What is life like within InfoSec

hayd · September 2016

Hi All

Currently my work involves route/switch with VPN technologies and managing rules base within Mcafee, ASA and watchgaurd firewalls. I am really interested in going down Infosec route.

What is day-to-day work life like? I know this may vary depending on the job and daily work load but would like to get a view and feel from someone already doing it.

636-555-3226 · September 2016

Depends on the job and the company. In companies with no/small infosec teams you'd wear many infosec hats, none of which you'd perform well since you'd be spread too thin. In companies with large infosec teams you'll be specialized to death and would get very tired after a few years of doing the same job over and over again.

Given your background, you'd probably line up with an InfoSec Analyst or InfoSec Administrator position. I'd place you behind our Network IPS where you'd be doing tuning & traffic analysis all day. Lots of pcaps. You can download and play with https://www.bro.org to get a feel.

Otherwise the sky's the limit with infosec. You can spend forever on every aspect of the business, ranging from securing help desk activities, level 2/3 deskside support, servers, WANs, LANs, network forensics, workstation forensics, securely coding apps, attacking apps, working with legal on contracts, working with PMO on integrating security into all projects (including pre-purchase security auditing & post-purchase security auditing), penetration testing, etc. InfoSec literally touches every aspect of not just IT, but also the business, so the world really is your oyster if you take the time (or have the time available) to get really good at it

MeanDrunkR2D2 · September 2016

Have you seen the TV Show Mr. Robot? It's absolutely nothing like that show.

Danielm7 · September 2016

MeanDrunkR2D2 wrote: »

Have you seen the TV Show Mr. Robot? It's absolutely nothing like that show.

Or, Hackers, the movie? Millions of threads on how to get into security were just stopped in their tracks!

On a more serious note, agree with 636-555-3226, it really depends on the industry, focus and company. Security is a HUGE field, in many companies what you do already is considered a network security job. You'll find people who do compliance policies, others who do forensics and IR, others might do pen testing, some might be more blue team / defensive work, etc. All of them are going to have very different day to day type work and even within the same focus their day to day is going to be different in different companies.

As I suggest in almost every one of these threads, what do you want to do in security? Figure that part out and it'll be a lot easier for people to answer the day to day or the best path to get there.

markulous · September 2016

What do you mean by the Infosec route exactly? Are you wanting to do more network security?

Kalabaster · September 2016

It's exactly like this

SpetsRepair · September 2016

Some days it's amazing, and some days it can be a boring day. For me, being in this field has been one of my favorite and best experiences so far.

SoCalGuy858 · September 2016

Jack-of-all-Trades security guy reporting in..

I'm part of a two-man security team for a 1000+ employee company that was brought into this role to assist in building our security processes from the ground up. With no previous (dedicated) security function at the company, my role is a lot of foundation laying. Policy writing, defining procedures, implementing systems, etc. This is in addition to the day-to-day operations of keeping these processes flowing. Everything from vulnerability management and remediation to antivirus, malware and HIDS monitoring, as well as security awareness, physical security, and other "not-quite-security-but-sorta-related" tasks like assisting our legal counsel with eDiscovery requests. Lately, I've also had a hand in working with our corporate marketing team to build our public-facing product security branding.

As others have pointed out, it'll be heavily dependent on the size of your company / team, the mission of your company (security for a local law firm will be vastly different than security for a global telecom giant), and the state of your organization's existing (or non-existent) security processes.

To build on the idea that all roles will be different (and playing into what 636-555-3226 said about Security Analysts), don't just assume a role's duties based off of the title. My title is "Information Security Analyst", however, nearly every other person I've come into contact with that shares the same title works in a SOC environment. I'm certainly the "oddball" among the similarly-titled, but it just goes to show that you shouldn't read a book by its cover (or a job by its title).

ramrunner800 · September 2016

As others have said, it's not like what you see in pop culture, though I do find it pretty exciting. I work in incident response at a big corporation, and I'll try to give you a little glimpse into what the day to day is like in my little corner of the universe.

I work a shift, as we are 24x7, so I come in at about noon, and have a shift handover with the folks who worked the morning. Then, if I have no cases, I wait for a case to come my way from the network monitoring team. I would spend this time working with tools, doing professional development.

