Any Cybersecurity Analysts around?

I am interested in hearing your day to day and how you feel about the role and career path?

Thank you!

Find more posts tagged with

Comments

Different companies different definitions of what a Cybersecurity analyst is/does. Personally I consider myself in this category.
I work on the following on a daily basis
1. Vulnerability Management, scan, remediate, research. Does not include patching or changes, basically i do not have access to the systems.
2. SIEM management and log analysis.
3. IPS/IDS event analysis and follow ups with the vendor, users, IT etc on the validity of events.
4. Awareness training program developement.
5. Liaison with external Pen-testers and conduct the activities, social engineering etc.
6. IAM
7. Policies and procedure creation, create and manage IT controls(this can include implementing new solutions and tools)
8. Fulfill IT Audit requests.
9. DB monitoring, PAM monitoring, DLP monitoring, Firewall log monitoring, AV monitoring,[enter security tool]
10. Some vendor risk stuff
11. Whatever else comes my way that has security under the requirements section.

If you want to transition to a Cybersecurity role you would be a good fit based on your certifications. However, I would inform you that you will lose a lot of access that you currently have, no more managing servers, virtual infra, network equipment etc. It might depend on the company but the norm is usually no access except your security tools.

NetworkNewb

My day consists of a lot of IAM management, auditing access, SIEM monitoring/management, and a small amount of vulnerability management.

I don't mind my job at all and there is definitely a lot of room to go up. Been a security analyst for about a year and a half and plan going after a security engineer role soon. Been told I'm almost a shoe in for one opening up at my current place, hopefully within the next year. (been told things like that before that didn't ever seem to happen so not holding my breath) In that role I would developing our security strategy more, researching security threats, improving our monitoring systems, work with other teams on the security side of things when new applications/programs get implemented in our environment...

ramrunner800

As others have pointed out, CyberSecurity analyst can mean a lot of different things depending on the company and the role. There are a lot of folks who hold the title Cybersecurity Analyst who perform roles like sysadmining security tools, audit, Governance Risk and Compliance, among others. These roles are drastically different from roles like pentesters, network security monitoring, incident response, threat intelligence, and the like. When discussed on a forum like this one, these are often discussed under the umbrella term, Cybersecurity. Alot of the cybersecurity career advice dispensed in here might be good advice in one part of the larger security ecosphere, but is fantastically terrible in another. In my career I have found that 'Cybersecurity Analyst' is not usually a job title that offers hands on work with bad guys, so if that's what you're looking to do, make sure you research the positions you interview for, and ask the hiring manager questions.

I work in the operations and incident response portion of the field. When something bad happens on the network, I contain, investigate, and eliminate the threat.

The meat and potatoes of my job is doing forensics on machines that are part of security incidents. I also spend alot of time collaborating with network security monitoring analysts and threat intelligence analysts to identify threats or items of interest for analysis. We also do a fair amount of time doing deep dive research trying to see if we can identify trends or commonalities in different pieces of malware and the infrastructure it uses (i.e. massive amounts of whois lookups).

I also spend a significant amount of time on professional reading and labbing. The reading consists of things like intelligence products, and tons and tons of blog posts on the latest techniques attackers are using, how they work, and how to analyze/detect them.

We also get pulled in to be advisors on various different projects to provide subject matter expertise.

I think the role is incredible, and the career outlook is awesome for the time being. There are not enough cybersecurity professionals out there, and there are even fewer who can do "hands on" cybersecurity work. Because of that, when you get into an interview and they realize you can do real security work, companies throw themselves at you. I think I have the second coolest job in the world, only behind fighter pilot.

It's not all sunshine and rainbows. If this isn't your passion, you're gonna have a hard time. You must be committed to your professional development. If you don't wanna go home and keep labbing and reading, seriously consider if this is for you. Attack techniques are constantly evolving, and you must be too. I also think there's a bubble right now. Companies are getting absolutely outclassed by attackers, and it can't continue. Someone will disrupt this, and flip everything we think right now on it's head. I don't feel that I can sit back comfortably and count on my job existing in 20-30 years. The market simply isn't going to bear it.

markulous

About the same as TheForce. Also web filtering and threat hunting

ice9

As a DoD Contractor Risk Analyst, I would also agree I cover all of the listed items as

TheForce

has listed there.

The Addition of CyberSecurity is on the rise for sure in the DoD and DoD Contractor job openings because there a budgets and managers looking for a more technical job scale is it were...more money and ability for future compensation solely based on the title of "CyberSecurity" anywhere in your titles or job code. At the end of the day, most positions are going to entails Risk Compliance, Information Assurance, Auditing and more Auditing with the help of SIEM tools or Continuous Monitoring tools...AKA Con-Mon tools.

To avoid the confusion of being mostly a paperwork pusher analyst, it is est to figure out right away that if you want to put your hands on networking hardware or configure Cisco switches and firewalls, then you would be better suited for a titles of CyberSecurity Engineer. Just my two-cents, I think that is one of the biggest differences.

