Greetings Folks, I'm looking to transition from working in a SOC. My current career objectives include threat detection and automation. I'm not looking for advice on certs or degrees. I want to start building stuff, making things, participating in activities in my free time that will make me a stronger, more viable candidate for these positions. I studied some Python automation this past year that was focused on data carving. But I still feel lost and under-qualified. I'm having a hard time trying to design projects to complete which have a level of complexity beyond tutorial-level concepts. I've tried putting in for some entry-level positions that were asking for the lower end of experience, but I'm not getting any interest. Instead of job hunting, I just want to work on becoming a higher tier of candidate. I'm aware of the different Hack The Box type resources, but I want to make something myself. Like if I got dropped in an infosec automation job and they said go, where is the start line? Should I be investing time in XDR? Splunk? YARA? Certain open source tools? I'd greatly appreciate any advice. Even if it's to let me know what I don't know I don't know. Thank you. YOE: 3.5 #cybersecurity #automation #python #detection #threatdetection #siem
Ok, so I have a lot of respect for people in the SOC. Your teams field tons of security events per day. This amounts to a ton of experience and knowledge that tends to be very broad. So you will need to specialize. The best advice I can give to get out of the SOC... start applying for security engineer roles in operations, like endpoint, SEG, SWG, or SIEM. These roles are more about answering the questions than anything else. So just keep applying, keep interviewing. Then you will learn the types of questions to expect and land one.
Can you code at all? That's the skill needed most for automation.
Specifically, Python and PowerShell are most useful.
I learned Python this past year through SANS training (SEC 573). It covered essentials, some basic file forensics, the struct module, and network traffic analysis.
What security towers most interest you? Cloud Security (CASB, CSPM, IaaS/SaaS), Web sec, Digital/code security, Email security, IAM, Endpoint, Network, Attack surface management, SIEM/SOAR, CSIRT, Red Team, Governance
SIEM/SOAR and CSIRT
Get creative on automation then. Write scripts to ingest additional info like TLDs for phishing domains similar to your corp domain; DMARC data ingest and analysis; endpoint security tool saturation dashboards; end user behavior anomaly detection; automatic adware/spyware remediation/cleanup using Malwarebytes (with auto-uninstall to conserve pro licenses); a script to ingest data from a vuln scanner; a script to ingest patch management data from Jamf, SCCM, Chef/Ansible, and Intune, then a consolidated dashboard... The list goes on. If you come to an interview and I ask what you have built for SIEM/SOAR and you reply with a list like this, I wouldn't be worried about ability. For CSIRT... you will need forensic experience. Not sure what stack you have to provide any guidance here. I would just start going to lunch with the CSIRT guys at your current job and ask if you could get some insights on how they do their investigations and what tools they use.
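One of the project ideas above, DMARC data ingest and analysis, as an added example that is not part of any post in this thread: it parses a DMARC aggregate (RUA) XML report and tallies how much mail passed versus failed alignment, grouped by failing source IP. The report, the domain corp.example and the IP addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate (RUA) report, trimmed to the fields used below.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>corp.example</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>corp.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>corp.example</header_from></identifiers>
  </record>
</feedback>
"""

def parse_dmarc_report(xml_text):
    """Return (domain, rows) where each row is one <record> reduced to a dict."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),   # DKIM alignment result
            "spf": pe.findtext("spf"),     # SPF alignment result
        })
    return domain, rows

def summarize(rows):
    """Split message counts into DMARC-passing and failing, keyed by failing source IP."""
    summary = {"passing": 0, "failing": 0, "failing_sources": {}}
    for r in rows:
        # DMARC passes when at least one of DKIM or SPF is aligned.
        if r["dkim"] == "pass" or r["spf"] == "pass":
            summary["passing"] += r["count"]
        else:
            summary["failing"] += r["count"]
            src = summary["failing_sources"]
            src[r["source_ip"]] = src.get(r["source_ip"], 0) + r["count"]
    return summary
```

Feeding real RUA reports through this and pushing the per-source failing counts into a SIEM is the kind of small ingest pipeline the comment above describes.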
Have you automated or scripted anything at your current job? Are you doing any of your own lab stuff at home?
At my current job I have only written some simple scripts for string manipulation or dictionary lookups. However, I have the opportunity to do much more. But I'm not sure what is useful to develop. I feel like I can only come up with simple projects. I do not have a home lab at the moment. I am traveling too much and living in very small spaces for the next year.
Cloud Lab or GTFO
Can you transfer internally? Might be the easiest option as a stepping stone
I can try, but my team has little technical talent besides me and my company is very political. I'm sure legally they can't say no, but I'm almost positive there would be behind the scenes measures taken.
Are you trying to get out of all secop jobs and move to appsec/CloudSec/SecEng? For clarifications are you doing IR type work and want to move to threat detection/automation or are you currently doing threat detection/automation work?
I'm currently doing IR work and want to move to threat detection/automation. Yes, my objective would be to move out of secops.
Threat detection and automation is still in SecOps, so that's the confusing part. You want to get out of SecOps but you're wanting to move to detection/automation... I think you mean you want to get out of IR, not SecOps?
Just get better at interviewing, it's the one skill engineers seem unwilling to invest in. It's often the difference between landing the roles you feel like you're missing out on.
No amount of interview prep is gonna help you if you only feel comfortable in a GUI and your only experience is working tickets.
This is not my experience, but I do witness people with only that background struggle to find roles. I'm a legitimately skilled security analyst, not just someone who stares at a SIEM all day and makes 2 sentence annotations.
TC ?
140k
🍿
Is this to follow this thread?
Yes