The second meetup of the Cyber Security Essentials training program delved into security operations and log analysis. The free training program is organized by Future Female and HelSec, and it is intended for women who are interested in working in cybersecurity or gaining more in-depth technical knowledge. Nixu is hosting the meetups to support diversity in cybersecurity.
I interviewed the instructors of the second meetup, Flavia Koskivaara and Antti Ollila, who both work at Nixu Cyber Defense Center. Flavia's background is in software development and Antti's in system administration. Now they have both found their passion in security operations, where each day brings new challenges and where your work can make your colleagues' and customers' lives a bit better.
Detecting threats and taking action
Security operations involve monitoring an organization and keeping its security at a reasonable level. Security operations are about detecting threats and advising how to improve security, but also about taking action, such as isolating infected machines or doing forensics and investigating what happened.
Many tasks in security operations involve analyzing logs, examining network packet captures, or digging through memory dumps. In the hands-on exercises led by Flavia and Antti, the participants browsed log data in an infrastructure provided by Splunk for this course. However, there are also many other roles and job titles in a Security Operations Center.
Typically, there are three tiers of analysts who handle detection and further analysis of incidents. Monitoring and analysis require log collection and aggregation, plus up-to-date rules that detect current threats, so it's the critical job of detection developers to create and maintain those rules. All this requires processing power and storage space, managed by the infrastructure team. And the log collectors and monitoring agents don't install themselves; there's a deployment team to handle that. Besides, there is also a need for people skilled at coordinating teamwork, managing projects, and taking care of communications.
Working with limited visibility
Antti and Flavia explain that one of the problematic things in security operations is the balance between getting enough data and getting too much data. You must decide which alerts or forensic data to ingest, but processing and storing it needs resources and can increase costs. The rules that trigger alerts usually need tweaking almost daily to make sense of the roughly 200 events per second that a single server might generate. However, if you whitelist too much, you can miss a critical anomaly. "The hardest, the most interesting, and also the most frightening thing is the thing we don't detect," says Antti. After all, in 2019, the average time to identify a breach was 206 days, according to IBM's Cost of a Data Breach Report.
A SOC analyst's work is to filter and cultivate data and to spot anomalies. Millions of events pass before their eyes every day. Therefore, Flavia and Antti emphasize that you need humans in a Security Operations Center (SOC) so you can see beyond the anomaly and understand that maybe this login event from Spain can be OK during the winter holiday season.
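The trade-off above, between suppressing noise and hiding a real anomaly, is easier to see in code. The following is an added example, not code from the article or from Nixu, and it does not use Splunk; it runs a simple "successful login from outside the home country" rule over a handful of constructed VPN log lines and compares two ways of silencing the expected Spanish login. The home country, the travel-notice table, the log format and every user, host and IP address in it are assumptions made up for the example.

```python
"""Scoped vs. broad allow-listing of a 'foreign login' detection over constructed log lines."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional

UTC = timezone.utc
HOME_COUNTRY = "FI"  # assumption: the monitored organisation sits in Finland

# Constructed sample log lines for the example; not taken from any real system.
# alice is on a registered winter holiday in Spain; bob is not; svc_backup is a service account.
SAMPLE_LOGS = """\
2019-12-27T08:12:03Z host=vpn01 user=alice src_ip=203.0.113.7 country=ES action=login result=success
2019-12-27T08:15:40Z host=vpn01 user=bob src_ip=198.51.100.23 country=FI action=login result=success
2019-12-27T21:44:12Z host=vpn01 user=bob src_ip=203.0.113.99 country=ES action=login result=success
2019-12-27T21:44:15Z host=vpn01 user=bob src_ip=203.0.113.99 country=ES action=login result=failure
2019-12-28T02:01:00Z host=vpn01 user=svc_backup src_ip=192.0.2.44 country=RU action=login result=success
"""

# Hypothetical travel notices an analyst would keep: (user, country, valid from, valid to).
TRAVEL_NOTICES = [
    ("alice", "ES", datetime(2019, 12, 20, tzinfo=UTC), datetime(2020, 1, 6, tzinfo=UTC)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    src_ip: str
    country: str
    action: str
    result: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one 'timestamp key=value ...' line; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        return Event(
            ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC),
            host=fields["host"], user=fields["user"], src_ip=fields["src_ip"],
            country=fields["country"], action=fields["action"], result=fields["result"],
        )
    except (KeyError, ValueError):
        # A real pipeline should count and review drops: silently lost lines are lost visibility.
        return None


def parse_lines(text: str) -> List[Event]:
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def suppress_scoped(ev: Event) -> bool:
    """Suppress only the user/country/time window an analyst explicitly approved."""
    return any(ev.user == user and ev.country == country and start <= ev.ts <= end
               for user, country, start, end in TRAVEL_NOTICES)


def suppress_broad(ev: Event) -> bool:
    """The tempting shortcut: 'logins from Spain are fine this winter', for everyone."""
    return ev.country == "ES"


def foreign_successful_logins(events: List[Event], suppress: Callable[[Event], bool]) -> List[Event]:
    """Detection rule: successful login from outside HOME_COUNTRY that no exception covers."""
    return [ev for ev in events
            if ev.action == "login" and ev.result == "success"
            and ev.country != HOME_COUNTRY and not suppress(ev)]


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOGS)
    for name, rule in (("scoped allow-list", suppress_scoped), ("broad allow-list", suppress_broad)):
        hits = foreign_successful_logins(events, rule)
        print(f"{name}: {[(ev.user, ev.country, ev.src_ip) for ev in hits]}")
```

With the scoped exception, alice's holiday login is silenced while bob's successful login from Spain and the service account's login from Russia are still raised; with the broad exception, bob's login disappears along with alice's, which is exactly the "whitelisted too much" case. Note the rule also ignores bob's failed attempt from the same address: on real data that failure-then-success pair a few seconds apart is itself worth a look.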
Challenging but fun
Every customer of a SOC has different environments and exceptions, so there can be a lot to remember – and documentation is crucial. Sometimes you are alone in the night shift when something severe happens. You need to respond and escalate quickly and communicate clearly, sometimes to not-so-technical people.
Despite the challenges, both Flavia and Antti like the fact that every day is different in security operations. Flavia laughs that, odd as it may sound, she thinks finding something horrible is fun: "I get this 'Yes, I found it!' feeling," she explains.
You can also experience global phenomena first-hand as Antti did with the WannaCry ransomware that had multiple victims worldwide. "I was working alone in the shift, and then the incident response phone rang," he explains. Antti also remembers once encountering a human hacker, who had typed commands live in a breached customer system. A network sensor had caught the malicious activity, and the responses to the attacker commands were mirrored into logs. According to Flavia, this is extremely rare, and it's more typical to see bots scanning for weaknesses.
Would you like to be a SOC analyst?
If analyzing incidents sounds appealing, there's a high chance that your skills are in demand. Most attacks are targeted to endpoints, so operating system knowledge, especially Windows, is appreciated, according to Antti and Flavia. A background in computer science, system administration, programming, engineering, cryptography, or solving Capture the Flags is useful, but nothing is a must – you will learn by doing. Communication and customer service skills also matter in this line of work.
If you would like to learn more about security operations, Antti and Flavia both recommend the free Splunk Fundamentals 1 course that teaches you about using dashboards, doing useful searches, getting statistics, and other basic features of Splunk.