WEBVTT

1
00:00:00.080 --> 00:00:01.960
<v Speaker 1>Welcome back to the deep dive. We're here to cut

2
00:00:01.960 --> 00:00:04.839
<v Speaker 1>through the noise from your source stack and get you

3
00:00:04.919 --> 00:00:07.799
<v Speaker 1>right to the good stuff exactly. Today we're tackling something

4
00:00:07.839 --> 00:00:13.960
<v Speaker 1>really important, mapping out an accelerated path into a security

5
00:00:14.000 --> 00:00:19.519
<v Speaker 1>operations center analyst role. It's that key first step in cybersecurity.

6
00:00:18.760 --> 00:00:21.679
<v Speaker 2>It really is, and it's high stakes, definitely high reward.

7
00:00:22.079 --> 00:00:25.079
<v Speaker 2>The timing for looking at this is well, it's critical.

8
00:00:25.280 --> 00:00:28.879
<v Speaker 2>Our sources are saying the industry needs something like sixty

9
00:00:28.920 --> 00:00:31.280
<v Speaker 2>two percent growth just to meet current demands.

10
00:00:31.320 --> 00:00:34.920
<v Speaker 1>Sixty two percent, that's huge. But what's interesting and what

11
00:00:34.920 --> 00:00:37.920
<v Speaker 1>we saw on the hiring sources is this kind of paradox.

12
00:00:38.079 --> 00:00:40.679
<v Speaker 1>The problem isn't strictly a lack of applicants.

13
00:00:40.799 --> 00:00:41.719
<v Speaker 2>Yeah, not exactly.

14
00:00:41.799 --> 00:00:44.359
<v Speaker 1>It's finding the right kind of applicants, people who've got

15
00:00:44.359 --> 00:00:47.679
<v Speaker 1>that tech foundation, sure, but also the critical thinking you

16
00:00:47.719 --> 00:00:49.479
<v Speaker 1>need for, well, triage.

17
00:00:49.719 --> 00:00:52.920
<v Speaker 2>Precisely. The SOC analyst job. Yeah, it's often the entry

18
00:00:52.920 --> 00:00:57.079
<v Speaker 2>point with the lowest barrier technically speaking, but you're expected

19
00:00:57.119 --> 00:00:59.399
<v Speaker 2>to perform from day one, right, and the sources they

20
00:00:59.439 --> 00:01:02.359
<v Speaker 2>really nail what that first year feels like. It's overwhelming,

21
00:01:02.399 --> 00:01:05.959
<v Speaker 2>like drinking from a fire hose is the classic phrase.

22
00:01:05.920 --> 00:01:07.120
<v Speaker 1>Huh, yeah, I've heard that one.

23
00:01:07.200 --> 00:01:09.599
<v Speaker 2>Our goal here is pretty simple, really, we want to

24
00:01:09.599 --> 00:01:13.040
<v Speaker 2>help shorten that, you know, that really uncomfortable period, get

25
00:01:13.040 --> 00:01:16.239
<v Speaker 2>you the knowledge to go from feeling swamped to being

26
00:01:16.280 --> 00:01:17.319
<v Speaker 2>productive faster.

27
00:01:17.640 --> 00:01:20.239
<v Speaker 1>Okay, let's talk about the scale here, the opportunity. You're

28
00:01:20.280 --> 00:01:25.280
<v Speaker 1>looking at the US Bureau of Labor Statistics, they projected

29
00:01:25.319 --> 00:01:30.000
<v Speaker 1>cybersecurity analyst roles to grow thirty two percent over ten years.

30
00:01:30.079 --> 00:01:33.079
<v Speaker 2>Thirty two percent. Compare that to what five percent for

31
00:01:33.159 --> 00:01:36.519
<v Speaker 2>all other jobs combined in the US. It's massive growth.

32
00:01:36.599 --> 00:01:37.959
<v Speaker 1>It really puts it in perspective.

33
00:01:38.000 --> 00:01:41.760
<v Speaker 2>And remember when cybersecurity folks were designated essential workers. That

34
00:01:42.000 --> 00:01:45.560
<v Speaker 2>just underlined how serious the shortage is. We're talking like

35
00:01:45.719 --> 00:01:48.799
<v Speaker 2>almost half a million open cyber jobs in the US

36
00:01:48.879 --> 00:01:51.040
<v Speaker 2>alone when these sources were written, half a million.

