What Students Really Learn Inside TekStream’s SOC (It’s More Than You Think)
By Michael Fazely, Senior Manager
Addressing the Cyber Talent Gap
It’s no secret that there has been a talent crisis when it comes to skilled cybersecurity professionals. Organizations from Forbes to ISC2 have written about and warned of this issue for several years. Colleges and universities now offer full-blown cybersecurity degrees, or at least computer science degrees with cybersecurity concentrations, which were uncommon even 10 years ago. While these degrees give students knowledge of security best practices, frameworks, and the procedures of digital forensics and incident response, organizations want to hire employees who already have hands-on experience. This creates a Catch-22: students with a relevant degree but no formal security experience are trying to enter the workforce, while organizations insist on prior experience. Not only are students left frustrated and jobless, organizations are left with unfilled positions that put them at risk.
So, the question becomes: how do we bridge this gap, giving graduates an opportunity to enter the workforce while assuring organizations that they are getting quality employees who walk in the door with the necessary hands-on experience?
Student-powered SOCs are a tremendous tool for combating this issue. They allow students to get hands-on experience with real-world security threats while pursuing their degree. That experience can begin as early as freshman year, giving students the potential for up to 4 years of experience prior to graduation.
I’m sure that as you’re reading this, you have a lot of questions about the logistics of how this all works and how effective it is, so let me dive into some of the details:
Training and Onboarding
Applicants to the program are required to take a critical thinking assessment before being interviewed. The assessment contains logic-focused questions that test an applicant’s attention to detail, a critical trait for a security analyst. Upon passing the critical thinking assessment, candidates are interviewed and, if hired, begin the onboarding process.
TekStream realizes that most institutions already use an LMS for technology-related education, so initial training is mapped to some of the most widely used LMSs. This training lasts 1-2 weeks, after which the students take a cybersecurity assessment to confirm that they have grasped the concepts covered in the training.
After passing the cybersecurity assessment, the students enter the shadowing and reverse shadowing portions of onboarding. This phase gives students a hands-on opportunity to become familiar with the UI of the tools they’ll use in the SOC and the workflow for closing and escalating investigations, and to get immediate feedback from professional security analysts while they perform investigations. During shadowing, the students join a call with TekStream analysts and watch along as the analyst performs investigations. A tools assessment follows shadowing to make sure the students understand how the tools function. After passing that assessment, the final phase of onboarding begins: reverse shadowing. In this phase, the students share their screens and perform investigations using runbooks supplied by TekStream while analysts are present to answer questions or assist students who get stuck.
Working in the SOC
After onboarding, the students work the queue in the SOC and perform investigations only on use cases that have published runbooks. TekStream implements a complexity scoring system that insulates new students from investigations beyond their current capabilities. Students continue to receive training and mentorship while in the program, and a leveling system allows them to progress: as students mature through the levels, more complex use cases become available for them to work.
The students also get some exposure to the engineering side of the SOC. To perform in-depth investigations, they receive training on Splunk’s Search Processing Language (SPL) and other query languages. That knowledge not only helps them perform deeper analysis and pivot into other data sources, it also helps them understand the detections themselves. With that understanding, students can dig into the detection behind a noisy alert and, via a custom playbook, submit tuning suggestions that the engineering team reviews for validation. If a recommendation is valid, the engineering team makes the change, lowering the alert noise. If it isn’t, the student receives feedback from the engineering team that helps them improve.
Throughout the program, the students work in a tiered SOC alongside professional security analysts and get direct experience with the tools and procedures used in the security industry. Students who graduate from this program will be well equipped to step into a SOC position after graduating without having to learn everything from scratch. The combination of analysis skills and the introduction to engineering-related tasks will set them apart as they look for entry-level jobs in the field.
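As an added illustration of the kind of tuning suggestion described above (this is example code written for this page, not code from TekStream or from the original post): a constructed batch of failed-logon events, the noisy detection that fires on them, and a tuned version that suppresses a known vulnerability scanner while still catching a password spray. The event fields, IP addresses, account names, the known_scanners allowlist and both thresholds are assumptions made for the example; the per-source aggregation mirrors what a student would express in SPL as `stats count AS failures, dc(user) AS distinct_users BY src_ip` followed by a `where` clause.

```python
"""Noisy vs. tuned failed-logon detection over constructed sample events.

All events, addresses and accounts below are made up for this example. The
event shape mimics the fields an analyst sees for a Windows Security
EventCode 4625 (failed logon) record after the SIEM has parsed it.
"""
from collections import defaultdict

# Constructed sample telemetry (not real logs):
#   10.0.5.20   - authenticated vulnerability scanner whose service account
#                 fails on every host where it is not provisioned (benign noise)
#   203.0.113.7 - password spray: one failure each against many accounts
#   10.0.8.15   - a single user mistyping a password a few times
EVENTS = (
    [{"EventCode": 4625, "src_ip": "10.0.5.20", "user": "svc_vulnscan"} for _ in range(30)]
    + [{"EventCode": 4625, "src_ip": "203.0.113.7", "user": f"user{n:02d}"} for n in range(25)]
    + [{"EventCode": 4625, "src_ip": "10.0.8.15", "user": "jdoe"} for _ in range(3)]
    + [{"EventCode": 4624, "src_ip": "10.0.8.15", "user": "jdoe"}]  # successful logon, ignored
)

# Hypothetical allowlist; in Splunk this would be a lookup table (for example
# a known_scanners.csv) maintained by the engineering team.
KNOWN_SCANNERS = {"10.0.5.20"}

FAILURE_THRESHOLD = 20      # assumed: failures per source before alerting
SPRAY_USER_THRESHOLD = 5    # assumed: distinct accounts that indicate spraying


def aggregate_failures(events):
    """Per-source counts, the equivalent of
    `| stats count AS failures, dc(user) AS distinct_users BY src_ip`."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for e in events:
        if e["EventCode"] != 4625:
            continue
        failures[e["src_ip"]] += 1
        users[e["src_ip"]].add(e["user"])
    return {ip: {"failures": failures[ip], "distinct_users": len(users[ip])} for ip in failures}


def noisy_detection(events):
    """Original rule: any source with more than FAILURE_THRESHOLD failed logons.
    It fires on the scanner every time it runs, which trains analysts to ignore it."""
    return {ip for ip, s in aggregate_failures(events).items() if s["failures"] > FAILURE_THRESHOLD}


def tuned_detection(events, known_scanners=KNOWN_SCANNERS):
    """Tuned rule: drop allowlisted scanner sources before aggregating, and
    require the failures to spread across many accounts (spray behaviour)
    rather than one service account retrying against many hosts."""
    filtered = [e for e in events if e["src_ip"] not in known_scanners]
    return {
        ip
        for ip, s in aggregate_failures(filtered).items()
        if s["failures"] > FAILURE_THRESHOLD and s["distinct_users"] > SPRAY_USER_THRESHOLD
    }


def tuning_summary(events):
    """What a student would attach to a tuning request: what the old rule fired
    on, what the new rule fires on, and which sources the change suppresses so
    the reviewer can confirm none of them are true positives."""
    before, after = noisy_detection(events), tuned_detection(events)
    return {"before": sorted(before), "after": sorted(after), "suppressed": sorted(before - after)}


if __name__ == "__main__":
    print(tuning_summary(EVENTS))
```

Running it lists the scanner address under "suppressed" and only the spraying source under "after"; that suppressed list is exactly what a reviewer on the engineering team would check before accepting the change, since a tuning that also drops a true positive is worse than the noise it removes.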
About the Author
Michael Fazely is an experienced IT professional with 15 years of background spanning enterprise campus, ISP, and data center environments. With 8 years of experience managing technical teams, Michael has managed both networking and cybersecurity teams. As Senior Manager, Security Operations Readiness, he heads the Workforce Development program, which mentors and trains students in the student-powered SOCs to become security professionals.
Michael holds a bachelor’s degree in electrical engineering from Louisiana State University. He also holds various industry certifications such as a CISSP and two MITRE ATT&CK DEFENDER certifications focusing on Cyber Threat Intelligence and Threat Hunting and Detection Engineering. Michael resides in Baton Rouge, Louisiana.
