EXPEL BLOG

20 tips for aspiring security operations center analysts

· 3 MIN READ · JON HENCINSKI · AUG 21, 2023 · TAGS: Careers

TL;DR—Candor, curiosity, passion for learning, humility, empathy, and a commitment to teamwork can take those seeking cybersecurity analyst jobs far.

This is a great time for those thinking about cybersecurity careers. There’s a talent shortage, which means the market is slanted in your direction. And unless the world’s cyberattackers decide to retire (note: seems unlikely), it’s a field with solid job security prospects.

If you’re a new security pro, congrats. If you’re still looking at cybersecurity analyst jobs, we wish you the best of luck. Either way, here’s some advice that should serve you well.

  1. Curiosity and a passion for learning will take you far. Not only do you need to know a lot to succeed as a security pro, learning begets learning. The more you know, the better you learn.
  2. Candor is a strength, not a weakness. All the top leaders in the field have one thing in common: once upon a time, they knew less than you do right now. It’s okay to admit you don’t know—in fact, it’s a core requirement. If you encounter a question or problem you’re not familiar with, it’s an opportunity to learn something valuable. It’s actually a gift. Take advantage.
  3. When you encounter something you don’t know (this will happen often), and it bothers you that you don’t know, convert that energy into action. If it doesn’t bother you, cybersecurity may not be the right path for you.
  4. You’ll make mistakes. Don’t sweat it. Learn from them so you never make them again, and move on.
  5. Before you solve a problem, own the problem. Letting things slip through the cracks isn’t an option in security, and that means accountability is essential.
  6. Learn how the internet works. (Not as duh as it sounds.) You open Chrome and type “google.com” and hit enter. What happens next? What do you see in the pcap? (If you don’t know what that is, start learning right now by looking it up.) This way, you’ll begin to truly understand the protocols involved.
  7. Lead with empathy. Care about the organizations you protect, the employees you defend, and your teammates.
  8. Learn the basics of file systems. You open a file on a Windows computer. What happens next? What about on Linux or macOS?
  9. Learn how to think like an attacker. Sun Tzu said, “if you know the enemy and know yourself, you need not fear the result of a hundred battles.” Start by learning the basics of penetration testing and red teaming. CCDC, CTFs, and YouTube are all great places to begin (again, if you don’t know those acronyms, go look them up).
  10. Internalize this mental model: access, elevate, movement, storage. Attackers will gain access, find privileges that enable them to move to other systems (lateral movement), and then repeat until they find the data (storage) or path to complete their objective.
  11. The quality of your investigation hinges on the quality of the questions you ask. Ask: what is it (backdoor, utility, API key), what does it do (for example, allow remote access by communicating with a C2 server), when did it get there, how did it get there, where else is the activity, and what do you need to do?
  12. Speaking of investigations, many of the great ones are stories (based on evidence), so learn how to tell great stories via verbal and written communication. Keep a copy of Strunk & White’s Elements of Style within reach. Practice writing. “The Windows Security event log recorded a type 3 (network) logon using the ‘admin’ account originating from the IP address 10.10.10.1.”
  13. Know what you need to know. I don’t know every Windows event ID. I don’t need to (neither do you). But I do know how to establish a timeline of activity. The Windows event log recorded some event ID you don’t recognize during a known period of attacker activity? Look it up. Interpret what happened. Establish new leads. Pursue them.
  14. Speaking of event logs, /var/log on a Linux-based system can get you really far in terms of live response analysis.
  15. Read open source reporting. Understand what’s happening and ask, “how would we detect this?” And then, “how would we investigate and respond?”
  16. Cybersecurity is a team sport. So be a great teammate. Share knowledge. Build shared experiences. Help the new person.
  17. Engage with the #security community (however much you feel comfortable with). There are many talented folks that are willing to share what they know and help others.
  18. Networked apps are cool and all, but building your professional network is just as important. Not only is it important for your professional growth, it can also be important to solving problems at work.
  19. CTFs are a great way to level up your knowledge and experience. Set a goal to participate in one per quarter.
  20. Unfortunately, you won’t always have direct evidence. Sometimes you’ll need to infer what happened to find the next investigative lead. Problem-solving skills are as important as technical ones.
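Tips 11, 13 and 14 come together in the most basic analyst skill: take whatever logs you have, normalize them into one timeline, narrow it to the window of known attacker activity, and pull out the next lead. The block below is an added example, not code from the original post or from Expel. Every event and log line in it is constructed for illustration, and it assumes the Windows events were exported as JSON with UTC timestamps and that the Linux host writes /var/log/auth.log in UTC for the year 2023 (syslog lines carry neither a year nor a zone, so you must supply both, and a wrong guess silently shifts your timeline).

```python
"""Build a single, time-ordered investigation timeline from two constructed
log sources: Windows Security events (as exported to JSON) and Linux
/var/log/auth.log lines. All sample data here is made up for this example."""

import re
from datetime import datetime, timezone

# Constructed Windows Security events (a subset of fields from 4624 and 4688).
WINDOWS_EVENTS = [
    {"TimeCreated": "2023-08-14T02:11:09Z", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "admin", "IpAddress": "10.10.10.1", "Computer": "FS01"},
    {"TimeCreated": "2023-08-14T02:12:40Z", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "SubjectUserName": "admin", "Computer": "FS01"},
    {"TimeCreated": "2023-08-13T09:30:00Z", "EventID": 4624, "LogonType": 2,
     "TargetUserName": "jdoe", "IpAddress": "-", "Computer": "WS17"},
]

# Constructed /var/log/auth.log lines. Classic syslog format: no year, no zone.
AUTH_LOG = """\
Aug 14 02:09:55 jump01 sshd[2231]: Failed password for root from 10.10.10.1 port 51022 ssh2
Aug 14 02:10:03 jump01 sshd[2231]: Accepted password for svc_backup from 10.10.10.1 port 51022 ssh2
Aug 14 02:10:04 jump01 sshd[2231]: pam_unix(sshd:session): session opened for user svc_backup by (uid=0)
Aug 12 17:45:10 jump01 sudo:   ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Windows logon types you will meet most often; anything else is shown by number.
LOGON_TYPES = {2: "interactive", 3: "network", 10: "remote interactive"}

# timestamp, host, process (optional [pid]), message
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_windows(events):
    """Normalize exported Security events into timeline entries (timestamps assumed UTC)."""
    out = []
    for e in events:
        ts = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if e["EventID"] == 4624:
            kind = LOGON_TYPES.get(e["LogonType"], f"type {e['LogonType']}")
            summary = f"{kind} logon as '{e['TargetUserName']}' from {e['IpAddress']}"
        elif e["EventID"] == 4688:
            summary = f"process started: {e['NewProcessName']} by '{e['SubjectUserName']}'"
        else:
            summary = f"event {e['EventID']}"  # unknown ID: look it up, then extend this
        out.append({"time": ts, "host": e["Computer"],
                    "source": f"Security/{e['EventID']}", "summary": summary})
    return out


def parse_auth_log(text, year):
    """Normalize auth.log lines. `year` is an assumption you must make explicitly,
    as is the UTC zone; both come from the host, not from the log line."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # in a real case, count these so you know what you did not parse
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
        out.append({"time": ts, "host": m.group(2),
                    "source": f"auth.log/{m.group(3)}", "summary": m.group(4).strip()})
    return out


def build_timeline(entries, start, end):
    """Keep only entries inside [start, end] (the known attacker window), oldest first."""
    return sorted((e for e in entries if start <= e["time"] <= end), key=lambda e: e["time"])


def lead_ips(entries):
    """The 'where else is the activity' pivot: every IP seen inside the window."""
    ips = set()
    for e in entries:
        ips.update(IP_RE.findall(e["summary"]))
    return sorted(ips)


def format_timeline(entries):
    return "\n".join(
        f"{e['time'].strftime('%Y-%m-%d %H:%M:%SZ')} {e['host']:<7} {e['source']:<18} {e['summary']}"
        for e in entries)


if __name__ == "__main__":
    window = (datetime(2023, 8, 14, 2, 0, tzinfo=timezone.utc),
              datetime(2023, 8, 14, 3, 0, tzinfo=timezone.utc))
    entries = parse_windows(WINDOWS_EVENTS) + parse_auth_log(AUTH_LOG, year=2023)
    timeline = build_timeline(entries, *window)
    print(format_timeline(timeline))
    print("pivot on:", lead_ips(timeline))
```

Run as-is, the window keeps five of the seven records: the SSH brute-force miss and hit on jump01, its session open, then the network logon and cmd.exe start on FS01, all from 10.10.10.1. That address becomes the next question to take to the firewall and VPN logs. The two records outside the window (a console logon the day before, a sudo from two days earlier) are dropped, which is the point: a timeline is only useful once it is scoped.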

In sum: stay curious, stay humble, never stop learning, and be a good person and teammate. You’ll be amazed how far this will take you.

Oh, one more: bookmark our careers page and check in frequently.