Top 5 skills needed for a SOC analyst

Whether building a new Security Operations Center or revamping an existing one, staffing it with analysts who are equipped with the proper skill sets should be priority number one, says Palo Alto's Rick Howard.

Building a Security Operations Center (SOC) from scratch or revamping an underperforming one is a daunting leadership challenge. Of all the tasks you have to think about, finding and hiring a set of SOC analysts with the right skill set has to be a top priority.

These people are the last line of defense; if a cyber adversary gets past your SOC analysts, there is nobody else in the organization that can find them. You can purchase and deploy all of the latest and greatest tools for your security stack, but if you don't have the right people to run them and analyze the data they generate, you are wasting your time.

You need qualified people to make sense of it all, and these people have to be experienced and passionate about what they do. As you might expect, folks like these can be hard to come by, so let's take a look at what makes a top-notch SOC analyst.

Are security certifications worth it?

In the past decade, our college programs and professional certification programs have surged to meet the demand for trained cyber-security experts. This is a good thing, with one big caveat. This situation has flooded the employment space with cyber security wannabes who think that receiving a cybersecurity certification from some reputable program or an information assurance degree from an accredited institution qualifies them to sit in a SOC and defend the enterprise. That could not be further from the truth.

Experience has shown me that passing a certification exam or getting a degree in information assurance simply shows that a potential employee is a good test taker or has the determination to plow through a degree program. Neither substitutes for the wealth of experience SOC analysts need to be good at their jobs.

Don't get me wrong. Certification programs can be an important piece of a cybersecurity practitioner's complete education. Information assurance degrees are a good place to start if you want to be a cybersecurity professional. But for an SOC analyst, they're not sufficient by themselves.

Certifications are absolutely not the first thing potential SOC analysts should get if they are thinking about a career in cyber security, and an information assurance degree does not have enough depth in the basics of computer science to be of use in a SOC. You need more skills.

A couple of certifications I do think SOC analysts should pursue are the CISSP certification and many of the courses offered in the SANS curriculum.

SOC analysts need passion

In order to find good SOC analysts, you need to look for passion. SOC analysts have to deeply understand how computers and networks work at the ones and zeroes level and be able to sling code into useful tools for analysis. They have to love this stuff and be able to explain what they know to all kinds of audiences: fellow geeks, IT Management and the C-suite.

If they don't have a Linux box of some sort at home that they are playing with or that they use for their own home computing needs, they are not qualified. In other words, they have to have a basic understanding of computer science, a passion for the craft and an ability to explain what they know to anybody that will listen. But even with all of that, they're not ready to be a SOC analyst.

SOC analysts need experience

They must also have spent time in the IT trenches. A career path for my fantasy SOC analyst includes spending time on the IT help desk, managing servers in the data center, and finally, managing one or more of the security devices in the security stack; preferably all of them.

Once they have seen all the trouble they can get into by performing those functions, they will have some context when an adversary starts to work his way down the kill chain into your network. They will understand the impact to your network when a cyber spy bypasses all of your controls to target your CEO. They will understand what has to be done when the hacktivist attempts to destroy your business' reputation by leveraging a programming error on a public-facing website. And they will intuitively understand what the cyber criminal must do to steal your customers' credit card numbers. Without that IT background, they can't understand what they are seeing as incidents come flying into the SOC.

Top 5 entry-level SOC analyst skills

With all of this in mind, here are my top 5 skills required in an entry-level SOC Analyst:

1. Strong understanding of basic computer science: algorithms, data structures, databases, operating systems, networks, and tool development (not production-quality software, but tools that can help you do stuff).
2. Strong understanding of IT operations: help desk, endpoint management and server management.
3. Strong ability to communicate: write clearly and speak authoritatively to different kinds of audiences (business leaders and techies).
4. Strong understanding of adversary motivations: cyber crime, cyber hacktivism, cyber war, cyber espionage, and the difference between cyber propaganda and cyber terrorism.
5. Strong understanding of security operations concepts: perimeter defense, BYOD management, data loss protection, insider threat, kill chain analysis, risk assessment and security metrics.

Top 5 specialties for senior SOC analysts

If you are hiring a more senior person, here are some specialties to look for:

1. Strong understanding of vulnerability management: what are vulnerabilities, how do we find them, and how do we mitigate them?
2. Strong understanding of malicious code: reverse engineering skills; practitioner tactics, techniques and procedures from common motivations (see above).
3. Strong understanding of basic visualization techniques, especially for big data.
4. Strong understanding of basic intelligence techniques as applied to cyber.
5. Strong understanding of important foreign languages (first tier: Chinese, Russian, Arabic, and Korean; second tier: Japanese, German, French, Portuguese, and Spanish).

The skill that is the hardest to find in a potential SOC analyst is the ability to communicate: to write or present actionable intelligence derived from the raw information they have at their fingertips. I know this is not intuitive. I just outlined the set of complex technical skills that a SOC analyst needs to have in order to be successful. Then I said the hardest skill to find is the ability to write sentences. At first glance, these two things do not seem to go together, but it's true.

It's tough to relate the impact of a security event to a business leader, a government leader or a techie if the SOC analyst cannot transform the information they have into something the audience cares about. They can be the smartest malcode reverse engineer on the planet, but that's meaningless if they cannot translate geek speak into something the CISO can use to determine if they should dedicate resources to solving the problem. They might have a lucrative career as a cyber criminal, but they will fail as a SOC analyst.

Compensating your SOC analyst

As for salary, SOC analysts that have most of the basics covered and have mastered one or more specialties are pulling down an annual salary north of $100K; some are as high as $150K. This, of course, is dependent on where they live (the previous numbers are based on employees living in or near a big city). Your mileage will vary.

It goes without saying that the more complete their basics are and the more specialties they have, the higher their salary. You can pay less, but your analyst will likely not have the skills you need. This may not be a problem provided you already have a stable of qualified SOC analysts who can help train the newbie.

The bottom line here is that as you build your shiny new SOC or upgrade your old one, you should not neglect the skill sets of the analysts you will hire. And do not be fooled by newly minted cyber security professionals with their brand new certifications or Information Assurance degrees. They are on the right path, but they need some seasoning first.

Rick Howard is the CSO of Palo Alto Networks.

Copyright © 2014 IDG Communications, Inc.
