Want to build a career where your skills and expertise will be in exceptionally high demand? Interested in finding a job where you’ll need to apply logic and analytical skill alongside intuition and creativity? Would you like to help others, disrupt the bad guys, maybe even make the world a better place?
Maybe you’d like to become an information security analyst, joining a top-notch team like the one that staffs BTB’s 24x7 security operations center (SOC).
According to the US Bureau of Labor Statistics, the job outlook for security analysts is very positive, with the total number of open positions forecast to grow by 33% per year — much faster than the average occupation. As many as one-fifth of cybersecurity job openings in the US remain unfilled, evidencing the severity of the current skills shortage in this field.
However, a security analyst’s job can be fast-paced, demanding, and stressful. Analysts may work 12-hour shifts (including overnight), responding to incidents ranging from phishing schemes and compromised credentials to malware attacks and ransomware infections — all while fielding client questions — on everything from the likelihood of a cyberattack sponsored by a hostile foreign government to the best way to handle a software vulnerability like Log4j.
Security analysts are highly skilled professionals who play a vital role in keeping organizations’ information assets and sensitive data safe. But sometimes they fly under the radar – not everyone knows how important their jobs are. In this blog, we’ll explore what everyday life is like for many security analysts, and why their skills matter so much in today’s challenging cyber threat landscape.
Security Analyst Job Description and Responsibilities
Security analysts help to protect IT systems and data from unauthorized access. But they also ensure that bad actors don’t interrupt operations. If your company has a security monitoring program in place, security analysts will be hard at work at all hours of the day and night, keeping malware from slowing down your IT systems and making sure that criminals aren’t interfering with employee productivity.
The security analysts who take on most operational responsibilities in the SOC spend the bulk of their time on event monitoring and incident investigation. They can be tasked with handling 1,000 or more alerts on any given day. Most of these are false positives, but every alert requires detailed, thorough investigation. Sometimes it can take less than 5 minutes to figure out that an alert is a false positive. Other times, remediating an incident may take an hour or more.
Life in the SOC is full of surprises. No two days are exactly the same. Some days are quiet, with relatively few alerts or client requests. Others are much busier. Security analysts need to stay current on the latest threats and the tactics and techniques that are currently favored by attackers. They’ll also remain aware of what’s in the news since media reports can generate an uptick in phone calls from clients who want to know how they’re being kept safe from the latest high-profile threat.
Daily Routines in the Security Operations Center
Though the threats never stop coming — since cybercriminals are always trying to catch defenders off guard — there are typical patterns of activity in security operations. Early mornings are often quiet, with things picking up once most employees have logged in for the workday. Engineers commonly perform operational activities and routine maintenance like software patching during the day. These things can generate additional alerts. And often there are busy periods right before and after lunch. Then things quiet down at the end of the workday.
Cybercriminals never sleep, though. (Or they’re located in distant time zones, where their daytime hours fall during our overnight ones.) Hence, security analysts see a lot of brute-force-style attacks (where attackers use automated systems to try out thousands of username/password combinations, for instance) and both network- and application-layer scans (in search of exploitable software vulnerabilities) during the night.
Investigating Alerts: Processes and Expertise Are Key
In BTB’s SOC, security analysts are responsible for investigating alerts generated by the rapid advanced detection and response (RADAR) platform as well as responding to client requests. More senior analysts tend to do more client-facing work, including vulnerability investigation or threat research.
Although there’s a standard process for handling alerts, their investigation also requires ingenuity and creativity. The better an analyst understands which processes are normal in a particular client environment or network, the more quickly they can determine what’s truly anomalous and what’s not. Machine learning (ML) and automation help streamline the process, but human intuition is still important. A skilled analyst will know when to consult an extra log source or when a seemingly odd-looking activity is actually normal.
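The two ideas above (overnight brute-force bursts, and knowing what is normal in a given client environment) can be turned into a small triage step. This is an added illustration, not code from BTB or its RADAR platform: the sshd log lines are constructed sample data, and the per-client baseline dictionary is a hypothetical stand-in for the environment knowledge an analyst builds up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed syslog-style sshd lines (sample data, not from any real client).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:02 web01 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Mar 10 02:14:03 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:04 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 03:00:00 web01 sshd[2300]: Failed password for svc-scan from 10.0.5.20 port 40001 ssh2
Mar 10 03:00:01 web01 sshd[2301]: Failed password for svc-scan from 10.0.5.20 port 40002 ssh2
Mar 10 03:00:02 web01 sshd[2302]: Failed password for svc-scan from 10.0.5.20 port 40003 ssh2
Mar 10 03:00:03 web01 sshd[2303]: Failed password for svc-scan from 10.0.5.20 port 40004 ssh2
Mar 10 09:15:30 web01 sshd[2400]: Failed password for alice from 10.0.1.15 port 50010 ssh2
"""
# Hypothetical per-client baseline: sources whose failed logins are expected.
BASELINE = {"10.0.5.20": "authorized credentialed vulnerability scanner"}
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(2)

def triage(log_text, baseline, threshold=4, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures in one sliding window, then apply the baseline."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        by_src[src].append((ts, user))
    findings = []
    for src, items in sorted(by_src.items()):
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 < threshold:
                continue
            if src in baseline:  # expected activity: label it, do not wake the client
                verdict = "known-normal: " + baseline[src]
            else:  # off-hours bursts match the night-time pattern described above
                verdict = "escalate" + (" (off-hours)" if not 6 <= items[start][0].hour < 20 else "")
            findings.append({"src": src, "failures": end - start + 1,
                             "users": sorted({u for _, u in items}), "verdict": verdict})
            break
    return findings
```

Run against the sample, the external 203.0.113.7 burst is escalated as off-hours, the scanner burst is labelled known-normal because of the baseline, and the single failure for alice never reaches the threshold.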
“The best part of the job is doing something that’s helpful for someone else,” says Brandon Moszkowicz, Cybersecurity Analyst at BTB. “It’s such a good feeling when you catch something. And strong processes are important because they save a lot of time. That time savings lets us determine what’s good and what’s bad much more quickly.”
How much time any particular event investigation will take varies depending on the type of alert. It’s always a kind of detective work, where analysts have to figure out exactly what happened, why it happened, and whether the client needs to be informed or provided with remediation recommendations.
“It’s a lot like how I’ve heard law enforcement describe police work,” says Matt Wilson, Chief Information Security Adviser at BTB. “Alert fatigue is always a challenge because so many alerts can look the same. 99% of the time they’re false positives — which can seem monotonous. And 1% of the time, it’s hell on wheels.”
Here at BTB Security, we’re very proud of the expertise, professionalism, and skill of our security analyst team. Want to learn more about what goes on behind the scenes in our industry-leading Managed Detection and Response (MDR) service? Book a free, no-obligation consultation with one of our security experts today.