I got curious about what kind of people are most desired in a Security Operations Center (SOC). I wondered how accepting InfoSec blue teamers would be to having a team member with a great attitude and system administration or network management skills, versus someone with deep InfoSec knowledge and skills. So I did a poll on Twitter to learn more.
After reviewing the Twitter poll results and the very insightful comments, I was even more curious about how SOC hiring decisions are made. Luckily, one of my Twitter pals reached out via DM and indicated he is a SOC hiring manager! And he’d be happy to have a call with me to give me the scoop on what he looks for when hiring for his SOC as long as he remained anonymous!
While I can’t name him, I can tell you he has 20+ years of experience in the InfoSec industry and is in the process of building his second SOC. The first team he built had about 25 people, was focused on infrastructure rather than cloud, and encompassed both SOC and GRC. The team he is building out now is focused on outsourcing (MSSP), which is a different story entirely. Here are his insights:
Age is a Number
He made the excellent point that the terms "junior" and "senior" SOC analyst relate more to experience in a SOC than to the person's age. Older folks making a career transition might well be considered "junior", and someone in their 20s who has had a home lab and network might have years of useful experience and be considered "senior".
A Balanced SOC Team
The best team mixes some senior folks with junior people. A lot of SOC work is a *grind* with eyes always on the glass. Whereas junior folks can be quite happy to do that for a few years, some more senior folks may want to get into other roles than the front line of defense.
In addition, your first job in InfoSec may be a stepping stone to where you want to get. You might want to be a malware researcher, but starting as a blue team defender is an excellent way to learn more about malware.
Times are changing – whereas deep skills on particular hardware, like a specific firewall, may have been important in the past, SOC hiring managers now tend to be more cloud-oriented. They’re looking for a blend of skills, including DevOps, SecOps, scripting, cloud instrumentation and an understanding of cloud infrastructure. Hiring managers are looking for nimble applicants with a flexible skill set. For example, to be good in a SOC job today, you will likely need to know how to monitor application logs as well as traditional security controls.
Advice for Students
Don’t be afraid to get your hands on tech. Classes are one thing – but also build yourself a home lab. Show some enthusiasm and initiative. Be flexible – avoid just knowing a few specific tech tools. Network! (More to come on that).
Advice for Curmudgeons
If you’ve “seen it all” – you might appear grumpy. Grumpiness is OK, as long as you work with and support the junior folks. The SOC team isn’t a great place for a grump who wants to just be left alone. Toxic people are not welcome on a SOC team, no matter what skills they may have.
Important Tech Checklist for SOC
- Coding / scripting
- Understanding of network stack and knowing things like how routing, VLANs and ACLs work
- Machine Learning / Automation (at least take some free courses for awareness)
- Core security controls
- Cloud technology infrastructure
Can a Red Teamer Be Good in a SOC?
Sure, if they want to be on the Blue Team. They typically have the right skill set. However, Red Teamers live to find and exploit weaknesses. Red Teamers don’t always have to follow rules. Blue Team is defense in depth. Blue Teamers have to follow rules.
On social media, Twitter is great. LinkedIn can be useful too. There are local meetup groups all over that are free to attend. You can hear talks and meet other people in the industry without having to travel to an expensive conference.
Here's the Poll and Some Excellent Comments and Observations:
In a SOC, would you rather hire a person new to infosec w good attitude & great sys admin / network mgt skills or a curmudgeon with badass infosec knowledge & proven track record in SOC. Comments on rationale appreciated.— Kate Brew (@securitybrew) November 25, 2018
The best part was the comments! Here are a few excerpts to demonstrate the common threads.
A Good Attitude Is Clearly Appreciated
Good attitude every time. Much easier to train technical skills than people skills.— Chris (@church_of_chris) November 25, 2018
There r 2 many opptys in the market for ppl to stay and be treated like crap. People will leave. We are seeing burnout up the wazzoo, ppl leaving, ppl afraid of making a mistake, let alone a suggestion.
Hire the noob
Train, train, train them
Hard to say without knowing what the responsibilities would be, but generally I'd take the good attitude. People who are hungry and driven can learn the skills they lack, but it's harder to get someone to unlearn being jaded and negative, and spreading that vibe to everyone else.— blu0 (@blu0x30) November 25, 2018
In Defense of Curmudgeons
Dark humour is not the same as a bad attitude and burnout can heal— Heidi (@winter_heidi) November 25, 2018
I feel like in tech (not sure about infosec) curmudgeon is a euphemism for "straight-up jerk". But I'd easily take someone competent over someone who's not, provided they're *just* a little grumpy.— Vanessa McHale (@vamchale) November 25, 2018
No Love for Toxic People!
A SOC has to work closely together. A curmudgeon stops the communication flow.— Nasty Woman Voter (@sforslev) November 25, 2018
Yet if a curmudgeon doesn’t have the soft-skills necessary to navigate conflict, challenges etc & instead they utilize FUD (fear, uncertainty & doubt) as their professional strategy - no matter how badass their infosec knowledge is - they kill the positive vibe of the SOC & org— Kyle F. Kennedy (@Kyle_F_Kennedy) November 25, 2018
Years ago we hired the most brilliant system admin I've ever worked with, but he had 0 people skills and started to make it a toxic work env. He was so bad working with others that people were on the verge of quitting to not have to deal with him. I'd lean towards good attitude.— Space Force Panda (@TrashPandaFTW) November 25, 2018
I’d rather invest time in developing potential than repairing damage from a curmudgeon. That said, it depends on the mission and cultural context. Theoretically, the mission (and culture) might force acceptance of the trade-offs that come with a highly-capable curmudgeon.— ＜script›alert（＇ｃｈｒᎥｓ ｃɑｌνｅｒｔ＇）;‹／script› (@securedaemon) November 26, 2018
SOC Needs a Team / Balance
I'm the curmudgeon, and I balance the 5 neophytes. It's a good ratio - for a Red Team. I suspect the ratio would work differently on the blue side, coming from there. Company culture also plays a role in quantifying these ratios, I think.— Abe Snowman - Yeti Vigilante ☃️ (@AbeSnowman) November 26, 2018
I’d hire either. It would also depend on the current makeup of the team. If you have a bunch of info sec people without sys/net admin chops then the new blood will be good. If it’s the other way then the curmudgeon would be good. Cross pollination is good.— Michael Fourdraine (@mfourdraine) November 25, 2018
One curmudgeon to five enthusiasts - and a good manager over them all.— John (@JohnDCosby) November 25, 2018
Regardless if they are in a SOC or not. Challenging concepts & ideas is healthy. Conflict can be good for orgs as it encourages open-mindedness & helps avoid the tendency toward group thinking (which could become bully thinking) that many organizations fall prey to.— Kyle F. Kennedy (@Kyle_F_Kennedy) November 25, 2018
I really appreciated the insights I got from the Twitter poll and speaking with my Twitter pal who is a SOC hiring manager. I hope this info is helpful to folks looking to move into Blue Team. Here’s another blog with career and networking advice.