37
00:01:51.159 --> 00:01:53.200
<v Speaker 1>Wow. And this leads to what our sources called

38
00:01:53.200 --> 00:01:57.640
<v Speaker 1>the revolving door opportunity, which sounds maybe negative, but it's

39
00:01:57.640 --> 00:01:59.760
<v Speaker 1>actually an advantage for someone trying to get in.

40
00:02:00.120 --> 00:02:03.159
<v Speaker 2>Definitely a challenge for hiring managers, yeah, but good for applicants.

41
00:02:03.400 --> 00:02:05.719
<v Speaker 2>The average time an analyst stays with one company, it's

42
00:02:05.760 --> 00:02:07.640
<v Speaker 2>only like one to three years.

43
00:02:07.439 --> 00:02:10.159
<v Speaker 1>Usually before they move up or move on. Exactly.

44
00:02:10.240 --> 00:02:12.680
<v Speaker 2>So positions are just constantly opening up. It means there's

45
00:02:12.680 --> 00:02:14.159
<v Speaker 2>this built in career ladder.

46
00:02:14.360 --> 00:02:17.199
<v Speaker 1>So if you're hitting the job boards, what titles should

47
00:02:17.280 --> 00:02:19.919
<v Speaker 1>you focus on? The sources mentioned three specific ones.

48
00:02:20.000 --> 00:02:22.360
<v Speaker 2>Yeah, the top three entry level ones they recommend are

49
00:02:22.800 --> 00:02:26.319
<v Speaker 2>security analyst, Information security analyst, and the one we're really

50
00:02:26.319 --> 00:02:31.000
<v Speaker 2>digging into today, Security Operations Center analyst, or SOC analyst.

51
00:02:31.199 --> 00:02:34.639
<v Speaker 1>Okay, and you mentioned earlier the SOC analyst role might

52
00:02:34.759 --> 00:02:37.080
<v Speaker 1>start out paying a bit less than the others, but

53
00:02:37.120 --> 00:02:38.360
<v Speaker 1>it has the best trajectory.

54
00:02:38.400 --> 00:02:41.159
<v Speaker 2>Why is that? Exposure. Simple as that. In the SOC

55
00:02:41.639 --> 00:02:44.840
<v Speaker 2>you are right there, hands on with the biggest security tools.

56
00:02:44.879 --> 00:02:49.120
<v Speaker 2>You see every alert the company generates, you're alerting constantly, constantly,

57
00:02:49.159 --> 00:02:52.960
<v Speaker 2>you get practical real time experience and triage, detection response,

58
00:02:53.199 --> 00:02:56.319
<v Speaker 2>all of it. That experience being in the trenches, that's

59
00:02:56.360 --> 00:03:00.280
<v Speaker 2>the most valuable, most transferable skill set. Starting out there

60
00:03:00.599 --> 00:03:04.120
<v Speaker 2>sets you up perfectly for bigger roles, specialization, more money

61
00:03:04.199 --> 00:03:06.840
<v Speaker 2>down the line. It really is the crucial first step.

62
00:03:06.919 --> 00:03:09.759
<v Speaker 1>All right, let's unpack the skills you absolutely need. This

63
00:03:09.840 --> 00:03:11.960
<v Speaker 1>is how you show you're that right kind of candidate.

64
00:03:12.000 --> 00:03:14.400
<v Speaker 1>We talked about the prerequisites exactly.

65
00:03:14.479 --> 00:03:18.039
<v Speaker 2>You need a technical baseline. Think around the level of

66
00:03:18.120 --> 00:03:20.759
<v Speaker 2>knowledge you'd get studying for certs like Network Plus and

67
00:03:20.800 --> 00:03:24.479
<v Speaker 2>Security Plus. Yep, that kind of foundational understanding.

68
00:03:23.919 --> 00:03:27.759
<v Speaker 1>And networking is ground zero, right? The absolute plumbing of

69
00:03:27.759 --> 00:03:29.520
<v Speaker 1>how everything connects online.

