Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness
June 6, 2019
The “Lessons learned from the Microsoft SOC” blog series is designed to share our
approach and experience with security operations center (SOC) operations, so you
can use what we learned to improve your SOC. The learnings in the series come
primarily from Microsoft’s corporate IT security operation team, one of several
specialized teams in the Microsoft Cyber Defense Operations Center (CDOC). We’ve
also included lessons our Detection and Response Team (DART) have learned
helping our customers respond to major incidents and insights from the other
internal SOC teams.
https://www.microsoft.com/security/blog/2019/06/06/lessons-learned-from-the-microsoft-soc-part-2b-career-paths-and-readiness/ 1/10
14/04/2020 Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness
When an analyst walks into our SOC for a shift, they never know what to expect.
They must be ready for anything as they face off with intelligent, adaptable, and
well-funded adversaries who are intent on evading our defenses. For each problem,
they must apply their unique knowledge and experience, the accumulated learnings
from our SOC, and the expertise of their SOC teammates.
Our investments into readiness programs, career paths, and recruitment strategies
are designed so our SOC analysts are prepared to succeed in their duties, increase
mastery of their discipline, and grow as individuals. This ensures that our SOC staff
brings their best to every shift, every time.
You may have to adapt some of these practices to the unique needs of your
security operations team to be successful. We’re fortunate to have dedicated
security operations teams, dedicated facilities, and experienced peers to learn from
already on staff, but understand not all security organizations have these resources
available.
Empowering humans means investing in them. Being a SOC analyst is a high-stress job,
and we know our success is built upon actively engaged people applying their
experience and problem-solving creativity. The longer our analysts do this work, the
better they get, so it's important to nurture a long-running, sustainable workforce.
This starts by clearly defining a career path. Our tier model not only organizes the
work of the SOC, but also guides our analysts in building their knowledge and skills
and shapes their careers with increasing levels of skills and different challenges.
Because we strive to empower and attract smart people with a continuous learning
mindset, we’re motivated to promote from within. An analyst’s career path typically
progresses from Tier 1 to Tier 2 to Tier 3 or to incident response, program
management, security product engineering, or leadership tracks. There are
exceptions, but this tends to be the norm.
Tier 1—Analysts acquire and refine core skills including attacker mindset
and techniques, using detection and investigation tools, working with
internal teams and processes, and calmly applying a thoughtful approach in
a high pressure situation. This is similar to martial arts where beginners
acquire basic competencies (marked by a progression of colored belts) until
they have achieved their black belt and move to the next stage of skills.
Similarly, transition from Tier 1 to Tier 2 is a key turning point in the career
of an analyst.
Tier 2—Analysts continue to hone their skills as they move from executing
well-defined playbooks for (mostly) predictable incidents at Tier 1 to
investigating advanced incidents with greater unpredictability. Tier 2
analysts investigate attack operations conducted by organized groups with
specialized skills and a specific targeted goal. Analysts investigating these
incidents continue growing skills while learning from Tier 2 peer analysts
and the incidents themselves. Over time, senior Tier 2 analysts often
shadow different Tier 3 teams as they try out potential career paths and/or
prepare for the next stage of their career.
Tier 3—At this level, the analyst career paths typically start to diverge more
into deeper specialties. Analysts can choose to pursue mastery of a
particular skill or increasing competency/mastery across multiple skills. Tier
3 is increasingly requiring more data analytic skillsets on the team. This is
Careful balancing
Defining a clear career path is important, but like all disciplines dealing with people,
we must carefully balance and manage some nuances along the way.
Balancing short and long term goals—As our analysts learn new skills and
progress through their career, they learn to balance goals, such as ensuring
alerts and cases are handled as top priority while simultaneously
developing creative solutions that can reduce toil and increase efficiency
over the long term.
Recruiting people and developing their skills is one of the most critical aspects of
the SOC’s success. The biggest challenges in this space are the scarcity of people
with the right skillsets, the speed at which skillsets must evolve, the potential for
analyst burnout, and the need to blend diverse skills and perspectives to address
both the human and technical aspects of attacks.
Much has been written about the scarcity of cybersecurity skills. We recommend
reading a relevant blog on this topic that offers different ways of addressing the
scarcity of talent in security. Additionally, you may want to watch a recent RSA
Conference Keynote from Ann Johnson (Corporate Vice President of Cybersecurity
Solutions Group at Microsoft), which addresses many related topics including the
mental health and burnout risks our industry faces.
The evolving skillset challenge is particularly acute for our SOC because classic
SOCs tend to be network centric, but our detection and investigation have evolved
to rely primarily on device, identity, and application specific tooling. While we still
have and use advanced network security tools, we've seen their utility diminish
significantly over the years to a supporting role in investigation and advanced
hunting. As of the writing of this blog, it's been over two years since the last
primary detection of an attack on our corporate environment came in from a
network tool. We expect this trend to continue and have oriented our analyst
readiness accordingly.
When it comes to recruiting and building skilled analysts, we’ve found that we
require a combination of diverse perspectives and some common traits. As with any
role, success requires having a diverse team with different backgrounds, mindsets,
and skillsets to bring more perspective to the problems at hand and surface better
solutions faster. We’ve also found certain personality traits tend to make analysts
more successful in a fast-paced high-pressure work environment of a SOC.
It's critical to note that the following observations are general trends and not
absolute rules. The primary factor of success in hiring an individual into a role is
that particular person and how well they fit that role. With
that said, we tend to look for people with a kind of "grace under pressure" as we
find it's easier to train technical and security skills to people with a growth mindset
and a calm demeanor under pressure than it is to do the reverse.
For example, we have found that people with military experience are often a good
fit because they have experience focusing on the mission despite the strong
distractions in ambiguous situations with active hostile adversaries.
We’ve also had success with recruiting and investing into people early in their
careers who are eager to learn and have few preconceptions. We’ve had good
results with integrating seasoned professionals, but there are simply not enough
available for the needs of the marketplace today.
Because of the high complexity required to be an effective SOC analyst, it’s difficult
to educate new analysts in the ways of the SOC through formal training alone.
We’ve tried different training approaches to build skills over the years and have
found the apprenticeship model to be most effective at rapidly and consistently
building skills. For new analysts we take an “I do, we do, you do” approach that
progresses from observation to hands on with supervision of a seasoned analyst to
independent investigation with support from peers and mentors.
This is similar to other industries with a need to transfer rich context and nuance
during real world practice, such as an internship or a residency during a medical
career.
1. Technical tools/capabilities.
These competencies map well to established doctrine on human conflict. Sun Tzu’s
advice to “know thyself” and “know thy enemy” map well to the second and third
domains. Our SOC processes also map well to thinking from Colonel John Boyd’s
OODA ‘loop’ on real-time human conflict: observe, orient, decide, act.
Beyond the competencies, we also need to train our analysts to be big picture
thinkers and maintain an end-to-end view of the attack. It’s not enough to focus on
a single threat, but to also “look left and right.” We need our analysts to think about
how else the attacker might be trying to gain access and what else they may be
after. For example, a password spray may be a potential entry to a multi-stage
attack. An attacker may be using a distributed denial-of-service (DDoS) attack to
provide a smokescreen to distract from their real objective.
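The password spray example above is a case where an analyst has to look beyond the single alert: a spray is only the entry to a multi-stage attack if one of the guesses succeeds. The following is an added illustration, not code from the original post or from Microsoft's SOC tooling. It runs simple spray-detection logic over a constructed set of sign-in events (the usernames, IP addresses and thresholds are made up for the example) and then pivots to ask the "look left and right" question: did any sprayed account later sign in successfully from the spraying source?

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# timestamp, user, source IP, outcome.
# 203.0.113.7  tries six different accounts once each, then lands one (spray).
# 198.51.100.9 hammers a single account (brute force, not a spray).
# 192.0.2.5    is a user mistyping a password once (benign noise).
SAMPLE_EVENTS = """
2019-06-06T08:00:01Z alice 203.0.113.7 FAIL
2019-06-06T08:00:04Z bob 203.0.113.7 FAIL
2019-06-06T08:00:09Z carol 203.0.113.7 FAIL
2019-06-06T08:00:12Z dave 203.0.113.7 FAIL
2019-06-06T08:00:15Z erin 203.0.113.7 FAIL
2019-06-06T08:00:21Z frank 203.0.113.7 FAIL
2019-06-06T08:05:00Z frank 203.0.113.7 SUCCESS
2019-06-06T08:01:00Z alice 198.51.100.9 FAIL
2019-06-06T08:01:02Z alice 198.51.100.9 FAIL
2019-06-06T08:01:04Z alice 198.51.100.9 FAIL
2019-06-06T08:01:06Z alice 198.51.100.9 FAIL
2019-06-06T08:01:08Z alice 198.51.100.9 FAIL
2019-06-06T08:01:10Z alice 198.51.100.9 FAIL
2019-06-06T08:02:30Z bob 192.0.2.5 FAIL
2019-06-06T08:02:40Z bob 192.0.2.5 SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated sign-in lines into sorted (time, user, ip, outcome) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    events.sort()
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_attempts_per_user=2):
    """Return {source_ip: [sprayed users]} for sources that fail against many
    distinct accounts with only a few attempts per account inside the window.
    The thresholds are illustrative assumptions; tune them to your own baseline."""
    fails_by_ip = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "FAIL":
            fails_by_ip[ip].append((ts, user))

    findings = {}
    for ip, fails in fails_by_ip.items():
        sprayed = set()
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            # Spray signature: wide (many accounts) but shallow (few tries each).
            # A brute force against one account stays below min_users.
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                sprayed.update(per_user)
        if sprayed:
            findings[ip] = sorted(sprayed)
    return findings


def successes_from_spray_sources(events, spray_findings):
    """'Look left and right': a successful sign-in from a spraying source is a
    likely entry point for a multi-stage attack and should be escalated."""
    return [(ts.isoformat(), user, ip)
            for ts, user, ip, outcome in events
            if outcome == "SUCCESS" and ip in spray_findings]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sprays = detect_password_spray(evs)
    print("spray sources:", sprays)
    print("possible entry points:", successes_from_spray_sources(evs, sprays))
```

The brute-force source and the single mistyped password are deliberately present so the detector shows what it does not flag; in practice the same pivot (any success from a flagged source, then what that session did next) is the first step an analyst takes before deciding whether the spray was noise or the opening move.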
This approach has been successful, allowing us to train new Tier 1 analysts in
approximately 10–12 weeks, and we're continuously looking for ways to improve
our readiness processes. In addition, our staffing approach has been critical in
mitigating burnout risk.
Learn more
For a visual depiction of our SOC philosophy, download our Minutes matter poster.
Also, read previous posts in the “Lessons learned from the Microsoft SOC” series,
including Part 1: Organization and Part 2a: Organizing people as well as see our full
CISO series to learn more.
For more discussion on some of these topics, see John and Kristina’s session
(starting at 1:05:48) at Microsoft’s recent Virtual Security Summit.
Stay tuned for the next segment in "Lessons learned from the Microsoft SOC"
where we discuss the technology that enables our people to accomplish their
mission.