Times without cases are pretty rare, usually I have several. When I'm working on a case, I am spending my time trying to verify what the monitoring team saw, find the cause of the behavior, figure out how it got there, what it did, and how to get the business back to normal. I get to do a pretty wide range of activities to do this. The bread and butter is host-based forensics, as in IR we use forensic techniques to find the badness. I also review alot of network logs, and PCAP's. If I find the badness, and it's malware, I will spend time analyzing/reversing the malware to determine what it may have done on the host and what our exposure is. I find the malware analysis to be the most fun and exciting part of the job. Finally, my team will come up with a plan to get rid of the badness and restore the business to a good operating state.

Like any job, there are some days that are slower than others, and some that can seem a bit repetitive. Still, I find it very exciting and rewarding, as I get to spend every day interacting with systems that have been popped, solving the puzzle of how it happened, and figuring out how to keep it from happening again. It also doesn't hurt that it's a field that is well paid, and that I'm constantly hit up on LinkedIn for new jobs. That adds a feeling of security in what I do, at least for now.

beads · September 2016

Currently in a two person security team, one architect and one journeyman administrator who is fantastic (as well). Environment is roughly 2,000 people. Two billion in annual revenue. Today, the security manager and director above were fired due to gross negligence along with two other director level folks. Unusual but GRC is what it is.

Average workday. Much of it revolves around auditing what happened the day before in the form of logs. Tons and tons of logs in the SIEM. Its boring and route but has to be done. Investigate anything flagged as being malicious or bad to include people. End users generally don't like us much because we often carry bad news or your about to be fired. See first paragraph.

Next section of the day is generally involves support tickets and troubleshooting whatever administration and internal audit cannot do on their own - which is to say most of their work. This team of two is the ultimate backstop for network architecture, internal audit and support desk. We operate as what could only be referred to as "special teams". If the other guys and gals cannot figure it out, it comes to us. The buck stops at our desk. We share a large cubical to "increase our efficiency". Since we are rarely home long enough to do much more than sleep, we often stink by Friday morning. Why? Because we can count on working at least til 7:00PM at least three days a week and usually VPN'd in once or twice on the weekends.

When I get time to bill for it. I am writing all the policy, procedure, standards and guidance for the InfoSec department complete with two year plan. These are based on the assumptive idea that the organization will really implement those grandiose ISO 9000 and 2700x plans. Other than that the procedures are so good. So complete they should be used everywhere. Built in risk assessment, accurate risk modeling and auto-review. The type of security that proves it pays for itself in the longer run. No arguing CAPEX here. We use my 7 reasons a business invests in security (TM) mantra (spreadsheet).

What's in it for us? Well, we are compensated very well for being a couple of large sweaty guys in a small cubical with no immediate supervision till told otherwise. Oh! Yeah. We have nifty tools to play with and lots of training bucks to go around. Though that might come to a close soon with all those bosses missing and an open CAPEX and OPEX looking to carved up.

Really, this client is as good as it is screwy but I am just a mercenary to the cause.

- b/eads

Edit: line break

Cyberscum · September 2016

Its boring as hell....compared to drag racing.

tmtex · September 2016

Kalabaster wrote: »

It's exactly like this

This was awesome

tmtex · September 2016

They basically sit there and look at screens

cyberguypr · September 2016

This is a typical day for me in Infosec land. A cathartic roller coaster.

UnixGuy · September 2016

Kalabaster wrote: »

It's exactly like this

+1
HAHAHA OMG this is epic!!!!!!!!

snowchick7669 · September 2016

Kalabaster wrote: »

It's exactly like this

And on the flip side of this

Kalabaster · September 2016

snowchick7669 wrote: »

And on the flip side of this

I will always love that video meme, I don't care how many times it's adapted. Also, Godwin's Law applies here.

shochan · September 2016

Kalabaster wrote: »

It's exactly like this

8^D
that was great!