70
00:03:29.199 --> 00:03:31.159
<v Speaker 2>Couldn't have said it better. You need to understand the

71
00:03:31.240 --> 00:03:34.919
<v Speaker 2>layered models, like the difference between the conceptual OSI model,

72
00:03:34.919 --> 00:03:36.360
<v Speaker 2>the seven layer one, and the...

73
00:03:36.240 --> 00:03:40.159
<v Speaker 1>...more practical TCP/IP model, the four layer one that actually runs...

74
00:03:39.960 --> 00:03:43.400
<v Speaker 2>...the Internet. Precisely. And addressing is key. We all know

75
00:03:43.439 --> 00:03:45.919
<v Speaker 2>we're running out of IPv4 addresses, the thirty-two

76
00:03:45.960 --> 00:03:48.000
<v Speaker 2>bit ones, and IPv6...

77
00:03:47.919 --> 00:03:49.599
<v Speaker 1>...is coming, slowly but surely.

78
00:03:49.800 --> 00:03:52.719
<v Speaker 2>But as a SOC analyst, you're going to spend a

79
00:03:52.759 --> 00:03:56.360
<v Speaker 2>lot of your time focused on public IPs versus private IPs,

80
00:03:56.719 --> 00:04:00.319
<v Speaker 2>specifically that RFC 1918 private address.

81
00:04:00.520 --> 00:04:03.520
<v Speaker 1>Okay, here's the "so what" moment, then. Why does an

82
00:04:03.520 --> 00:04:06.680
<v Speaker 1>analyst need to have those three private IP ranges memorized?

83
00:04:06.800 --> 00:04:08.719
<v Speaker 1>You know, the 10 dot, the 192 dot

84
00:04:08.719 --> 00:04:12.039
<v Speaker 1>168, the 172 dot 16.

85
00:04:11.719 --> 00:04:14.479
<v Speaker 2>Because that's where internal traffic should live. If you suddenly

86
00:04:14.479 --> 00:04:17.560
<v Speaker 2>see an alert, say showing a private IP address trying

87
00:04:17.600 --> 00:04:20.240
<v Speaker 2>to talk directly to the outside Internet, that's a huge

88
00:04:20.240 --> 00:04:23.839
<v Speaker 2>red flag. Ah, because it's non-routable. It shouldn't be trying

89
00:04:23.839 --> 00:04:27.560
<v Speaker 2>to leave. Exactly. It means something inside your network might

90
00:04:27.600 --> 00:04:30.680
<v Speaker 2>be compromised and trying to phone home or move laterally

91
00:04:30.720 --> 00:04:33.920
<v Speaker 2>in unexpected ways. Knowing that big companies often use the

92
00:04:34.000 --> 00:04:37.399
<v Speaker 2>10.0.0.0/8 range just gives

93
00:04:37.439 --> 00:04:39.199
<v Speaker 2>you a sense of scale for what you're watching.

94
00:04:39.360 --> 00:04:43.279
<v Speaker 1>Got it. That makes it instantly practical. Okay, beyond IPs,

95
00:04:43.439 --> 00:04:44.480
<v Speaker 1>TCP versus...

96
00:04:44.360 --> 00:04:47.879
<v Speaker 2>...UDP. Right, TCP is your reliable connection. It uses that

97
00:04:47.920 --> 00:04:51.160
<v Speaker 2>three way handshake. Think file transfers, things where you need

98
00:04:51.279 --> 00:04:53.480
<v Speaker 2>every single bit to arrive correctly.

99
00:04:53.600 --> 00:04:53.879
<v Speaker 1>Okay.

100
00:04:54.279 --> 00:04:58.120
<v Speaker 2>Then there's UDP, sometimes called the unreliable dang protocol. It's

101
00:04:58.160 --> 00:05:02.160
<v Speaker 2>fast, connectionless, good for streaming, where losing a packet isn't the

102
00:05:02.279 --> 00:05:02.879
<v Speaker 2>end of the world.

103
00:05:03.079 --> 00:05:05.120
<v Speaker 1>But from a security angle, well, think about it.

