
The Importance of Training on A High Functioning Security Operations Center (SOC)

Mike Krass • Thursday, October 6, 2022 • 16 minutes to listen


Transcript

Opening

Hello, everybody, and welcome to What's the Problem, the show that explores problems, issues, considerations, and any hot topic discussion in the world of cybersecurity.

Today, we are fortunate to have Jaqueline Lundie.

Conversation

Mike Krass: Jaqueline, say hello to our listeners.

Jaqueline Lundie: Hello, listeners. Good afternoon.

Mike Krass: All right, Jaqueline, let's get into it. Tell our listeners why you are qualified to talk about cybersecurity.

Jaqueline Lundie: I walked into cybersecurity the hard way. I've been doing cybersecurity for about six going on seven years now. I worked with different companies and have a lot of SOC experience. I've taken several certifications and assisted coworkers with certifications, and I can tell you a great deal about SOC's cyber security experience.

Mike Krass: Well, I think our listeners are dying to hear it. So today, we are not going to talk about a problem per se. We will explore the advantages of training well within the Cyber Security Operations Center. A lot of our listeners are going to hear that and go well. What are we talking about here? I'd like to go deeper with your experience and expertise. Jaqueline, can you just get us started on that topic? Tell us a little about some advantages of a well-trained security operations center. What does that look like?

Jaqueline Lundie: When you have a well-trained security operations center, you don't have to worry about a high turnover rate impacting the SOC team. When you bring a person in and train them, sometimes it takes three or four months to train one person. If that person should leave, their work will fall on the other team members, which means I have to. It's a lot more work on them. My issue when I worked in a SOC was the training. I'm familiar with CompTIA Security Plus, and I've taken that test and passed it. So when I had my first SOC job, their training entailed the security to come to your security plus, and I didn't understand why. And then, after that, I was thrown out into what we call the SOC. They call it a bubble. They went over with me, and no one explained what I would see, how to apply those concepts and terms I learned in security plus, and what I will see in the SOP. I know the term phishing, virus, and all different types of malware, but in their environment, I didn't know what that looked like.

Mike Krass: A moment ago, you said to hire somebody new and bring them into the security operations center. You're looking at a three to four-month investment. Is that a three to four-month investment until they start recognizing some of these events? Or is that just three to four months of getting their feet under them, and they still have more time to start to become proficient at identifying threats and mitigations?

Jaqueline Lundie: It varies. Some companies do it, and that way, they'll check you with somebody, and you'll be able to look at what comes in and assault, and you have this coworker who's explaining this to you. And that takes a while because it kind of slows that I'm the person turning you down a little bit. So that takes a while, but each SOC I've been in has been a little bit different. Sometimes you just never know what you're going to get. I've had the experience where they went over the certification and threw me out there. I was not familiar with the environment. I've had situations where I was told that all SIEMs basically work the same. So since you've worked in a SIEM before, you should be familiar with it, which is true. But there are some things that there are some features that are different in each SIEM, and I've had to be thrown out there and had to learn on my own. But when you do that to somebody just starting in this field, that is scary.

Mike Krass: What does it feel like? Is it stressful?

Jaqueline Lundie: It's very stressful. I've had to do my time to reach out to co-workers who have been in this field longer than I have. I have a lot more experience. I've had to reach out to people or YouTube. I have even been in a job where you had to work and train at the same time. I didn't quite understand that.

Mike Krass: What you're talking about is co-workers and an online source like you to help him get you up to speed are some of the different products or solutions you're employing within the SOC. Do they have training that you felt was accessible, it was either on demand, or there was somebody you could call, and they could step you through things?

Jaqueline Lundie: The current position that I have now, I'll be honest with you, is the best experience I've had. Thus far, in all the years I've been in this, they make sure I have somebody to call if I run into a problem or something I do not understand. Because to me, each SOC environment is different. They do things differently, and with this current job, they have everything very organized and laid out. I didn't have too many questions. The only issue I had to learn was their SIEM, I had never used their SIEM before what they use, and I had to learn their process and how to respond to their customers. If I needed to reach out to them, or even a CISO, I could, and I never had that. He even offered and wanted us to take the certification, and said, “If you need to take some time off to prepare for that, you can,” I was in shock because I'm so accustomed to training and working at the same time.

Mike Krass: You're like bolting and screwing in the wings on the airplane as it's rolling down the runway, and then we've got until the end of the runway to get this thing off the ground.

Jaqueline Lundie: And as I stated to you before, I'm not making the money that I normally make, but I just love the company and how they go about doing things.

