Even before arriving at the office, the morning commute usually consists of reading the latest news, blogs and write-ups of newly discovered threats. Each of these potentially provides insight into new techniques that need to be defended against.
Once sat and logged in, the first task is to review and triage the potential threats that have been generated overnight for those clients who have not opted into a 24x7 service. Aided by machine learning tools, the usual noise and false positives that are commonly seen with traditional tools are gone and the cyber security analyst is presented with meaningful output.
Depending on the outcome of the triage process it will either be dismissed as benign or an incident report prepared and escalated to the affected party. Following acknowledgement of receiving the sent report by a client, the analyst will work in liaison with their team to diagnose the infection and ensure successful containment.
Moving forward the cyber security analyst will continue to monitor newly generated threats and go through the correct escalation process if needed. If a threat needs to be escalated, they are required to aid in a further investigation in order to determine how the threat was delivered on the network; not only this, but it also gives an opportunity for an analyst to advise the client on remediation.
Analysts will work and edit rulesets and prioritise devices in order to quickly identify further anomalous activity. Doing so helps an analyst keeps an eye on affected devices and ensure there is no indication of further activity. The cyber security analyst is involved in the whole process from start to finish.
Whilst generated alerts are a passive method of analysis, another aspect of a cyber security analyst’s day is proactive threat hunting - the active pursuit of anomalies on servers, endpoints and network traffic that may be a sign of compromise.
Understanding a client’s unique set of risks and requirements ensures that an analyst can prioritise where to focus their threat-hunting abilities. This combination of prioritised risk, threat intelligence and a good understanding of adversaries' Tactics, Techniques and Procedures (TTP) means an analyst can splice datasets and reveal insights with the least possible effort.
As the day moves on, downtime allows for the cyber security analyst to take a step back from client systems and spend time experimenting, analysing malware samples and testing new tools that can be integrated into their workflow to further improve day-to-day activities.
If you are interested in learning more about our cyber security analysts operating our managed security service, please reach out to our team of experts at info@cyberseer.net