We have been writing about personnel matters and employee development models at Solar JSOC for some time. You have probably already read the article on how a third-year student can get into the monitoring and response center, or the one on how an engineer can build up experience for vertical movement within the Solar JSOC structure (from the first line to the second). Materials on the further vertical development of analysts, and on how a service manager can turn into a full-fledged CISO, are not far off. But for now I would like to talk about something else.
Fish look for where it is deeper, and people for where it is better. This well-worn saying quite accurately reflects the aspirations of employees and candidates. Only the word “better” means something different to each of them. It is not always about financial conditions, grades, “crimson trousers” or the commute from home to the office.
It often happens that an employee is simply tired of his current tasks and is looking not so much to “pump up” experience, i.e. to keep doing the same thing more deeply, as to find new challenges in adjacent areas. In such cases we do our best to help him find a new calling and get not “vertical” but “horizontal” development inside Solar JSOC. The only difficulty is not to miss that moment, and also to give the person all the “equipment” needed to conquer new peaks.
Here we will try to describe several such cases.

Hot hands, cold heart
The life of our team begins with the first line. But, as we have already mentioned several times, there are two first lines. The first of them focuses on sifting through logs, analyzing and investigating incidents, and turning them into analytical reports or false positives.
This work is very high-tempo (during a day our 1st line grinds through almost one and a half thousand suspected incidents), but at the same time somewhat routine. It requires, above all, diligence, concentration and continuous clarity of mind (probably that is also why monitoring work attracts women: most of the girls on the team are on the first line).
There are several nuances here. First, working with logs and reconstructing an incident often leaves a certain feeling of ephemerality and incompleteness. There is a process, but no result you can touch with your hands or feel with your fingertips. And the desire to “feel” the result of one’s work is sometimes very important for a security specialist.
Secondly, as already mentioned, the work, driven by the SLA, goes on continuously and at a high pace. If your soul wants to dig thoughtfully and unhurriedly into a complex engineering problem, constant time pressure can be irritating.
This may not always be obvious even to the employee himself, but from the outside it is visible to the naked eye, especially if:
- A strong engineer conducts very high-quality analysis and investigation of incidents, but at the same time regularly misses the timings set by the SLA, especially for the “shortest” incidents.
- In parallel with the main tasks, the engineer is drawn to internal tasks of improving the efficiency of the infrastructure, or starts writing quick-and-dirty scripts to automate his routine work.
And in general, starting from the initial interview, we pay attention to how a future colleague thinks and what drives him: whether he is ready to work by the algorithm and follow instructions precisely, or whether he prefers free-form search and independent research.
If the specifics of monitoring work become a problem for a person, this does not mean he needs to go looking for a new job. For us it is a signal that, having passed through the fire and water of monitoring, he can try himself in the “copper pipes” of administration and take up the direct management and “tuning” of policies on a wide variety of hardware, security tools and information security systems. And such transfers are not an exception to the rules for us, nor something unrehearsed.
How does it work? Fortunately, for all the differences in the teams’ work, both first lines share a similar foundation in network technologies. Moreover, for monitoring engineers the functionality and capabilities of the protection tools are quite transparent: they work with their logs on a daily basis. Therefore, for a transfer it is usually enough for an engineer to build up three skills:
- Study the functionality and interfaces of the security tools he will have to work with daily (antivirus, proxy, firewall, VPN).
- Strengthen network equipment administration skills, using our internal and external labs to get hands-on practice in management, including work planning.
- Learn to diagnose problems and failures in protection tools by taking apart a dozen practical cases from our accumulated knowledge base.
And one more thing: the phrase about the cold heart in this section’s title was not a joke. Working with critical high-load systems does not tolerate fuss or an emotional “I’ll just do it quickly!” These are very measured and rational actions, with an assessment of potential consequences, preparation of a change request (RFC) and planning of a maintenance window.
These specifics of the work, and the atmosphere in the team, leave an imprint on the mentality of the first administration line, forcing them to think every minute about the consequences of the work being done and the changes being made, and about whatever cannot be fitted into the Procrustean bed of regulations and job descriptions.
A mathematician should not count, a mathematician should think
There is also the reverse scenario, when at some stage a specialist’s hands get tired of hardware, equipment settings and protection tools, but there is no desire to move towards management or leading people. At such moments you usually want to look at the customer’s security system a little from the outside, start operating with threat vectors and scenarios for detecting and responding to them, and look at the infrastructure a little more broadly, not limited to the protection tools and related systems. And this often pushes a person towards incident analysis and working with detection scenarios.
Our customers help a great deal in shaping such vectors of movement for specialists, in particular those for whom we solve end-to-end security management tasks, that is, where we are engaged not only in monitoring and analyzing incidents but also in administering the protection tools.
How is it that customers influence our internal HR processes? Mainly for two reasons:
- The SIEM platform itself, besides detecting incidents, is a very good tool for log management and a posteriori analytics. Some of the tasks associated with operations, such as diagnosing the cause of load on a channel, determining the list of external addresses used by an application, or reconstructing the chain of changes to policies and configurations, can often be done much faster and more efficiently in the SIEM. Therefore all engineers, starting from the first line of administration, have read access to the logs of customers’ systems. Quite quickly this leads an inquiring mind to want to build micro-automation for itself, report templates, and so on. Thus the engineer gets involved in the adjacent area and sometimes finds it more interesting.
- The second, no less important part of our life is investigating atypical incidents or responding to complex attacks. In this case, especially when the countdown is in minutes, everyone does everything, and administrators are also involved in the brainstorming on the method of analyzing, counteracting and eliminating the consequences of the attack. Such brain stimulation for analytics and the search for hidden connections also quite quickly crystallizes in the employee an awareness of the comfort and fascination of such tasks.
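As an added example (not code from Solar JSOC or from the original post), here is the kind of micro-automation the first point describes: two of the a posteriori tasks named above, listing the external addresses an application talks to and reconstructing the chain of changes to a policy object, done over key=value events of the kind a SIEM export might contain. The log format, hostnames, user names, policy object names, the addresses (taken from documentation ranges) and the list of internal networks are all constructed assumptions.

```python
"""A posteriori log analytics of the kind an administrator might script for
himself.  Added example, not Solar JSOC code; the event format and every value
below are constructed for illustration."""
import ipaddress
import re

# Constructed proxy/firewall events in a key=value style (assumed format).
PROXY_LOG = """\
2019-05-14T10:02:11Z host=ws-101 app=updater.exe dst=203.0.113.9 dport=443 action=allow
2019-05-14T10:02:12Z host=ws-101 app=updater.exe dst=10.0.5.20 dport=8080 action=allow
2019-05-14T10:03:40Z host=ws-102 app=browser.exe dst=198.51.100.7 dport=443 action=allow
2019-05-14T10:04:02Z host=ws-101 app=updater.exe dst=198.51.100.77 dport=80 action=deny
2019-05-14T10:04:05Z host=ws-103 app=updater.exe dst=203.0.113.9 dport=443 action=allow
2019-05-14T10:04:30Z host=ws-103 app=updater.exe dst=192.0.2.44 dport=443 action=allow
2019-05-14T10:05:00Z host=ws-101 app=updater.exe dst=fe80::1 dport=443 action=allow
malformed line without fields
"""

# Constructed change-audit events for firewall policy objects (assumed format).
AUDIT_LOG = """\
2019-05-13T09:00:00Z user=admin1 object=fw-policy-12 field=action old=deny new=allow
2019-05-13T11:30:00Z user=admin2 object=fw-policy-12 field=dst old=10.0.0.0/8 new=any
2019-05-13T12:00:00Z user=admin1 object=fw-policy-07 field=enabled old=true new=false
2019-05-14T08:15:00Z user=admin2 object=fw-policy-12 field=action old=allow new=deny
"""

# Assumed customer-internal ranges: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10")]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Yield (timestamp, fields) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        parts = line.split(" ", 1)
        if len(parts) != 2:
            continue
        fields = dict(KV_RE.findall(parts[1]))
        if fields:
            yield parts[0], fields


def is_external(ip):
    """True if the address is outside every assumed internal range.
    Membership tests across IP versions are simply False, so v4/v6 mix safely."""
    return not any(ip in net for net in INTERNAL_NETS)


def external_addresses(log_text, app, allowed_only=True):
    """Sorted list of external destination addresses used by `app`.
    By default only connections the proxy allowed are counted."""
    seen = set()
    for _ts, f in parse_events(log_text):
        if f.get("app") != app:
            continue
        if allowed_only and f.get("action") != "allow":
            continue
        try:
            ip = ipaddress.ip_address(f["dst"])
        except (KeyError, ValueError):
            continue  # missing or unparsable destination: ignore the event
        if is_external(ip):
            seen.add(str(ip))
    return sorted(seen)


def change_chain(audit_text, obj):
    """Ordered chain of changes to one policy object as
    (timestamp, user, field, old, new) tuples, plus the resulting state."""
    chain, state = [], {}
    # ISO-8601 timestamps in one zone sort correctly as strings.
    for ts, f in sorted(parse_events(audit_text), key=lambda e: e[0]):
        if f.get("object") != obj:
            continue
        chain.append((ts, f["user"], f["field"], f["old"], f["new"]))
        state[f["field"]] = f["new"]
    return chain, state


if __name__ == "__main__":
    print("updater.exe talks to:", external_addresses(PROXY_LOG, "updater.exe"))
    steps, final = change_chain(AUDIT_LOG, "fw-policy-12")
    for step in steps:
        print(step)
    print("effective state:", final)
```

The same two queries are a few lines in any SIEM search language; the script form is what an engineer reaches for when the question recurs and he wants a report he can re-run or hand to a colleague.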
How does such a transfer proceed for employees? Training and transfer usually go in three directions:
- Experience in log analysis and incident investigation. Of course, lab examples help a lot, but the life of an MDR provider also throws up new interesting cases every week on which you can test and improve your skills. Moreover, as I have already said, administration specialists already have basic experience with logs.
- Working with the SIEM to create or adapt content. The “bird language” of writing correlation rules in different SIEMs does not come easily at first. But again, experience with logs and basic report building greatly shortens this route.
- And platform deployment, connecting and configuring sources, have long been familiar to any administrator. Just another product in the portfolio.
Such transitions produce very strong analysts, since combat experience with protection tools greatly helps them both in interpreting logs and in developing more specific and down-to-earth recommendations on how to respond and eliminate the consequences of an attack.
There is never a second chance to make a first impression
A quite separate story in Solar JSOC is sales support, and pilot projects especially. A pilot project must be the quintessence of the quality of the services we provide:
- A pilot’s time is always tight and limited, so the pace of work on connecting the services, both on the customer’s side and ours, must be maximal.
- The pilot must show our capabilities and processes as fully as possible, so that the customer can assess the applicability of our services as objectively as possible and without embellishment (otherwise there may be a lot of trouble on both sides at the service delivery stage).
- In a short time and within the limited scope of a pilot, we have to “dig up” a certain number of incidents and infrastructure vulnerabilities that will allow the business to explain the actual benefit of the service.
Such projects require of a pre-sales analyst an extremely unusual set of qualities: on the one hand, a systematic approach, in order to manage resources and deadlines properly, and at the same time a certain recklessness and thirst for achievement, to deliver again and again ahead of expectations. On the one hand, demonstrating the benefits of the service requires a fairly deep process-level immersion in the service and experience in sales support. On the other hand, digging up incidents requires both exceptional information security expertise in working with logs and a plain instinct for potential weak spots in the customer’s security system.
Chance led us to a possible method of growing and selecting such personnel. We had been deeply convinced that without a technical understanding of how the SOC works, and experience with logs and SIEM, pre-sales skills were rather meaningless in our case. But one day one of the candidates turned the whole picture upside down.
He was superbly trained as a pre-sales specialist; as one of the interviewers said, “I didn’t need it at all, but I almost bought it.” He was truly on fire about his work and overflowing with the desire to grow and develop. But, unfortunately, his technical knowledge was infinitely far from the subject of SIEM and the other SOC subsystems.
Nevertheless, by the will of the HR department, the candidate came to work for us and began to join the team. And quite unexpectedly it turned out that the desire to grow and develop, combined with the right environment, where SOC processes and tasks are absorbed in the smoking room, at lunch and simply in the work room, gives a good result. Literally within a month and a half he had taken his first pilot project into his own hands, not just as a manager and timekeeper, but with almost autonomous technical execution of the tasks. Now he successfully delivers pilots of any level of complexity, already in the role of a player-coach.
As a result, we found a two-pronged approach to the very non-standard task of growing such personnel as pre-sales analysts for Solar JSOC services:
- “pollinating” the pre-sales team with technical knowledge and the spirit of life in cybersecurity operations,
- looking among the techies for people who would like to be reshaped from technical specialists into a role closer to the commercial one.
Both approaches are useful and promising not only for us, as a growing monitoring center team, but also for employees, who get yet another career development option.
Of course, these are not all the options for moving employees within Solar JSOC. There have been cases when an engineer from the administration group, tired of continuous communication with customers and wanting to focus on operating something “of his own”, moved to the architects of our sprawling JSOC infrastructure. In first-line engineers a passion for low-level analysis and working with assembler sometimes awoke (the first signs of a budding forensics specialist). Experienced fighters of the first and second lines, tired of engineering work, gradually shifted to service manager tasks and communication with the customer, or became local team leads.
As was already said in the first article of the series, the main thing in a person is not nimble fingers or a “burning” gaze in search of momentary happiness, but an orientation towards one’s own development, the ability to seek and find new horizons for oneself. Then it is our task not to miss the moment when this person’s internal, fundamental need to figure out and get to the bottom of some not-quite-core activity prevails over the need to solve the tasks of current operations.
At that moment it is important to give the person the opportunity to take the next step, to offer options that will let him do what his soul really wants. And in which direction is not so important: bright heads are few, and there are always enough tasks in a large company.