Mike Krass: You mentioned that to me, and that's a good point talking about that environment you find yourself working in. You've said that once, and now you're saying it the second time. It's not just about money. I could make more money elsewhere. I would also pay for that for a higher salary in the form of gray hair, stress, and confusion. If you feel that way in that environment, you're probably not the only one. You've got this bubble filled with colleagues who I shouldn't speak generally, but I'll say many of them are in that bubble in that same headspace, and they're not feeling supported and not feeling prepared. That's one thing I've also heard in this interview today about being prepared. It's preparing for an exam or a cert, preparing for responding to an incident, and preparing to do tabletop games. It's just a simulation. It's about feeling prepared to do your job.

Jaqueline Lundie: That is correct. Because working in a SOC can be stressful. I've been in situations where we've had DDoS come in where a customer, client, workstation, or laptop was compromised, and you will go through the process as to what to do to SOPs, and it's outdated.

Mike Krass: What do you do then?

Jaqueline Lundie: I get on the phone. I go to the co-workers. I say I went to the SOPs, but it's outdated, and in a situation like that, you need to move fast before anything spreads get out of hand. I've been in situations like that. I was making more money. It could be very stressful if that company doesn't have everything together and is not organized. I can't do that.

Mike Krass: Would it be safe for us to say and be honest with them here? Would it be safe to say that, being in a bubble, you feel prepared and supported? Safe to say that there is a reduction or a lower turnover than the average security operation center? Do you think it's a wide margin?

Jaqueline Lundie: Even my current company and those people have been there for a while. I was impressed with it, and that's unusual for a SOC, to be honest with you.

Mike Krass: And that attracted you to want to be there. You said, “There had been here for a while. I want to be part of that.” I'm drawing this, and the listeners can probably hear him drawing this correlation between the value of the benefits of being prepared for training and the value the business value of reducing turnover within your security operations center. People should be more prepared to handle and address incidents with fewer 911 phone calls. Something is happening right now, and every second counts, and we don't know what to do because going to get out the training materials or IRP is or out. Something is not there. The plan exists, but it's not that useful for us now. We’ll leave the listeners with one more thought here. I'll ask one final question about training. Do you think that there is such thing as too much training? Can you be overtrained?

Jaqueline Lundie: No.

Mike Krass: All right, a one-word answer. I love it.

Jaqueline Lundie: Oh, sorry. I just went into deep thought because the attackers out there are two steps ahead of us. I just can't see myself having too much training or being overly prepared because they're out there, and they're not going away. I just don't see you. You have to stay trained in this field. It's continuous training, and you have to stay ahead of the attackers. They're not going anywhere.

Mike Krass: Now, let's talk about training in a different life. The different context and this is our final question of the podcast. You know barbers have to get trained, and hairstylists have to get trained. You still see folks walk out of a salon or a barbershop, and it's not looking that good, to be honest with you. Sometimes it's just bad.

As it gets the show, we always ask three questions. Put on a smile, and be a little bit vulnerable. Put yourself out there and smile on some of our listeners' faces. Tell our listeners about a terrible haircut you've had at some point.

Jaqueline Lundie: I did get my hair cut short, and my barber was booked. I had an on-site interview. I had my nephew, who was my in-law; he wanted to be a barber and was learning in training, so I let him cut my hair. I looked in the mirror, and all I could say was, “Oh my God. Why have I done this? Do you think I could fix it? I don't think I can fix it.” So I had to explain to the people and the one interviewing me what had happened where they found it funny when I showed up. I was dressed nicely.

Mike Krass: There are times to be brave, and there are other times when you just gotta go with, and that's one of those times where it's like, “I'll come back. I'll be by tomorrow. Don't worry.”

Well, Jaqueline, I appreciate you joining the podcast and sharing some of your expertise with our listeners. It's not uncommon for the listeners to hear an episode, and then they want to reach out and speak to one of the guests' experts about something that he or she said or anything on the topic of cybersecurity. If folks want to get a hold of you, what's an appropriate avenue for them to reach out? Is LinkedIn a good place for you? Or where are you comfortable?

Jaqueline Lundie: I'm always on LinkedIn, and it’s the best route.

Mike Krass: Alright, listeners, you heard it here, Jaqueline is a big LinkedIn user, and we’ll include her LinkedIn profile in the show notes if you want to reach out.

Jaqueline Lundie: Thank you so much for having me. I appreciate it.

Mike Krass: We appreciate you taking the time, Jaqueline. And to our listeners, we are always very grateful. Thank you for joining What's the Problem, the show that explores problems, situations, scenarios, and just those hot and sometimes cold-button topics in the world of cybersecurity. Until next time.

Jaqueline Lundie

Jaqueline Lundie is a SOC Analyst with the US Department of Health and Human Services.
