When you are working on your plan to get into cyber security, you hear two distinct suggestions for cyber security jobs: help desk or SOC. You can’t study for both positions simultaneously, so what do you do?
In a world that requires certifications for any type of IT role, you must choose a path. You can’t go wrong with either one. But in my experience, one option sets you up for much faster career progression.
This article will explain why I am a strong proponent of starting in the SOC. I will list the top reasons why I think the security operations center is the best place to begin your journey in cyber security as an entry-level candidate with no experience.
What is a SOC Analyst?
First, let’s start with a quick discussion of what a SOC analyst is. If you haven’t already, check out my last blog post on a day in the life of a SOC Analyst, where I describe what the job is actually like.
A SOC Analyst, also known as a Security Operations Analyst, uses their knowledge of networking, operating systems, and cyber-attacks to investigate security alerts for organizations. These alerts come in from various places, including antivirus software, firewalls, networking equipment, and other security appliances.
To successfully analyze activity, the analyst needs to translate what they are seeing in the event logs into a story. They start by describing why the alert triggered: the who, what, when, where, and why. Next, they state their opinion on whether the activity was malicious. And for the final part of the story, they recommend the next steps that should occur.
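To make that "story" concrete, here is an added example (not code from the original post) that takes a few constructed authentication log lines, applies an assumed alert rule (five or more failed logons for one source/user pair), and writes out the who, what, when, where and why, a verdict, and recommended next steps. The log format, host names, IP addresses, threshold, and the definition of "internal" as RFC 1918 space are all assumptions made for this example.

```python
"""Turn raw authentication log lines into a who/what/when/where/why triage story.

Added example, not code from the original post. The log format, the alert threshold,
the internal/external split and the sample data below are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumed (constructed) log format: "<ISO time> <host> auth <FAIL|SUCCESS> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>FAIL|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 5  # assumed alert rule: five or more failures for one (source, user) pair
# Assumption: anything outside RFC 1918 space is treated as an external source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Event:
    ts: datetime
    host: str
    result: str
    user: str
    src: str


@dataclass
class Story:
    who: str
    what: str
    when: str
    where: str
    why: str
    verdict: str
    next_steps: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[Event]:
    """Parse lines matching LINE_RE, oldest first; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                                m["result"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events: list[Event]) -> list[Story]:
    """Group events by (source, user) and narrate every group that trips the alert rule."""
    groups: dict[tuple[str, str], list[Event]] = defaultdict(list)
    for e in events:
        groups[(e.src, e.user)].append(e)
    stories = []
    for (src, user), seq in groups.items():
        failures = [e for e in seq if e.result == "FAIL"]
        if len(failures) < FAIL_THRESHOLD:
            continue  # below threshold: no alert, nothing to narrate
        # A success that follows the failures is what turns an "attempt" into a "compromise".
        success = next((e for e in seq if e.result == "SUCCESS" and e.ts > failures[0].ts), None)
        external = not is_internal(src)
        hosts = sorted({e.host for e in seq})
        if success and external:
            verdict = "likely malicious: external password guessing that ended in a successful logon"
            steps = [f"disable or reset credentials for {user}", f"block {src} at the perimeter",
                     f"review what {user} did on {', '.join(hosts)} after {success.ts.isoformat()}"]
        elif success:
            verdict = "suspicious: internal source guessed the password; confirm with the user, check for lateral movement"
            steps = [f"contact {user} to confirm the activity", f"identify the asset owning {src}"]
        elif external:
            verdict = "probable brute-force attempt: no success observed yet"
            steps = [f"block {src}", f"confirm {user} is not locked out or compromised elsewhere"]
        else:
            verdict = "suspicious: internal failures with no success; likely a stale credential or misconfigured service"
            steps = [f"identify the process on {src} that is authenticating as {user}"]
        stories.append(Story(
            who=f"account {user} from {src} ({'external' if external else 'internal'} address)",
            what=f"{len(failures)} failed logons" + (", then a successful logon" if success else ", no successful logon"),
            when=f"{seq[0].ts.isoformat()} to {seq[-1].ts.isoformat()}",
            where=", ".join(hosts),
            why=f"alert rule: {len(failures)} failures >= threshold of {FAIL_THRESHOLD}",
            verdict=verdict, next_steps=steps))
    return stories


def triage_log(text: str) -> list[Story]:
    return triage(parse_log(text))


# Constructed sample: an external guessing run that succeeds, an internal service account
# failing repeatedly with no success, and an ordinary user typo that must not alert.
SAMPLE_LOG = """\
2024-05-01T08:00:01 vpn-gw1 auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:03 vpn-gw1 auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:05 vpn-gw1 auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:07 vpn-gw1 auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:09 vpn-gw1 auth FAIL user=jsmith src=203.0.113.7
2024-05-01T08:00:12 vpn-gw1 auth SUCCESS user=jsmith src=203.0.113.7
2024-05-01T08:03:00 fileserv2 auth FAIL user=svc-backup src=10.0.9.3
2024-05-01T08:03:30 fileserv2 auth FAIL user=svc-backup src=10.0.9.3
2024-05-01T08:04:00 fileserv2 auth FAIL user=svc-backup src=10.0.9.3
2024-05-01T08:04:30 fileserv2 auth FAIL user=svc-backup src=10.0.9.3
2024-05-01T08:05:00 fileserv2 auth FAIL user=svc-backup src=10.0.9.3
2024-05-01T08:05:00 vpn-gw1 auth FAIL user=rlee src=10.0.4.20
2024-05-01T08:05:10 vpn-gw1 auth SUCCESS user=rlee src=10.0.4.20
"""

if __name__ == "__main__":
    for s in triage_log(SAMPLE_LOG):
        print(f"WHO: {s.who}\nWHAT: {s.what}\nWHEN: {s.when}\nWHERE: {s.where}\nWHY: {s.why}")
        print(f"VERDICT: {s.verdict}\nNEXT: {'; '.join(s.next_steps)}\n")
```

The point of the exercise is the shape of the output, not the rule: the verdict only makes sense once the who/what/when/where/why are pinned down, and the next steps change depending on whether the guessing succeeded and where it came from. In a real SOC the same structure is filled in from a SIEM search rather than a regex over a text file.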
So why start as a Junior SOC Analyst? Great question. I am glad you asked.
Reason 1: Your Job’s Focus Is Cyber Security
My first reason to start in the SOC is that your focus will be security. In any other role, security will always take a back seat.
Let’s take Desktop Support into consideration. Here your focus is operations. Keep everything working and the revenue flowing. Everything else is secondary.
If you don’t believe me, pull the CEO’s laptop for a malware infection and see what happens. They may have a mild meltdown. Much like you, the CEO has a job. They are there to make the company money and can’t do that without their laptop, even if it is infected with malware.
In the SOC, you will almost always look at security events on one or more networks. Your job isn’t to keep something working but to understand how an event occurred and to ascertain if it is a security issue. See the difference?
For me, I find that immersing myself in a topic helps me learn faster. If that is the case for you, the SOC is the right place to start.
People often say that support experience is vital to learning the operating system side of things. But if you are looking up low-level operating system behavior to investigate an alert, wouldn’t you say you are learning OS skillsets? I would 100% say you are learning the skills and at a level that most support specialists never do.
Security specialists and administrators look at things from different viewpoints. We rely on each other to do our jobs well. I have lost count of how often an administrator has asked me security questions, or how many times I have asked them admin questions.
There is a reason for this relationship. Let’s not forget that there is a striking difference between maintaining and using a system. The only way to get better at something is to actually do it.
To illustrate this point, I will tell you a quick story about a Splunk Engineer who is my friend. He is awesome at what he does. He can make that SIEM purr like a kitten. He can even write some speedy queries. But one day, we did the Boss of the SOC CTF together, and the differences in our roles became very apparent.
He could make wicked queries, but he had no idea what he was looking for. He wasn’t sure which logs or fields he needed, or how to interpret the logs he was seeing. This resulted in him spending more time figuring out how to read security logs and solving few of the challenges.
On the other hand, I was pretty decent at queries and was well versed in event logs. This resulted in me being able to consistently solve challenges throughout the day.
My Splunk friend can use the tool well, but without the security background, he has trouble solving security-centric problems.
I tell you that story to say: stick with security, because the only way to get better is to, like Nike says, “Just do it.”
Reason 2: You May Get To See Security Architecture at Multiple Companies
This isn’t always the case. But, if you are lucky, you may get your start in a SOC run by a Managed Security Services Provider (MSSP) that offers “SOC-as-a-Service.” In these types of SOCs you see alerts for various companies with a range of architectural configurations. Exposure to these differences is crucial to learning security quickly.
See, the thing is, no two networks are designed the same, and that is a good thing. Design is rooted in the personnel’s skillsets and the requirements of the individual company. This means that even two companies in the same line of work will likely look different.
For the analyst, this translates to getting exposed to more technologies and understanding how design impacts overall security. And as a bonus, you get to see a variety of tools at work in the real world, which, by the way, is hard to replicate in a lab.
All this exposure results in you hopping on the speedy train to learn cyber security. In the SOC-as-a-service environment, you will learn very fast. Still, it may also seem a little overwhelming in the beginning.
Feeling overwhelmed with the amount of information you have to learn every day is expected at this stage. I don’t know anyone who has started in the SOC that didn’t feel that way. Just remember, you were hired because your employer felt you could do the job. They have faith in you. Put your head down and work through the pain. After a month or so, things will start to slow down as you become more familiar.
The knowledge you will gain in the MSSP SOC environment will be priceless in any future role, whether engineer, penetration tester, threat logic engineer, or incident responder. All of these cyber security positions will make use of that information.
Reason 3: Multiple Cyber Security Career Progression Options
Let’s say your first job is at an MSSP, and you absolutely love the company. Great! These companies typically have several other roles you could move to, such as engineering, red teaming, or detection engineering.
This is great for those starting out in information security. You will interact with these teams during the day-to-day work and learn about what they do.
Building a relationship with the other teams will have a two-fold effect. On one side, you will learn about the positions through conversation and cross-training. This will help you decide if that role would be a good option for you.
On the other side, you are building rapport with another team. If the team has an opening and you are interested, you will have an easier time snagging the role. Not just because the team members know you but because you will be a better fit than anyone else for the position.
You become a good fit by learning from the team. People love when others are interested in what they do. Ask them for study materials, resources, and for explanations.
While you interact, they are slowly giving away the secrets to their job. Perfect! You are learning the stuff they actually use. Wouldn’t it be great if we could all shadow and learn from a team for months before interviewing? The external candidates can’t, but you can. So take advantage of the inside track and gain a competitive advantage.
To put things further in your favor, many companies are more inclined to hire internal candidates for their other teams. They know you are a good culture fit and your work ethic. Essentially, they have already taken you for a test drive.
If they hire a candidate from outside the company, they are getting a bunch of unknowns. All they know about the candidate is from the few interactions during the hiring process. Not much at all.
Most people don’t know this, but, in my experience at MSSPs, the SOC Analysts are used as a pool of candidates for the other teams.
Companies use the SOC as a proving ground to find candidates with potential for other roles. They focus recruiting resources on SOC Analysts, creating a massive pipeline of candidates. The analysts can then participate in internal cross-training opportunities or help on various projects. As people begin to set themselves apart or show an aptitude in other areas, other teams will start to take an interest. When positions open up, the analyst is stolen away.
This means companies count on junior analysts to step up and assume other available roles.
Things just keep looking up for you!
To expedite this process, you can take a couple of steps. The first is to ask one of the team members to be your mentor. They can advise you along the path to their team.
Another step is to approach the next role with the same vigor as the SOC Analyst role. Put in the hours of hard work. Maybe even show up early or stay late at work to shadow someone on the team you are interested in. These small acts will have a significant result.
Even if, for some reason, you didn’t get the job you had your heart set on, you have gained new skills, and they translate to other organizations.
With a little bit of experience in cyber security, your options are wide open.
You now have experience investigating cyber events using a variety of technologies. The only thing lacking will be the unique qualifications for the next position.
Certifications are usually the biggest roadblock. Start looking at certifications for your next role after you get to cruising speed in the SOC, that is, when you no longer feel like you are being sprayed with a water hose of information every day. Choose a cert and knock it out. Then keep practicing the skills.
When you are ready, start applying for jobs.
It sucks to leave coworkers you love, but there are benefits to changing employers.
The major benefits of moving on from your first employer are that other companies will likely pay you more, and you get a new learning environment. It is hard to find experienced infosec practitioners, so companies are very competitive in their benefits and salaries to attract talent. You will find the hunt for the next job much easier.
I won’t dig into this topic too much in this article because I plan to do that in a future blog. With that, we have covered my top 3 arguments for starting in the SOC.
In my opinion, the SOC is the best place to start as a budding practitioner. There are just too many benefits to overlook this role as a viable option. And once there, you have a wider choice of paths to take as your next step in cyber security.
But first things first. We need to get you your first job! For more information on how to become a SOC Analyst, check out my “Getting Into Infosec” blog series. Keep an eye out for a free training program outline in the near future.