation within organizations. To what extent may depend on the maturity of your organization and its SOC. We will dive into maturity models and how those relate to automation a bit later in this article. First, what is security automation?

What Is SOC Automation?

No, SOC automation does not refer to robots becoming self-aware. Threat intelligence feeds do not suggest that “judgment day” is close on the horizon. Simply stated, automation is the machine implementation of low-level security-related actions. These actions are small pieces of a larger task. Generally, a task will be made from a number of actions. Similarly, a process will encompass a number of tasks. Tasks can be partially or fully automated with the goal of reducing human intervention in security operations. Orchestration, while very closely tied to automation, takes advantage of multiple automation tasks across multiple systems or platforms. Orchestration is used to automate or semiautomate more complex workflows and processes.

We have heard criticism from SOC analysts and others in the security community regarding automation. The overwhelming theme seems to be that analysts are worried that automation will take their job. At first glance I can see where they are coming from. If a machine can do it faster and more efficiently, then what is the analyst to do? Believe me, I get it! As a SOC lead, I want to challenge my analysts to do a detailed analysis of events.
This takes a good amount of time and is not possible with the volume of events seen on a daily basis. I want them to look for trends, examine data over a larger period of time, and then find the reason that these events are taking place. To ask themselves questions like: “Is the reason I have to respond to 50 events per day on an IPS signature due to the fact that the webserver is vulnerable?” Present that data back to your SOC leadership, and take the initiative to get the business to patch the vulnerability. What we are attempting to convey is that SOC automation should not be seen as a limitation to your career, but rather a springboard which can help you become a better analyst. We will go over a number of reasons for automation in the next section that should paint a clearer picture of the benefit of automation not only to the SOC but to the individual analysts as well. Let’s dig into why automation is a positive addition to any SOC.

Why Automate?

There are a number of reasons for a SOC to automate, but be assured that replacing analysts is generally not the goal. The SOC analyst is a valuable resource which will always be needed to perform where machines cannot. Whether part of a maturity initiative or new business requirements, leadership is often left taking on additional services with the same or fewer resources. Taking into account that SOC leadership is being pressured to deliver more, combined with the shortage of skilled cybersecurity professionals, it is easy to see why automation is a no-brainer. I have spent time in the trenches working through an endless queue of events. When I was a junior analyst, there were times when I would have a number of events that were generated for antivirus detections where the files were quarantined. Over half of the events in that day were “potentially unwanted applications” (PUA) which were adware/toolbar related. The tool did its job, the files were quarantined, yet I still had a number of events that needed to be addressed.
I had to manually add the appropriate notes and close each ticket. If I had automation in place, then it would have made my life a lot easier. I would have been able to focus on more in-depth analysis and look for a common source of the adware, but due to the sheer volume of events, it was not an option at that time. For me, automation is a force multiplier when it comes to helping analysts with the flood of events they handle on a daily basis. By eliminating the need for analysts to do monotonous tasks, they are free to spend more time performing higher-level analysis of events. Senior analysts will have more time to dedicate to training junior analysts, and more time can be spent on developing documentation. With the ever-changing pace of a SOC, we all know this is always needed. One of the first reasons a SOC may choose to automate is to streamline existing processes. Many SOAR platforms have C-level dashboards that are designed to show the amount of time and money saved by automating actions. While I do agree to an extent that this can be important, focusing on this alone may not necessarily be the best fit for all organizations. There are a number of other reasons that I believe are equally important to the operation of a healthy SOC. One of my favorite reasons for automating is to reduce analyst fatigue. I cannot be the only analyst that has ever spent what seems like hours a day pressing “Ctrl+C” and “Ctrl+V.” I have gone home at the end of the day brain-fried, wondering if a monkey could do the job just as well. As I mentioned earlier, security analysts are the most important resource that a SOC has. These analysts are inundated day-in and day-out with an abundance of information that needs to be collected, categorized, classified, analyzed, and interpreted. Reducing the volume of events that need to be analyzed is one way to achieve this. Reducing analyst fatigue benefits the SOC by reducing overall stress and making it a fun and challenging place to work.
Isn’t the saying: “Happy SOC, Happy Life”? Good leadership should strive to do all that they can to promote morale and a healthy workplace environment. Doing the same repetitive actions day-in and day-out will desensitize you and cause you to skip steps or cut corners. This fatigue increases the possibility for mistakes to be made.

Reducing mistakes leads me to another popular reason for automating, which is standardizing processes. Analysts can get trapped in an endless screen-switching cycle during an investigation by checking documentation, following defined steps, and moving between multiple consoles. When automating security-related tasks, we drive consistency and reduce the likelihood for errors. Consistency is key in security operations. During incident response, when we implement automation, we can ensure that processes are consistently followed.

As a SOC analyst, it is very easy to cast wide nets in order to collect as much information as possible. Sometimes the rules we write just need to be broad. The events generated by a rule may only be an indicator when correlated to another event or other condition. Sure, you could write a correlation rule, but maybe you are in the infancy of tuning a rule, and thus analysts receive a large number of false-positive detections. What if we could use automation to tune out these false positives? Reducing the overall volume of false positives is one such use case that I have spent a good amount of time automating. I will give an example of this later in the article.

Each analyst has their own preference for sources of information, and this can sometimes create false positives or lead an analyst down the wrong rabbit hole. As mentioned previously, consistency is important for a number of reasons, but in addition to those already mentioned, another reason to automate is for the reduction of information bias. There are some reputation and intelligence data sharing services that are higher fidelity than others.
Open source feeds can be a double-edged sword. On one side they may have larger reference sets and be of good quality, but on the other side, I have found that it is easier for one wrong attribution to skew a full dataset. When the sources from which data is ingested and consumed are defined by the team, reputation checking and intelligence enrichment can be easily automated within your playbooks.

Every few months, it seems like there is a new attack pattern, and threats are becoming more complex each and every day. Organizations need to be prepared for this evolution of complex threats. Adversaries today are utilizing automation to conduct attacks against your organization. Security operations need to keep up with the speed at which attackers are evolving, and the only way to do this is through automation and orchestration. As you implement new automation playbooks, the end goal should be to reduce the mean time to detection (MTTD) and mean time to response (MTTR). Each step that is automated shaves fractions of seconds from these SOC metrics. While at first glance it may not seem that a machine could save much time per single action, the culmination of all of these small actions over time will add up to significant time savings. The decrease of these metrics will satisfy senior management while also providing the numerous benefits mentioned previously.

SOC Maturity

I would like to preface this section by stating that I do not think many organizations would expect that they could fully automate every process from beginning to end. I believe there are just so many situations that require an analyst to make a decision that a machine just cannot make. There have been many horror stories of automation putting blocks in place based upon the wrong classification of the data. These instances have had catastrophic effects on businesses and their reputations.
Until an organization has a high confidence level in the data being provided, I would personally suggest adding some checks and balances into automation processes. These checks and balances should require human interaction and approval before blocking controls are put in place. All of these steps can be built into your playbooks to ensure that you can not only take advantage of automation to the fullest extent possible but also keep automation from taking an incorrect action.

The goal of this article is not to go into a deep dive on the topic of maturity models. There are a few different ways to go about measuring the maturity of your SOC. You can write your own framework or use an industry-standard framework to accomplish the same goal. The benefit of using a standardized framework is that it is recognized and probably being used by other organizations within your industry. Both solutions are designed to provide a situational summary of where the SOC is in its maturity, taking into account all of its processes.

Figure 1–1 Sample Maturity Phases

When assessing the maturity of the SOC and its automation, it’s easy enough to start with a staged approach similar to the one shown in the figure above. I put this graphic together to illustrate that once you have completed an inventory of the processes and actions that your SOC is doing today, you can then map your current state and measure your progress toward your goals. Set small goals to get you to the next phase. If you have not begun your automation journey, don’t be afraid of starting now. Each action you automate will get you closer to your goals.

As a junior analyst, you will begin to see areas for improvement in the processes that you and your team use every day. Document any process gaps and look for actions that can be automated. Take time to gather all of the appropriate data, and do the analysis. Can any of these actions be automated? What benefit do you see it providing the team?
Be able to articulate how you believe automating an action will improve the function. By presenting a process improvement or resolution to a problem, and not just the gap, you will set yourself up as a leader among your peers, and SOC leadership will see you as a true problem solver.

How to Start Automating

There is no one-size-fits-all solution for every organization. In my experience, it has been most beneficial for analysts within the SOC who are intimately familiar with their processes and procedures to spend a little bit of time analyzing the work they perform each day. Categorize your tasks by the time required to complete them, and then by the complexity of the task. Start with the tasks that are simple and do not take a lot of time to complete, and leave the complex tasks for after you are comfortable with the process flow. Chances are that there are a number of these simple tasks, and by automating them you will make a good amount of progress. The figure below may help you categorize your tasks and allow you to focus on automation tasks that will provide the most value up front.

Figure 1–2 Security Task Categorization

When starting with a simple task that takes a short time to complete, look for repetitive actions without complex conditions. If you have different actions that you take based upon the output of an action, it will add complexity to the playbook. I have found that it is very easy to start working through a use case, only to find out halfway through it that one small attribute changes the whole thing. Spend time dissecting the actions and whiteboard the process flow. Make every effort to break it down into the smallest steps that you can. A very simple example of automating a task such as this may be getting the reputation of a file. This might make it a bit easier to help you envision the steps taken.
Figure 1–3 Simple use case of getting a file reputation

In this simple example, I have broken down the task into four small actions that an analyst would need to take:

1. Gather the file hash.
2. Open a web browser.
3. Paste the hash into the browser and submit it.
4. Make a decision based upon the file reputation.

The decision made upon the file reputation may then feed another action or a process flow further downstream. A playbook can be this small. Keep in mind that it is possible to have a playbook that calls other playbooks synchronously, waiting for the first one to complete before calling another.

At first glance, it may not look like automating this task would save much time. But what if the hash was a false-positive detection? What if we could automatically close the event based on the file reputation? What if we could collect the false-positive file and submit it back to the vendor to be reevaluated? Not only would automation help by eliminating the noise of false-positive detections, but it would reduce the number of tickets you would need to respond to. Now, this short, simple action has saved a significant amount of time when scaled to the number of events that need to be investigated in a day.

Sample Use Cases

I have come across a number of use cases discussed in different articles around the Web. Maybe some of them will work for you, or maybe they will just spark some ideas on what can be done. As I mentioned earlier in this article, there is no one size fits all. Vendors supply sample playbooks that are generally meant as teaching points for what their product can do. Unfortunately, not every solution will be able to be integrated with your automation platform. You will encounter situations that may not work in your environment, just as you will also encounter situations that the vendor has not specifically encountered before. This is to be expected and is all a part of the journey of SOC automation.
I wanted to highlight a couple of use cases that I have personally encountered and had good success with. They do not cover every use case or reason that a SOC may choose to automate; however, they may act as a starting point or inspiration for your automation endeavors.

One use case I encountered was reducing the number of false-positive detections from an email hygiene provider. The team utilized a service that sends alerts for a malicious email that was delivered. There were times that, after the alert was sent, the email was reclassified as clean. I wrote an automation playbook that would call the email hygiene provider’s API to check for the “false-positive” flag. If the alert was a false positive, an analyst ticket would not be created.

Another use case, which was a bit more advanced, was providing paging to on-call analysts when critical events came in. We started by defining the type of events that would cause an analyst to be paged out. Once that was complete, we began to figure out how to collect the on-call person and their page address. This took a bit of custom Python code using a plug-in called “beautifulsoup.” The playbook would scrape an intranet page, parse out the email address to page, and send an alert to that analyst with the context of the critical event. Once that step was complete, the playbook would monitor a mailbox for a read receipt for the page. If the page was not acknowledged within an hour, the playbook would send the same page to the on-call escalation point.

The most common automation use case that I have helped to put in place is the enrichment of events with threat intelligence. In this environment, events are sent from the SIEM to the automation platform for processing, and a ticket is created in a temporary ticket queue. The playbook will extract indicators such as file hash, file path, source and destination IP addresses, etc. Depending on the event type, these indicators are enriched from various sources that are predefined by the SOC. The data is used to populate notes in the event and add context for the analyst that works it. Once all of this enrichment is complete, the playbook will move the ticket from the temporary queue to the SOC analyst queue. The reasons for moving it to the analyst queue only after all the enrichment is done are to prevent a ticket state change and to ensure that any error checking added to the playbook is complete first. I want the analyst to have all the data they need to make a decision on the event, instead of having only partially complete data.

Summary

Security automation is a tool that assists your SOC analysts and allows them to be more effective in their work. In my opinion, it is not designed to be a replacement for an analyst. We invest in automation technology to make us more efficient at our jobs, and we are going to be required to make decisions where a machine cannot. I don’t want to focus directly on best practices for writing automation playbooks, but more on the overall process and how it relates to the SOC. With that in mind, I want to leave you with a few tips for success. If you have not already begun your automation journey, talk with your team about the benefits of security automation. Get everyone on board with the idea and comfortable with how you envision the playbooks working for the team:

- Do a full inventory of the tasks your SOC performs. Break them down by the time and complexity required to complete them.
- Define your use cases before automating any actions.
- Focus initially on tasks that are simple and can be completed quickly. This will provide you with some quick wins.
- Don’t write long, complicated playbooks. Break them down into specific tasks as much as possible. You can use a parent playbook to call multiple child playbooks.
- Don’t be afraid to challenge the status quo.
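The file-reputation decision, the provider's false-positive flag, the temporary-queue enrichment flow and the tip to compose small child playbooks under a parent, worked through as an added Python example that is not the article's or any vendor's code. The reputation feeds, the `false_positive` event field, the queue names and the choice to park a ticket in the temporary queue when a feed fails are constructed assumptions.

```python
"""Parent/child SOAR playbook sketch (added example, not the article's code).
Feeds, queue names and the provider's false-positive flag are constructed
stand-ins for the integrations a real automation platform would call."""
import re
from dataclasses import dataclass, field

# Constructed reputation feeds standing in for the sources the SOC predefines.
# The hashes are made-up sample values; the addresses come from documentation
# ranges (TEST-NET). Nothing here is a real indicator.
REPUTATION_SOURCES = {
    "hash_feed": {
        "0123456789abcdef0123456789abcdef": "malicious",
        "fedcba9876543210fedcba9876543210": "clean",
    },
    "ip_feed": {
        "203.0.113.7": "malicious",
        "198.51.100.23": "unknown",
    },
}

HASH_RE = re.compile(r"\b(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Ticket:
    """Analyst ticket; it starts life in the temporary queue, as in the article."""
    event: dict
    queue: str = "temp"
    status: str = "open"
    notes: list = field(default_factory=list)


def extract_indicators(event):
    """Child playbook 1: pull MD5/SHA1/SHA256 hashes and IPv4s from every field."""
    text = " ".join(str(v) for v in event.values())
    return {"hash": sorted({h.lower() for h in HASH_RE.findall(text)}),
            "ip": sorted(set(IPV4_RE.findall(text)))}


def provider_reclassified_clean(event):
    """Child playbook 2: stand-in for the email hygiene provider's API call that
    reports whether the alert was later flagged as a false positive (assumed field)."""
    return bool(event.get("false_positive"))


def enrich(indicators, sources):
    """Child playbook 3: look each indicator up in the predefined feeds only.
    A missing feed is recorded as an error rather than silently skipped."""
    results, errors = [], []
    for kind, feed_name in (("hash", "hash_feed"), ("ip", "ip_feed")):
        feed = sources.get(feed_name)
        for value in indicators[kind]:
            if feed is None:
                errors.append(f"{feed_name} unavailable for {value}")
                continue
            results.append({"kind": kind, "value": value,
                            "verdict": feed.get(value, "unknown")})
    return results, errors


def decide(results):
    """Child playbook 4: the reputation decision that feeds the downstream flow."""
    verdicts = {r["verdict"] for r in results}
    if "malicious" in verdicts:
        return "escalate"
    if verdicts == {"clean"} and any(r["kind"] == "hash" for r in results):
        return "auto_close"   # a file hash was checked and every indicator is clean
    return "analyst"          # unknowns, or nothing to decide on


def run_parent_playbook(event, sources=REPUTATION_SOURCES):
    """Parent playbook: create the ticket, run the children in order, and move
    the ticket to the analyst queue only once enrichment finished without errors."""
    ticket = Ticket(event=event)
    if provider_reclassified_clean(event):
        ticket.status = "closed"
        ticket.notes.append("closed by automation: provider reclassified mail as clean")
        return ticket
    results, errors = enrich(extract_indicators(event), sources)
    ticket.notes.extend(f"{r['kind']} {r['value']}: {r['verdict']}" for r in results)
    if errors:
        # Partial data is worse than a short delay: leave the ticket in the
        # temporary queue for a retry instead of handing over an incomplete picture.
        ticket.notes.extend(f"enrichment error: {e}" for e in errors)
        return ticket
    outcome = decide(results)
    if outcome == "auto_close":
        ticket.status = "closed"
        ticket.notes.append("closed by automation: file reputation clean")
        return ticket
    if outcome == "escalate":
        # Checks and balances: automation may recommend but never place a block.
        ticket.notes.append("malicious indicator: analyst approval required before any block")
    ticket.queue = "analyst"
    return ticket
```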
When you start automating processes, you may discover a new and better way to do something. Embrace these efficiencies, and automation will show its value to your organization.

While security automation may be in its infancy, there is much that can be done to improve the operations within your SOC. I hope I was able to provide some insight into why you need to begin automating sooner rather than later. I have highlighted a number of reasons for automating and provided some possible use cases for quick wins. Take the lead, and show the rest of your team that automation is not a limitation but a force multiplier that will help you all become better analysts.

ARTICLE QUIZ (ANSWERS FOLLOW)

_______ is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.
Ⓐ SOC Automation
Ⓑ Process
Ⓒ Orchestration
Ⓓ Inventory

_______ takes advantage of multiple automation tasks across multiple systems or platforms.
Ⓐ Automation
Ⓑ Process
Ⓒ Orchestration
Ⓓ Inventory

A _______ is made up of a number of actions that are fully or partially automated, while a _______ encompasses a number of the former.
Ⓐ process, task
Ⓑ task, process
Ⓒ process, response
Ⓓ response, task

All the following are true regarding automation except:
Ⓐ It will replace analysts in the next five years.
Ⓑ It streamlines existing processes.
Ⓒ It frees up analysts from monotonous tasks.
Ⓓ It manages the flood of events coming in daily.

All the following are reasons to implement SOC automation except:
Ⓐ Reduce analyst fatigue
Ⓑ Reduce mistakes
Ⓒ Reduce productivity
Ⓓ Reduce labor hours to increase skilled training

Which of the following is true regarding how to start automating the Security Operations Center (SOC)?
Ⓐ Start with complex changes
Ⓑ Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks.
Ⓒ Figure out who to fire first.
Ⓓ Make tasks more complicated than they should be.

All of the following are true about playbooks except:
Ⓐ They can be small.
Ⓑ They can call other playbooks synchronously.
Ⓒ They’re only used in fantasy football.
Ⓓ They should not cause incorrect or damaging actions.

ARTICLE QUIZ SOLUTIONS

_______ is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.
Ⓐ SOC Automation
SOC Automation is the machine implementation of low-level security-related actions which are smaller pieces of a larger task.

_______ takes advantage of multiple automation tasks across multiple systems or platforms.
Ⓒ Orchestration
Orchestration takes advantage of multiple automation tasks across multiple systems or platforms.

A _______ is made up of a number of actions that are fully or partially automated, while a _______ encompasses a number of the former.
Ⓑ task, process
A task is made up of a number of actions that are fully or partially automated, and a process encompasses a number of tasks.

All the following are true regarding automation except:
Ⓐ It will replace analysts in the next five years.
Replacing analysts in the next five years is not entirely true. While SOC automation aims to reduce the amount of manual labor, SOC automation should be a springboard that frees up an analyst to work on more challenging tasks, preparing them to move out of the SOC into more advanced roles or to become a SOC Automation Engineer responsible for automating SOC Analyst tasks. A smaller number of SOC analysts will always be needed to review the SOC automation’s work, assist in the SOC automation efforts, and handle exceptions.

All the following are reasons to implement SOC automation except:
Ⓒ Reduce productivity
Reducing productivity is not a reason to implement SOC automation.

Which of the following is true regarding how to start automating the Security Operations Center (SOC)?
Ⓑ Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks.
Someone who is intimately familiar with the Security Operations Center (SOC) processes and procedures should start by taking an inventory of the SOC tasks.

All of the following are true about playbooks except:
Ⓒ They’re only used in fantasy football.
There are many constructive uses for playbooks other than in fantasy football, including in SOC Automation.

Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn.

You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF", which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.

Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on, fun labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.

Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.

Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.
- SOC Analyst Tools, Concepts & More
In this article, we’ll discuss the tools you’ll use every day as a SOC analyst, common security definitions, the MITRE ATT&CK framework, the Cyber Kill Chain model, Incident Response, and Zero Trust.

SOC Analyst Scenario

Imagine badging into the front door of your office building and saying hello to the guard that you see every day, wondering what you will get him for Christmas. You leave your badge at home more often than you should, so you’ve chit-chatted a bit as he gets you a temporary badge. You know he has a little boy, and he really likes Hot Wheels. You think about this as you tell him to have a nice day, and you approach the elevator to go to your floor. You badge the elevator to get to your floor, because your floor is locked unless you are approved to get in. Then you get off the elevator at your destination and walk toward the center of the floor where the SOC sits, and you badge one more door to get to the common areas, because you have access to this area, and this is where the sales and engineering teams sit in their cubicles.

As you approach the center of the room where the SOC is, there are two security doors within a few feet of each other. This is called a mantrap, and it allows security to trap someone between the two doors so they can be escorted out of the building if they are not allowed to be there. You swipe your badge at the first door, and then briefly you get a little anxious: what if the locks broke or your badge suddenly didn’t work? You’d be trapped in the mantrap in some kind of horror experiment. You try your badge again and make it through the second door to the heart of security: the Security Operations Center! It is dark and there are windows, but there are blinds covering all of the windows. It is eerie because the only time the blinds seem to be opened is to let the window cleaners clean the windows.
You look above your head and around you, and you instantly are brought to the front lines as the TVs that line the ceiling display what is going on in your global company, and in the world, in real time. You are sucked into your role, and you say hello to your friends and then jump into action.

Note: This was an actual SOC for a Managed Security Services Provider that we worked for. They would periodically bring clients in to show them how seriously they took security. It sometimes felt like being watched like fish in a tank, but it made me feel pride in what I was doing.

SIEM

The number one tool you will need to know as a security analyst in this decade is what a Security Incident and Event Management (SIEM) tool is and how it plays into your role. The SIEM is the heartbeat of the SOC. Everything that is done on a device can generate a log. Without logs there would not be a security analyst. Without logs there would not be security. When devices from all around the world generate logs, the idea is to send them to a single point where all of the logs can be observed and measured. This concept is called a “single pane of glass” and is ideally the one screen that the SOC can operate from without having to chain multiple web browsers and sites together to accomplish the review of security events. The single pane of glass is the SIEM.

Other than collecting logs, the SIEM also puts them into chronological order. Because of the varying time zones across the world configured in your devices, the timestamps, or date and time, on each log need to be accounted for. The SIEM also normalizes logs: when logs are ingested into the SIEM platform, they must meet a certain standard and format. Each SIEM has a “special sauce” or proprietary technique that is used to take in billions of logs and pick out the things that are suspicious, but at a basic level, either the vendor or the users (or both) create rules so that if any of the logs match a given criteria, it will sound the alarm.
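The SIEM ingest steps just described (one collection point, time-zone-aware chronological ordering, normalization to a common schema, and a rule that sounds the alarm), as an added Python example that is not the article's code or any SIEM vendor's. The two log formats, the hostnames, the sample lines and the failed-logon threshold rule are constructed for illustration; the firewall stamps UTC+02:00 and the domain controller UTC-05:00, so sorting on the raw local timestamps would put the events in the wrong order.

```python
"""Miniature SIEM ingest step (added example, not the article's code): parse two
constructed log formats into one schema, order them in UTC across time zones,
and raise an alarm when a simple rule matches."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs from two devices in different time zones. The Windows
# lines look "earlier" than the firewall lines until the offsets are applied.
# Addresses come from documentation ranges; nothing here is a real indicator.
RAW_LOGS = [
    "2024-05-01T09:15:02+02:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389",
    "2024-05-01 03:14:59 -0500 WIN-DC01 EventID=4625 user=svc_backup src=203.0.113.7",
    "2024-05-01T09:15:10+02:00 fw01 DENY src=203.0.113.7 dst=10.0.0.6 dport=3389",
    "2024-05-01 03:15:05 -0500 WIN-DC01 EventID=4625 user=svc_backup src=203.0.113.7",
    "2024-05-01 03:15:06 -0500 WIN-DC01 EventID=4625 user=svc_backup src=203.0.113.7",
    "a line no parser understands is dropped here; a real SIEM parks it for parser work",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
WIN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([+-]\d{4}) (\S+) "
                    r"EventID=(\d+) user=(\S+) src=(\S+)$")


def parse_line(line):
    """Normalize one raw line into the common schema, or None if no parser fits."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, dst, dport = m.groups()
        when = datetime.fromisoformat(ts)            # keeps the +02:00 offset
        return {"ts": when.astimezone(timezone.utc), "host": host, "source": "firewall",
                "event": action.lower(), "src_ip": src, "dst_ip": dst,
                "dport": int(dport), "user": None}
    m = WIN_RE.match(line)
    if m:
        ts, offset, host, event_id, user, src = m.groups()
        when = datetime.strptime(f"{ts} {offset}", "%Y-%m-%d %H:%M:%S %z")
        return {"ts": when.astimezone(timezone.utc), "host": host, "source": "windows",
                "event": f"eventid_{event_id}", "src_ip": src, "dst_ip": None,
                "dport": None, "user": user}
    return None


def normalize(lines):
    """Parse everything parseable and return it in true chronological (UTC) order."""
    events = [e for e in (parse_line(line) for line in lines) if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_rule(events, threshold=3, window_seconds=60):
    """Rule: N or more Windows 4625 (failed logon) events from one source IP inside
    the window. One alarm per source; the analyst ticket carries the detail."""
    by_src = {}
    for e in events:                                 # events arrive already sorted
        if e["event"] == "eventid_4625":
            by_src.setdefault(e["src_ip"], []).append(e["ts"])
    alarms = []
    for src, times in by_src.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= timedelta(seconds=window_seconds):
                alarms.append({"rule": "repeated_failed_logon", "src_ip": src,
                               "count": threshold, "first": times[i],
                               "last": times[i + threshold - 1]})
                break
    return alarms


if __name__ == "__main__":
    ordered = normalize(RAW_LOGS)
    for e in ordered:
        print(e["ts"].isoformat(), e["host"], e["event"], e["src_ip"])
    for a in failed_logon_rule(ordered):
        print("ALARM", a["rule"], a["src_ip"], a["first"].isoformat())
```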
Next-generation SIEM platforms perform User and Entity Behavior Analytics (UEBA), which attempts to monitor all of your user-generated logs, create a baseline of activity that is considered normal, and then sound the alarm when someone is acting outside of their normal behavior. Next-generation SIEM platforms are also moving toward being a case manager as well. When there are multiple alarms that are seemingly related, they offer a way to combine them and track evidence and investigations in a way that is meaningful and easy to use. Lastly, next-generation SIEM platforms are moving toward integrated automation. Security Orchestration, Automation, and Response (SOAR) is rapidly gaining traction in the industry and is poised to be the next “single pane of glass.”

Firewalls

In addition to SIEM and SOAR, you will likely come across firewalls. Firewalls and firewall engineering are a specialty all their own, but it’s important to understand that the biggest players in the firewall space are Cisco, Checkpoint, Fortinet, Palo Alto, Juniper, and SonicWall. As a security analyst, you might be responsible for performing a firewall block on an IP address, or requesting to have it done. What this means is that you have used the tools and techniques of a security analyst and determined that it was bad, and you want to block communication between that IP address and your internal network.

IDS/IPS

You will also need to know what an intrusion prevention system (IPS) and an intrusion detection system (IDS) are. A “prevention” system allows actions to be taken by the device as the events happen. A “detection” system only allows for events to be detected, not for the device to interject with actions. Figure 5–1 is a basic illustration of two computers communicating and how the IDS would fit in, just monitoring passively.

Figure 5–1 Intrusion Detection System

Intrusion detection systems can be placed either “in-line” or through a network tap; the network tap is what is shown in Figure 5–1.
Tapping the network allows the device to see the network traffic but not affect bandwidth. Intrusion detection systems placed through a tap cannot take preventative action because they cannot control the flow of traffic. Figure 5–2 depicts two computers communicating and how an intrusion prevention system would fit into the network in an “active” scenario. The intrusion prevention system has the ability to change the flow of traffic between the two devices because of the way it sits in-line on the network.

Figure 5–2 Intrusion Protection System

Intrusion prevention systems must be placed as seen in Figure 5–2. Most modern intrusion prevention systems will have some rules set to “take action” and some set to monitor only. These are called intrusion detection and prevention systems (IDPS).

Sandboxing

Another tool you may come across is a sandbox. When you hear someone say, “Did you sandbox that?”, what they mean is: have you executed the file or website in a protected environment to find out what it does? Quite a few endpoint detection products will detonate the file on your behalf so they can know whether it is bad or not, but nothing comes as close as a good report from Hybrid Analysis or Joe Sandbox. These tools are designed to twist every knob and press every button to squeeze as much execution information as they can out of a sample. As a SOC analyst, you mainly use these tools to pull out indicators of compromise, like hashes of files it drops or IP addresses and domains it contacts, to run through your SIEM to see if there are any historical connections.

Terminology

As you go through your day as a SOC analyst, you will come across terms that aren’t always agreed on, and the meanings are a bit vague. From the best of our combined experience, these are the best definitions for these terms. Figure 5–3 is a chart of the order of volume for each class.
Figure 5–3 Volume Funnel Chart

Security Logs: Most Common

At the very base of a security program are security logs. These logs could be from anything and everything and about anything and everything. Once they are ingested into a SIEM, they become a security log. Examples of important security logs that a SOC would want to capture are network flow logs, Windows Event Logs, Unix syslogs, and firewall logs. Security events can string together many security logs.

Security Event: Common

Security events are the day-to-day routine security monitoring from the tooling. They are very common, and almost all security tooling notifications start as a security event generated from security logs, with the exception of vulnerability scanners, and are escalated as needed. A security event must be escalated to a security incident before becoming a breach. When a security event is escalated to become an incident, the incident response process triggers, and an incident handler is assigned.

Incident: Uncommon

Security incidents are uncommon but happen more frequently than a security breach. An incident is declared, and the incident response process starts, if there is suspected loss of sensitive data. What is not an incident: security events and vulnerabilities that have not been escalated.

Security Breaches: Rare

Security breaches are rare and involve a verified loss of data containing sensitive personal information. In most cases, to utter the words that something is a breach requires the legal department and the CISO to declare a breach. As a new analyst, it is good practice to not use this term anywhere unless told otherwise. In most cases, breaches require a breach notification to clients and sometimes the public and are handled with extra sensitivity. All breaches start as incidents.
The Incident Response Process

As an analyst, you’ll typically be dealing with security events that you’ll see through to closure; however, sometimes security events become larger than what the SOC typically deals with, requiring the Incident Response Plan (IRP) to be executed and the dedicated Incident Response Team (IRT) to take over the investigation. It is important for you to understand the incident response process.

The incident response process is a structured approach businesses develop to manage and mitigate the impact of security breaches. This critical process aims to minimize damage, reduce recovery time and costs, and prevent future incidents. By following a well-defined response plan, organizations can quickly address vulnerabilities, assess the extent of breaches, and implement effective countermeasures. This proactive and reactive strategy is essential in maintaining information assets’ integrity, confidentiality, and availability in today’s increasingly complex and evolving cyber threat landscape.

The National Institute of Standards and Technology (NIST) Incident Response Lifecycle is a common and widely recognized standard. It is broken down into four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

Figure 5–4 Incident Response Process

Preparation is the first and most impactful phase of the incident response lifecycle. This is where the groundwork for how an organization responds to a security breach is developed. Training and awareness programs are defined for the incident responders and the larger organization. By preparing for incidents before they happen, companies build resilience against cyber threats. This proactive approach means that the impact on operations, reputation, and finances can be minimized when incidents occur.

Detection and Analysis is where the SOC focuses its efforts.
It’s important to remember that early detection is critical; the sooner a security incident is detected, the more effectively it can be contained and remediated. Having a detailed and comprehensive Incident Response Plan will also aid in developing rapid response capabilities. The plan should clearly specify how to prioritize security incidents, escalation procedures, and who in the organization’s leadership confirmed security incidents are reported to.

Containment, Eradication, and Recovery begin once a security incident is declared. The first objective of this phase is to accurately identify the method of compromise and the actions taken by the attacker post-compromise. A plan to “stop the bleeding” can be developed from there. This is how containment is achieved. Next, actions are taken to eradicate the access gained by the attacker. This could include removing an endpoint infected with ransomware from the network, resetting compromised passwords, or adding a network block to the firewalls. The actions taken here vary incident by incident and require critical thinking to ensure nothing is missed. Finally, a recovery plan is developed and executed. This usually involves identifying the initial method of compromise and plugging the hole to ensure it doesn’t happen again. For example, if a web server was compromised using SQL injection, the developer would be tasked with remediating the SQL injection vulnerability in the website. Recovery is considered complete once all affected systems, networks, and user accounts are returned to their operational state before the incident. Implementing new security detections for the SOC to monitor post-incident is also essential. You can move into the final phase only after extensive testing of the latest security controls and detections.

Post-Incident Activity is when an analysis of the response process is conducted to identify any opportunities for improvement.
For the veterans out there, this is where the After Action Review (AAR) would be conducted. Usually, the Incident Commander/Manager meets with everyone involved in the incident to talk through the steps taken, identify what worked and what needs improvement, and develop a report for executive leadership. This step might result in updates to the Incident Response Plan, strengthened security measures, or previously unknown security gaps being filled with tooling or detections.

Finally comes knowledge sharing. Many organizations are members of cybersecurity working groups. One example is the Defense Industrial Base (DIB), hosted by the Department of Defense. DIBnet is a secure portal for companies that are members of the DIB to share incident reports, indicators of compromise, and lessons learned with one another to strengthen the entire community through collaboration.

MITRE ATT&CK Framework

Tactics, Techniques and Procedures (TTPs) describes the three components of the process adversaries use to develop threats and plan cyberattacks. Tactics represent the “why” of an attack technique, the reason for performing an action. Techniques represent “how” an adversary achieves a tactical goal by performing an action. Procedures are the specific implementations the adversary uses for techniques.

Note: Tactics, Techniques and Procedures (TTPs) is a common industry term that you should know.

Developed by the MITRE Corporation, the ATT&CK framework is a knowledge base that describes cyber adversary tactics, techniques, and procedures based on real-world observations. It is most commonly used at a management level, in metrics, to categorize the attacks seen in an organization so that you know where to make improvements to the security posture. It is also important for an analyst to be familiar with it so that you know how to categorize things when you need to. But you don’t need to memorize everything; it’s all on the website for you to look up.

Figure 5–4 The ATT&CK for Enterprise Matrix

It’s OK if you’re not able to read Figure 5–4, but that’s what it looks like if you visit the website. The key components of the MITRE ATT&CK framework are:

Tactics: High-level objectives or goals that adversaries seek to achieve during an attack. Examples include Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact. These are at the top of Figure 5–3.

Figure 5–5 MITRE ATT&CK Tactics

Techniques: Specific methods or approaches that adversaries use to accomplish a particular tactic. Techniques are more detailed and granular than tactics. For example, within the “Execution” tactic, there might be techniques like Command-Line Interface, Scripting, or Exploitation of Remote Services.

Figure 5–6 MITRE ATT&CK Techniques

Procedures: Specific instances or examples of how adversaries implement techniques in a real-world scenario. These are listed inside each technique.

Figure 5–7 MITRE ATT&CK Procedures

Mitigations: Inside each technique are recommendations and best practices to defend against or minimize the impact of that specific technique.

Groups: Inside each technique are the adversarial groups or threat actors that researchers have identified using it, along with information about their tactics, techniques, and procedures.

Software: Inside each technique is the specific malware, tooling, or software associated with that adversary activity.

The MITRE ATT&CK framework is widely used in the cybersecurity community for threat intelligence, red teaming, blue teaming, and incident response.

Cyber Kill Chain

Another model like the MITRE ATT&CK framework that is used for mapping adversaries and developing countermeasures is the Cyber Kill Chain. The Cyber Kill Chain is a concept that describes the stages an adversary typically goes through to successfully execute a cyber attack.
It was initially introduced by the defense contractor Lockheed Martin and has since become a widely adopted framework in the field of cybersecurity. The Cyber Kill Chain helps organizations understand and analyze the various phases of a cyber attack, allowing them to implement effective defense mechanisms at each stage. The traditional Cyber Kill Chain consists of the following stages:

Figure 5–8 Stages for Cyber Kill Chain

Reconnaissance: The attacker gathers information about the target, such as potential vulnerabilities, employee names, and network architecture. This can involve both passive (e.g., online research) and active (e.g., scanning for open ports) methods.

Weaponization: The attacker creates or acquires a weapon, typically in the form of malware or a malicious payload, designed to exploit a specific vulnerability.

Delivery: The attacker delivers the weapon to the target environment. This could occur through various means, such as email attachments, malicious links, or exploiting software vulnerabilities.

Exploitation: The weapon is executed, taking advantage of vulnerabilities in the target system to achieve its malicious objectives. This stage often involves gaining unauthorized access to or control over the targeted systems.

Installation: The attacker establishes a persistent presence in the target environment by installing additional tools, backdoors, or malware. This allows them to maintain access to and control over the compromised system.

Command and Control (C2): The attacker establishes communication channels with the compromised system to remotely control and manage the attack. This can involve receiving instructions, exfiltrating data, or delivering additional payloads.

Actions on Objectives: The attacker achieves their ultimate goal, which could include data theft, system disruption, or other malicious activities. This stage may vary depending on the attacker’s motives, such as financial gain, espionage, or activism.

Not all attacks follow these stages in a fixed order, and defenders can disrupt the chain at various points to prevent or mitigate the impact of an attack. Understanding the Cyber Kill Chain is valuable because, although the MITRE framework is more common, the Cyber Kill Chain is still referred to in some places, and conceptually the kill chain can be easier to digest than the MITRE framework. Just know that it is another model, like the MITRE ATT&CK framework, for mapping attackers to help with countermeasures.

OWASP Top 10

OWASP stands for Open Worldwide Application Security Project. More commonly known as the Open Web Application Security Project, it is a nonprofit foundation that works to improve the security of software. They have over 250 chapters that meet in person all over the world, and it is likely they have one near you. You should consider attending sometime, as it’s a great way to network with people. OWASP publishes a Top 10 report that describes the top 10 web application security risks. It’s important for you to be familiar with these risks. I have been asked in interviews before to describe Cross-Site Scripting (XSS) or SQL Injection (SQLi). The OWASP Top 10 skills are difficult to learn and are not best taught through an article but through hands-on practice. I would recommend that you check out TryHackMe’s OWASP Top 10 labs. TryHackMe is an online platform, with both free and subscription tiers, that teaches cybersecurity through short, gamified, real-world labs. If you’re new to TryHackMe, I recommend signing up for a free account and going over the platform to understand how the rooms/labs work. They have a Discord chat, but I would recommend skipping it. It’s over-moderated and can distract you from your progress. TryHackMe is a great platform and I don’t want one overzealous chat moderator to ruin your experience with the company.

Zero Trust

Zero Trust is a security approach where you don’t automatically trust anyone or anything, whether they’re inside or outside your network. Instead of assuming everything is safe once inside, you constantly check and verify things like user identity, device health, and the context of the situation before allowing access to sensitive data. These are the basic principles of Zero Trust:

Verify Identity: Always check and make sure that people, devices, or systems are who or what they claim to be before letting them access important data.

Least Privilege Access: Only give people or things the minimum access they need to get their job done. Don’t give them more than necessary.

Micro-Segmentation: Divide your network into smaller parts and control how things communicate between them. This way, if one part is in trouble, it won’t affect everything else.

Continuous Monitoring: Keep an eye on what people and things are doing. If something seems weird or not right, check it out and take action.

Contextual Access Control: Decide who gets access based on the context, like where they are, what time it is, and how important the data is that they want.

Encryption: Make sure that information is protected by encrypting it, making it unreadable to anyone who shouldn’t see it.

Dynamic Policy Enforcement: Always be ready to adjust your security rules based on what’s happening. Stay flexible and adapt to new threats or situations.

These principles form the foundation of the Zero Trust model. It is quickly being adopted everywhere because your data is now everywhere. Most corporate networks no longer have the defined perimeter they had in the past. The only way to ensure that access to your data stays authorized is to keep a closer eye on who accesses what and when, and we do this by implementing the Zero Trust model. Zero Trust: NEVER trust, ALWAYS verify.
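As an added example (not from the article), here is a deny-by-default access decision that applies the principles listed above to constructed requests: being inside the network buys nothing, and identity, device health, role, segment, time of day and a monitoring-derived risk score all have to pass. Every role, segment, threshold and field name is a hypothetical illustration, not a real product's policy language.

```python
"""Added example, not from the article: a deny-by-default Zero Trust access
decision over constructed requests. All policy values are hypothetical."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool         # Verify Identity
    device_compliant: bool     # device health, also part of Verify Identity
    roles: frozenset           # used for Least Privilege Access
    source_segment: str        # Micro-Segmentation: where the request comes from
    hour: int                  # Contextual Access Control (0-23)
    resource: str
    resource_sensitivity: str  # "low" or "high"
    risk_score: int = 0        # fed by Continuous Monitoring (0-100)


# Hypothetical policy tables. Each resource lists the only network segments
# allowed to reach it; a corporate address on its own grants nothing.
ROLE_PERMISSIONS = {
    "soc-analyst": {"siem", "ticketing"},
    "hr": {"hr-records"},
}
SEGMENT_ALLOWED = {
    "siem": {"corp-wired", "corp-vpn"},
    "ticketing": {"corp-wired", "corp-vpn", "guest-wifi"},
    "hr-records": {"corp-wired"},
}
BUSINESS_HOURS = range(7, 20)  # hypothetical window for high-sensitivity data
RISK_THRESHOLD = 70            # hypothetical cut-off (Dynamic Policy Enforcement)


def evaluate(req: AccessRequest) -> tuple:
    """Return ("allow" or "deny", [reasons]); every check must pass."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified (no MFA)")
    if not req.device_compliant:
        reasons.append("device failed health check")
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.resource not in permitted:
        reasons.append(f"roles {sorted(req.roles)} are not permitted on {req.resource}")
    if req.source_segment not in SEGMENT_ALLOWED.get(req.resource, set()):
        reasons.append(f"segment {req.source_segment} may not reach {req.resource}")
    if req.resource_sensitivity == "high" and req.hour not in BUSINESS_HOURS:
        reasons.append("high-sensitivity resource requested outside business hours")
    if req.risk_score > RISK_THRESHOLD:
        reasons.append(f"risk score {req.risk_score} exceeds {RISK_THRESHOLD}")
    return ("allow" if not reasons else "deny", reasons)
```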
Summary

When you start your new job on day one, it will help you tremendously if you have even heard of some of these technologies, concepts, and methodologies, not to mention how much it will help you to understand them during the interview process. As I stated, the SIEM is the most important tool for a SOC analyst to know today. In the future, more single panes of glass are going to be driven by SOAR platforms, but they will likely be a combined product, a SIEM/SOAR product as a single pane of glass.

ARTICLE QUIZ (ANSWERS FOLLOW)

_________ provides near real-time analysis of security alerts, allowing security specialists to see an overview of their network.
Ⓐ SIEM Ⓑ IPS Ⓒ IDS Ⓓ SOAR

_________ monitors all users and establishes a baseline of activity that’s considered normal, then sounds the alarm when someone’s activity falls outside of that.
Ⓐ SIEM Ⓑ SOAR Ⓒ UEBA Ⓓ IPS

_______ allows predefined playbooks to run automatically for common security issues, freeing up staff to work on more challenging and interesting items.
Ⓐ UEBA Ⓑ SIEM Ⓒ IDS Ⓓ SOAR

Common firewall vendors include all the following except:
Ⓐ Super Sonic Ⓑ Cisco Ⓒ Checkpoint Ⓓ Palo Alto

_______ allows a device to take action as needed to control the flow of network activity.
Ⓐ IDP Ⓑ IPS Ⓒ SOAR Ⓓ SIEM

_______ allows for detection, not intervention.
Ⓐ IDS Ⓑ IPS Ⓒ SIEM Ⓓ UEBA

When a file is opened or executed in a protected environment to find out what it does, this action is known as _______.
Ⓐ Shadow Boxing Ⓑ Encryption Ⓒ Sandboxing Ⓓ An Incident

You shouldn’t use this term unless specifically instructed to: _______.
Ⓐ Incident Ⓑ Breach Ⓒ Security Event Ⓓ Logs

_______ initiate an incident response process if there’s a suspected loss of sensitive data.
Ⓐ Incidents Ⓑ Breaches Ⓒ Events Ⓓ Logs

ARTICLE QUIZ SOLUTIONS

_________ provides near real-time analysis of security alerts, allowing security specialists to see an overview of their network.
Ⓐ SIEM. Security Information and Event Management (SIEM) platforms provide real-time analysis of security alerts, allowing security specialists to see an overview of their network.

_________ monitors all users and establishes a baseline of activity that’s considered normal, then sounds the alarm when someone’s activity falls outside of that.
Ⓒ UEBA. User and Entity Behavior Analytics monitors all users and establishes a baseline of activity that’s considered normal, then sounds an alarm when someone’s activity falls outside of the baseline.

_______ allows predefined playbooks to run automatically for common security issues, freeing up staff to work on more challenging and interesting items.
Ⓓ SOAR. Security Orchestration, Automation and Response (SOAR) tools allow predefined playbooks to run automatically for common security issues, freeing up the staff to work on more challenging and interesting items.

Common firewall vendors include all the following except:
Ⓐ Super Sonic. Super Sonic is not a common firewall vendor. One similar-sounding vendor is “SonicWall.”

_______ allows a device to take action as needed to control the flow of network activity.
Ⓑ IPS. Intrusion Prevention Systems (IPS) can control the flow of network traffic when placed in-line on a network.

_______ allows for detection, not intervention.
Ⓐ IDS. Intrusion Detection Systems (IDS) allow for detection, not intervention.

When a file or website is executed in a protected environment to find out what it does, this action is known as _______.
Ⓒ Sandboxing. Sandboxing is a protected environment where someone can execute potentially malicious files and URLs safely to measure how they execute and what they do.

You shouldn’t use this term unless specifically instructed to: _______.
Ⓑ Breach. Typically the term “breach” is a contractual term and its use should be avoided unless you are specifically told otherwise.

_______ initiate an incident response process if there’s a suspected loss of sensitive data.
Ⓐ Incidents. Incidents initiate a predefined Incident Response Process (IRP), and typically an Incident Handler is assigned from the Incident Response Team (IRT) to manage the incident.

Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn.

You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.

Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.

Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.

Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.
- How to Set SOC Analyst Goals
If you can take one very big hairy audacious goal (BHAG) and break it down into its many smaller goals, the result is what’s called the snowball effect. Once you complete the first small goal, you get a mental boost to complete the next. And then the next. Before you know it, you’ve accomplished something and it doesn’t feel all that big anymore. Oftentimes you’ll look back and think the hardest part about the BHAG was getting started. It really, truly is about micro goals. This is How to Set SOC Analyst Goals.

I would also tell you that a successful career is about choosing your tasks, and the time you spend on them, with tact. What I mean by that is everyone seems to be always overworked, and those who excel are those who can prioritize and deliver on the tasks that give the most bang for the buck. There isn’t enough time in two lifetimes to complete everything that I’ve been asked to do in my career. At times I’ve been asked to do things that no one cares about, and that’s the last I ever hear about it. It would take me days to do and would interfere with more important things. Then I get asked to do something that is easy to do that ultimately lands on the CEO’s desk. Which one of those two do you do? It’s a no-brainer: you smash the task and over-deliver on the vision of the executives.

The Eisenhower Matrix is a task management tool that helps you organize and prioritize tasks by urgency and importance. Using the tool, you’ll divide your tasks into four boxes based on the tasks you’ll do first, the tasks you’ll schedule for later, the tasks you’ll delegate, and the tasks you’ll delete. In this piece, we’ll explain how to set up an Eisenhower Matrix and provide tips for task prioritization.

Making a to-do list is the first step toward getting work done. But how do you determine what to tackle first when you don’t have enough time to do everything in one day? With effective prioritization, you can increase your productivity and ensure that your most urgent tasks get immediate attention. The Eisenhower Matrix is a task management tool that helps you distinguish between urgent and important tasks so you can establish an efficient workflow.

Dwight D. Eisenhower — the 34th President of the United States and a five-star general during World War II — presented the idea that would later lead to the Eisenhower Matrix. In a 1954 speech, Eisenhower quoted an unnamed university president when he said, “I have two kinds of problems, the urgent and the important. The urgent are not important, and the important are never urgent.” Stephen Covey, author of The 7 Habits of Highly Effective People, took Eisenhower’s words and used them to develop the now-popular task management tool known as the Eisenhower Matrix. The Eisenhower Matrix is also known as the time management matrix, the Eisenhower Box, and the urgent-important matrix. This tool helps you divide your tasks into four categories: the tasks you’ll do first, the tasks you’ll schedule for later, the tasks you’ll delegate, and the tasks you’ll delete.

Urgent tasks require your immediate attention. When something is urgent, it must be done now, and there are clear consequences if you don’t complete these tasks within a certain timeline. These are tasks you can’t avoid, and the longer you delay them, the more stress you’ll likely experience, which can lead to burnout. Like the executive high-visibility request above. OVER deliver on that.

Important tasks may not require immediate attention, but these tasks help you achieve your long-term goals. Just because these tasks are less urgent doesn’t mean they don’t matter. You’ll need to thoughtfully plan for these tasks so you can use your resources efficiently.

Quadrant 1: Do

Quadrant one is the “do” quadrant, and this is where you’ll place any tasks that are both urgent and important. When you see a task on your to-do list that must be done now, has clear consequences, and affects your long-term goals, place it in this quadrant. There should be no question about which tasks fall into this quadrant, because these are the tasks that are at the front of your mind and are likely stressing you out the most. These are the phishing emails to executives.

Quadrant 2: Schedule

Quadrant two is the “schedule” quadrant, and this is where you’ll place any tasks that are not urgent but are still important. Because these tasks affect your long-term goals but don’t need to be done right away, you can schedule them for later. You’ll tackle these tasks right after you tackle the tasks in quadrant one. You can use various time management tips to help you accomplish the tasks in this quadrant. Some helpful strategies may include the Pareto principle or the Pomodoro method. These are your development goals.

Quadrant 3: Delegate

Quadrant three is the “delegate” quadrant, and this is where you’ll place any tasks that are urgent but not important. These tasks must be completed now, but they don’t affect your long-term goals. Because you don’t have a personal attachment to these tasks and they likely don’t require your specific skill set to complete, you can delegate them to other members of your team. Delegating tasks is one of the most efficient ways to manage your workload and give your team the opportunity to expand their skill set. As a junior SOC analyst, there’s no one below you. If you have an MSSP, it would be a good time to see if the tasks can be delegated to them. But you do have teammates, and you should act like a team. If you pick up a ticket and someone else is already halfway through working on a similar ticket, don’t be shy; ask them if they’d like to work on this one too. It makes their metrics look better and keeps the SOC efficient. This is queue management.

Quadrant 4: Delete

Once you’ve gone through your to-do list and added tasks to the first three quadrants, you’ll notice that a handful of tasks are left over. The tasks left over are tasks that weren’t urgent or important. These unimportant, non-urgent distractions are simply getting in the way of you accomplishing your goals. Place these remaining items on your to-do list in the fourth quadrant, which is the “delete” quadrant. But remember, if something you deleted keeps popping back up on your radar, it’s time to reevaluate the importance of the task. These are the special projects that you don’t have any time for.

Zig Ziglar says, “You can have everything you want in life, if you will just help other people get what they want.” I will always encourage people to ask me for things because I believe in the motto, “If you never ask, the answer is always no,” and I’m not afraid to say no. So prioritize correctly, get more done, and push the envelope sometimes in your career if you deserve it.
- What Skills Do I Need to Be a SOC Analyst
This article will describe the prerequisite skills that you will need to land your first job in cybersecurity. This is What Skills Do I Need to Be a SOC Analyst? Knowing which topics you need to know to land your first role in cybersecurity is crucial. While we can’t teach you everything you need to know, this article will cover the fundamentals of cybersecurity based upon a common baseline of knowledge. Most of the prerequisite knowledge can be gained through formal cybersecurity certifications such as CompTIA Network+ and Security+. This article will discuss the concepts that you should understand before interviewing. Let’s talk about networking first.

Networking

The first requisite skill we’ll talk about is networking. No, this won’t be about how to talk to people; we will cover the basics of the modern TCP/IP stack and the OSI model. The Transmission Control Protocol and Internet Protocol (TCP/IP) were invented in the 1970s by DARPA scientists Vinton Cerf and Bob Kahn. At that time, there was no recognized network standard. After over a decade of tests and refinement, the TCP/IP stack was officially launched in 1983 and was quickly adopted by the US Department of Defense. The DoD’s adoption of the new protocol secured TCP/IP’s place as the standard moving forward.

Basically, the TCP/IP stack can be viewed as a set of layers; each layer solves a set of problems around the transmission of data. The TCP/IP stack contains four layers. Alternatively, there is the seven-layer Open Systems Interconnection (OSI) model. Today, the OSI model is more generally used, as it provides a more granular view of the encapsulation process. For the purpose of continuity, we will use the OSI model going forward. Refer to Figure 1–1 for the TCP/IP and OSI models.

Figure 1–1: TCP/IP and OSI Models

Data Encapsulation and Decapsulation

Data encapsulation and decapsulation is the process of taking data from one layer of the OSI model and translating it for the next layer. Whether that means adding layers or peeling them back, the data is being prepared for the next layer. As a broad example, decapsulation is the process of turning the binary 1s and 0s of the physical layer into something that is human readable at the application layer. Whether you’re viewing a web page or watching a video, data encapsulation and decapsulation is pivotal to the flow of data on our networks.

When data starts out at layer seven, it is one piece of data. As it travels down the layers to layer one, where it is sent across as a signal (light, electrical, radio waves), it gets prepared and chopped up into smaller pieces to be sent. Each packet of data gets encapsulated with more information at the front and sometimes at the back. After it is sent as a signal, the layers are peeled back at the destination and reassembled until it is one piece of data again, ready to be consumed.

Figure 1–2: Data Encapsulation

Entire books have been dedicated to this topic; however, we suggest you search YouTube for “OSI Model Encapsulation.” There are some great videos that break down the process with animations we can’t properly depict here. One that we found that we really like is here: bit.ly/osiencapsulation

IPv4 and IPv6 IP Addresses

On the Internet today, there are two types of IP addresses: IPv4 addresses and IPv6 addresses. The IPv4 address space (e.g., 10.0.0.1) is a 32-bit solution and is what most people are familiar with when they think about IP addresses, but due to changes in the Internet landscape, especially the addition of the Internet of Things, we have exhausted all publicly available IPv4 addresses. They are currently only being reassigned to replace the space of companies that have gone out of business.
As a solution, the world has begun to use IPv6 addresses (e.g., 2004:0cb8:82a3:08d3:1319:8a2e:0370:7334), which are a 128-bit solution. Take time to learn the differences between IPv4 and IPv6; you can expect to be asked questions about them during your interview.

RFC1918

Another important thing to know about IP addresses is the difference between public network space and private network space. If you were to ping Google, the message exits your private network and traverses the public Internet until it hits a computer on the public Internet owned by Google, and then Google decides what to do with that message internally. Think of it like driving through a modern neighborhood where the houses are right next to each other. As you drive, you can look to your left and right and see the front doors. You can walk up anyone’s driveway and knock on their front door because that is all publicly accessible. Now consider this: private network address spaces are the bedrooms, bathrooms, and common areas inside the house. In the scheme of the Internet, these private spaces are governed by something called the RFC1918 address space (Figure 1–3). There are three IP address subnets in RFC1918.

Figure 1–3: RFC1918 Address Space

Due to the large number of hosts in a corporate environment, it is most common to see the 10.0.0.0/8 address space used.

Ports and TCP/UDP

Knowing the common port numbers and the difference between TCP and UDP will be helpful. TCP, or Transmission Control Protocol, relies on establishing a three-way handshake connection. UDP, or User Datagram Protocol, requires much less control data compared to TCP. Think of UDP as the “Unreliable Dang Protocol” because UDP traffic is sent, and neither the sending nor the receiving host cares whether the data arrives. In contrast, if a piece of data is lost in transit over a TCP connection, TCP will resend the missed packet and put the data back together in order. If you’ve ever streamed a movie or watched YouTube, you used UDP to receive the video data. You may have noticed the video skip or show a weird frame; well, that was a UDP packet that didn’t arrive at your computer or TV. TCP connections are used when every bit of data needs to arrive at the destination, such as in a file transfer. If you are transferring a file and not all of the bits and bytes get to the destination, the file will be corrupt and unusable. Figure 1–4 shows a cheatsheet table for port numbers.

Figure 1–4: Common Port Numbers

TCP Three-Way Handshake

Next is the TCP three-way handshake process. This is important because the three-way handshake is what establishes a TCP connection between two hosts. See Figure 1–5.

Figure 1–5 TCP Three-Way Handshake

To explain, let’s say you are uploading a file to an image hosting website. Before the file transfer takes place, your computer establishes the connection to the server by sending a Synchronize (SYN) packet. The server then sends a SYN and Acknowledge (SYN-ACK) packet back, and your client finally sends the Acknowledge (ACK) packet back, at which point the three-way handshake has completed. How this translates into your new job: if a host on the public Internet is attacking the perimeter of the corporate network, you might only see a SYN packet. Most firewalls will drop this traffic if it isn’t approved, and it isn’t a big deal. However, if you are looking at a computer on your network that is suspected of communicating with a malicious host and the two have completed the handshake process, there is a good chance they have actively communicated and data at some scale has been transferred.

CIA Triad

The basic tenets of security revolve around the concept of the CIA Triad: not the Central Intelligence Agency, but confidentiality, integrity, and availability. All of security can be broken down into these three high-level categories.
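The encapsulation, RFC1918 and three-way handshake sections above, carried through in one added example that is not part of the article: an application payload is wrapped in real TCP, IPv4 and Ethernet headers (each layer prepending its own), the headers are peeled back off with the IPv4 checksum verified, and the parsed fields are used to separate private from public addresses and SYN-only attempts from completed handshakes. The three RFC 1918 ranges are from the RFC itself (the article shows them only in Figure 1–3); all addresses, MACs and ports are constructed, and the TCP checksum is left at zero for brevity.

```python
"""Added example, not from the article: encapsulate, decapsulate, then triage
TCP packets by RFC 1918 membership and handshake state. Constructed data."""
import ipaddress
import socket
import struct
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); a valid header sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src: str, dst: str, sport: int, dport: int,
                flags: int) -> bytes:
    """Layer 4, then 3, then 2: each layer prepends its own header to the front."""
    # 20-byte TCP header: ports, seq, ack, data offset (5 words) + flags, window,
    # checksum (left 0 here), urgent pointer.
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags,
                      65535, 0, 0) + payload
    # 20-byte IPv4 header: ver/IHL 0x45, TOS, total length, ID, DF flag, TTL 64,
    # protocol 6 (TCP), checksum placeholder, src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp
    # Ethernet II: dst MAC, src MAC, EtherType 0x0800 (IPv4). A real NIC would
    # also append a 4-byte FCS trailer, the "sometimes the back" case in the text.
    return (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
            + struct.pack("!H", 0x0800) + ip)


def decapsulate(frame: bytes) -> dict:
    """Peel the headers off again, verifying the IPv4 header checksum on the way."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    pkt = frame[14:]
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    seg = pkt[ihl:]
    sport, dport = struct.unpack("!HH", seg[:4])
    off_flags = struct.unpack("!H", seg[12:14])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "sport": sport, "dport": dport,
            "flags": off_flags & 0x1FF, "payload": seg[(off_flags >> 12) * 4:]}


# The three RFC 1918 private ranges (from the RFC, not from the article's figure).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(frames: list) -> dict:
    """Group packets per (client, server, port) and report handshake state
    and direction, the distinction the text tells an analyst to look for."""
    seen = defaultdict(set)
    for f in frames:
        p = decapsulate(f)
        if p["flags"] == SYN:                        # client -> server: SYN
            seen[(p["src"], p["dst"], p["dport"])].add("syn")
        elif p["flags"] == (SYN | ACK):              # server -> client: SYN-ACK
            seen[(p["dst"], p["src"], p["sport"])].add("syn-ack")
        elif p["flags"] & ACK:                       # client -> server: ACK or data
            key = (p["src"], p["dst"], p["dport"])
            if key in seen:
                seen[key].add("ack")
    out = {}
    for (client, server, port), steps in seen.items():
        state = "established" if {"syn", "syn-ack", "ack"} <= steps else "syn-only"
        direction = ("internal" if is_private(client) and is_private(server)
                     else "outbound" if is_private(client) else "inbound")
        out[(client, server, port)] = (state, direction)
    return out


def sample_frames() -> list:
    """Constructed traffic: a public host probing an internal host (SYN only,
    the kind of thing the firewall drops), and an internal host completing a
    handshake with a public host and then sending data."""
    return [
        encapsulate(b"", "198.51.100.7", "10.0.0.5", 40000, 445, SYN),
        encapsulate(b"", "10.0.0.23", "203.0.113.10", 51515, 443, SYN),
        encapsulate(b"", "203.0.113.10", "10.0.0.23", 443, 51515, SYN | ACK),
        encapsulate(b"", "10.0.0.23", "203.0.113.10", 51515, 443, ACK),
        encapsulate(b"GET / HTTP/1.1\r\n", "10.0.0.23", "203.0.113.10",
                    51515, 443, ACK | PSH),
    ]
```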
Confidentiality is the secrecy of the information, making sure that the information can only be seen by the intended people, no more no less. Integrity revolves around the correctness of the data, making sure that the information you are consuming is the data that you intend to consume, complete and unaltered. Availability consists of making sure that the data is able to be used when it is needed to be used. For instance, a denial of service attack can make a website unavailable to people who try to visit it. This is an attack on availability. Like a three-legged stool or a rigid triangle, the most secure data has a balance of all three. Figure 1–6 CIA Triad Firewalls Firewalls are superb for making sure that access to network resources are only available to those that need access. By use of access control lists (ACLs), firewalls can prevent the general Internet from accessing private network access. ACLs are an example of a confidentiality control as well as an availability control. As stated earlier in this article, there is a delineation of public Internet space and RFC1918 private Internet space. This boundary is created by using networking appliances and is called the perimeter of a network . If you think of your network as a circle and everything inside of the circle is your private computers and everything on the outside is the Internet, then the perimeter is the circle itself. This is governed by your firewalls. This concept is going out of fashion with the advent of cloud computing but still important to know today. Least Privilege and Separation of Duties Also when thinking about access control models, the concept of least privilege should be considered. Least privilege simply is the concept that no one should have more access to information than is minimally required to perform their work. For instance, a janitor needs access to all areas in a building, but probably shouldn’t require the same level of access to digital records. 
While considering the principle of least privilege, separation of duties is also important. Separation of duties is the concept that important duties should be split between people to provide less opportunity for fraud. The famous example used to explain separation of duties is separating the employee who balances the checkbook from the one who writes the checks. If one person did both and cooked the books (modified them to their advantage), they could easily write a check to themselves for the difference, and no one would ever know.

Cryptography

There are a few cryptography principles that you will need to know as well. The first is the difference between encryption and hashing. Basically, encrypting is changing the data in a way that makes it unreadable, but with the intent of changing it back to make the message readable again.

Note: Takeaways to research on your own from encryption principles are knowing what public keys and private keys are and when they are used. Also, know what makes that key process different from using the same key to encrypt and decrypt.

Hashing is the process of taking a set of data and creating a unique fingerprint out of it. For instance, if you had a thousand lines of code, you could save it to a file and hash that file to a 128-bit MD5 hash that would look something similar to this:

97fbca75e134639d48bd83270ae9e045

The main difference between a hash and encryption is that a hash is one way. There is no viable way to turn the string above back into the characters “Cyber NOW Education Rulez.” The difference between encoding and encryption might also come up in your interview; what you need to remember is that encoding is only an algorithm and doesn’t use a key.

Endpoint Security

According to Verizon’s 2023 Data Breach Investigations Report, nearly 74% of all malware infections are caused by actions taken by an individual. This includes opening email attachments, clicking unknown links, and downloading files with embedded malware.
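Returning to the Cryptography section above: the following is an added example, not code from the original article, putting the three operations the text distinguishes side by side. Hashing and Base64 encoding come straight from Python’s standard library. The standard library has no block cipher, so the “encryption” here is a small keyed keystream built from HMAC-SHA256 in counter mode; it is a demonstration construct to show the role of the key (reversible with it, not without it), not a cipher to deploy. The sample strings and keys are constructed.

```python
# Added example (not from the original article): hashing vs. encoding vs.
# encryption. The keystream cipher is a teaching construct, not production crypto.
import base64
import hashlib
import hmac
import os

def hash_fingerprint(data: bytes, algorithm: str = "md5") -> str:
    """One-way fingerprint: same input gives the same digest, and there is
    no key and no way back. MD5 matches the 128-bit example in the text;
    pass "sha256" for a modern choice."""
    return hashlib.new(algorithm, data).hexdigest()

def encode(data: bytes) -> str:
    """Encoding is keyless: anyone who knows the scheme can reverse it."""
    return base64.b64encode(data).decode("ascii")

def decode(text: str) -> bytes:
    return base64.b64decode(text)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into `length` pseudorandom bytes (HMAC-SHA256 in counter mode)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Reversible only with the key. A fresh random nonce is prepended so the
    same message encrypts differently each time."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:16], ciphertext[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

if __name__ == "__main__":
    msg = b"Cyber NOW Education Rulez."                 # constructed sample
    key, wrong_key = os.urandom(32), os.urandom(32)     # constructed keys
    print("md5   :", hash_fingerprint(msg))             # 32 hex chars = 128 bits, one way
    print("base64:", encode(msg), "->", decode(encode(msg)))   # reversible, no key
    ct = encrypt(key, msg)
    print("cipher:", ct.hex())
    print("right key :", decrypt(key, ct))
    print("wrong key :", decrypt(wrong_key, ct))        # garbage, not the message
```

The interview-ready summary the block demonstrates: a hash has no inverse at all, an encoding has an inverse that needs no secret, and an encryption has an inverse that needs the key.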
While network security is important in protecting your private network’s boundary, network security is completely circumvented when the user downloads and executes malware on a local system. Once a single system is compromised, the attacker is free to move throughout your network, all while being undetected by your firewall. User laptops, smartphones, and printers are only a few of the targeted devices that attackers can compromise. The difficulty with endpoint security is the plethora of devices on the market. The majority of all devices run on one of three operating system (OS) families: Windows, Unix, and MacOS.

Note: The Verizon Data Breach Report is perhaps the most respected publication in the cybersecurity industry. We would suggest taking a minute to review the latest breach report online to bring yourself up to speed with the industry’s latest cyber statistics. This is a great topic during interviews!

When considering endpoint security, I’ve found the most valuable skill is knowing how each one could be compromised or exploited. The following sections will cover the major operating systems and some of their common vulnerabilities.

Windows

Let’s talk about Windows first, as it is the global market leader for user endpoints. In fact, according to the 2023 stats provided by Net Market Share, 82.4% of all computers run some version of Windows. At the time of writing this article, Windows 11 and Windows Server 2022 are the latest iterations of the popular operating system. However, Windows Server 2012, 2016, and 2019 and Windows 7, 8/8.1, and 10 are still prevalent in many homes and businesses. And herein lies the problem. As new operating systems are released, the older OSs are no longer maintained by Microsoft. This leaves these older operating systems without the critical security patches required to combat new variants of malware. If we dig further into the data, we can glean that over 70% of Windows users are running an unsupported version.
Okay, we covered why Windows is targeted, but how is it targeted? As previously stated, 74% of all malware comes in via user actions. Users clicking links or opening attachments in emails cause more initial compromises than any other method. This is called phishing, and it’s been around for as long as there’s been email. Have you ever been asked to help a wealthy, foreign prince by sending him $1000 with the promise of receiving millions in return? If you answered yes, count yourself among the millions of other users who received a version of the same email. Unfortunately, that scheme did trick many people into forking over their hard-earned money with no return on investment. Today, phishing has evolved into the number one malware delivery platform.

The other common method for compromising a Windows endpoint is weak passwords. If your Windows endpoint is listening for Remote Desktop Protocol sessions, there is a good chance you’ll be targeted by a brute force attack sometime in your future. The strength of your password will determine how successful the attacker will be. When it comes to password complexity, there are two schools of thought. First, the longer the password is, the longer the brute force will take. And second, the more diverse the character set of the password, the longer the brute force will take. At the end of the day, both are true, with one caveat: if you use words in your password, it will be easier to guess. Modern password-cracking tools have the ability to ingest word lists and modify the letters using modifier rulesets to lessen the time it takes to crack a password. Cracking passwords can be a fun at-home experiment that any cybersecurity professional should learn to do. We suggest learning tools such as John the Ripper and Hashcat.

Note: Here is our legal disclaimer: stealing or actively attempting to log in to services with the passwords of others is illegal.
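To put numbers on the two schools of thought above, here is an added example that is not code from the original article: a small password-strength checker that computes the exhaustive-search keyspace from length and character-set size, and separately flags passwords built on a dictionary word after undoing the common letter substitutions (the caveat the text raises). It goes slightly beyond the text by showing that 12 lowercase letters outnumber 8 characters drawn from the full printable set. The wordlist and sample passwords are constructed.

```python
# Added example (not from the original article): quantify length vs. character
# set for a brute force, and detect wordlist-derived passwords. Defensive
# checker only; the wordlist is a constructed stand-in for a real one.
import string
from typing import Dict, Iterable, Optional

def keyspace(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length

def brute_force_seconds(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(length, charset_size) / guesses_per_second

def charset_size_of(password: str) -> int:
    """Size of the smallest union of character classes that covers the password,
    i.e. what a brute force would have to enumerate at minimum."""
    size = 0
    if any(c.islower() for c in password):
        size += len(string.ascii_lowercase)   # 26
    if any(c.isupper() for c in password):
        size += len(string.ascii_uppercase)   # 26
    if any(c.isdigit() for c in password):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)       # 32
    return size

# Common symbol-for-letter substitutions; a checker undoes them so that
# "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("4301$5!7@", "aeolssita")

def dictionary_based(password: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the wordlist entry the password is built on, after lowercasing,
    dropping trailing digits/symbols and undoing substitutions; else None."""
    core = password.lower().rstrip(string.digits + string.punctuation).translate(LEET)
    for word in wordlist:
        if len(word) >= 4 and word in core:
            return word
    return None

def assess(password: str, wordlist: Iterable[str], guesses_per_second: float = 1e10) -> Dict[str, object]:
    """Both views together: how large the search is, and whether a wordlist
    would short-circuit it entirely."""
    word = dictionary_based(password, wordlist)
    cs = charset_size_of(password)
    return {
        "length": len(password),
        "charset_size": cs,
        "exhaustive_seconds": brute_force_seconds(len(password), cs, guesses_per_second),
        "dictionary_word": word,
        "verdict": f"weak: built on '{word}'" if word else "not wordlist-derived",
    }

# Constructed mini wordlist (a real one has millions of entries).
WORDS = ["password", "summer", "welcome", "dragon", "letmein", "qwerty"]

if __name__ == "__main__":
    for pw in ("P@ssw0rd123", "Summer2024!", "xK9#mQ2v$Lp7"):   # constructed samples
        print(pw, assess(pw, WORDS))
    # Length beats diversity: 12 lowercase letters vs. 8 of any printable character.
    print("26^12 > 94^8:", keyspace(12, 26) > keyspace(8, 94))
```

The instructive case is "P@ssw0rd123": by character-class count it looks like a 94-symbol, 11-character password, yet the wordlist check reduces it to "password" plus a few rule transformations, which is why the exhaustive-search number on its own overstates its strength.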
Do not attempt any hacking activity without express written permission.

The final topic we’ll cover on Windows security is user permissions. Most at-home Windows users operate day to day as the local administrator of their endpoint, meaning they do not use a separate, non-admin account for daily activities. At home, this practice is acceptable. When a company allows its workforce to operate as local administrators on their company endpoints, the risk of malware infection is much higher. Let’s look at a scenario.

Josh is Director of Sales at Acme Brick Company (ABC). The ABC Information Security team allows all users local administrator accounts on their work laptops. Josh receives an email from an old college buddy inviting him to join an alumni forum. Josh clicks the link and becomes a victim of drive-by malware. The malware begins propagating to other systems in the company and soon spreads to every system on the Sales team.

What’s the danger of having local administrator permissions in this scenario? Simply put, the malware gained total access to Josh’s system immediately upon infection. By comparison, if Josh’s account had user-level permissions, the malware would be severely limited to the rights of that user. Another key point against local admin is the ability to elevate to system-level privileges. If an attacker gains system-level access, there is nothing on the endpoint that’s safe.

MacOS

Apple’s MacOS is being adopted by more and more companies as their endpoint of choice, making it the second most popular OS in the wild. MacOS is currently on release 14.x and can be found in all of Apple’s desktop and laptop products. MacOS is a proprietary flavor of Unix; this allows the OS to operate on lower system resources and provides greater user control. In 2023, MacOS owned 12.9% of the operating system market share.
That might not sound like a lot, but that number translates into millions of individual Apple devices in homes and offices globally. Many people will say that Apple devices are more secure due to the lack of malware. While it is true there is less malware that targets MacOS, that’s not what makes MacOS more secure. Apple has taken endpoint security to the hardware layer with built-in security chips on the motherboard. These chips are dedicated to encrypting the file storage, ensuring a secure boot of the OS every time, and application runtime security. Other software-based technologies like execute disable (XD), address space layout randomization (ASLR), and system integrity protection (SIP) all work to ensure malware can’t affect critical system files. Despite being a very secure platform, signature-based detection is not built into MacOS.

User permissions in MacOS are very similar to most modern Linux distributions. By default, the root user is disabled and cannot be accessed. Users in the administrator group have the ability to elevate their privileges as needed to conduct admin tasks on the local system.

Overall, Apple’s MacOS is a great option for increased security in your enterprise environment. Most small businesses adopt Microsoft’s Active Directory services as their authentication mechanism, so Windows devices make more sense. While there are identity managers that allow MacOS to join Active Directory, it usually calls for a high level of IT support and cost. The price of an Apple device also plays a large role in the fight for endpoint supremacy, leading most small- to middle-sized companies to choose Windows devices, as they can be 75% cheaper than a comparable Apple device.

Unix/Linux

Unix and Linux have grown more popular over the last couple of decades as the open source community has increased in size, owning 2% of the market share in 2023.
We won’t be covering the differences between Unix and Linux, but if you’re interested, there is a great article on Opensource.com that goes into the history and differences of the operating systems. The most important note to take away about Unix or Linux is how many different flavors or versions exist. Today’s most common Linux distributions are derived from either Debian or Fedora. Most Unix/Linux distros are free to download and use, and we would encourage you to pick a flavor of Linux and start experimenting.

Unix/Linux devices are in more places than you would think. With the advent of the Internet of Things (IoT), Unix/Linux have made their way into every home and office. Some of the older, more common office devices that run Unix/Linux are printers, A/V systems, and VoIP telephones. Today, all modern smart devices run some form of Unix/Linux under the hood. As the idea of a connected home or office has grown over the last decade, so has the number of attacks on the Internet of Things. Botnets are the most common use of compromised IoT devices. In 2016, the Mirai botnet was used to cripple much of the online infrastructure in the eastern United States when attackers used it to perform a DDoS attack against the Dyn Company.

Attackers have been targeting Unix/Linux since the very beginning, but not with malware. The majority of compromised Unix/Linux hosts are due to misconfigurations in either the OS or the applications hosted on the system. The majority of all websites are running on a distribution of Linux; a simple misconfiguration in the web application could allow a would-be attacker to gain credentialed access to the underlying operating system. But we’re talking about endpoints. Even though the majority of the Internet’s infrastructure relies on Unix/Linux, end users haven’t fully adopted Linux as a personal operating system, largely due to the difficulty of managing the OS.
Today, we see the largest adoption of Linux as an endpoint OS in the cybersecurity and software development communities. The biggest challenge to any enterprise environment using Unix/Linux is managing the variety of distributions, despite the existence of tools that manage multiple Unix/Linux distros. Much like MacOS, malware does exist for Unix/Linux, but it is not widespread. Also, the user permissions are basically the same, since MacOS is based on the Linux kernel.

Most commonly, Unix/Linux systems are compromised through the tools and packages installed on the system. Many Linux distributions come with a preinstalled programming language like Python. Python is a very powerful toolset that allows administrators and developers to code out some pretty impressive tasks. Unfortunately, the functionality that makes Python a powerful admin tool also makes it a favorite toolset for attackers. Python’s popularity has skyrocketed over the last several years, and we would suggest adding Python courses to your “to-do” list. However, Python isn’t the only language of its type. Every year, there are new scripting languages released, and every one of them can be used to compromise a system. Early on in his career, Jarrett learned of an esoteric programming language that uses spaces, tabs, and new lines as its programming syntax. This language was called Whitespace; it was developed in 2003 by Edwin Brady and Chris Morris. With the number of programming languages in the wild, no one is expected to know them all. I’ve found the best method is to pick one language and dedicate yourself to it. Learning one will help you interpret most of the others when you see them in use.

Other Endpoints

We’ve covered the three largest categories of operating systems for endpoint devices, but there are some honorable mentions we should cover; we’ll start with mobile devices. According to GSMA Intelligence’s 2023 State of Mobile Internet Connectivity Report, 4.6 billion people are using the mobile Internet.
That is almost half of the world’s population. These mobile devices include cell phones, cellular-enabled tablets, and cars with built-in Wi-Fi hotspots. Mobile devices come in a few flavors of operating systems: Android, iOS, and Linux. Just like in the endpoint discussion above, the vulnerabilities of Unix/Linux are shared with the Android/Linux mobile OS. iOS, however, is a bit more secure. This is due to the limitations that Apple has placed on its users’ ability to install untrusted, third-party software. This is called the “walled garden” strategy. If you control the application distribution platform, you can ensure that dangerous software never makes it onto your device. Expect Apple’s “walled garden” approach to falter as legislative bodies pass laws that open these devices to other application stores not controlled by the manufacturer.

Let’s talk about the Internet of Things, or IoT devices; odds are you have these in your home already. This is an all-encompassing term for smart devices. The biggest risk to IoT devices is unsecured application vulnerabilities. Since the majority of IoT devices are unmanaged, we place a lot of faith in the developers who made the product. There are countless white papers and articles on IoT devices with security vulnerabilities. If you have a smart device, you should research its vulnerabilities on websites such as Exploit-db.com and Mitre.org.

The final endpoint device we’ll cover is the Chromebook and ChromeOS by Google. This is a very low-cost solution for the laptop market. The Chromebook runs a custom flavor of Linux known as ChromeOS, based on the Gentoo Linux distribution. Google has stated that ChromeOS is the most secure OS on the market. Regardless of how true that claim might be, the system is only as secure as the apps installed. Google has taken efforts to limit the apps installed on its system, but there are methods of circumventing these protections.

Summary

We covered a lot in this article.
We started off talking about networking, and the key thing to remember here is to make sure you know the difference between a public and a private network. RFC1918 governs what is considered private network address space on the Internet. It is important to know! We also covered common port numbers. It is common to get a pop quiz in a SOC analyst interview asking you which port number matches which service.

The items that we want you to make sure you remember from network security are that firewalls draw the imaginary circle around your private address space and define the perimeter. If you know what a private IP and a public IP address are, you can visualize whether traffic goes inside the perimeter or outside of it, and firewalls create the boundary.

Note: There is a concept in networking called Network Address Translation (NAT) that allows public IP addresses to communicate with private IP addresses using a NAT table. This would be a great concept to study on your own.

For user endpoints, there are three major categories for endpoint security: Windows, which has the lion’s share of the market; MacOS, which has a growing market share; and Unix/Linux, which comes in third. Additionally, there are mobile and IoT devices to consider in a separate bucket as far as security is concerned.

ARTICLE QUIZ (ANSWERS FOLLOW)

Which of the following isn’t true about the TCP/IP model?
Ⓐ It’s made up of seven layers.
Ⓑ The US Department of Defense adopted it.
Ⓒ It’s made up of four layers.
Ⓓ It was launched in 1983.

_______ addresses are 32-bit while _______ are 128-bit.
Ⓐ IPv6, IPv4
Ⓑ IPv6, IPv8
Ⓒ IPv2, IPv6
Ⓓ IPv4, IPv6

TCP relies on an established connection called a(n) _______.
Ⓐ two-way handshake
Ⓑ three-way handshake
Ⓒ UDP
Ⓓ encryption

______________ create the boundaries of a network and ensure the general Internet can’t access private networks.
Ⓐ Firewall’s access control lists (ACLs)
Ⓑ Intrusion Detection Systems (IDS)
Ⓒ Intrusion Prevention Systems (IPS)
Ⓓ Switches

____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable.
Ⓐ Hashing, encryption
Ⓑ Encryption, hashing
Ⓒ Perimeters, hashing
Ⓓ Encryption, perimeters

Which of the following OSs grew with the advent of the Internet of Things (IoT)?
Ⓐ MacOS
Ⓑ Linux
Ⓒ Windows
Ⓓ Raspberry PI

Which of the following does not properly represent endpoint OSs and their market share?
Ⓐ MacOS, 10%
Ⓑ Windows, 87%
Ⓒ Unix/Linux, 2%
Ⓓ Unix/Linux, 10%

ARTICLE QUIZ SOLUTIONS

Which of the following isn’t true about the TCP/IP model?
Ⓐ It’s made up of seven layers. The TCP/IP model is made up of four layers. The OSI model is made up of seven layers.

_______ addresses are 32-bit while _______ are 128-bit.
Ⓓ IPv4, IPv6. IPv4 addresses are 32-bit while IPv6 addresses are 128-bit.

TCP relies on an established connection called a(n) _______.
Ⓑ three-way handshake. TCP relies on an established connection process called a three-way handshake.

______________ create the boundaries of a network and ensure the general Internet can’t access private networks.
Ⓐ Firewall’s access control lists (ACLs). Firewalls and their Access Control Lists (ACLs) create the boundaries of a network and ensure the general Internet can’t access private networks.

____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable.
Ⓐ Hashing, encryption. Hashing adds a unique fingerprint to data while encryption changes data from a readable state to an unreadable state with the intent of returning it back to readable.

Which of the following OSs grew with the advent of the Internet of Things (IoT)?
Ⓑ Linux. Most Internet of Things devices run on some flavor of the Linux operating system.
Which of the following does not properly represent endpoint OSs and their market share?
Ⓓ Unix/Linux, 10%. For endpoint operating system usage, Unix/Linux represents only around 2% of the market share (though growing).

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn.

You can sign up for a Lifetime Membership of Cyber NOW® with a special deal of 15% off with coupon code "KB15OFF", which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits.

Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on, fun labs in Microsoft Azure, leaving you with the know-how to create a gig on Fiverr or Upwork to start your cybersecurity freelancing.

Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist. Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer.

Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, Kindle, or PDF versions. The downloadable PDF version can be grabbed here.