Being a Cyber Security Analyst means different things to different analysts; in this post we will discuss our experiences of being a security analyst.
Firstly, it is not an easy role to fulfil. The core responsibility of a Security Analyst is to perform incident analysis and notification. Incident analysis by itself is challenging given the nature of the task. Incidents are driven by the detection method being used: they could come from a use case identifying some suspicious behaviour, or from threat intelligence letting you know of a suspicious connection to a known bad C2 (command and control) server or blacklisted domain. The work ranges from analysing sophisticated phishing emails and unusual DNS requests to potential attack traffic hitting a web server. The list of what we have to analyse on a daily basis goes on.
This sounds challenging but varied, so a day in the life is always different depending on what is happening on the network you are monitoring. The real challenges come whether you work for a commercial SOC or an internal one. You need to know core information to perform your role effectively, such as contacts and the admins who make changes. Almost without realising it, an analyst will start to track detection behaviour, raw events, user behaviour and scheduled tasks for the network or networks they are monitoring. This is how analysts perform their analysis: by learning your network, users and behaviours from the raw logs that are being collected, from the feedback on incidents and from general knowledge of the attacks.
They also have to know how to defend against a live attack in flight, and where the best and most efficient place is to add a block or containment action/change to protect the network from an attack. Incident management is now part of the analyst role, as analysts are critical in the chain from detection and tracking, to notification and remediation guidance, to discussing the attack on incident management calls and continuing to monitor the attack while remediation takes place.
Post-incident activities are also key, with an incident report giving guidance and configuration best practices that could stop a similar attack in the future (where controls are in place but just not fully configured).
Analysts also perform threat hunting to identify attacks that are more sophisticated and designed to evade traditional detection methods. Hunting in the logs for indicators, anomalous behaviour and the like is now critical to the proactive side of being an analyst, as opposed to being a reactive analyst.
You may think that is enough responsibility, but incidents don't always come from tools or hunting; sometimes you are alerted to incidents by users, third parties, customers and so on, and each reported incident will need to be investigated and validated.
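The two detection routes described above, a threat-intelligence match against a known bad C2 server or blacklisted domain, and hunting the raw logs for anomalous behaviour such as unusual DNS requests, can be illustrated with a small triage script. This is an added example and not code from the original post; the log lines, the indicator list (documentation-range IPs and .example domains, not real IoCs), the "P1/P3" priority labels and the DNS label-length and entropy thresholds are all constructed for illustration.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed threat-intelligence feed: hypothetical indicators, not real IoCs.
# In a SOC this would be fed from the threat-intel platform.
BAD_DOMAINS = {"update-check.example", "cdn-sync.example"}
BAD_IPS = {"203.0.113.45", "198.51.100.7"}  # RFC 5737 documentation ranges

# Constructed log lines in a simple "timestamp src_ip type target" shape.
SAMPLE_LOGS = """\
2024-05-01T09:12:01Z 10.0.0.14 dns mail.corp.example
2024-05-01T09:12:05Z 10.0.0.14 dns update-check.example
2024-05-01T09:13:10Z 10.0.0.22 conn 198.51.100.7:443
2024-05-01T09:14:00Z 10.0.0.31 dns a8f3k29dk2jf83kd92jfk29dk3.corp.example
2024-05-01T09:15:44Z 10.0.0.22 conn 192.0.2.10:443
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (dns|conn) (\S+)$")


@dataclass
class Alert:
    timestamp: str
    src_ip: str
    reason: str
    target: str
    priority: str  # P1 = confirmed indicator hit, P3 = anomaly worth hunting


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, kind, target = m.groups()
    return {"ts": ts, "src": src, "kind": kind, "target": target}


def shannon_entropy(s):
    """Bits of entropy per character in the string (0.0 for a single repeated character)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_unusual_dns(name, max_label=24, min_entropy=2.5):
    """Flag a query whose first label is both long and high-entropy (assumed thresholds)."""
    first = name.split(".")[0]
    return len(first) > max_label and shannon_entropy(first) >= min_entropy


def check_event(ev):
    """Apply the indicator match first, then the anomaly check; return an Alert or None."""
    if ev["kind"] == "dns":
        if ev["target"] in BAD_DOMAINS:
            return Alert(ev["ts"], ev["src"], "TI match: blacklisted domain", ev["target"], "P1")
        if is_unusual_dns(ev["target"]):
            return Alert(ev["ts"], ev["src"], "Anomaly: long high-entropy DNS label", ev["target"], "P3")
    elif ev["kind"] == "conn":
        ip = ev["target"].rsplit(":", 1)[0]
        if ip in BAD_IPS:
            return Alert(ev["ts"], ev["src"], "TI match: known C2 IP", ev["target"], "P1")
    return None


def triage(log_text):
    """Run every parseable line through check_event and collect the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        alert = check_event(ev)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOGS):
        print(f"[{a.priority}] {a.timestamp} {a.src_ip} -> {a.target}: {a.reason}")
```

The indicator match is deliberately checked before the anomaly heuristic so that a confirmed hit on the intel feed is never downgraded to a hunting lead; the entropy threshold is the part an analyst would tune against their own network's normal DNS names to keep false positives down.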
Service level agreements mean that a SOC as a whole works to an agreed deliverable in terms of time, usually set against the priority of the incident. Personally, given the level of analysis needed on a per-incident basis, 30 minutes of analysis/triage time is adequate to reduce false positives, give confidence in the information that has been prepared, and give you reassurance that the analyst has understood the events and alerts and the risk to the business. Some MSSPs and analysts will have very tight SLAs, such as 15 minutes for triage/analysis. On paper it's very attractive, as your incidents are reviewed very quickly, and that's where the problems lie: having 15 minutes to look at the incident, understand it, complete additional searching and compile the initial notification adds additional pressure. This is where mistakes can be made, and incorrect priorities increase false positives and deliver a substandard service.
Why is that important? At the heart of being a security analyst is customer service. Whether you are an internal analyst or a commercial one, you will deal with internal customers, external customers or both, so a customer focus and a service delivery mindset are essential.
What other skills are required? Well, to name a few:
Knowledge of attacks and attack structures
Impact of an attack, and understanding the risk
Attention to detail
Working against strict deadlines
Those are some of the skills you will need to be a successful Security Analyst, but what is it actually like?
Every day is different. Attacks can change direction in seconds and you need to be able to adapt; the impact of missing a live attack could be the difference between the business stopping trading and a network rebuild. As analysts we are under pressure to check, double check and triple check connections, behaviours and anomalies in an effort to protect the network. We cover all technologies, read and understand raw logs and incidents, and design and develop detection content. We detect and investigate, provide containment and IR capabilities, and provide reports and guidance covering networking, applications, server hardening, logging and configuration.
Again, we are only naming a few of the above. A good security analyst will have a rewarding career and will always be learning; it's challenging, but it keeps you at the top of your game!