TRAINING

INTRODUCTION: JOBS AND SECURITY INFORMATION AND EVENT MANAGEMENT TOOLS (SIEM)

Host: Dr. Gerald Auger
and
Stefan Waldvogel, SIEM (Content) Engineer at
COURSE OVERVIEW

- Different jobs and activities related to SIEMs.
- Get the idea, so you can create a home lab.
- Cybersecurity has more to offer than becoming a "SOC Analyst".
- It is about the big picture for beginners.
WHAT IS A SIEM?

[Diagram] Event sources -> Events -> SIEM software: Processing, Sort, Organize, Searchable, Enrich

Way too much data to understand the bigger picture.
We humans can better work with organized logs.
WHAT SIEM SHOULD I LEARN/FOCUS ON

[Chart: SIEM vendors and jobs, open positions per vendor: ElasticSearch, Splunk, ArcSight, QRadar, SumoLogic, Sentinel, LogRhythm, ExaBeam, Graylog]

Elastic was/is open-source:
- Huge community
- Many SIEMs are based on Elastic --> transferable knowledge
- A lot of knowledge is fast transferable

Cloud services are exponentially growing (cloud: fast growing):
-> Azure Sentinel is new (2019).
-> Few have 3+ years of work experience.
-> SC-200: course is free, cert: free to $165.

Splunk is the most requested skill:
-> Splunk Core training is free, cert: ~$100
-> Everything higher is expensive.
-> Probably highest salaries, but very expensive certs needed.

Flexible job descriptions: the market is changing fast, vendors are coming and going.
-> Knowledge is transferable.
1/3 of jobs in cybersecurity require SIEM knowledge -> job descriptions list many vendors.
SIEM/(SOAR) JOB ROLES

Operative roles (most know SOC Analyst and other operative roles; low entry-level salary, entry-level job market out of balance):
- SOC Analyst
- SOC Manager
- Threat Hunter
- Security Operations
- Incident Responder
- SIEM Engineer

Product managers / onboarding new customers (need to understand all sides; in this area are a lot of open jobs):
- Field Solution Engineer
- Training Specialist
- Cyber Security Systems Designer
- Product Manager

Developer roles (generic knowledge can lead into a high demand specialization; transfer into tech possible):
- (Information) Security Content Developer
- (Java/React/Full Stack) Programmer / Developer
- Cloud Engineers
- Software Tester
- Support Engineer for log management

Other roles (sales and support roles can easily transfer into different roles):
- Product Marketing
- Sales
- Advisor, Consultant
- Specialized HR
- Recruiters
- Customer Support
UNDERSTAND THESE ROLES

  Developer roles            Other roles              Operative roles
  (product orientated)       (customer focused)       (product in use)
  1 flexible work hours      1 talk active            1 24/7, 365 days
  2 remote                   2 wide range             2 shift work
  3 programming              3 good starting point    3 stressful
  4 best work life balance   4 security

Many high end people on the operative side move to the dev side.
SIEM CONTENT ENGINEER/DEVELOPER

Why this job?
- Wide range of knowledge (never boring)
- A ton of different security tools (firewall, EDR, AV, ...)
- Most jobs are remote
- Place to grow, entry-level to highest-end
- Salary

Job titles: can be Information Security Engineer, SIEM Engineer or other titles.

Salary (just a picture to show the wide range, you might start more on the left side):
- @ziprecruiter: [salary range chart]
- @Joe Hudson: developer 2+ years 80K to 110K; Senior / Splunk 120K to 140K
Idea: apply for an unknown job -> less competition.

What you do:
- Develop security content (rules, alerts, dashboards)
- Understand logs (read a lot of vendor documentation)
- Install/use a cyber range to get the logs (developer access allows you to see a ton of products)
- Document your work for clients
- Improve a product
- Go to security conferences
LEARNING PATH (SUGGESTION)

Create your own learning path (entry-level):
- Look at job descriptions, try to catch the most wanted things.
- The sequence does not matter.
- Few prebuilt labs exist besides vendor courses.

Knowledge of common security frameworks: MITRE -> Atomic Red Team
Security tools: EDRs, Firewalls, ... Focus on logging.
Play with security and log processing tools: Graylog, Splunk, QRadar, Elastic, Sumo Logic, Sentinel
-> send data into it and develop dashboards, rules, alerts
-> take vendor courses
Familiarity with Windows & Linux: focus on the logging side (what to log, how to log)
Good documentation skills
Knowledge of programming logic: Regex, Grok, GitHub
Motivation to learn: Passion! Document your home lab via a website!!

Companies with such jobs:
- SIEM vendors: Splunk, LogRhythm, IBM, McAfee, LogPoint, Elastic, SolarWinds, Exabeam, Rapid7, AT&T, Fortinet, Microsoft, Amazon, Graylog...
- Large companies: indeed, Marriott, IBM, Optiv, JPMorgan, ...
Engineer jobs are usually not the first IT job.
HOW TO GET THE KNOWLEDGE

Where:
- Few specialized labs available.
- Vendors (courses, videos)
- YouTube
- Use THM, HTB, INE and other red/blue labs.

Prebuilt labs and home lab:
- Install open source SIEMs like Graylog or ELK and play with them.

Security Onion:
- It is a special OS and includes a SIEM.
-> It is very large, has high hardware requirements and is complicated to set up, but if you can do that you are on the right way.

The "creative" way:
- Do affordable training labs and get the logs. Digest these logs in your home lab SIEM and understand what you see.
- Often you need to change system settings to get the wanted logs (what2log). --> Cool way to learn.

This path is not an easy "pay and take a course" path. It's an engineer path.
- It is up to you to find valuable stuff. Install a SIEM, google a lot, attack, log, detect and learn.
CREATE A MATCHING HOME LAB

[Diagram]
- The client side (creates logs): Windows, Linux, Mobile Devices; Network, Firewall, IoT, pfSense
- The server side: logs arrive via syslog, filebeat, winlogbeat -> SIEM Server -> Dashboards
- The operative side: your SOC client -> SOC Analyst (someone who needs the information)

Start simple:
- One machine is client, server and the SOC.
- You can use physical hardware, Docker container, Cloud or virtual machines.
-> Use what you have or learn a new skill.
-> If you feel good, improve your lab to make it as realistic as possible.
ENTRY-LEVEL WORK EXAMPLE (FOR ALL KINDS OF SIEMs)

Example log:
1619032507.590973113 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp

What is it? Research!!
epoch_time_stamp, key-word for this kind of log, source_ip, destination_ip, network_protocol
-> Dig into the vendor documentation.

Look at more logs. Research!! What is the general pattern? Research!!

Expression to parse out the data/fields or message identification: GROK, regex
^(?:[0-9]\s)?[0-9]{10}\.[0-9]{3,9}\s(?:ip_flow_start|ip_flow_end|\S+\s(?:flows|events))\s

Quality control: number of processing steps: 34 (very good)
-> You need to know how expensive your expression is. What happens if you digest 20K logs at the same time?

Customer (SOC Analyst) focused:
Develop rules, mapping, dashboards/alerts and other things.
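Added example, not code from the course or its author: a small Python parser that applies the slide's message-identification expression (extended with named groups) to the example line and maps the fields to the names listed above. The key=value layout of the rest of the line, the field mapping and the two extra sample lines are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Message-identification prefix from the slide, extended with named groups (an assumed
# extension, not the course's own pattern). The leading "^" keeps the step count low:
# a foreign line fails at its first character instead of being scanned to the end.
PREFIX = re.compile(
    r"^(?:[0-9]\s)?(?P<epoch>[0-9]{10}\.[0-9]{3,9})\s"
    r"(?P<kind>ip_flow_start|ip_flow_end|\S+\s(?:flows|events))\s"
)
# key=value pairs after the prefix (assumed layout for the rest of the line)
KV = re.compile(r"(?P<key>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>\S+)")
# Vendor keys mapped to the field names the slide uses
FIELD_MAP = {"src": "source_ip", "dst": "destination_ip", "protocol": "network_protocol"}


def parse_flow_log(line: str) -> Optional[dict]:
    """Return normalized fields for one flow log line, or None for another log type."""
    m = PREFIX.match(line)
    if m is None:
        return None  # not this log type; route it to another parser
    seconds = int(m.group("epoch").split(".", 1)[0])  # drop the sub-second part
    fields = {
        "epoch_time_stamp": m.group("epoch"),
        "time_utc": datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "log_type": m.group("kind"),
    }
    for kv in KV.finditer(line, m.end()):  # only scan the remainder of the line
        fields[FIELD_MAP.get(kv.group("key"), kv.group("key"))] = kv.group("value")
    return fields


def parse_batch(lines):
    """Parse many lines; count non-matching ones so unmapped log types stay visible."""
    parsed, unmatched = [], 0
    for line in lines:
        fields = parse_flow_log(line)
        if fields is None:
            unmatched += 1
        else:
            parsed.append(fields)
    return parsed, unmatched


# Constructed sample input: the slide's own line plus two made-up lines
SAMPLE_LINES = [
    "1619032507.590973113 ip_flow_end src=1.1.1.1 dst=2.2.2.2 protocol=icmp",
    "1619032510.123456 router1 flows src=10.0.0.5 dst=10.0.0.9 protocol=tcp",
    "Apr 21 19:15:07 host sshd[4242]: Connection closed by 10.0.0.5",  # syslog style
]
```

The unmatched counter is the simple quality-control signal: when it rises after a vendor update, the pattern needs another round of research.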
TECH SKILLS ARE GREAT BUT THERE ARE MORE WAYS TO GET A JOB

Documentation:
Document what you are doing in Notion, Cherrytree or any other software. You will need these skills later.

Create a website/GitHub:
-> Show your skills.
-> Get a link for your resume.
-> Build your portfolio.

Creating pictures: if you have a website, create cool pictures.

Open-source? Help to improve the software.

Write a blog for a company: many companies have blogs about their product. YOU can help a company.
Be an ambassador for a company. The interview question "Why us?" becomes obsolete.

Tech skills are fine... but use other skills to stand out and increase your visibility!
GET VISIBILITY AND (MAYBE) A JOB

Spray and pray vs. high quality approach: writing 400 applications vs. 5.

Target a specific company: create content for them.
- Create guides and how-to-do something
- Be part of open-source
- Community member
- Open jobs? Growth? Reputation? Hire people? Marketplace

Your skills, your creativity is the key to stand out! GitHub, YouTube, Website. Don't be a copy cat or a sheep.

Go to conferences & meetups: Speaker, Networking, Part of a village? DefCon, Organize something, vendor conferences.
What is with social media like Discord, LinkedIn or Twitter?
MATURITY LEVEL: YOU DO NOT HAVE TO BE AN EXPERT TO START

[Chart: maturity levels vs. price and required knowledge to use a product]
Log Management -> Data Analysis -> Alerting -> Real time analysis & response -> Future: Detecting unknown threats

- Each company has different needs and jobs.
- Each level adds complexity and increases the price.
- Each level needs a different training. You can start from scratch.
- The best and most advanced SIEM does not prevent or detect all breaches.
-> It gets better, but it is never perfect.
-> Same with you as a learner. Start from the beginning and move up.
SIEM ENGINEER/ARCHITECT (NEXT LEVEL)

Where:
- Wide range.
- Bigger companies
- Some SOCs

Job titles: can be Information Security Engineer, Cyber SIEM Engineer, Senior Solutions Architect, Senior SIEM Security Consultant or other titles.

Salary (@Joe Hudson, Principal Recruiting Lead at HuntSource):
- Engineers 2+ years: 130K to 160K
- Senior Engineers: 150K to 165K
- Architects: 160K to 190K

What you do:
- Take care of the provided SIEM
- Adjust/configure inputs
- Fine tune the SIEM
- Troubleshooting
- Installation, archiving, backup, user management
- Create matching dashboards, alerts

Needed knowledge:
- Regex, Grok
- Knowledge about used security tools and how they work
- Log formats
- Networking, security tools
- a lot more, list is endless

Why switch? Besides money: -> non-compete rules.
Good Content Engineers can easily move up due to the wide range of knowledge.
QUESTIONS?

Thank you for your time...
.....now it is your time to ask questions!