September 28, 2023 By Mark Stone 3 min read

As careers in cybersecurity become increasingly specialized, Security Information and Event Management (SIEM) engineers are playing a more prominent role. These professionals are like forensic specialists, but they are also on the front lines protecting sensitive information from the relentless onslaught of cyber threats. SIEM engineers meticulously monitor, analyze and manage security events and incidents within an organization. They leverage SIEM tools to aggregate and correlate data, enabling them to detect anomalies, identify potential threats and respond swiftly to security incidents.

In their arsenal of tools, SIEM engineers also employ Security Orchestration, Automation, and Response (SOAR) and Extended Detection and Response (XDR) products. SOAR is a suite of solutions that allows organizations to collect data about security threats from multiple sources and respond to low-level security events without human assistance. It streamlines and automates the response process, enabling SIEM engineers to focus on more complex tasks. XDR solutions unify control and visibility across multiple security layers (endpoints, network and servers), extending detection and response capabilities beyond the traditional perimeter and providing a holistic view of the threat landscape. By integrating SOAR and XDR into their workflows, SIEM engineers can enhance their threat detection capabilities, automate repetitive tasks and respond to incidents more efficiently and effectively.
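To make the aggregate-and-correlate loop above concrete, here is an added Python example (not code from the original article or from any SIEM vendor) that runs a simple correlation rule over constructed SSH authentication lines and then hands the result to a SOAR-style playbook step that auto-handles the low-severity case and escalates the high-severity one. The log format, the failure threshold and the five-minute window are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs) as a SIEM might receive them from sshd.
SAMPLE_EVENTS = [
    "2023-09-28T10:00:01 sshd[100]: Failed password for root from 203.0.113.7 port 5001",
    "2023-09-28T10:00:03 sshd[100]: Failed password for root from 203.0.113.7 port 5002",
    "2023-09-28T10:00:05 sshd[100]: Failed password for admin from 203.0.113.7 port 5003",
    "2023-09-28T10:00:06 sshd[100]: Failed password for root from 203.0.113.7 port 5004",
    "2023-09-28T10:00:08 sshd[100]: Accepted password for root from 203.0.113.7 port 5005",
    "2023-09-28T10:00:09 sshd[100]: Failed password for alice from 198.51.100.2 port 6001",
    "2023-09-28T10:09:00 sshd[100]: Failed password for alice from 198.51.100.2 port 6002",
]

# Assumed line layout: "<ISO timestamp> <process> (Failed|Accepted) password for <user> from <ip> port <n>"
LINE_RE = re.compile(r"^(\S+) \S+ (Failed|Accepted) password for (\S+) from (\S+) port \d+$")

def parse_event(line):
    """Normalize one raw line into a dict; unparseable lines are dropped (returns None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome, "user": user, "src": src}

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Correlation rule: a source with >= threshold failures inside the window is an alert.
    If a successful login from that source follows the failure run, severity is raised."""
    by_src = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        for i, first in enumerate(failures):
            run = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(run) >= threshold:
                last = run[-1]["ts"]
                success = any(e["outcome"] == "Accepted" and e["ts"] > last for e in evs)
                alerts.append({"src": src, "failures": len(run), "success_after": success,
                               "severity": "high" if success else "low"})
                break  # one alert per source is enough for this rule
    return alerts

def soar_action(alert):
    """SOAR-style playbook: low severity is handled automatically, high severity goes to an analyst."""
    if alert["severity"] == "low":
        return "auto: add %s to temporary blocklist" % alert["src"]
    return "escalate: open incident for %s (success after brute force)" % alert["src"]
```

Running `correlate(SAMPLE_EVENTS)` yields a single high-severity alert for 203.0.113.7 (four failures followed by a success), while 198.51.100.2 stays quiet because its two failures fall outside the window.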

This article aims to help aspiring SIEM engineers on their career journey, shedding light on the skills, qualifications and experiences that will equip them for this challenging yet rewarding profession.

In this exclusive Q&A, we spoke with Rod Soto, a senior principal security research engineer for a leading SIEM solution provider. He has years of experience as a SIEM engineer and is a regular presenter at many cybersecurity conferences, researcher for HackMiami and founder of Silicon Valley’s Pacific Hackers Meetup group.

What is SIEM?

Did you go to college?

Yes, I went to college. I have a bachelor’s degree in Psychology.

What did you go to school for? If not, what certifications did you obtain?

Psychology. I did obtain several IT Security certifications such as CISSP, Security+, Pentest+, GIAC, INE, etc.

What was your first role in IT?

System administrator.

If it wasn’t in security, what pushed you to pursue security?

I was always interested in information security and the hacking culture.

What is the most valuable skill you learned in your role?

Learn to think outside the box.

What soft skills do you think make a person successful a) in cybersecurity and b) specifically in SIEM engineering?

You have to have the ability to communicate and put yourself in someone else’s shoes, the ability to learn new things and technologies that will work with or integrate with SIEM.

Operating SIEM usually involves operators being able to pick up on abnormal signals, which then need to be triaged and discussed with teams of peers and superiors. The ability to spot and communicate the reasoning behind chosen alerts or incidents is fundamental to maintaining efficient operations. Also, many times when in SIEM, operators will have to communicate with either internal clients (other departments or users) or external clients.

Any parting thoughts or final piece of advice to someone looking into becoming a SIEM engineer?

Learn the fundamentals of manipulating text and logs. Operation and knowledge of *nix operating systems are very important. Networking skills and knowledge of TCP/IP are also necessary, and this will also include packet analysis skills (Wireshark, tcpdump). Some security certifications, such as Security+ or CCNA Cyber, can help a lot in understanding security fundamentals, data labels and security operations center fundamentals.

Become familiar with SIEM technology vendors as well, download free versions of them and practice; many of them have free training and certifications — take them.
