Observations Of A Security Analyst.

Core Competencies!

The core competencies of a security analyst involve understanding how systems work and what their normal, baseline behavior looks like. The best way to learn this is to put the fundamentals into practice, either in a home lab or by working in the field. A good security analyst has a working understanding of the following: Active Directory, computer networking, computer hardware in general terms, and the basic terminology of the field along with what each term means.


The Business Factor!

It's important to note that our collective goal as security analysts is to protect the business from bad actors (malicious actors), which often means contextualizing risk. While we don't translate risk into dollars and cents (that's the job of a good CISO, manager, or director), we do try to leverage our knowledge into actionable work items. Keep in mind that a business has the ability to say no to taking action on a work item, or to classify a risk as an acceptable one. I have seen many security professionals try to bully a company into taking radical action on a security risk, so keep in mind that our shared goal is to be a risk advisor. The final say on technology risk is often above our pay grade (unless you're C-suite or above).


Understanding Risk Identification.

Identifying risks in a business is a very difficult task for most beginners, especially when doing so adds friction for other departments in the organization. The key to doing this properly involves building two documents: an IT asset database listing every device on the network, and some kind of risk register that rates each risk by severity from highest to lowest. Both must be treated as "living documents," meaning they need to be updated regularly. More advanced risk registers also put a rough dollar figure on each risk to the business, such as currency devaluation or what a ransomware attack would do to the business's pocketbook. The most important thing you can do as a practitioner is to push leadership toward tabletop exercises that game out what happens when a cyber attack occurs, with a detailed list of who is responsible for getting each task done.


The Issue With Signals.

The core problem for most new folks in information security is being able to look at potential attacks and know which ones are the real deal and which ones aren't. I'll show you a couple of examples from this web server as a demonstration a little later on in this post. The key here is looking at patterns and knowing some basic system behaviors. Suppose you know that Tina (sorry if your name is Tina) in accounting logs into QuickBooks, her email, and Microsoft Teams, with minimal casual web browsing (maybe some YouTube cat videos here and there). You can use those behaviors as a general baseline. What you're looking for is something odd, like Tina suddenly visiting a website called PirateBay, or her machine making DNS resolution requests for a .ru domain name. Those behaviors would be considered anomalous, meaning they fall outside the normal baseline we established previously.
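To make the baseline idea concrete, here is a small Python script (an added example, not tooling from this post or this web server) that builds a per-user baseline of domains from a couple of days of constructed DNS log lines and then flags today's lookups that fall outside it. The log format, the user name "tina", every domain and timestamp, and the two watchlists (TLDs the org has no business with, and acceptable-use keywords) are all assumptions made up for illustration.

```python
"""Baseline-versus-anomaly check over DNS log lines.
Added example for this post, not the post's own tooling. The log format,
user name, domains, watchlists and timestamps are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the org has no business reason to resolve names under these TLDs.
SUSPICIOUS_TLDS = {"ru", "su"}
# Assumption: substrings that violate acceptable-use policy regardless of baseline.
POLICY_KEYWORDS = ("piratebay", "torrent")

# Constructed "normal days" for Tina: QuickBooks, email, Teams, a cat video.
BASELINE_LOG = """\
2024-03-04T08:02:11 tina DNS quickbooks.intuit.com
2024-03-04T08:02:40 tina DNS outlook.office365.com
2024-03-04T08:03:05 tina DNS teams.microsoft.com
2024-03-04T12:15:22 tina DNS www.youtube.com
2024-03-05T08:01:50 tina DNS quickbooks.intuit.com
2024-03-05T12:10:08 tina DNS m.youtube.com
"""

# Constructed "today": mostly normal, plus a new SaaS portal and the two
# oddities from the text (a PirateBay lookup and a .ru domain).
TODAY_LOG = """\
2024-03-06T08:00:12 tina DNS quickbooks.intuit.com
2024-03-06T08:00:30 tina DNS outlook.office365.com
2024-03-06T10:42:03 tina DNS thepiratebay.org
2024-03-06T10:42:05 tina DNS teams.microsoft.com
2024-03-06T11:05:44 tina DNS portal.example.com
2024-03-06T14:07:51 tina DNS updates.example.ru
"""

@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    kind: str
    domain: str

@dataclass(frozen=True)
class Finding:
    event: Event
    reasons: tuple[str, ...]

    @property
    def severity(self) -> str:
        # A never-seen domain alone is a lead to triage, not a verdict; a policy
        # hit or a watch-listed TLD is worth an analyst's time today.
        return "high" if set(self.reasons) & {"suspicious_tld", "policy_keyword"} else "low"

def parse_log(text: str) -> list[Event]:
    """Parse constructed 'timestamp user kind domain' lines, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # real tooling should count these rather than silently drop them
        ts, user, kind, domain = parts
        events.append(Event(ts, user.lower(), kind.upper(), domain.lower().rstrip(".")))
    return events

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels) so www.youtube.com and m.youtube.com collapse
    to youtube.com. Production code should use the Public Suffix List instead."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def build_baseline(events: list[Event]) -> dict[str, set[str]]:
    """Per-user set of registrable domains seen during the known-good period."""
    baseline: dict[str, set[str]] = defaultdict(set)
    for e in events:
        baseline[e.user].add(registrable_domain(e.domain))
    return dict(baseline)

def score_event(event: Event, baseline: dict[str, set[str]]) -> tuple[str, ...]:
    """Return the reasons an event deviates from baseline (empty tuple = normal)."""
    reasons = []
    if registrable_domain(event.domain) not in baseline.get(event.user, set()):
        reasons.append("new_domain_for_user")
    if event.domain.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        reasons.append("suspicious_tld")
    if any(k in event.domain for k in POLICY_KEYWORDS):
        reasons.append("policy_keyword")
    return tuple(reasons)

def find_anomalies(events: list[Event], baseline: dict[str, set[str]]) -> list[Finding]:
    """Flag events with at least one reason, highest severity first, then by time."""
    findings = [Finding(e, score_event(e, baseline)) for e in events]
    findings = [f for f in findings if f.reasons]
    return sorted(findings, key=lambda f: (f.severity != "high", f.event.ts))

if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for f in find_anomalies(parse_log(TODAY_LOG), base):
        print(f.severity, f.event.ts, f.event.user, f.event.domain, ", ".join(f.reasons))
```

Notice that the new SaaS portal is flagged only as a never-seen domain and lands at low severity: on its own, a new domain is a reason to check for a change ticket or ask Tina a quick question, while the .ru lookup and the PirateBay hit get pushed to the top of the list. The "last two labels" collapsing is deliberately naive; against real data use the Public Suffix List so that names like something.co.uk are handled correctly.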

Ask yourself a couple of questions as you look through the screenshots below: what are the key differences between the traffic patterns shown, and is the behavior outright malicious based on your own knowledge and/or research?


Website Example Log 1


Website Example Log 2