
Entry level security roles? Typical day of a Security Analyst?

Juicy Jon Member Posts: 14
Hey everyone! So my current position is network support. Not a help desk. It is my first IT job. I always have had a passion for IT and self-learning. Anyways, deeper in my passion of IT has always been security. August 1st I start my first term at WGU for my BSIT - Security with just my A+, Sec+, some college classes and work experience under my belt. Once I obtain this I will be looking for my first sys admin role (if I don't have that before I graduate) or my first security role.

I was wondering if someone could kind of break them down for me as a lot of job titles vary but tend to be the same thing. Also what should some entry level security titles be that I should look for once I graduate.

Maybe someone could also explain the typical day in their security field along with their title?

Any knowledge helps!

Please no bashing or trolling. It will not hurt me or deter me from my goal.

This is a great forum/site.

Have a good day,

Juicy Jon

Comments

  • TechGuru80 Member Posts: 1,539
    Roles that start with "Junior", Analyst, Auditor, Governance, there are some jr engineer roles, and some jr penetration tester roles. Also if Information Assurance is mentioned...just another term. There are so many options....decide if you want to be in compliance, engineering, or penetration testing as a first step. You are not locked into that choice but it will help you narrow your options.

    Compliance side will focus on documentation, verifying configurations, keeping up-to-date on changes in regulations. Engineering is more of a practitioner role....applying configurations, writing scripts/programs, troubleshooting, researching.
  • Mike-Mike Member Posts: 1,860
    ask me in a month
    Currently Working On

    CWTS, then WireShark
  • BlackBeret Member Posts: 683
    I've worked as a network security analyst/incident analyst in two different organizations. Each was very different so I'll do what I can to give a little about them. The biggest thing to remember is, job titles do NOT matter; job duties will vary from company to company with the same title. The company itself will be who determines what you do.

    VERY large enterprise network, in-house security team. Our operations were 24/7 so it was shift work for everyone. 8 hour shifts, 5 days a week, no overtime. It was a very well established program. I would show up, log in to a Windows workstation, open ArcSight, and start working alerts. This involved researching the IP addresses involved, using other appliances to pull down traffic captures, reading through those captures in Wireshark, comparing them to our signature files, etc.


    It was a very simple job that became boring very quickly. It was a job that should involve a lot of detailed technical knowledge, but they hired a lot of people that didn't really know what they were doing and would sit there closing events without working them. Our management "oversight" was only concerned with the numbers of events closed/left open, not the quality of work. The good thing about having all the employees that would just sit there closing events was that I could sort through and find the ones that looked like they were really good and work those myself. Our signature team's philosophy was also that of "cast a wide net and let the analysts sort it out", which meant that we had something around a 99% false positive rate. Thanks to using a defense in depth approach the majority of the actual incidents were mitigated by other devices. I got bored and tired of working with people that didn't have a clue and left.


    Org 2 - Security as a service provider. The operations tempo is slower; without going into company details, everyone is Mon-Fri day shift. We operate 98% on Linux systems. Manually pulling different NIDS/NIPS/HIDS/HIPS logs, and thoroughly reviewing them. It's much more in-depth and requires a lot more technical skill. When not actively monitoring a customer's network we're usually working on processes in house. Everyone essentially wears two hats. Some are also aspiring programmers, some are network guys, some are focused on forensics, IR, etc.

    There are teams for all of this and more with the provider, but everyone on the analyst team has some dual training so that we can handle things within our team. It's a much better environment with much better people. I can basically choose where I want to go and what I want to do. Since the same organization offers every security service I can imagine, I can stay here for years and just request a transfer to other sections if I find myself stagnating. Due to the nature of this work, the processes aren't well defined or in place, every customer's infrastructure is different, everyone has to know a little about a LOT, and a LOT about some things in order to operate. This can lead to headaches, but I like to look at them as learning opportunities.
  • si20 Member Posts: 543
    I'm currently a security analyst for a very large IT company. My advice? RUN as far as you can. Never, ever get into being a "security analyst". I've worked for two companies as a security analyst and I'll give you some quick thoughts about both:

    Job 1:

    Shift work. 4x 12 hour day shifts, 4 days off, 4x 12hr night shifts....then 4 days off (technically 3) then repeat 4x 12 hour day shifts. I put on loads of weight due to eating at ridiculous times. The work wasn't very technical (although it should have been). The guys I worked with were absolutely clueless. I'd work with people who held 3rd class....yes...3rd class degrees. No offence to them, but they were only there for the pay-cheque at the end of the month. They knew extremely limited security - so much so, we had one guy who clicked on a phishing email - despite claiming he was well regarded at his University for security.

    Management had absolutely no clue about security - all they knew was ITIL. See my post about ITIL: http://www.techexams.net/forums/itil-certifications/112148-another-itil-hater.html The "shift leaders" were jokers. They'd spend all their shift bossing people around OR watching YouTube. So what would I do day-to-day? I'd come in for my 12 hour shift, open up ArcSight and some other tools and look through active channels (live channels with security events coming in). As mentioned above, 99.9% of these would be false positives. It was a joke. Say someone got their password wrong 3 times, we'd be alerted. In the end, you had 19-21 year old analysts just closing everything. People got sacked. It was an absolutely horrible environment for everyone involved (aside from the managers, they got very high pay for extremely little work). Managers who didn't know about security were only concerned with numbers. A brute force attack has occurred?? Well delete it!! Get it off the system or the numbers will look high. I'm embarrassed to have worked there.

