I’ve been doing some training lately, and this little gem of an article on building up network analysts to staff a new Security Operations Center (SOC) caught my attention. One of the key points the author, Jack (@jackcr) Crook, made was that it can take up to six months for a newer person just to become comfortable in their analyst role, and then an additional six months for them to become really effective at it. Hopefully you could get at least some experienced people to shortcut a year-long process, but I feel this is an accurate estimate. As you might expect with the first set of new analysts, they didn’t have much of a formal training program. Instead, Jack and his staff just started instructing them on tools through “weeks upon weeks” of coaching and mentoring, and built their lessons from that experience.
That first session sounded brutal, but with some time between their first and second classes they were able to pull together a five-week training program based on the lessons learned from the first class. The high-level topics they covered included:
- Organization structure
- Linux overview
- Networking fundamentals
- PCAP analysis
- Network flow analysis
- HTTP / SMB protocol analysis
- Log analysis
- Alert analysis
- Regular expressions to aid in reading detection rules
- Host identification
- Hands on labs and testing centered around positive and false positive alerts
- Live supervised alert analysis
Jack also added a written test at the end of the class to check student knowledge. After the class, I imagine traditional coaching and mentoring continued throughout the first year to get them to a level where they were first capable and later successful in their new role.
Given the need for companies to staff unfilled security positions and the lack of funding for formal training, organizations are going to have to turn to developing internal training programs like Jack’s to fill those roles. Yes, it’s no SANS, but it’s cost effective … and even better, it’s tailored to your organization.
Today’s post pic is from TheUnbounded.com.