104
00:05:05.199 --> 00:05:08.639
<v Speaker 2>Attackers often prefer reliable TCP for things like command and

105
00:05:08.680 --> 00:05:12.199
<v Speaker 2>control channels because they need that guaranteed communication back and

106
00:05:12.240 --> 00:05:17.160
<v Speaker 2>forth. Makes sense. But UDP, because it's fast and connectionless,

107
00:05:17.480 --> 00:05:20.279
<v Speaker 2>they might use it for things like data exfiltration, fast

108
00:05:20.360 --> 00:05:24.399
<v Speaker 2>DNS tunneling, maybe speed and stealth over perfect reliability.

109
00:05:24.600 --> 00:05:26.600
<v Speaker 1>That adds a whole new layer. And of course the ports.

110
00:05:26.759 --> 00:05:29.160
<v Speaker 1>You've got to know your common ports and protocols cold.

111
00:05:29.040 --> 00:05:33.000
<v Speaker 2>Oh, absolutely. Twenty and twenty-one for FTP, twenty-two

112
00:05:33.079 --> 00:05:37.959
<v Speaker 2>for SSH, port eighty for HTTP, four forty-three for SSL/TLS.

113
00:05:38.240 --> 00:05:42.240
<v Speaker 2>You need to spot those instantly in logs, no hesitation. And...

114
00:05:42.279 --> 00:05:44.839
<v Speaker 1>...kind of overarching all this networking stuff is that core

115
00:05:44.879 --> 00:05:46.759
<v Speaker 1>security principle, the CIA...

116
00:05:46.519 --> 00:05:53.399
<v Speaker 2>...triad. Confidentiality, integrity, availability. Yep, every attack, every control maps

117
00:05:53.399 --> 00:05:55.720
<v Speaker 2>back to one of those three. Launch a denial of

118
00:05:55.759 --> 00:05:56.600
<v Speaker 2>service attack...

119
00:05:56.360 --> 00:05:59.399
<v Speaker 1>...you're hitting availability. Exactly. So if CIA is what

120
00:05:59.439 --> 00:06:02.360
<v Speaker 1>we're protecting, where are attackers focusing? The sources were pretty

121
00:06:02.360 --> 00:06:02.800
<v Speaker 1>clear on this.

122
00:06:03.040 --> 00:06:06.759
<v Speaker 2>The endpoint, overwhelmingly. That Verizon report cited something like

123
00:06:06.959 --> 00:06:10.160
<v Speaker 2>ninety percent of malware infections start with email. Phishing is

124
00:06:10.199 --> 00:06:11.399
<v Speaker 2>still king. Ninety percent.

125
00:06:11.560 --> 00:06:12.279
<v Speaker 1>That's staggering.

126
00:06:12.360 --> 00:06:14.120
<v Speaker 2>And when you're looking at those endpoints, you have to

127
00:06:14.120 --> 00:06:16.720
<v Speaker 2>know the risks of the OS. Windows. Yeah, it's everywhere,

128
00:06:16.720 --> 00:06:19.759
<v Speaker 2>but lots of places still have old unsupported versions running

129
00:06:19.759 --> 00:06:21.639
<v Speaker 2>Windows seven, even older.

130
00:06:21.399 --> 00:06:24.000
<v Speaker 1>Sometimes. And if users have local admin rights on those...

131
00:06:23.879 --> 00:06:25.519
<v Speaker 2>...big trouble. Huge risk escalation.

132
00:06:25.639 --> 00:06:28.839
<v Speaker 1>What about Macs, Linux, Unix systems?

133
00:06:28.720 --> 00:06:32.920
<v Speaker 2>Generally maybe less susceptible to mass malware, but often they

134
00:06:32.920 --> 00:06:37.040
<v Speaker 2>get hit because of misconfigurations, big security holes left open

135
00:06:37.079 --> 00:06:41.120
<v Speaker 2>by mistake. Plus they run powerful scripting tools like Python.

136
00:06:41.519 --> 00:06:43.920
<v Speaker 2>If an attacker gets in, they can use those native

137
00:06:43.959 --> 00:06:46.439
<v Speaker 2>tools to move fast and do a lot of damage.

138
00:06:46.519 --> 00:06:50.439
<v Speaker 1>Okay, fundamentals down. Let's step into the actual SOC. Paint

139
00:06:50.480 --> 00:06:53.079
<v Speaker 1>the picture for us. The sources mentioned the classic setup.

