Sunday, May 17, 2020

Splunk, 30 Bird Media, and the CompTIA CySA+ CS0-001 (Cyber Security Analyst or SOC Prep): Part 001

One of the eternal questions that it seems everyone asks when they want to break into cybersecurity is this: how do I develop the skills that will make me a great security analyst when I can't get a job without experience? Add to that a pretty common request or requirement on job requisitions is experience with various security tools. Some of those tools have free or community editions but a lot will require that you work for a company that can afford said tools. The need to develop marketable skills, coupled with the oftentimes expensive cost of the tools that get you noticed, creates a perfect storm of job seekers with great knowledge and "weak" skills, as well as a job market where hiring managers struggle to find good, qualified workers. So what are we supposed to do to create balance in this situation?

What I am about to relay through this article won't necessarily help unlock the doors to your first Security Operations Center (SOC) gig. What it will do is provide a blueprint that, if you follow it, will help you develop critical skills that are in demand and might even get you noticed. If you build those skills you may impress someone enough to give you the chance you want and probably deserve. By combining two different training opportunities into one, we can develop the knowledge and skills that will show we are hungry and as prepared as we can possibly be, given the lack of professional experience. So let's go!

Step one: we need a starting point for us to develop our SOC skills from. If you are fresh off of training/certification for the CompTIA Security+ exam, then you have a great baseline of knowledge. If you don't have that training or knowledge, then I think you should consider getting it before diving into this adventure. Back to the starting point...I think that one of the most attainable SOC analyst training and certifications is CompTIA's Cyber Security Analyst Plus or CySA+. There are certainly others out there, such as the Cisco Certified CyberOps Associate (formerly the Cisco Certified Network Associate: Cyber Ops), and you may choose to pursue that certification instead. For name recognition, I have had hiring managers comment positively on the CySA+ and ignore the CCNA: Cyber Ops certification (which had two exams and cost approximately $600 for the two exams, combined). Since it has the best name recognition (out of my rather small sample size), we will focus on this certification, and more specifically, the training needed to become certified.

Full disclosure: I took the CySA+ CS0-001 beta exam and passed it, thus becoming certified before the exam was publicly available. The exam was $50, whereas the full, non-beta exam costs $359 retail. Additionally, I teach CompTIA courses, which means I am biased toward CompTIA certifications. Besides teaching the courses, which helps pay the bills, I have also seen how life-changing the CompTIA certifications can be to those trying to break into IT.

Step two: training materials. I purchased the 30Bird Media book for the CySA+ exam (found here). One of the main reasons why I chose the book, besides the experience I've had using their materials for other CompTIA certifications, is that the book includes virtual labs. You can go to their site (see link above) and download the virtual machines (VMs) in order to follow their labs. You will need a virtualization hypervisor, such as VirtualBox, as well as enough RAM, hard drive space, and CPU virtualization extensions. Choosing the best hardware platform is beyond the scope of this article, but there are plenty of great tutorials on YouTube: check out the video from Black Hills Information Security for an example.

The benefits of the labs include:
  • Access never expires since they are on your computer.
  • Besides the cost of the book, the labs won't add to the cost of the training (extra lab fees are a frequent occurrence that can make affordable training anything but).
  • They allow you to reinforce the knowledge learned in the lessons.
  • When you are done with the book and get certified, you can continue to sharpen your skills by going back through the labs, again and again.
  • You can also add new VMs to the mix, allowing you to use the labs for other certifications and training that you may get access to in the future.
Since we've gone over the pros of the labs, here are a few possible cons:
  • The VMs are demonstration versions of software that requires a license. This means that you will get warnings and may have some or all of the functionality disabled over time.
  • The labs will, over time, become outdated. That means that their value will diminish over time. Not a huge deal, but something to consider.
  • The VMs may become incompatible with more up-to-date versions of your hypervisor. While unlikely in the near term, it is something that I try to pay attention to, just in case.
Step three: one of the problems with most training programs is that they rarely give you experience with actual tools used by SOC analysts. It is very expensive, in most cases, to give people access to the most in-demand tools. That cost would have to be passed along, which would make such training less accessible to the "average" student. Now that I've said that, I can imagine that some might be asking the questions "well if that's the case, how am I ever going to get experience with those tools? Is this a lost cause or pipe dream?". The honest answer to those questions is that you can get access to the tools and you can get free training to go with the tools. Where, you ask? Splunk, I say. Splunk offers training (Fundamentals I & II) and they also offer a free download and 30 days of access to the full, enterprise tools and features. After the 30 days, you will have the features reduced to the free version (500 Mbytes of data processed after the trial period ends, for instance). If you do a search online for "Splunk Fundamentals I", you will find the link to apply for the training.

In my next post, I will write about how I have merged the material in Steps 2 and 3, thus giving me practical knowledge, training, and experience.

Until then, cheers!


  1. Thanks for this article. I fall right into this category. Can't wait until your next article. Thanks.

  2. I hope these articles are useful. I should be writing another article soon, so stay tuned.