One thing is for certain: when it comes to defining a day in the life of a security analyst, unpredictability is the only factor one can expect. The job of an analyst requires an all-round awareness that accounts for what has already happened, the current situation and what could occur, so the first order of business for a security analyst starting his or her day is a hand-over of activity and information from the colleagues who worked the previous shift. This is particularly relevant if an analyst is working in a 24/7 security operations centre.
That start-of-day briefing sets the security analyst up for the day ahead as they familiarise themselves with any ongoing incidents or anything that is provoking suspicion and needs monitoring. In these situations it is then often a waiting game to see if anything further materialises. For security analysts working across large networks through which a heavy volume of data passes, there are likely to be a great many things to watch, so it is important to have the experience to know where to focus attention.
Undoubtedly, the hand-over of information from the previous analyst is invaluable in this circumstance, as are the tools of the trade that enable security analysts to home in on specific parts of the network and prioritise their focus there. Veering between reactive and proactive modes of operation when it comes to intercepting potential security events and incidents, there are certain things an analyst will be on the lookout for.
Compromised host systems requesting malware updates, or applications requiring command and control type responses, are one indicator that a network attack is in progress. Such an event will prompt the analyst to generate a case or incident file and begin tracking the assets believed to be under attack. Part of the job of a security analyst will also be to monitor lateral movement, to evaluate whether an attacker is attempting to use the initially compromised applications or systems merely as a launchpad to burrow deeper into the network. If that is the case, it could warrant a nod to the systems or network engineering team to close the affected systems down to avoid a further breach.
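The command and control indicator described above, as an added example that is not part of the original article: a minimal beacon detector run over constructed proxy log lines. The log format, host names and thresholds are assumptions; it flags source/destination pairs that check in at a near-constant interval, which is what a timer-driven malware update or C2 poll looks like next to bursty human browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic): host-17 polls one
# external host every ~30 s with light jitter; host-22 browses normally.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z host-17 GET http://cdn-update.invalid/check 200
2024-03-01T09:00:31Z host-17 GET http://cdn-update.invalid/check 200
2024-03-01T09:00:59Z host-17 GET http://cdn-update.invalid/check 200
2024-03-01T09:01:30Z host-17 GET http://cdn-update.invalid/check 200
2024-03-01T09:02:01Z host-17 GET http://cdn-update.invalid/check 200
2024-03-01T09:02:29Z host-17 GET http://cdn-update.invalid/check 200
2024-03-01T09:00:05Z host-22 GET http://news.example/home 200
2024-03-01T09:00:07Z host-22 GET http://news.example/story/1 200
2024-03-01T09:04:40Z host-22 GET http://news.example/story/2 200
2024-03-01T09:05:12Z host-22 GET http://news.example/story/9 200
2024-03-01T09:18:03Z host-22 GET http://news.example/sports 200
2024-03-01T09:18:04Z host-22 GET http://news.example/sports/live 200
"""

# Assumed line layout: <timestamp> <source host> <method> <url> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_lines(text):
    """Yield (timestamp, source_host, destination_host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), urlparse(m.group(4)).hostname

def find_beacons(text, min_hits=5, max_cv=0.25):
    """Return {(src, dst): mean_gap_seconds} for pairs whose request gaps are
    near-constant. cv = stdev / mean of the gaps: human browsing is bursty
    (high cv), a scheduled check-in is regular (low cv) even with jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_lines(text):
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg, 1)
    return hits
```

A hit is a lead for opening a case and tracking the asset, not proof of compromise: legitimate update agents also poll on a timer, so the destination still has to be vetted.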
Security analyst jobs will also see those in them spend some of their time preserving forensic evidence, either for the SOC team to investigate the breach further or to serve as material in a criminal investigation.
During quieter moments in their day, a security analyst will likely go into proactive mode in order to catch cyber-attacks and security breaches before they escalate, but in reality they will need to be reactive much of the time. Experienced senior analysts will also be able to read between the lines when it comes to sophisticated attackers, and will engage in in-depth analysis, going deep into history and memory to see past a stealthy attacker's constantly changing domains and IP addresses and root out evidence of abnormal behaviour. Certain tools provide powerful forensic search capabilities that do more than analyse log data: they get down to the root of the network to show who the instigators of the attack were and which protocols they were employing.
A good security analyst is continually thinking about what is implicit in the information available to them, and exhausts it before moving on to see what else they can find. Having a multi-faceted skill set is also key to being a good security analyst, as the daily work requires the ability to approach problems from multiple angles, which cannot be done if an individual only possesses expertise in one area.