140
00:06:53.120 --> 00:06:56.240
<v Speaker 2>Yeah, the dark room, wall to wall screens, maybe a

141
00:06:56.279 --> 00:06:59.759
<v Speaker 2>big global threat map up somewhere. That's the stereotypical image.

142
00:06:59.759 --> 00:07:01.279
<v Speaker 2>And sometimes it's true. That's your...

143
00:07:01.120 --> 00:07:03.560
<v Speaker 1>...new office. And right at the center of it all,

144
00:07:03.680 --> 00:07:05.800
<v Speaker 1>the tool you'll be glued to is the...

145
00:07:05.800 --> 00:07:10.480
<v Speaker 2>...SIEM. The SIEM, Security Incident and Event Management system. Absolutely,

146
00:07:10.959 --> 00:07:13.839
<v Speaker 2>it's the heartbeat of the SOC. Analysts call it the

147
00:07:13.879 --> 00:07:14.879
<v Speaker 2>single pane of glass.

148
00:07:15.079 --> 00:07:21.079
<v Speaker 1>Let's clarify what it actually does. Pulling in logs from everywhere, right? Firewalls, servers, laptops, everything.

149
00:07:21.439 --> 00:07:25.759
<v Speaker 2>But critically, it then normalizes those logs. You mentioned this earlier,

150
00:07:25.759 --> 00:07:28.560
<v Speaker 2>and it's crucial. Think about time zones. Oh...

151
00:07:28.600 --> 00:07:32.199
<v Speaker 1>...right, logs from London, Tokyo, New York all time...

152
00:07:32.000 --> 00:07:35.399
<v Speaker 2>...stamp differently. Exactly, and maybe in different formats too. The

153
00:07:35.439 --> 00:07:39.800
<v Speaker 2>SIEM cleans that up: standard format, adjusted timestamps, so you

154
00:07:39.839 --> 00:07:42.879
<v Speaker 2>can actually trace an attack step by step across the globe.

155
00:07:42.959 --> 00:07:45.680
<v Speaker 2>If that normalization breaks, you're basically trying to solve a

156
00:07:45.680 --> 00:07:47.800
<v Speaker 2>puzzle with all the pieces having the wrong time written

157
00:07:47.839 --> 00:07:48.879
<v Speaker 2>on them. It's chaos.

158
00:07:49.240 --> 00:07:51.439
<v Speaker 1>Yeah, I could see how that would be impossible. And

159
00:07:51.519 --> 00:07:53.879
<v Speaker 1>the good SIEMs now are using UEBA.

160
00:07:54.000 --> 00:07:58.199
<v Speaker 2>User entity and behavior analytics. It's for watching for weird user activity,

161
00:07:58.279 --> 00:08:01.319
<v Speaker 2>stuff that deviates from their normal baseline. And you know,

162
00:08:01.560 --> 00:08:05.120
<v Speaker 2>being able to casually mention vendors like Splunk or QRadar

163
00:08:05.160 --> 00:08:07.920
<v Speaker 2>or Elastic in an interview, it shows you know

164
00:08:08.040 --> 00:08:08.759
<v Speaker 2>the landscape.

165
00:08:08.839 --> 00:08:11.600
<v Speaker 1>Okay, good tip. Now alongside the SIEM...

166
00:08:11.480 --> 00:08:16.600
<v Speaker 2>...there's SOAR, so Security Orchestration, Automation and Response. Yeah, big topic.

167
00:08:16.920 --> 00:08:19.519
<v Speaker 2>The key takeaway from the sources is it's not there

168
00:08:19.560 --> 00:08:20.639
<v Speaker 2>to replace analysts.

169
00:08:20.720 --> 00:08:22.680
<v Speaker 1>It's a force multiplier exactly.

170
00:08:22.839 --> 00:08:25.600
<v Speaker 2>It's there to make the analyst more effective, faster, and

171
00:08:25.800 --> 00:08:26.720
<v Speaker 2>frankly happier.

172
00:08:26.879 --> 00:08:29.879
<v Speaker 1>How does it do that, practically speaking, for a junior...

173
00:08:29.600 --> 00:08:34.279
<v Speaker 2>...analyst? Think about the boring, repetitive stuff: copying an IP address,

174
00:08:34.480 --> 00:08:37.440
<v Speaker 2>pasting it into five different threat intel websites. I kind

175
00:08:37.440 --> 00:08:40.039
<v Speaker 2>of think the grunt work that leads to burnout.

