
Telekom SOC Analyst Training Roadmap

  • Writer: Pavan Raja
  • Apr 9
  • 4 min read

Summary:

This document outlines a comprehensive 24-month training program designed to prepare new analysts for entry-level roles in Deutsche Telekom's Security Operations Center (SOC) focusing on Arcsight logging administration. The program is divided into four phases, each building upon the skills and knowledge of the previous phase, culminating in advanced certifications such as SANS 504 - GIAC Certified Incident Handler (GCIH). Participants are introduced to foundational cybersecurity concepts using Arcsight exercises, expand their skills through threat reporting, business skills, presentation skills, and computer forensics, prepare for industry-standard exams like the SANS 401 - GIAC Security Fundamentals and SANS 503 - GIAC Certified Incident Analyst (GCIA), and ultimately prepare for upper-level positions with additional specialized training. Additionally, recommended further studies include ITIL Foundation and ethical hacking courses such as CEH or CREST. Prerequisite certifications for specific roles include Arcsight Content Engineer (SANS 401) and Arcsight ESM Engineer (Arcsight ESM Administration).

Details:

This document outlines a comprehensive training program designed for new analysts joining Deutsche Telekom's Security Operations Center (SOC). The program is tailored for professionals with no prior experience in cybersecurity or SOC, aiming to equip them with essential skills and knowledge to effectively contribute to the team. The training roadmap covers a period from months 0 to 3, with specific focus on the first week of the new analyst's tenure. During this initial phase, the analyst is introduced to the SOC structure, mission, vision, and general operation. They are also given an overview of key tools such as Arcsight, ESM console, and other relevant technologies for cyber threat monitoring. The program includes a mix of classroom training (e.g., fundamentals of Cyber Security, networking basics) and hands-on experience in the lab environment where analysts engage in practical exercises with the mentioned tools to develop their skills in areas like packet analysis, incident response, case management, and more. The curriculum also emphasizes defensive strategies, malware threats, and understanding common intrusion patterns through practical applications within the Arcsight Filter exercises. Throughout the program, participants are encouraged to refer to a Wiki for networking information and cheat sheets as well as glossaries of security terms specific to SOC operations. This comprehensive approach is intended to prepare new analysts for an entry-level role in cybersecurity monitoring and incident response within Deutsche Telekom's SOC environment.

This is a structured educational program designed to train individuals to become proficient in the field of cybersecurity, specifically focusing on becoming an Arcsight logger administrator and operations specialist. The curriculum is divided into several phases spread over two years (24 months), with each phase building upon the skills and knowledge gained from previous phases.

**Phase 1: Months 1-3** During this initial period, participants are introduced to foundational cybersecurity concepts through a series of exercises focused on Arcsight, including rule, query, report, trend, and integration command exercises. They also engage in volatile data collection methods and Boolean logic exercises, converting binary codes to hexadecimal representations. General technology training and SOC analyst training are included as part of this phase.

**Phase 2: Months 4-6 & Weeks 12-20** In the subsequent months, participants continue with Arcsight exercises while expanding their skills into threat reporting, business skills, presentation skills, report writing, troubleshooting human communications, and analysis skills through tabletop exercises and scenario simulations such as Worm and DDoS attacks. They also participate in a Capture the Flag exercise for practical application of skills and an Analyst Skills Assessment Exam to test understanding.

**Phase 3: Weeks 20-26 & Months 7-9** During this phase, participants delve deeper into Arcsight administration by learning about ESM (Extended Security Module) and take courses focused on computer forensics, preparing for the SANS 401 - GIAC Security Fundamentals exam. This is crucial as it lays a strong foundation for more advanced certifications in cybersecurity.

**Phase 4: Weeks 27-40 & Months 10-12** Continuing from Phase 3, participants prepare for the SANS 503 - GIAC Certified Incident Analyst (GCIA) exam alongside their ongoing studies and practical exercises related to cybersecurity operations. This phase is crucial as it prepares them for roles involving incident handling and analysis.

**Additional Training: Months 13-24** For those aspiring to Level 2 analyst positions, additional training is provided in advanced topics such as SANS 504 - GIAC Certified Incident Handler (GCIH) and use case workshops. Recommended further studies include ITIL Foundation and courses specific to ethical hacking like the CEH or CREST programs.

**Assessment: Month 24** The final assessment, which involves passing a comprehensive exam, determines whether an individual is ready to transition from Level 1 Analyst to Level 2 Analyst.

Throughout this program, participants are exposed to real-world scenarios and practical exercises that simulate the challenges faced by cybersecurity analysts in professional environments. The curriculum culminates with advanced certifications and specialized training tailored for upper-level positions in the field of cybersecurity.

The document SO27001 outlines recommended additional training for SOC members, focusing on specific certifications such as CISSP (Certified Information Systems Security Professional) and PMP (Project Management Professional Certification). For the role of Arcsight Content Engineer, a prerequisite includes courses like the Arcsight Certified Security Analyst (SANS 401 - GIAC Security Fundamentals), a Foundations boot camp, Arcsight ESM Administration, specific training courses related to use cases in Arcsight ESM, and workshops for Flex Connector and Smart Connectors. For the role of Arcsight ESM Engineer, prerequisites include Arcsight ESM Administration and Logger administration, along with additional specific training courses like Smart Connectors and Oracle or CORR database engineering. Additionally, recommended courses for Engineers include RedHat Certified Engineer and a Database Engineering course (either Oracle or CORR).

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
