
Really Struggling As A SOC Analyst


Hey guys, I've been a SOC analyst at a small MSSP for about three months now. Overall, the environment here seems fairly toxic with a lot of politics, shit talking, general lack of empathy for others, etc. I work overnights so I share an overlap with the morning shift (0500-1300) and mids (1500-2300). These two shifts have been at each other's throats over the most mundane shit. The morning shift person will come in and start trashing the mid shift's tickets for minor mistakes and complain to me about them.

She obviously does not like these two guys, but I have to hear this constant venting over what I consider to be the most minimal mistakes that could easily be corrected with a brief talk. It just feels immature to criticize people like that for their mistakes (like to the point where you're calling them stupid losers for it, grow the fuck up). One time the days person logged into Slack at like 1 AM just to look through all of the tickets (she's a tier one who's been here for 6 months longer than I have btw, not any kind of management role) and found mistakes in one of the mid guys' tickets and asked me to correct it for them, and then proceeded to bitch at the guy for the mistake he made. In this case the mistake was not great, he logged a ticket action instead of sending an email to the customer... but like the entire thing seemed like she was just taking out frustration on someone she disliked rather than some genuine good-faith attempt at correcting a mistake.

They also talk about politics (everyone here except me is a conservative it seems) and they'll just say some crazy ass bigoted shit to each other, like how my manager said Kanye ended up being right about Jews because of what's going on in Israel. During training he worked with me on overnights to provide support and every day he would be playing podcasts featuring Tucker Carlson. Regardless of how you feel about politics, I don't see why you have to force them onto somebody that hasn't talked about politics at all with you. Just put on some normal ass Chris Williamson shit or an infosec podcast and be done with it. Also, during training he talked about some kid at his daughters' school killing themselves because of bullying and followed it up with "Kids these days are fucking pussies." This really bothered me b/c of my mental health past. I can tell you for a fact people who kill themselves are experiencing an overwhelming amount of suffering and fight against their every survival instinct to carry out the act. They are not "fucking pussies".

The mid shift is fine. But they always tell me about the changes that the company is going to make like how they're going to start installing cameras in the SOC, how the manager is going to start making fake SIEM events that we're expected to find and investigate to prove that we're going into the SIEM at all (which is another can of worms. I have yet to find a single potential true-positive, all of the alerts are repeated false-positives that just haven't been tuned at all. How am I supposed to comb through the 1200 incidents that popped up over the past two hours when a quick cursory look at the investigation shows me that all traffic was dropped or it was just the customer's domain controller doing domain controller shit?)

My daily work consists of waiting for network devices to experience outages, acknowledge the alerts for them, contacting the customer... and that's the meat of it. I'll also go through the EDR and handle the alerts for a few customers we have per night, only for those same false-positives to show up for other customers. Like why is AdobeCC constantly showing up in our EDR dashboard? It comes back as inconclusive each time, and usually the behavior that it's tying it to is like, a file write attempt or something (I honestly have no idea how to even really analyze the events. It seems like I'm expected to do a quick analysis, handle the event and move on. We never really went super in-depth into our tools during our training, but certain tools like FortiEDR just seem like they lack any sort of depth.)

I do have bad habits, like I'll put off the EDR events till the end of the day and do other shift during the night shift. I didn't used to do that, but at this point I just feel this black-hole in my stomach that sucks out all meaning from my life when I look at the EDR dashboard. I'm so sick of flagging OneLaunch.exe as malicious and deleting it from a device, I'm so sick of the same four applications populating our dashboard. I feel like I'm not really learning anything here either, because I'm the only one on the night shift and don't get to interact with the T2s and management (although from what mid-shift tells me it's not like they learn much from them anyway, the T2 we have is stand-offish because he got upset that the newbies had to share his desk and like, moved some shit on it or something.) I also hate touching the SIEM because I feel like I don't know how to do any meaningful work in there and I'm kind of just expected to figure it out. I don't think that's a huuuge issue in and of itself, but the SIEM configuration just seems so shitty. I wish I could show somebody, I will also admit that this is also a skill issue though.

This whole thing feels like a dog-and-pony show with a collection of fake ass people that never matured past high-school. I kind of hate it here. I don't know what to do though, SOC positions in my area are dry and there aren't very many of them. This was the first and only infosec job I could find since I had to quit my last one. I feel like I can't really find a new job right now. What should I do? Stick it out for ~a year and jump ship to a better opportunity?

Sorry for this massive dump. I just don't know man, like this shit is exhausting. This company seems to keep giving me active reasons to dislike them, or maybe I'm just overreacting.

submitted by /u/R3ICR
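As an added illustration (not from the post, and not the MSSP's own tooling), the script below quantifies the kind of repeated, untuned false positives the poster describes (dropped firewall traffic, domain controller noise, inconclusive AdobeCC file writes, OneLaunch.exe) so that the tuning case can actually be shown to someone. The alert records, rule names and host names are constructed assumptions.

```python
from collections import Counter

def _many(n, src, rule, host, outcome):
    """Build n identical constructed alert records (assumed field shape)."""
    return [{"src": src, "rule": rule, "host": host, "outcome": outcome} for _ in range(n)]

# Constructed two-hour sample queue; not real SIEM/EDR data.
ALERTS = (
    _many(40, "siem", "Inbound connection blocked", "fw-edge-01", "traffic dropped")
    + _many(25, "siem", "Kerberos TGS request burst", "dc-01", "expected DC activity")
    + _many(12, "edr", "Suspicious file write", "ws-design-03", "inconclusive (AdobeCC)")
    + _many(8, "edr", "PUP detected", "ws-sales-11", "OneLaunch.exe removed")
    + _many(1, "edr", "Encoded PowerShell launched by Office", "ws-finance-07", "open")
    + _many(1, "siem", "Logon from new country", "vpn-gw-01", "open")
    + _many(1, "siem", "New local admin account", "srv-file-02", "open")
)

def _key(alert):
    """Grouping key: same tool, same rule, same recorded outcome."""
    return (alert["src"], alert["rule"], alert["outcome"])

def tuning_candidates(alerts, min_share=0.10):
    """Alert groups that each make up at least min_share of queue volume.
    Returns [(key, count, share)] sorted by count, largest first: these are
    the rules to tune, suppress or auto-close rather than hand-triage."""
    counts = Counter(_key(a) for a in alerts)
    total = len(alerts)
    hits = [(k, n, n / total) for k, n in counts.items() if n / total >= min_share]
    return sorted(hits, key=lambda t: -t[1])

def residual_queue(alerts, min_share=0.10):
    """What is left for a human once the noisy groups are tuned out."""
    noisy = {k for k, _, _ in tuning_candidates(alerts, min_share)}
    return [a for a in alerts if _key(a) not in noisy]

def tuning_report(alerts, min_share=0.10):
    """Plain-text summary suitable for attaching to a tuning request."""
    lines = [f"{len(alerts)} alerts in window; groups >= {min_share:.0%} of volume:"]
    for (src, rule, outcome), n, share in tuning_candidates(alerts, min_share):
        lines.append(f"  {n:4d} ({share:5.1%})  {src}: {rule} -> {outcome}")
    lines.append(f"  residual for analyst review: {len(residual_queue(alerts, min_share))}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(tuning_report(ALERTS))
```

Lowering `min_share` widens the suppression set; with the sample queue, 5% also catches the OneLaunch.exe group and leaves only the three "open" alerts for review.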