TechGromit · September 2016

Generally lots of paperwork, updating anti-virus definitions on kiosk via sneakernet, meetings, If no threats are detected, generally by Wednesday it's pretty smooth sailing until Friday unless there's network issues. I had to go into the power block two weeks ago to replace a Cisco switch, fortunately my radiation exposure was minimal. (.1 millirads) If a threat is detected, I could spend half the day depositing a threat, analyzing malware, submitting it to corporate cuber security to get there opinion on it. If anything comes up true positive, than it becomes reportable to the NRC, that's a whole another nightmare of incident response paperwork.

dustervoice · September 2016

Very boring.... Asking everyone the same question everyday "whats the risk to the business?" and then i listen to this https://www.youtube.com/watch?v=9IG3zqvUqJY

Remedymp · September 2016

Eyes on glass, 24x7....

chrisone · September 2016

Danielm7 wrote: »

Or, Hackers, the movie?

wait.... you never hacked a gibson?

LeBroke · September 2016

If my side job is any indication, it's running a scan and then spending 2 weeks looking at network diagrams and writing reports about how client sysadmins shouldn't be allowed to secure a home network, let alone production infrastructure for a financial company.

Also, if you put enough effort into doing phishing properly, at least 10% of the targets will give you their login credentials.

But mostly writing reports. You've been warned.

Cyberscum · September 2016

LeBroke wrote: »

But mostly writing reports. You've been warned.

That's why I always crack up when I see the thousands of threads about people wanting to get into security...I'm like "you have no idea what you are getting yourself into"

shochan · September 2016

I am starting my new infosec job on Monday the 3rd...this will be my 1st dive into it...I have been in IT for over 17yrs but just now getting into this specific role...I am kinda excited, but from the looks of it, most are bored with it. I guess I am just sick of working in the field & dealing with customers all of the time. Ransomware has been a booger the last few years and no matter what you tell people (or try to educate them), they will never listen...they will continue to ignore advice and continue to infect their pc/networks. cheers!

UnixGuy · September 2016

LeBroke wrote: »

....
..
But mostly writing reports. You've been warned.

Guys not necessarily! Lots of InfoSec jobs don't have a massive amount of report writing. You do need documentation and reporting, but looks like some jobs require a lot more report writing than others. I've been jobs that needed minimal report writing, so they exist.

ramrunner800 · September 2016

shochan wrote: »

I am starting my new infosec job on Monday the 3rd...this will be my 1st dive into it...I have been in IT for over 17yrs but just now getting into this specific role...I am kinda excited, but from the looks of it, most are bored with it. I guess I am just sick of working in the field & dealing with customers all of the time. Ransomware has been a booger the last few years and no matter what you tell people (or try to educate them), they will never listen...they will continue to ignore advice and continue to infect their pc/networks. cheers!

I think that it appears that way because alot of people work in vestigial infosec fields, which don't involve the more interesting aspects of the field. It's not that infosec is boring, it's that people are working boring jobs in 'infosec.' Honestly, if your network is being ravaged by ransomware, you need to fire your CISO or your sysadmins. Fix your Group Policy to disallow execution from Temp, don't let macros talk to the internet, lock down your shares to users who actually need them, and back your data up. There's no excuse for that crap.

TheFORCE · September 2016

Spending 4-5 hours in meetings and then staying after hours to complete the work. Plus having to write projects for all the meetings. Very boring, the true infosec guys are still the guys that work hands on with the equipment.

Cyberscum · September 2016

TheFORCE wrote: »

Spending 4-5 hours in meetings and then staying after hours to complete the work. Plus having to write projects for all the meetings. Very boring, the true infosec guys are still the guys that work hands on with the equipment.

That's the problem. In large enterprise environments there are so many employees that the duties do not and will not overlap.

We have a team that takes in the latest vulnerability. A team that logs the vulnerability and assigns a fix to the appropriate work center. A team to implement the fix and the other team to verify the implementation. Then finally a team to write a report and suggest any future protective measures that need to be followed.

If you can stay in a small to medium sized biz you might be alright, otherwise if you are chasing the dollars sit back and get ready for an extremely boring job that pays extremely well for an extremely exciting private life.

markulous · September 2016

All depends on how much downtime you have and what you consider boring. If you've got a couple hours a day to study for certs, look at security blogs, etc., that's good for me. That way even though some of the work may be a little dull, you've at least got time to get certified and learn more.

What is life like within InfoSec

Comments