Friday, May 22, 2020

Splunk, 30 Bird Media, and the CompTIA CySA+ CS0-001 (Cyber Security Analyst or SOC Prep): Part 002

Good day, everyone! I was going to write a blog talking about the Splunk Fundamentals One course that I finished. Instead, I have decided to talk about how to set up your environment, with the intent of helping people be as prepared as possible to implement the training programs that I mentioned in the first posting.

From the perspective of hardware, which I will only briefly touch on here, having the right equipment is essential to your future progress. The first thing you really need, the one non-negotiable piece, is a CPU that supports virtualization in hardware. If you go to the Gibson Research Corporation website (here), you will find a program called SecurAble. It is free and, when you run it, it will show you if your CPU supports virtualization and if it is turned on in your UEFI (think modern BIOS). If virtualization is present but not on, you will have to follow your system or motherboard instructions on how to access your UEFI and change the appropriate settings.

The second most necessary component for you to have is plenty of RAM (random access memory). The RAM will be shared between your operating system, such as Windows 10, and the virtual machines that you will download from the 30Bird website or build (which you will have to do for the Splunk server...assuming you follow the suggestions in this blog). The absolute minimum amount of RAM I would recommend is 8GB. Understand that using that amount will not be the most optimal configuration possible but, if you are patient, it will work. It is better to buy as much RAM as your system and wallet can take. One word of warning: the host operating system will use up some of the RAM (approximately 4GB for Windows 10). You must subtract that amount when figuring out how much RAM to allocate to each VM. So, if you have 8GB of RAM and use Windows 10, you will only have 4GB of RAM for the VMs to use.

The third, and last, component you will need is an adequate amount of hard drive space, preferably a drive (or drives) that has the best balance of cost, capacity, and speed. When you build your virtual machines, select the dynamic allocation option, as this will only use the minimum amount of space on the drive while still letting the virtual machine's guest operating system think that it has more space available to it than it is using. For instance, if you build an Ubuntu VM, the minimum amount of space used is likely less than 8GB on disk. If you set it up to use a maximum of 20GB, the VM will still only take up 8GB of space on disk but the OS will "see" 20GB. As an example, I have a 2TB Seagate Solid State Hybrid Drive (SSHD) with 12 VMs, plus backups, and I still have approximately 1.5TB of free space available.

Assuming you have adequate hardware to meet at least the minimum requirements, you will also need the software in order to set up your virtual lab. I recommend using Oracle's VirtualBox software. While not as full-featured as VMware's offering, it is always free and it is more than good enough for our needs. In addition to the virtualization software, you will also want to purchase the 30Bird book and download the VMs they provide for labs. You will need to import the VMs once you have downloaded them. Since they are compressed using the zip format, you can use either the built-in compression/decompression software that typically comes in modern OSes, or you can use 7zip (from Once they are unzipped, open VirtualBox, choose the Import button, and choose the folder where the OVA file you need to import is located. Once it is done importing, you need to configure the network settings according to the directions in the book. After that, you will be able to start the VMs, log into them, and follow the lab instructions in the book.

To set up Splunk, you will need to do a few things, in addition to what is mentioned in the previous paragraph. First, download your favorite distribution of Linux (I used Ubuntu). You can decide to download and install from an ISO file or use a prebuilt VM. It is your choice but I prefer to install from the ISO file. Once installed, launch the VM and go to the Splunk website to download the software. Follow the installation instructions.
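The lab setup above (RAM budgeting, the hardware virtualization check, and the VirtualBox OVA import plus network configuration) can be driven from VirtualBox's command-line tool, VBoxManage, instead of the GUI. The script below is an added example, not code from the post, from 30Bird, or from Splunk; the OVA path, VM name and the internal network name "labnet" are placeholders, and it defaults to a dry run that only prints the VBoxManage commands. It goes one step past the book's network instructions by pinning the lab VMs to a VirtualBox internal network, so demo VMs with expiring licenses never touch your home LAN.

```shell
#!/bin/sh
# Added example (not from the post): VBoxManage-driven lab import.
# Assumptions: VBoxManage is on PATH when DRY_RUN=0; "./lab-vm.ova",
# "labvm1" and "labnet" are placeholder values; DRY_RUN=1 only prints.

DRY_RUN="${DRY_RUN:-1}"

run() {                         # print the command in dry-run mode, else execute it
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Host RAM minus what the host OS keeps (the post budgets ~4GB for Windows 10),
# split evenly across the VMs you run at the same time. Prints a size in MB.
vm_ram_budget_mb() {            # args: host_gb host_reserve_gb vm_count
    host_gb=$1; reserve_gb=$2; count=$3
    free_gb=$((host_gb - reserve_gb))
    [ "$free_gb" -gt 0 ] && [ "$count" -gt 0 ] || { echo 0; return 1; }
    echo $(( free_gb * 1024 / count ))
}

# Linux equivalent of the SecurAble check: true if a /proc/cpuinfo-style file
# advertises Intel VT-x (vmx) or AMD-V (svm) in its CPU flags line.
has_hw_virt() {                 # arg: path to a cpuinfo file
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$1"
}

# Import an OVA, cap its memory to the budget, and move its first NIC onto an
# internal network so the lab VMs can only talk to each other, not the home LAN.
import_lab_vm() {               # args: ova_path vm_name memory_mb intnet_name
    ova=$1; name=$2; mem=$3; net=$4
    run VBoxManage import "$ova" --vsys 0 --vmname "$name"
    run VBoxManage modifyvm "$name" --memory "$mem"
    run VBoxManage modifyvm "$name" --nic1 intnet --intnet1 "$net"
}

if [ "${1:-}" = "demo" ]; then
    mem=$(vm_ram_budget_mb 8 4 2)   # 8GB host, 4GB kept by Windows 10, 2 VMs -> 2048
    import_lab_vm ./lab-vm.ova labvm1 "$mem" labnet
fi
```

Run it as `sh lab.sh demo` to see the commands, then `DRY_RUN=0 sh lab.sh demo` to apply them once the placeholder path and names are replaced with your own.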

That ends the instructions for now. In a future post I will show how to implement Splunk monitoring on the 30Bird-provided VMs and how to use the lab environment to build practical experience with Splunk and any other technology that can be virtualized.

Until then, please be safe and thank you for reading this far.

Sunday, May 17, 2020

Splunk, 30 Bird Media, and the CompTIA CySA+ CS0-001 (Cyber Security Analyst or SOC Prep): Part 001

One of the eternal questions that it seems everyone asks when they want to break into cybersecurity is this: how do I develop the skills that will make me a great security analyst when I can't get a job without experience? Add to that the fact that a pretty common request, or requirement, on job requisitions is experience with various security tools. Some of those tools have free or community editions but a lot will require that you work for a company that can afford said tools. The need to develop marketable skills, coupled with the oftentimes expensive cost of the tools that get you noticed, creates a perfect storm of job seekers with great knowledge and "weak" skills, as well as a job market where hiring managers struggle to find good, qualified workers. So what are we supposed to do to create balance in this situation?

What I am about to relay through this article won't necessarily help unlock the doors to your first Security Operations Center (SOC) gig. What it will do is provide a blueprint that, if you follow it, will help you develop critical skills that are in demand and might even get you noticed. If you build those skills you may impress someone enough to give you the chance you want and probably deserve. By combining two different training opportunities into one, we can develop the knowledge and skills that will show we are hungry and as prepared as we can possibly be, given the lack of professional experience. So let's go!

Step one: we need a starting point for us to develop our SOC skills from. If you are fresh off of training/certification for the CompTIA Security+ exam, then you have a great baseline of knowledge. If you don't have that training or knowledge, then I think you should consider getting it before diving into this adventure. Back to the starting point...I think that one of the most attainable SOC analyst training and certifications is CompTIA's Cyber Security Analyst Plus or CySA+. There are certainly others out there, such as the Cisco Certified CyberOps Associate (formerly the Cisco Certified Network Associate: Cyber Ops), and you may choose to pursue that certification instead. For name recognition, I have had hiring managers comment positively on the CySA+ and ignore the CCNA: Cyber Ops certification (which had two exams and cost approximately $600 for the two exams, combined). Since it has the best name recognition (out of my rather small sample size), we will focus on this certification, and more specifically, the training needed to become certified.

Full disclosure: I took the CySA+ CS0-001 beta exam and passed it, thus becoming certified before the exam was publicly available. The exam was $50, whereas the full, non-beta exam costs $359 retail. Additionally, I teach CompTIA courses, which means I am biased toward CompTIA certifications. Besides teaching the courses, which helps pay the bills, I have also seen how life-changing the CompTIA certifications can be to those trying to break into IT.

Step two: training materials. I purchased the 30Bird Media book for the CySA+ exam (found here). One of the main reasons why I chose the book, besides the experience I've had using their materials for other CompTIA certifications, is that in the book they have virtual labs. You can go to their site (see link above) and download the virtual machines (VMs) in order to follow their labs. You will need a virtualization hypervisor, such as VirtualBox, as well as enough RAM, hard drive space, and CPU virtualization extensions. Choosing the best hardware platform is beyond the scope of this article but there are plenty of great tutorials on YouTube: check out the video from Black Hills Information Security for an example.

The benefits of the labs include:
  • Access never expires since they are on your computer.
  • Besides the cost of the book, the labs won't add to the cost of the training (which is a frequent occurrence that can make affordable training anything but).
  • They allow you to reinforce the knowledge learned in the lessons.
  • When you are done with the book and get certified, you can continue to sharpen your skills by going back through the labs, again and again.
  • You can also add new VMs to the mix, allowing you to use the labs for other certifications and training that you may get access to in the future.

Since we've gone over the pros of the labs, here are a few possible cons:
  • The VMs are demonstration versions of software that requires a license. This means that you will get warnings and possibly have some or all of the functionality disabled over time.
  • The labs will, over time, become outdated. That means that their value will diminish over time. Not a huge deal, but something to consider.
  • The VMs may become incompatible with more up-to-date versions of your hypervisor. While unlikely in the near term, it is something that I try to pay attention to, just in case.

Step three: one of the problems with most training programs is that they rarely give you experience with actual tools used by SOC analysts. It is very expensive, in most cases, to give people access to the most in-demand tools. That cost would have to be passed along, which would make such training less accessible to the "average" student. Now that I've said that, I can imagine that some might be asking the questions, "Well, if that's the case, how am I ever going to get experience with those tools? Is this a lost cause or a pipe dream?" The honest answer to those questions is that you can get access to the tools and you can get free training to go with the tools. Where, you ask? Splunk, I say. Splunk offers training (Fundamentals I & II) and they also offer a free download and 30 days of access to the full, enterprise tools and features. After the 30 days, you will have the features reduced to the free version (500 Mbytes of data processed after the trial period ends, for instance). If you do a search online for "Splunk Fundamentals I", you will find the link to apply for the training.

In my next post, I will write about how I have merged the material in Steps 2 and 3, thus giving me practical knowledge, training, and experience.

Until then, cheers!