Security events, such as vulnerabilities and threats, that are detected globally continue to grow and evolve in scale, impact, diversity, and complexity. Compounded with this is the other side of the coin, the unreported or undetected events waiting in the wings, hovering below the radar in a stealthy state. With all of the security technologies at our disposal, are they sufficient enough to provide effective protection? Well, it is certainly a good start when applied correctly. At a summary level, Cisco’s Security Intelligence Operations (SIO) approach to this challenge was covered in the Network World feature article, “Inside Cisco Security Intelligence Operations.” However, one of the core human elements, which I will introduce, that deserves closer attention is the role of security analyst. In addition, this article provides those of you with career interests some additional insight into working in the IT security field.
Cisco has a team of full-time security analysts, also known as IntelliShield Security Analysts, dedicated to providing a thorough analysis of these security events 24/7. The IntelliShield Security Analyst team performs the research, analysis, integration, and correlation of data and information from across Cisco’s Security Intelligence Operations (SIO) and external sources to produce the automated Cisco Security IntelliShield Alert Manager Service. IntelliShield Security Analysts also contribute to the weekly Cyber Risk Reports, Cisco Security blog, Cisco Security Reports, and represent Cisco in multiple security working groups and organizations.
The following questions and answers were taken directly from the interview that I conducted with the IntelliShield Security Analyst team in order to share a closer look into a day in the life of an IntelliShield Security Analyst.
What range of background does an IntelliShield security analyst role have?
A diversity of technical backgrounds, someone who has a breadth of knowledge across multiple systems is directly applicable. Technically, roles such as systems/network administrators get exposed to a variety of technologies and environments, which tends to benefit them. They may also have direct or indirect exposure and experience with different aspects of IT security practices. Non-technically, written/verbal communications and collaboration experience working with a variety of teams proves to be useful in order to work with the broad customer base that we have.
What do they do to come up to speed?
Mentoring from senior members of the team is the primary activity here. There is also continual collaboration between the newer and senior members of the team involved to hone and improve their skills as they come up to speed. There are also industry-specific knowledge and practices that need to be understood and applied.
What do you like most about your role? (i.e. Why would you want to do this)?
You get to do a lot of different things, day-in, day-out. It is highly dynamic. You are always interested in the new events that arise, how they are discovered and investigated at a level of detail just as a detective would. You also have the opportunity to help look out on behalf of others so that they can respond to security events that they might not have otherwise known about.
Can you share some insights on what your day-to-day core activities involve?
The core functions are centered around the Intelligence cycle: collection (monitoring sources and awareness), processing (researching and prioritizing), analysis (collaborating and validating), reporting, and closing the loop by adjusting the collection to the current activity. The day-to-day activities include handling the constant flow of information, data, and events and adjusting to the changes. Into that cycle, we also utilize information from multiple groups at Cisco such as Cisco’s Product Security Incident Response Team and the IPS Signature Development Team to write alerts based on their requirements.
How does your day usually begin?
The Internet doesn’t sleep. Therefore, the initial activity at the beginning of the day starts with getting back into the flow from the previous day and catching up on all of the events that transpired. A typical activity would include checking our source information and determining what actions we need to take. For example, if we identify that vulnerability alerts need to be written, they are assigned preliminary scoring and we mark those as work items and then start on those work items where applicable.
What is a key aspect (i.e. qualitative or quantitative) of being successful?
Focusing on the quality and timeliness of the security intelligence. However, IntelliShield also compounds this challenge given the volume of threats and vulnerability intelligence that it provides. We deliver at both of these levels. Analysts walk a fine line between being timely and providing that high quality reporting: it has to be timely or it’s too late to be useful, but we want to take enough time to provide the quality that only an experienced, knowledgeable human that is thinking about the event can provide. Achieving that balance of timeliness and quality is always a challenge, but it is also a key to our success.
Are there any other aspects of your job that are especially essential as you work with your team members or others that depend on your work?
Communication and collaboration are integral components. In addition, we keep current with new events which must always be top of mind. These areas feed directly into other security analysis activities that we do.
What else can you recommend to others regarding optimizing their practices based on your experience?
There is a lot of incomplete, inaccurate, invalidated, flat out wrong, and malicious information on the Internet. Consumers of that information have to be much more discerning with that information. Focus on getting that first critical security analysis decision right by determining the credibility of the information and the source, multi-sourcing as a common practice, and determining if you trust the information before you do anything else. Apply a fair degree of skepticism to thoroughly vet information. Consistently and thoroughly document your analysis and make it accessible to your intended audience to use. Stay current on your systems/applications as most exploits that are seen are exploits against those that are outdated or have not been patched.
What do you like to do for fun when you are not a practicing IntelliShield Security Analyst?
This multi-talented team works and plays hard. Their diverse off-time covers a broad range of activities including spending as much time as possible with family, remodeling projects around the house, going for a ride on a Harley-Davidson, rock climbing, catching up on reading, board/video games, and working out.
In future articles, I would like to cover similar perspectives on other major roles in security management, such as the incident manager on Cisco’s Product Security Incident Response Team (PSIRT), Security Intelligence Engineer, as well as that of an IPS signature developer.