176
00:08:40.159 --> 00:08:42.759
<v Speaker 2>SOAR automates that. So maybe a phishing email comes in,

177
00:08:43.120 --> 00:08:47.320
<v Speaker 2>SIEM flags the attachment. SOAR can automatically sandbox the attachment,

178
00:08:47.480 --> 00:08:50.600
<v Speaker 2>check the sender's IP against block lists, maybe even block

179
00:08:50.639 --> 00:08:53.360
<v Speaker 2>the IP on the firewall if it's definitely bad. All

180
00:08:53.360 --> 00:08:54.039
<v Speaker 2>in seconds.

181
00:08:54.159 --> 00:08:58.320
<v Speaker 1>Well, okay, so it streamlines things, keeps responses consistent and

182
00:08:58.440 --> 00:09:00.840
<v Speaker 1>cuts down the time it takes to spot things, MTTD,

183
00:09:01.200 --> 00:09:03.120
<v Speaker 1>and respond, MTTR.

184
00:09:02.639 --> 00:09:05.279
<v Speaker 2>Precisely. Major goals for any SOC.

185
00:09:05.399 --> 00:09:08.960
<v Speaker 1>One last thing on the SOC environment: the terminology. Getting

186
00:09:09.000 --> 00:09:10.600
<v Speaker 1>these terms mixed up seems like a big deal.

187
00:09:10.759 --> 00:09:14.080
<v Speaker 2>Huge deal, especially during an actual incident. There's a funnel,

188
00:09:14.120 --> 00:09:16.240
<v Speaker 2>basically based on volume and severity.

189
00:09:16.279 --> 00:09:18.960
<v Speaker 1>Okay, start us at the bottom, most common. Security logs.

190
00:09:19.279 --> 00:09:22.240
<v Speaker 2>That's just the raw data: firewall logs, network flows, Windows

191
00:09:22.240 --> 00:09:24.440
<v Speaker 2>event logs, tons of it.

192
00:09:24.600 --> 00:09:24.799
<v Speaker 1>Yeah.

193
00:09:24.879 --> 00:09:27.240
<v Speaker 2>Up a level you get a security event. This is

194
00:09:27.320 --> 00:09:30.399
<v Speaker 2>usually a notification from a tool like the SIEM. A

195
00:09:30.519 --> 00:09:33.840
<v Speaker 2>rule fired based on analyzing those logs. Still pretty common.

196
00:09:33.960 --> 00:09:37.639
<v Speaker 2>Next, incident. This is less common. An incident gets declared

197
00:09:37.679 --> 00:09:40.799
<v Speaker 2>when you suspect sensitive data might have been lost or exposed.

198
00:09:41.240 --> 00:09:43.799
<v Speaker 2>This kicks off the formal incident response process.

199
00:09:44.360 --> 00:09:46.759
<v Speaker 1>And the top level, the rarest one.

200
00:09:46.559 --> 00:09:50.120
<v Speaker 2>The security breach. This is critical. A breach means it's

201
00:09:50.240 --> 00:09:54.000
<v Speaker 2>verified that sensitive personal data was lost or stolen. This

202
00:09:54.120 --> 00:09:57.240
<v Speaker 2>usually requires legal involvement, public notification.

203
00:09:57.840 --> 00:10:00.679
<v Speaker 1>It's serious. And the crucial advice...

204
00:10:00.240 --> 00:10:02.960
<v Speaker 2>...here: as a new analyst, do not use the word

205
00:10:03.000 --> 00:10:06.960
<v Speaker 2>breach, ever, unless your CISO or the legal team specifically

206
00:10:07.000 --> 00:10:09.600
<v Speaker 2>tells you to. That word has massive weight. Stick to

207
00:10:09.679 --> 00:10:12.320
<v Speaker 2>event or incident until told otherwise.

208
00:10:12.480 --> 00:10:15.879
<v Speaker 1>Okay. Final hurdle: getting the job. The interview. It tests

209
00:10:15.919 --> 00:10:17.440
<v Speaker 1>the technical stuff we covered.

