One of the eternal questions everyone seems to ask when they want to break into cybersecurity is this: how do I develop the skills that will make me a great security analyst when I can't get a job without experience? Add to that a common request, or outright requirement, on job requisitions: experience with specific security tools. Some of those tools have free or community editions, but many require that you work for a company that can afford them. The need to develop marketable skills, coupled with the often expensive tools that get you noticed, creates a perfect storm: job seekers with great knowledge but "weak" hands-on skills, and a job market where hiring managers struggle to find qualified workers. So what are we supposed to do to create balance in this situation?
What I am about to relay in this article won't necessarily unlock the doors to your first Security Operations Center (SOC) gig. What it will do is provide a blueprint that, if you follow it, will help you develop critical, in-demand skills and might even get you noticed. If you build those skills, you may impress someone enough to give you the chance you want and probably deserve. By combining two different training opportunities into one, we can develop the knowledge and skills that show we are hungry and as prepared as we can possibly be, given the lack of professional experience. So let's go!
Step one: we need a starting point from which to develop our SOC skills. If you are fresh off training/certification for the CompTIA Security+ exam, then you have a great baseline of knowledge. If you don't have that training or knowledge, then I think you should consider getting it before diving into this adventure. Back to the starting point...I think that one of the most attainable SOC analyst training paths and certifications is CompTIA's Cybersecurity Analyst+, or CySA+. There are certainly others out there, such as the Cisco Certified CyberOps Associate (formerly the Cisco Certified Network Associate: Cyber Ops), and you may choose to pursue that certification instead. For name recognition, I have had hiring managers comment positively on the CySA+ and ignore the CCNA: Cyber Ops certification (which required two exams costing approximately $600 combined). Since it has the best name recognition (out of my rather small sample size), we will focus on this certification, and more specifically on the training needed to become certified.
Full disclosure: I took the CySA+ CS0-001 beta exam and passed it, thus becoming certified before the exam was publicly available. The exam was $50, whereas the full, non-beta exam costs $359 retail. Additionally, I teach CompTIA courses, which means I am biased toward CompTIA certifications. Besides teaching the courses, which helps pay the bills, I have also seen how life-changing the CompTIA certifications can be to those trying to break into IT.
Step two: training materials. I purchased the 30Bird Media book for the CySA+ exam (found here). One of the main reasons I chose the book, besides the experience I've had using their materials for other CompTIA certifications, is that the book comes with virtual labs. You can go to their site (see link above) and download the virtual machines (VMs) in order to follow their labs. You will need a virtualization hypervisor, such as VirtualBox, as well as enough RAM, hard drive space, and CPU virtualization extensions (Intel VT-x or AMD-V, which often have to be enabled in the BIOS/UEFI before the hypervisor can use them). Choosing the best hardware platform is beyond the scope of this article, but there are plenty of great tutorials on YouTube: the video from Black Hills Information Security is a good example.
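Before downloading several gigabytes of lab VMs, it is worth confirming the host can actually run them. The script below is an added example and is not part of the original article or 30Bird's materials; it assumes a Linux host with /proc/cpuinfo and /proc/meminfo, and the RAM and disk thresholds in it are illustrative values I picked, not figures from the book.

```shell
#!/bin/sh
# Added example, not from the original article: check a Linux host for the
# resources a set of lab VMs will need before importing them into VirtualBox.
# Assumptions (mine): a Linux host with /proc/cpuinfo and /proc/meminfo, and
# the thresholds below, which are illustrative rather than 30Bird's numbers.

MIN_RAM_GIB=8     # hypothetical floor for the host plus two or three lab VMs
MIN_DISK_GIB=40   # hypothetical floor for the extracted VM disk images

# Succeed (exit 0) if the given cpuinfo text advertises Intel VT-x (vmx) or
# AMD-V (svm). The text is passed as an argument so the same function can be
# run against /proc/cpuinfo on a real host or against a constructed sample.
has_virt_flags() {
    printf '%s\n' "$1" |
        grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)'
}

# Print total RAM in whole GiB from meminfo text (e.g. "MemTotal: 16309528 kB").
mem_gib_from_meminfo() {
    printf '%s\n' "$1" | awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 }'
}

# Print free space in whole GiB on the filesystem holding the given directory.
free_gib() {
    df -Pk "$1" | awk 'NR == 2 { printf "%d\n", $4 / 1048576 }'
}

# Run all three checks against the live host; VMs are assumed to live under $1.
# Returns 1 if any check fails so the script can gate a provisioning step.
check_host() {
    vm_dir="${1:-$HOME}"
    rc=0
    if has_virt_flags "$(cat /proc/cpuinfo)"; then
        echo "ok:   CPU virtualization extensions (vmx/svm) present"
    else
        echo "FAIL: no vmx/svm flag; enable VT-x/AMD-V in the BIOS/UEFI"
        rc=1
    fi
    ram=$(mem_gib_from_meminfo "$(cat /proc/meminfo)")
    ram="${ram:-0}"
    if [ "$ram" -ge "$MIN_RAM_GIB" ]; then
        echo "ok:   ${ram} GiB RAM (minimum ${MIN_RAM_GIB})"
    else
        echo "FAIL: ${ram} GiB RAM, need at least ${MIN_RAM_GIB}"
        rc=1
    fi
    disk=$(free_gib "$vm_dir")
    disk="${disk:-0}"
    if [ "$disk" -ge "$MIN_DISK_GIB" ]; then
        echo "ok:   ${disk} GiB free under ${vm_dir} (minimum ${MIN_DISK_GIB})"
    else
        echo "FAIL: ${disk} GiB free under ${vm_dir}, need at least ${MIN_DISK_GIB}"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check_lab_host.sh --check /path/where/the/vms/will/live
case "${1:-}" in
    --check) check_host "${2:-$HOME}" ;;
esac
```

If the vmx/svm check fails on a machine that should support it, the extension is almost always disabled in firmware rather than absent; the hypervisor will otherwise fall back to painfully slow software emulation or refuse to start 64-bit guests at all.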
The benefits of the labs include:
- Access never expires since they are on your computer.
- Besides the cost of the book, the labs don't add to the cost of the training (separate lab fees are a frequent add-on that can make "affordable" training anything but).
- They allow you to reinforce the knowledge learned in the lessons.
- When you are done with the book and get certified, you can continue to sharpen your skills by going back through the labs, again and again.
- You can also add new VMs to the mix, allowing you to use the labs for other certifications and training that you may get access to in the future.
The drawbacks include:
- The VMs are demonstration versions of software that requires a license. This means that you will get warnings and possibly have some or all of the functionality disabled over time.
- The labs will, over time, become outdated, so their value will diminish. Not a huge deal, but something to consider; since the guest operating systems and tools inside them will stop receiving patches, keep the lab VMs on a host-only or internal network rather than bridged to your LAN.
- The VMs may become incompatible with more up-to-date versions of your hypervisor. While unlikely in the near term, it is something that I try to pay attention to, just in case.
In my next post, I will write about how I have merged the material in Steps 2 and 3, thus giving me practical knowledge, training, and experience.
Until then, cheers!