A day in the life of a SOC analyst
Francis Couderé has always had a healthy interest in cybersecurity, and joined Nynox where he started work as a Penetration Tester following his studies. This was a fascinating job that gave him the chance to find out how hackers and attackers operate. Then, when Nynox set up a Security Operations Center (SOC) a few years later, Francis saw his opportunity to take on a defensive role as a SOC analyst. He discusses his current role within the SOC team in more detail below.
Everyone working in a SOC has their own specializations that match their specific skills, such as incident response experts, programmers and analysts. SOC analysts are partly responsible for an organization’s IT infrastructure. This means, for example, that I make sure we detect any potential breaches and close any holes in your security before anything can go wrong. It’s important to work closely with the customer’s IT team for this to make sure we get the protection right. Properly understanding their IT environment ensures we can monitor and detect everything better.
No security without detection
Detection is one of the main components of cybersecurity. We know from experience that attackers spend a week in an organization’s systems on average before they strike. During this time, they are studying your environment, stealing data and deploying their ransomware. Good detection ensures you can trace them in time and prevent any confidential data leaks or stop your environment from becoming encrypted. It also gives you an insight into how attackers have got into your system, and what they’ve seen.
One disadvantage of the extensive detection system is that your SOC team can become overwhelmed with all the data that you need to process, which is perhaps one of the biggest challenges that SOC analysts face. Security Information and Event Management (SIEM) offers a solution for processing all this data quickly and helping organizations to detect threats, analyse data, and respond with an alarm before any damage is done. The rules that this SIEM runs on are written by our own team and can easily be modified when a new type of internet fraud emerges.
And it’s precisely because internet fraud evolves and changes so quickly that we believe it’s essential to make sure we keep our knowledge up to date. We do this by following additional training and keeping a close eye on the media, where we have often encountered certain new groupings being discussed. This allows us to investigate how they work so we can adapt our detection rules by writing new procedures for our SIEM, which means we can quickly detect and block attacks in any subsequent incident.
In an urgent incident, the CSIRT expert from our SOC team contacts a predetermined list of company stakeholders, quickly followed up by an analysis of the threat. The stakeholders are given daily updates until the incident is resolved, and then receive an extensive report with our findings.
Our customers also receive a monthly report, which we look at together in a meeting, even when there aren’t any serious incidents. The report includes a summary of any incidents that month, which can range from someone logging in from abroad to a full-blown attack. We also share various recommendations so that our customers know how to maximize their protection against external threats. Customers can also make their own suggestions or raise any other issues, which often stem from something they have read or heard themselves, in our monthly meetings.
Sometimes our customers contact us specifically after reading about a cyber incident in the media, when they suddenly realise they might be susceptible to cybercrime and start to worry about their security. It’s great that we can provide them with the right tools to address their concerns and allay their fears. Customers who can breathe easily again because their cybersecurity is on point give me the satisfaction I want from my job.