How to Close the Cybersecurity Skills Gap with a Student Powered SOC

Summary:

Timothy De Block speaks with Bruce Johnson of TekStream about a truly innovative solution to the cybersecurity skills shortage: the Student-Powered Security Operations Center (SOC). Bruce outlines how this three-way public-private partnership not only provides 24-hour threat detection and remediation serves as a robust workforce development program for university students. The conversation dives into the program's unique structure, its 100% placement rate for students, the challenges of AI "hallucinations", and how the program teaches crucial life skills like accountability and critical thinking.

The Student-Powered SOC Model

  • Workforce Development: The program tackles the cybersecurity skills shortage by providing students with practical, real-world experience and helps bridge the gap where new graduates struggle to find jobs due to minimum experience requirements.

  • Funding Structure: The program is built on a three-way private-public partnership involving the state, educational institutions, and Techstream. The funding for the SOC platform is often separate from the academic funding for student talent building.

  • "Investment Solution": The model is positioned as an investment rather than an outsourced expense. Institutions own the licenses for their SIM environments and retain built assets, fostering collaborative value building.

  • Reputational Value: The program provides significant reputational value to schools, boasting a 100% placement rate for students and differentiating them from institutions that only offer academic backgrounds.

  • Cost Savings: It serves as a cost-saving measure for CISOs, as students are paid an hourly rate to perform security analyst work.

Student Training and Impact

  • Onboarding and Assessment: The formal onboarding process, which includes training on tools, runbooks, and hands-on labs, has been shortened to six weeks. The biggest indicator of a student's success is their critical thinking test, which assesses logical reasoning rather than rote knowledge.

  • Progression and Mentorship: Students are incrementally matured by starting with low-complexity threats (like IP reputation) and gradually advancing to higher-difficulty topics, including TTPs (Tactics, Techniques, and Procedures), utilizing a complexity scoring system. Integrated career counseling meets regularly with students to review their metrics and guide their career planning.

  • Metrics and Productivity: The program has proven successful, with students handling 50% of incident volume within a quarter of onboarding, including medium to high complexity threats.

  • Beyond Cybersecurity: Students gain valuable, transferable life skills, such as collaboration, accountability, professionalism, and "adulting", which helps isolated students become more engaged.

AI and the "Expert in the Loop"

  • Techstream’s Overkill AI: Techstream uses its product, Overkill, for 24-hour threat detection and remediation, automating analysis, prioritization, and the creation of new detections to go "from zero to hero in 24 hours".

  • Expert Supervision: Their approach is "expert in the loop" , meaning humans (students and analysts) are involved in supervising the AI, with automation being adopted incrementally as trust is built.

  • The Hallucination Challenge: Timothy De Block raised concern about students lacking the experience to discern incorrect information or "hallucinations" from AI output. Bruce Johnson affirmed that the program trains students in three areas: using AI, supervising AI, and understanding AI broadly.

  • Training Necessity: Students must learn how to do the traditional level one work before they can effectively supervise an AI, as experience is needed to detect when the AI makes a bad assumption.

Support the Podcast:

Enjoyed this episode? Leave us a review and share it with your network! Subscribe for more insightful discussions on information security and privacy.

Contact Information:

Leave a comment below or reach out via the contact form on the site, email timothy.deblock[@]exploresec[.]com, or reach out on LinkedIn.

Check out our services page and reach out if you see any services that fit your needs.

Social Media Links:

[RSS Feed] [iTunes] [LinkedIn][YouTube]


What is threat intelligence? - Part 2

In this smart episode of the Exploring Information Security podcast, Rob Gresham formerly of McAfee joins me to explain threat intelligence.

Rob (@rwgresham) previously served as a practice lead in McAfee's security operations. I had the opportunity to meet Rob in person. He is deeply involved in the many things information security related in South Carolina. Including the National Guard and Palmetto Cyber Defense Competition. Threat intelligence is a topic he thoroughly enjoys discussing. Which is why this topic will be a two parter.

In this episode we discuss:

  • What is threat intelligence
  • How threat intelligence is useful
  • What are the benefits of threat intelligence
  • What needs to be done before threat intelligence

Resources:

What is threat intelligence? - Part 1

In this smart episode of the Exploring Information Security podcast, Rob Gresham formerly of McAfee joins me to explain threat intelligence.

Rob (@rwgresham) previously served as a practice lead in McAfee's security operations. I had the opportunity to meet Rob in person. He is deeply involved in the many things information security related in South Carolina. Including the National Guard and Palmetto Cyber Defense Competition. Threat intelligence is a topic he thoroughly enjoys discussing. Which is why this topic will be a two parter.

