Training for a security operations team

Some say the only constant in life is change, and that's very true in the world of information security. In this post I talk about my approach to training for security operations teams.

Some say the only constant in life is change, and that's very true in the world of information security.

In the regular world it is happening all the time, and it takes some effort to stay aware of it where necessary. Business processes change. Technologies change. Budgets change. People change. Teams change. Change isn't always well communicated either, which can slow things down at any organisation.

It is no different in the wider world. Attack methodologies change because of technology, financial incentives or people. I'm not convinced it is possible to be aware of all of this whilst still being aware of all the business context changes, and staying effective at defending against attacks.

For us to be able to tackle this constant change I feel strongly that security operations teams need to have time to develop: technical skills, industry knowledge, mental agility, soft skills and more. By providing this, our colleagues can find new things, get fresh perspectives and potentially add new value to the organisation. Importantly, making this space for development can help reduce feelings of imposter syndrome.

As a leader, I try to find ways to help my team members grow and be equipped to keep going themselves. After all, at some point they'll leave my team, or I'll move somewhere new, and I want to have added value to their career like others have to mine in the past.

Self-driven learning

For those who are interested in the fields of security operations and wider information security, there's a lot of information out there. There are also a lot of ways to consume that information. I'm not going to give an exhaustive list of everything; at the end of the day we can't read, watch or listen to everything, so I can only advise people to go out there and find what works for them.

To get going, here are some suggestions:

  • Podcasts - I find I fit in listening when walking the dog, or when commuting to the office. Personal taste will determine choices, as presenters or content won't be interesting or engaging to everyone.

    These are my frequent listens:
    • Smashing Security
    • Darknet Diaries
    • Compromising Positions Podcast
    • Self-hosted (not infosec related but there is often crossover)
  • Blogs - As with podcasts, I find this comes down to finding the right content producers and refining it over time (you can get a lot of overlap if it's all security related). A good RSS reader will help make consuming this easier.
    • Bleeping Computer
    • MalwareBytes Labs
    • Sucuri blog
    • The Register - Security
  • YouTube channels - This isn't something I myself use but I know various people in my network follow a number of content creators.
  • User content sites - Reddit is the obvious example, but there are also forums out there.

Continuous learning

Generally I tend to encourage team members to do some learning outside of the working day, at least to keep abreast of the news, but also for their career in general. However, this isn't always going to work because of personal commitments, and going from certificate to certificate can be draining, especially when it is lots of reading and theory.

This is where short, sharp learning opportunities come in handy.

  • Tabletop exercises - Absolutely make sure you do these from time to time. They take effort to set up and think through, but they will help everyone understand things in business context.
  • Online labs - Regular hands-on labs that take anything from 15 minutes upwards, depending on your skill level and the lab itself.
  • Team building exercises - If it's solving a problem together, then the team can continue improving communication whilst still enjoying it. Some examples:
    • Escape rooms - you know about these, right?
    • Bridge command - One of my colleagues recently tried this and came back certain it would be perfect as a team building exercise.
    • Split room exercises - Use your imagination: a box or three of Lego, or even push-fit pipes, and you can create teachable lessons which aren't dry or dull.

Recently I was fortunate enough to get my team access to BTLO, and that has proven to be really good. Different team members do better at different scenarios, and it gives us the opportunity to discuss approaches.

Certifications

The topic of certificates can be quite opinion heavy, and you shouldn't rely on them alone to land your next job.

At this time I've generally recommended that those starting in security operations go for the following as a good set of stepping stones:

  • CompTIA "Security+" - will give you a broad-brush baseline
  • CompTIA "Cybersecurity Analyst" - starts the path of learning for operations
  • Blue Team Level 1 - gets you hands-on enough to start applying structure

There are of course other options which you can consider; these three won't be a perfect fit for everyone. That said, if someone has suitable background expertise then I might advise them differently. It really depends where you are in your career journey, and where you want to be.

If you want to find alternatives, Paul Jerimy has done an excellent job of creating a security certification roadmap where you can see them. Just remember this isn't Pokémon: find the one you feel will work for you. Some countries and industries have preferences, so do your research before buying any exams or courses.