What It Takes to Make It in a SOC

I got curious about the kind of people who are most desired in a security operations center (SOC). I wondered how accepting InfoSec blue teamers would be to having a team member with a great attitude and system administration or network management skills, versus someone with deep InfoSec knowledge and skills. So I did a poll on Twitter to learn more.

After reviewing the Twitter poll results and the very insightful comments, I was even more curious about how SOC hiring decisions are made. Luckily, one of my Twitter pals reached out via DM and indicated he is a SOC hiring manager. He said he would be happy to have a call with me to give me the scoop on what he looks for when hiring for his SOC, as long as he remained anonymous.

While I can’t name him, I can tell you he has 20-plus years of experience in the InfoSec industry and is in the process of building his second SOC. The first team he built had about 25 people, was focused on infrastructure rather than cloud, and encompassed both SOC and GRC. The team he is building out now is focused on outsourcing (MSSP), which is a different story entirely. Here are his insights:

Age is a number.

He made the excellent point that the terms “junior” and “senior” SOC analyst relate more to experience in a SOC than a person’s age. Older folks doing a career transformation might well be considered “junior,” and someone in their 20s who has had a home lab and network might have years of useful experience and be considered “senior.”

The Best Team Is a Balanced Team

The best team mixes some senior folks with junior people. A lot of SOC work is a grind, with eyes always on the glass. Whereas junior folks can be quite happy to do that for a few years, some more senior folks may want to get into roles other than the front line of defense.

In addition, your first job in InfoSec may be a steppingstone to where you want to eventually go. You might want to be a malware researcher, but starting as a blue team defender is an excellent way to learn more about malware.

Consider the Cloud

Times are changing: Whereas deep skills on particular hardware, like a specific firewall, may have been important in the past, SOC hiring managers now tend to be more cloud-oriented. They’re looking for a blend of skills, including DevOps, SecOps, scripting, cloud instrumentation and understanding of cloud infrastructure. Hiring managers are looking for nimble applicants with a flexible skill set. For example, to be good in a SOC job today, you will likely need to know how to monitor application logs, as well as traditional security controls.

Experience Counts

Students should not be afraid to get their hands on tech. Classes are one thing, but students should also consider a home lab. Show some enthusiasm and initiative. Be flexible–avoid just knowing a few specific tech tools. Network!

Advice for Curmudgeons

If you’ve “seen it all,” you might appear grumpy. Grumpiness is OK, as long as you work with and support the junior folks. The SOC team isn’t a great place for a grump who wants to just be left alone. Toxic people are not welcome on a SOC team, no matter what skills they may have.

Important Tech Checklist for SOC

Can a Red Teamer Be Good in a SOC?

Sure, if they want to be on the Blue Team. They typically have the right skill set. However, Red Teamers live to find and exploit weaknesses. Red Teamers don’t always have to follow rules. Blue Team is defense in depth. Blue Teamers have to follow rules.

Career Networking

On social, Twitter is great. LinkedIn can be useful, too. There are local meet-up groups all over that are free to attend. You can hear talks and meet other people in the industry without having to travel to attend an expensive conference.

Conclusion

I really appreciated the insights I got from the Twitter poll and speaking with my Twitter pal who is a SOC hiring manager. I hope this info is helpful to folks looking to move into blue team.

Kate Brew has over 15 years experience in product management and marketing, primarily in information security.

This guest blog is part of a Channel Futures sponsorship.