636-555-3226

How the heck do you do all of the following in a week, let alone a day. Well, while doing it well at least?

TheFORCE wrote: »

Different companies different definitions of what a Cybersecurity analyst is/does. Personally I consider myself in this category.
I work on the following on a daily basis
1. Vulnerability Management, scan, remediate, research. Does not include patching or changes, basically i do not have access to the systems.
2. SIEM management and log analysis.
3. IPS/IDS event analysis and follow ups with the vendor, users, IT etc on the validity of events.
4. Awareness training program developement.
5. Liaison with external Pen-testers and conduct the activities, social engineering etc.
6. IAM
7. Policies and procedure creation, create and manage IT controls(this can include implementing new solutions and tools)
8. Fulfill IT Audit requests.
9. DB monitoring, PAM monitoring, DLP monitoring, Firewall log monitoring, AV monitoring,[enter security tool]
10. Some vendor risk stuff
11. Whatever else comes my way that has security under the requirements section.

636-555-3226

ramrunner800 wrote: »

Companies are getting absolutely outclassed by attackers, and it can't continue. Someone will disrupt this, and flip everything we think right now on it's head. I don't feel that I can sit back comfortably and count on my job existing in 20-30 years. The market simply isn't going to bear it.

I disagree. Security's been around for 30 years and to be honest hasn't really changed that much. Know what you've got, configure it securely, patch against known vulns, etc, etc, etc. The same rules as in the 80s/90s apply just as well in the 2000s/2010s. Talking to people from dozens of companies on a yearly basis from around the globe and I haven't heard a single thing that makes me think anything is going to be getting any better any time in the foreseeable future. Job security my man!!!!

markulous

Yeah, unless some magical silver bullet for security is introduced, it's going to be more of the same. Tools may change but the way we protect will remain consistent.

ramrunner800

636-555-3226 wrote: »

I disagree. Security's been around for 30 years and to be honest hasn't really changed that much. Know what you've got, configure it securely, patch against known vulns, etc, etc, etc. The same rules as in the 80s/90s apply just as well in the 2000s/2010s. Talking to people from dozens of companies on a yearly basis from around the globe and I haven't heard a single thing that makes me think anything is going to be getting any better any time in the foreseeable future. Job security my man!!!!

You could totally be right, and if you are, I'd be a very happy man. We've had folks out from MIT talking about now processor architectures eliminating classes of bugs and stuff, pretty much all over my head. Friends in the valley talk about pretty radical changes to OS design to mitigate alot of attacks. I have no idea what could occur to change things, if I did I'd be a billionaire pretty shortly here. I just want to be prepared in the event that there's a sea change in the industry. I remember getting a Tandy 1000 around 25 years ago, and how awesome it was that there was a computer that could talk. 25 years from now, I'll still be a good distance from retirement age, and I don't pretend to be able to envision what the market will be like when the computers of today are as old as that Tandy 1000. I want to be like a shark, and keep moving and developing skills to stay relevant.

Blucodex

Call me ignorant but I can't imagine a world where security is no longer needed. I truly believe anything that can be engineered can be broken.

Thank you for the detailed and informative posts everyone. This is good stuff.

BlackBeret

As an enterprise gateway analyst: Go in, sit down, open SIEM. View alerts, analyze traffic pertaining to alert, close or escalate to IR. IR would then review more in depth and decide to close or open a case, this could involve getting HIPS specifics analysts and forensics guys involved.

As an analyst on a more hunt focused team: Go in, dig through network/traffic/logs using X, Y, and Z tools depending on the team, the customer, the location, etc. etc.

As an analyst in IR: Less hunting, more focused analysis, but basically any open source tool needed and a handful of enterprise tools if needed. Look at traffic, dynamic analysis, figure out what it's doing on the network and where it is. Then look at the binaries, do more analysis, write reports, etc.

ramrunner800

Blucodex wrote: »

I truly believe anything that can be engineered can be broken.

Truth, but there's a reason iOS vulns sell for millions, and Windows 10 Kernel vulns only sell for hundreds of thousands. Some models have a significantly higher barrier to breakage.

TheFORCE

636-555-3226 wrote: »

How the heck do you do all of the following in a week, let alone a day. Well, while doing it well at least?

Many things are automated, what isnt, is in the plans for automation. The key is to use the tools at maximum capacity and configuring them well to remove false positives. Example, DB monitoring, when i joined my company, the DB reports were 200+ pages long, everything was being reported. Spend a few hours with the DBA's and removed all unnecessary events, now my reports are either clean or have maybe 1-2 pages of events. IPS/IDS i get only 1-2 events a day that I need to follow up. So that is easy. Auditors and internal controls they ask the same stuff on a regular basis to make sure the controls works, so what we did we created a small knowlegebase that basically says if Internal controls ask for xyz, we provide them qvc report from x system and k system. This saves a lot of time for us and for the new guys. So I touch all in various percentage during the day, weekly or monthly. Another example, our Awareness training, phishing and info tips to users is all automated and scheduled. Company so far hasnt been cheap in acquiring tools to automate tasks. once configuring correctly, then we monitor and add improvements.

jcundiff

Threat Intel (Sr InfoSec Analyst)

Open source news combing to find out who got hit by whom, how they got in, how they got the data out
Brand Intelligence/protection - scour social media /open web/dark web looking for misuse of our brand/criminals pretending to be us. etc
Take any IOCs we find and send them over the wall to the SOC to load into tools
Produce reports/documentation to send to C suite, IT, CSO, etc
Train,train,train
Work with other security teams to review process exceptions from a security view point

dustervoice

636-555-3226 wrote: »

I haven't heard a single thing that makes me think anything is going to be getting any better any time in the foreseeable future. Job security my man!!!!

How about we bring all stupid users to the gallows ? Anyone that clicks on those stupid links about winning the lottery gets hanged.:D

jcundiff

dustervoice wrote: »

How about we bring all stupid users to the gallows ? Anyone that clicks on those stupid links about winning the lottery gets hanged.:D

hanging is too humane... drawn and quartered

Blucodex

I have a follow up for you experienced Analysts.

If you can, picture yourself back to the first day you started. Assume there will be limited training on how to do the job of an analyst but have all the tools you could desire. What would you tell your old self to get up to speed as fast as possible?

dhay13

lab. read. research. ask questions (either at work or here or anywhere i can)

ITSec14

I literally do almost everything, so I won't compile a big list. Recently, I was told to start writing/updating policies too (boring). I'll admit, it's hard to do most things well given the scope of my responsibilities. I'd really like to focus on vuln. management/pen testing then eventually move up to a senior/management role.

Blucodex

Looks like I'll be joining the club! Just got to to get through the on-boarding process.

Thank you everyone for the info.

TheFORCE

Blucodex wrote: »

Looks like I'll be joining the club! Just got to to get through the on-boarding process.

Thank you everyone for the info.

Congrats man! Well done!

Span

jcundiff wrote: »

Threat Intel (Sr InfoSec Analyst)

Open source news combing to find out who got hit by whom, how they got in, how they got the data out
Brand Intelligence/protection - scour social media /open web/dark web looking for misuse of our brand/criminals pretending to be us. etc
Take any IOCs we find and send them over the wall to the SOC to load into tools
Produce reports/documentation to send to C suite, IT, CSO, etc
Train,train,train
Work with other security teams to review process exceptions from a security view point

Jcundiff - what open source news sites you would recommend you feel is worth while?
Any other sites?

Blucodex

Update: Started 8/7. Loving every minute of it so far. Here are two pretty good links for anyone curious about being a security analyst.

https://www.blackhillsinfosec.com/webcast-5-year-plan-infosec/

https://blog.komand.com/6-lessons-i-learned-from-working-in-a-soc

McxRisley

As many stated, the role responsibilities and duties vary between companies but one thing remains the same, we "Analyze" things. What things do we analyze you ask? ALL OF THE THINGS.

the_Grinch

When I did it my day was as follows: walk in, check dashboards to ensure they are displaying, check nightly check alerts, grab coffee or energy as long as nothing blew up from the night before, meeting, dig into the logs on the hunt for issues, lunch, meeting, develop more stuff to alert on, meeting, home. On days I find things all hands on deck to figure out if it is a real issue, get explanations and determine if management needs to be informed. Overall fairly routine, but a good many days of fighting fires. Since we didn't control the systems there is always a lot of back and forth on why something is an issue though a provider swears it isn't. You better know your stuff because if you cry wolf or miss something no one will ever listen to you again.

TechGromit

Blucodex wrote: »

I am interested in hearing your day to day and how you feel about the role and career path?

Compliance Via paperwork
Verifying I'm using the correct rev of the procedure and Reading
Network management (configuring switches, troubleshooting, replacements, upgrades, etc)
Update Anti-Virus definitions (for non-networked / isolated network computers)
Incident Response-The network I'm responsible is isolated from the internet/business network so the volume is lower, but I support other sites too.
Malware Analysis
Meetings, lots of meetings
Reports
check logs and reports.

Career path, I would like to get into is more responsibility for the corporate network, vulnerably assessments, malware analysis.

jcundiff

Span wrote: »

Jcundiff - what open source news sites you would recommend you feel is worth while?
Any other sites?

sorry dont know how I missed this several months ago... cyberwire is an aggregator that you can sign up for their daiily email ( I actually do a more condensed version specific for our industry that I send out internally daily) Some others I use are

securityweek
cso online
reuters
ars technica
krebs on security
bank infosecurity
infosecurity
bleeping computer
and a host of others