    I learned next to nothing and when I began looking for jobs - the only companies interested in me were those offering security analyst roles. In a word....I was stuck.


    Job 2:

    So I moved into a new security analyst role because really, I had no choice. I got a 9-5 and found out that I'd be trying to reduce false positives. Excellent!!! I thought.... How wrong I was. I spend my entire day in a spreadsheet. I am just looking at how many attacks there have been and giving information to clients. It's 100% non-technical. I'm considering a 50% pay cut purely to get into a different area of IT (see here: http://www.techexams.net/forums/jobs-degrees/112159-dropping-salary-better-job.html ). In a nutshell, if you value your career, stay away from these posts or you'll end up regretting it. It will mess up your career. Once you get into Security Analyst roles, you've sold your soul to the devil. It's extremely hard to get out of it.
  • soccarplayer29 Member Posts: 230
    Surprisingly to me, that's a lot of negatives. I'll give my thoughts. First, as previously mentioned on this forum, job titles mean very little as every organization codes things differently - pay attention to the job duties instead.

    As mentioned above some security analyst positions can be log analysis, but I've also seen them be IT policy GRC, risk assessments, patch management, compliance, etc. So I can't really comment on a typical day of a "security analyst" because it's going to differ for each position based on the duties.

    Based on your education and certs I think you're in a good place. Your next logical role could be a system administrator, security access administrator (provisioning, access renewal type stuff), IT auditor, etc. Those positions should start using some of your security skills to accompany your education and grow you professionally and then you can decide if/where you want to specialize.
    Certs: CISSP, CISA, PMP
  • Juicy Jon Member Posts: 14
    Thanks for all the help guys. It does kind of worry me though for sure. What is a good entry level position then for this? As I definitely do not want to get stuck looking at logs and closing them out.
  • si20 Member Posts: 543
    Juicy Jon wrote:
    Thanks for all the help guys. It does kind of worry me though for sure. What is a good entry level position then for this? As I definitely do not want to get stuck looking at logs and closing them out.

    You may want a junior pen-testing role, or even a junior security consultant role. There are lots of good jobs out there but I think the security analyst or junior security analyst roles are to be avoided. I've seen so many people fresh out of University do a security analyst role and within 6 months they want to quit IT and get into something completely different, e.g. politics.
  • Juicy Jon Member Posts: 14
    Politics?!? That seems like an even bigger nightmare. Haha.
  • UnixGuy Mod Posts: 4,567
    @si20: I'm in a security analyst position and it's nothing like what you described. Sure, I'm not doing anything extremely sophisticated, but I'm learning a lot about different products. I'm trying to get any opportunity to do more with every tool/appliance we have. It can't be that bad; use it as a stepping stone to move to security consulting. Some security analyst positions offer training to staff, and this can be priceless.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • tahjzhuan Member Posts: 288
    Job description of a SOC position just emailed to me by a recruiter. I'm considering it even though it pays less than what I'm currently doing. It would be helpful if I was able to learn something from it.

    Provide reasonable monitoring 24x7x365 to support monitoring requirements of the client’s environment.
    Provide analysis of identified incidents, notify the appropriate parties to remediate, and manage the lifecycle of the incident, as reasonably required.
    All resources provided under this contract will have or will be trained to achieve the following qualifications (in addition to any qualifications and requirements described in the Agreement or elsewhere in this contract, as applicable to the Services being provided herein):
    Training and certification on the Client ArcSight tools (achieved no later than nine (9) months from such resource's start date on the Project)
    Security+ certification (achieved no later than nine (9) months from such resource's start date on the Project) or an equivalent certification that is mutually agreed to by the parties
    Minimum of two (2) years of experience in Information Technology or equivalent four (4) year degree
    Ability to understand basic Windows, Unix and TCP/IP routing and navigation and troubleshooting of the OS. Demonstrated understanding of the file system, permissions, services, and administrative applications.
    Ability to understand basic firewall concepts. Ability to recognize rules and understand operation.
    Ability to understand basic host IDS/IPS concepts
    Ability to understand basic database concepts
    Basic understanding of Antivirus technology
    Ability to understand encryption concepts
    Ability to understand scripting tools or programming languages
    Basic understanding of common network services like HTTP(s), SMTP, DNS, FTP, ping, traceroute, etc., and basic Boolean logic operations
    Strong analytical skills
    Strong technical writing skills
    Strong verbal communication skills
  • ramrunner800 Member Posts: 238
    Security is a big field, with lots of different roles. SOC is not like incident response, which is not like firewall admin, which is not like governance, which is not like pentesting, etc. SANS has a roadmap that does an okay job of breaking down what the different fields are. I've worked in a SOC and in incident response. The things folks from the policy/governance/audit side say about the security field are pretty alien to me, because our roles are not anything alike. It's important that you think about what you want to do in security when you look for positions. If you know what the role you will be filling is, it is much easier for others to let you know what a typical day doing that might be like. Also, consider the type of organization offering the position. In smaller orgs you will likely have an amorphous role, and become a jack of all trades. Large organizations with established security teams will probably have well defined roles. Good luck in your hunt!
    Currently Studying For: GXPN