210
00:10:17.159 --> 00:10:21.279
<v Speaker 2>Definitely. Network Plus and Security Plus level knowledge, the OSI model,

211
00:10:21.360 --> 00:10:25.120
<v Speaker 2>TCP/UDP, ports, CIA triad, all that. But just...

212
00:10:25.080 --> 00:10:28.360
<v Speaker 1>...as important, maybe more so, are critical thinking and cultural fit.

213
00:10:28.480 --> 00:10:31.320
<v Speaker 2>Absolutely, and they often test this with scenario questions, ones

214
00:10:31.360 --> 00:10:34.759
<v Speaker 2>designed to gauge your soft skills, your judgment. Like the example...

215
00:10:34.440 --> 00:10:37.960
<v Speaker 1>...in the sources. The VP of HR emails you, they

216
00:10:38.000 --> 00:10:41.039
<v Speaker 1>need a policy exception right now to access their personal

217
00:10:41.039 --> 00:10:44.440
<v Speaker 1>cloud drive. They say, it's urgent business. What do you do?

218
00:10:44.679 --> 00:10:46.480
<v Speaker 2>Yeah, that's a classic. What are they testing?

219
00:10:46.720 --> 00:10:50.360
<v Speaker 1>Well, first, do you get easily intimidated by a VP? Second,

220
00:10:50.720 --> 00:10:54.000
<v Speaker 1>do you understand risk? You can't just say...

221
00:10:53.840 --> 00:10:57.080
<v Speaker 2>...yes. Right. You can't just make that call yourself. You

222
00:10:57.120 --> 00:11:01.840
<v Speaker 2>need to explain politely but firmly, that policy applies to everyone,

223
00:11:01.919 --> 00:11:05.320
<v Speaker 2>even VPs, and you need to escalate it. Tell them

224
00:11:05.360 --> 00:11:08.200
<v Speaker 2>you'll need to get management or risk assessment involved to

225
00:11:08.279 --> 00:11:09.240
<v Speaker 2>approve an exception.

226
00:11:09.559 --> 00:11:12.200
<v Speaker 1>It shows you understand process and aren't just going to

227
00:11:12.240 --> 00:11:13.440
<v Speaker 1>break rules under pressure.

228
00:11:13.519 --> 00:11:15.559
<v Speaker 2>And the other thing they're looking for in those scenarios

229
00:11:15.559 --> 00:11:19.240
<v Speaker 2>and technical questions too, is honesty. The sources were unanimous

230
00:11:19.279 --> 00:11:21.960
<v Speaker 2>on this. The absolute last thing a SOC manager wants

231
00:11:22.080 --> 00:11:22.919
<v Speaker 2>is a know...

232
00:11:23.000 --> 00:11:25.320
<v Speaker 1>...it-all. So, one who guesses confidently but is totally

233
00:11:25.360 --> 00:11:26.200
<v Speaker 1>wrong. Exactly.

234
00:11:26.200 --> 00:11:28.720
<v Speaker 2>If you don't know an answer, just say so. Say

235
00:11:28.759 --> 00:11:30.960
<v Speaker 2>I'm not sure about that specific detail, but here's how

236
00:11:30.960 --> 00:11:32.919
<v Speaker 2>I'd find out, or I'd need to look that up.

237
00:11:32.919 --> 00:11:35.639
<v Speaker 2>But my understanding is X. Show you're willing to learn,

238
00:11:35.919 --> 00:11:36.519
<v Speaker 2>not bluff.

239
00:11:36.879 --> 00:11:40.200
<v Speaker 1>That makes sense. We also pulled some great real world

240
00:11:40.240 --> 00:11:44.279
<v Speaker 1>advice from the analysts featured in the Sources. One analyst

241
00:11:44.440 --> 00:11:48.720
<v Speaker 1>Kaaliel Davis really hammered home that experience is king. Certs

242
00:11:48.799 --> 00:11:52.000
<v Speaker 1>and degrees help, sure, but hands on work often counts

243
00:11:52.000 --> 00:11:53.519
<v Speaker 1>for more, especially early on.