In this episode we discuss:

  • What is threat intelligence
  • How threat intelligence is useful
  • What are the benefits of threat intelligence
  • What needs to be done before threat intelligence

Resources:

What is it like to work in a security operations center (SOC)?

In this operational edition of the Exploring Information Security podcast, Jeff Lang from Virginia Tech joins me to discuss his day-to-day in a SOC.

Jeff is a good friend of mine and one that I leaned on heavily when I was working in a SOC. He's been a IT Security Analyst for a while now and loves what he does. We've spent countless hours discuss SOC life. We've talked about nuances and some of the things he sees on a regular basis monitoring a college campus. I decided it would make for an interesting podcast episode.

In this episode we discuss:

  • What is a security operations center (SOC)?
  • What are some of the roles in a SOC?
  • What are some of the day-to-day things seen?
  • What are the skills needed to work in a SOC?

More resources:

How to build a SOC - Part 3

In this SOC it to me edition of the Exploring Information Security Podcast, I talk with Paul Jorgensen of IBM to figure out how to build a SOC.

Fellow co-host of the PVC Security podcast, Paul (@prjorgensen) spends most of his day thinking about socks. Once he's decided on a pair, he goes out into the world to help organizations build a SOC or security operations center. He's got extensive knowledge of how to put one together and that showed in the recording. For the first time in EIS history, we have a three part series.

In part 3 we discuss:

  • What's after step one
  • Resources for building a SOC

How to build a SOC - Part 2

In this SOC it to me edition of the Exploring Information Security Podcast, I talk with Paul Jorgensen of IBM to figure out how to build a SOC.

Fellow co-host of the PVC Security podcast, Paul (@prjorgensen) spends most of his day thinking about socks. Once he's decided on a pair, he goes out into the world to help organizations build a SOC or security operations center. He's got extensive knowledge of how to put one together and that showed in the recording. For the first time in EIS history, we have a three part series.

In part 1 we discuss:

  • How to quantify the value of a SOC
  • The first step in building a SOC

How to build a SOC - Part 1

In this SOC it to me edition of the Exploring Information Security Podcast, I talk with Paul Jorgensen of IBM to figure out how to build a SOC.

Fellow co-host of the PVC Security podcast, Paul (@prjorgensen) spends most of his day thinking about socks. Once he's decided on a pair, he goes out into the world to help organizations build a SOC or security operations center. He's got extensive knowledge of how to put one together and that showed in the recording. For the first time in EIS history, we have a three part series.

In part 1 we discuss:

  • We define what a SOC is
  • We discuss it's structure
  • What skills are needed for a SOC

What is a SIEM?

In this most excellent edition of the Exploring Information Security podcast, I talk with Derek Thomas a senior information security analyst specializing in log management and SIEM on the topic of: "What is a SIEM?"

Derek (@dth0m) has a lot of experience with SIEM and can be found on Linkedin participating in discussions on the technology. I had the opportunity to hang out with Derek at DerbyCon in 2015 and I came away impressed with his knowledge of SIEM. He seemed to be very passionate about the subject and that showed in this interview.

In this episode, we discuss:

  • How to pronounce SIEM
  • What is a SIEM
  • How to use a SIEM
  • The biggest challenge using a SIEM
  • How to tune the SIEM
  • Use cases, use cases, use cases.

More Resources:

How to apply network security monitoring

In this most excellent edition of the Exploring Information Security, I talk with author Chris Sanders about how to apply network security monitoring to an organization.

Chris (@chrissanders88) is the co-author, along with Jason Smith, of Applied Network Security Monitoring: Collection, Detection, and Analysis. I recently finished the book and found it a valuable book for those operating within a SOC or those looking to start network security monitoring. Chris and Jason walk through the basics of network security monitoring including low-cost tools, snort, and how to investigate incidents. I highly recommend the book for those wanting to learn more about network security monitoring.

Before I get to what was discussed in the podcast, I want to make special mention of a cause Chris is very passionate about. The Rural Technology Fund, which strives to, "reduce the digital divide between rural and non-rural communities." The organization tries to get funding for kids in rural areas who might not have the resources available to explore technology fields. I love this idea and think it's a great idea, especially with all the talent shortage talk lately.

In this episode, we discuss:

  • What is network security monitoring (NSM)
  • What is needed for implementing NSM
  • Steps on how it should be applied.
  • How to tune after everything is up and running.

More Resources: