This was a tweet that really provoked a lot of feeling for me. It’s another great question. Do you expect an entry-level SOC analyst to know what Kerberoasting is? I wish this question got more discussion on Twitter because it’s something I’m very passionate about.
Now, I believe the definition of an entry-level SOC analyst might vary across different companies and industries. So, before I can answer the question, I have to describe from my perspective what a SOC analyst is and what I would be looking for in one. A SOC analyst is a person who looks at alerts and detections and participates in the first steps of triaging the alert.
An entry-level SOC analyst is an individual who already has experience with technology, for example having worked in a help desk for a year. They should have the fundamentals of networking to understand the flow of traffic, take time to keep up with the security industry, and have some experience with pen-testing/red teaming (this could be doing CTFs or HTB). Now, this might seem extreme for “entry-level,” but I don’t believe SOC analyst is a starting point for somebody just getting into security.
I would like to compare two professions: doctor and SOC analyst. I believe both professions are fundamentally similar in that they make an observation from either the patient or the alert, maybe ask a question to create a hypothesis, and try to get an answer until they come to a conclusion. The background needed to get into these professions is dramatically different, though.
Doctors need roughly four years in an undergraduate program, four years in medical school, and three to seven years in a residency program to learn the specialty they chose to pursue. The requirement to be a security analyst is only a four-year degree. This is dramatically different. I understand there’s a different focus for each career. Doctors are concerned with the well-being of humans, but a SOC analyst is the first line of defense for a company’s well-being, and if the company is a hospital, making a wrong conclusion on an alert could put lives at risk.
I believe an entry-level doctor should be no different than an entry-level SOC analyst: both are professionals and have been trained to start working. Yes, they won’t know everything and will experience new challenges they have never faced before, but they are able to diagnose a situation. Now, I believe the security field could take something from the medical field when it comes to schooling, and that’s the residency program. I believe there needs to be a program set up to help ease new security professionals into the field rather than just throwing them into the fire.
I know some degrees now incorporate internship programs, but just like for doctors, it needs to be several years. Since getting hands-on experience might be hard, that’s why I recommend starting in a help desk. It will give the fundamentals in troubleshooting, user interaction, and networking, and sometimes it can have a security element to it. Now, this isn’t the best solution to the shortage of security professionals in the field, but I hope to see the SOC analyst role looked at as a real profession that needs training, and not as the equivalent of a starting point or a position that can easily be swapped out with anybody quickly.
So, to go back and answer the question above: should an entry-level SOC analyst know what Kerberoasting is? Absolutely! Below is my reply to @Haus3c, and it’s a great question for the security industry.
Editor: Emily Domedion