I have been involved in the hiring process for our Security Operations Center (SOC) for about a year and a half. Throughout this time, I have reviewed resumes, conducted phone screens, and participated in the technical interviewing process. I have been both dumbfounded by the audacity of some individuals and amazed by the sheer awesomeness of rising stars. One of my primary takeaways from this experience is that people simply do not know how to prepare for a technical interview in the security field.

Approaching from another angle, people often ask me a derivative of the following question: “What is the best way to get into the security field?” My typical response is something akin to, “That, my friend, is a loaded question.” Why is this question difficult to answer? It is not difficult to answer per se, but rather requires lengthy conversations. This article aims to distill the salient points in those conversations into a blog post.

Passion

Above all else, you need to embody passion for information security. One of my favorite statements is: “The security realm is an ever-evolving creature.” To work in this field, you need to be able to learn constantly, adjust to change, and push forward at all times. A successful incident response analyst is eager to learn and does not shy away from accepting failures as a means to improve.

Sounds great, right? Sure, but how does this translate to interviewing skills? Simple: The interviewers, who will henceforth be referred to as “the panel,” are going to want to know that you embody passion for your career. In an interview, be prepared to explain how you stay abreast of news in the security realm.

“I read blogs and articles.”
“Great. Which ones?”
“Oh, you know, like… Reddit and stuff.”
FAIL.

Your interview panel wants to hear about the Twitter feeds, blogs, and news resources that you read. Name them. Explain why you like them. Are you able to do that right now, this very moment? They want to know the names of people you follow on Twitter. Why do you follow those people? They want to know the last article you read that sent you into a research frenzy. For that matter, they want to know what you learned from said research. Be able to explain what you learned and why you found the research important.

Skills to Pay the Bills

Please keep in mind that this article is specific to my experience with hands-on security positions, such as those in a SOC or a Computer Incident Response Team (CIRT). With that in mind, let us evaluate the skills you will need for such a position. I present a few of the pillars upon which the security realm sits:

Foundation

These positions require a solid foundation in computing, networking (LAN/WAN), and information security. If you are a command-line junkie in both Windows and Linux/Unix-based environments, awesome. That is just the beginning. Are you familiar with how inter-process communication and memory management work at a low level? Taking a course or reading a book on operating systems (OS) concepts is a great way to start down this route, as this provides a solid jumpstart into OS methodology, design, and programming.

Network-Security Monitoring

A team cannot monitor the security of a network without employing task-specific tools. If you have never touched a security information and event management (SIEM) platform, you will want to review some of the tools listed here: https://en.wikipedia.org/wiki/Security_information_and_event_management#Vendor_products.

Additionally, you will want to have knowledge of some basic intrusion detection systems (IDSs), such as snort. In fact, if you are not familiar with reading and/or writing snort rules, it is time to hit YouTube.
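To make “reading a snort rule” concrete, here is an added example (my own illustration for this post, not Snort's parser and not code from the author): a toy reader that splits a Snort-style rule into its header (action, protocol, source/destination address and port, direction) and its options (msg, content, nocase, sid, rev), then checks constructed sample packets against it so you can see exactly why a signature fires on one packet and stays quiet on another. The rule, the $HOME_NET value and the packets are all constructed for the example; real deployments take those from snort.conf and from the wire.

```python
"""Toy Snort-style rule reader and matcher: an added example, not Snort's own
parser. It handles the header plus msg/content/nocase/sid/rev; other options
(flow, classtype, ...) are accepted and ignored, and '<>' is treated like '->'."""
import ipaddress
import re

# Constructed sample rule written for this example; not from any ruleset.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"EXAMPLE request for admin config path"; flow:to_server,established; '
    'content:"GET /admin/config.php"; nocase; content:"|0d 0a|"; '
    'sid:9000001; rev:1;)'
)
# Constructed value for $HOME_NET; $EXTERNAL_NET is taken as "not $HOME_NET".
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def _split_options(opts):
    """Split on ';' but not inside double quotes (msg/content may contain ';')."""
    parts, cur, quoted = [], [], False
    for ch in opts:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def _content_bytes(value):
    """Text outside |..| is literal; inside is hex, e.g. |0d 0a| is CRLF."""
    chunks = value.strip().strip('"').split("|")
    return b"".join(c.encode() if i % 2 == 0 else bytes.fromhex(c)
                    for i, c in enumerate(chunks))

def parse_rule(text):
    """Return a dict: header fields plus msg, sid, rev and [[bytes, nocase], ...]."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule.update(msg="", sid=0, rev=0, contents=[])
    for opt in _split_options(m.group("opts")):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "content":
            rule["contents"].append([_content_bytes(val), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True  # nocase modifies the preceding content
        elif key in ("sid", "rev"):
            rule[key] = int(val)
    return rule

def _addr_ok(spec, ip):
    addr = ipaddress.ip_address(ip)
    in_home = any(addr in net for net in HOME_NET)
    if spec == "any":
        return True
    if spec in ("$HOME_NET", "$EXTERNAL_NET"):
        return in_home if spec == "$HOME_NET" else not in_home
    return addr in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and a bytes payload."""
    if rule["proto"] not in ("any", pkt["proto"]):
        return False
    for a, p, ip, port in ((rule["src"], rule["sport"], pkt["src"], pkt["sport"]),
                           (rule["dst"], rule["dport"], pkt["dst"], pkt["dport"])):
        if not (_addr_ok(a, ip) and (p == "any" or int(p) == port)):
            return False
    # Every content must appear in the payload (case-folded when nocase is set).
    return all((n.lower() in pkt["payload"].lower()) if nocase else (n in pkt["payload"])
               for n, nocase in rule["contents"])

# Constructed sample traffic, not captured data.
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51234, "dst": "10.1.2.3",
     "dport": 80, "payload": b"get /ADMIN/config.php HTTP/1.1\r\nHost: x\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51235, "dst": "10.1.2.3",
     "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n\r\n"},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 80, "dst": "203.0.113.7",
     "dport": 51234, "payload": b"GET /admin/config.php HTTP/1.1\r\n"},  # wrong direction
]

def alerts(rule_text, packets):
    """Return (packet index, sid, msg) for each packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [(i, rule["sid"], rule["msg"]) for i, p in enumerate(packets) if matches(rule, p)]

if __name__ == "__main__":
    for i, sid, msg in alerts(SAMPLE_RULE, SAMPLE_PACKETS):
        print(f"[**] [1:{sid}] {msg} [**] packet #{i}")
```

Only the first packet fires: it comes from outside $HOME_NET to port 80 inside it, carries the content string (matched case-insensitively because `nocase` follows it) and the CRLF given in hex. The second packet has the right header but not the content; the third has the content but flows in the wrong direction. That “why did it fire, why didn't it” reasoning is what the panel is after when they ask about the signatures you see in Snorby.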
You will probably also want to look into another popular IDS, bro.

For some awesome hands-on learning, try to spin up Security Onion. Security Onion is “a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring)” (Burks, 2015). This tool affords an amazing academic environment, providing numerous task-specific tools for your learning pleasure. Get your hands on this puppy and go nuts. The key is to look “under the hood” at all times. If you do so, you will be surprised at how much you can learn. Think about this: The information shown in Snorby, how is that populated? Those snort signatures that are firing, why are they firing?

Other Related Skills

Computer forensics, network forensics, malware analysis, and penetration testing are all skills that fall into the “you should know about these bad boys” realm. However, I am going to cut this particular article short and simply mention them. If you would like to know more, you can Google around or simply ping me for additional details.

To discover more about landing a hands-on security job, stay tuned for part 2.

To learn more about what types of high-paying jobs you can work towards in information security, please click here and here.
About the Author: Ryan J. Chapman (@rj_chap) works as a SOC Lead for Bechtel Corporation. In this capacity, he functions as an incident handler on a daily basis, which includes host- and network-based forensic analysis, along with malware analysis. Prior to this position, Ryan worked as an Application Developer during his transition from a full-time training career. Ryan has a zest for life-long learning and holds the GREM, GCIH, LPIC-1, SUSE CLA, Linux+, Security+, A+ and ACHDS certifications. Ryan also holds a graduate degree in Information Assurance and an undergrad in Networking, both from Regis University. Overall, Ryan loves retro gaming, “nerd vomiting” on people, and “geeking it up” with infosec pals.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.