244
00:11:54.159 --> 00:11:57.159
<v Speaker 2>Yeah, and Matthew Arius, a Tier three analyst, shared something

245
00:11:57.200 --> 00:11:59.720
<v Speaker 2>I thought was really insightful. He wished he'd let his

246
00:11:59.759 --> 00:12:02.759
<v Speaker 2>ego go out the door sooner, listened more to everyone,

247
00:12:02.879 --> 00:12:06.759
<v Speaker 2>regardless of their title. He also mentioned imposter syndrome, which,

248
00:12:06.919 --> 00:12:09.879
<v Speaker 2>let's be honest, almost everyone feels starting out in this field.

249
00:12:10.039 --> 00:12:13.559
<v Speaker 1>That's comforting to hear, actually. And for actually finding the job,

250
00:12:13.679 --> 00:12:15.279
<v Speaker 1>networking came up again and again.

251
00:12:15.559 --> 00:12:19.519
<v Speaker 2>Relentlessly. Go to local meetups, DEF CON, BSides if you can.

252
00:12:19.960 --> 00:12:23.519
<v Speaker 2>The security community is smaller than you think, and connections matter.

253
00:12:23.679 --> 00:12:25.879
<v Speaker 1>Finally, there was a great point from a SOC director

254
00:12:25.879 --> 00:12:28.320
<v Speaker 1>about mindset: assume goodwill.

255
00:12:28.519 --> 00:12:31.039
<v Speaker 2>Oh I like that one too. Not every weird alert

256
00:12:31.120 --> 00:12:33.960
<v Speaker 2>is some malicious insider trying to steal secrets. A lot

257
00:12:33.960 --> 00:12:36.759
<v Speaker 2>of the time it's just someone clicked a bad link

258
00:12:36.799 --> 00:12:37.320
<v Speaker 2>by mistake.

259
00:12:37.480 --> 00:12:40.600
<v Speaker 1>Keeping that perspective helps avoid burnout, right? Yeah, lets you

260
00:12:40.639 --> 00:12:43.240
<v Speaker 1>focus on the real threats. So wrapping this all up,

261
00:12:43.360 --> 00:12:47.320
<v Speaker 1>this deep dive really shows that success here isn't just

262
00:12:47.399 --> 00:12:50.639
<v Speaker 1>about the tech, the networking, the SIEM know-how. It's

263
00:12:50.679 --> 00:12:55.080
<v Speaker 1>blending that with, well, being humble, honest and thinking critically.

264
00:12:55.480 --> 00:12:59.240
<v Speaker 2>Totally agree. The demand is undeniable. The SOC role is

265
00:12:59.279 --> 00:13:02.279
<v Speaker 2>that perfect launch pad, and hopefully the stuff we've

266
00:13:02.279 --> 00:13:06.200
<v Speaker 2>covered today gives you the operational context, the confidence to

267
00:13:06.279 --> 00:13:09.960
<v Speaker 2>make that fire hose phase feel a bit less intense

268
00:13:10.120 --> 00:13:11.240
<v Speaker 2>and maybe even shorter.

269
00:13:11.440 --> 00:13:14.120
<v Speaker 1>Yeah. Absolutely, And as you move forward in this field,

270
00:13:14.120 --> 00:13:17.919
<v Speaker 1>which is challenging, but as the sources say, incredibly rewarding,

271
00:13:18.279 --> 00:13:20.399
<v Speaker 1>maybe keep this final thought in mind. It kind of

272
00:13:20.440 --> 00:13:21.840
<v Speaker 1>sums up the attitude you need.

273
00:13:21.960 --> 00:13:24.559
<v Speaker 2>It's a great quote. "Around here, however, we don't look

274
00:13:24.559 --> 00:13:27.440
<v Speaker 2>backwards for very long. We keep moving forward, opening up

275
00:13:27.440 --> 00:13:30.440
<v Speaker 2>new doors and doing new things because we're curious and

276
00:13:30.519 --> 00:13:32.960
<v Speaker 2>curiosity keeps leading us down new paths."

277
00:13:33.279 --> 00:13:36.200
<v Speaker 1>Couldn't say it better myself. That's our deep dive for today.

278
00:13:36.360 --> 00:13:38.559
<v Speaker 1>Thanks as always for sharing your sources and letting us

279
00:13:38.600 --> 00:13:41.519
<v Speaker 1>walk through the essentials of becoming a SOC analyst. We'll

280
00:13:41.559 --> 00:13:42.480
<v Speaker 1>catch you on the next one.
