Security Analysts play a vital role in our Security Operations Centre (SOC), acting as a virtual extension of our customers’ in-house teams.
SOC Analysts manage and monitor a range of detection technologies to identify, investigate and respond to threats, 24/7/365.
But what does the role of a SOC Analyst actually involve day-to-day, what are the rewards and challenges of the job, and how do people get into it as a career? To find out more, we spoke with SOC Shift Lead, Anthony Howell.
Can you tell us about your route into your role at Redscan?
I’ve always been really into computers. While browsing YouTube, I found myself watching more and more cyber security videos. In Sixth Form, I had the opportunity to take part in the government initiative, Cyber Discovery, and gained a number of SANS Certifications.
I applied to Redscan for some work experience during the pandemic and they reached out to me with an offer, so I decided to go to work rather than to university. I started out as a Junior SOC Analyst before progressing to my current role as a SOC Shift Lead.
What does your job involve day-to-day?
Our primary duty is to respond to security alerts, and then triage and prioritise threats. As a Junior SOC Analyst, my main activities were monitoring the queue within CyberOps, Redscan’s extended detection and response (XDR) platform, which is where all of our incidents come into and are analysed. If an incident does prove to be malicious, we will raise it to the customer and work with them to respond and mitigate the threat. With Redscan’s services being so broad-ranging, there’s a lot of variation.
Since the acquisition by Kroll, Junior SOC Analysts also support their incident response engagements when monitoring is put in place for the compromised environment. That’s really interesting because it’s more likely for the issue to be serious as it’s what the system is designed to find. It’s a great opportunity for Junior SOC Analysts to see that side of things.
As a SOC Shift Lead, my day starts with doing the handover from the previous shift, making sure that the key information is noted down, ready to be presented in our stand-up call with the whole SOC team. After that, it’s a case of going through the previous day’s alarm volumes, identifying the pain points and assessing what we can do to get rid of unwanted alarms.
What else do you do?
Every month we have custom training goals, based around customer objectives, using platforms such as Immersive Labs. We also create runbooks which are walk-throughs for specific alert-types to help anyone in the SOC who may deal with that particular alert in the future to understand it more quickly.
Alongside monitoring the alerts that come in and assessing whether they are malicious, my role also includes overseeing the work of the Junior Analysts in our team. This includes undertaking ticket reviews in which we choose a ticket from an Analyst at random and give feedback on it to ensure that all the information that is required is in there. If there’s any information missing, I go back to the Analyst and discuss what can be done to improve.
We also use these reviews as an escalation point, so if there’s something a Junior Analyst doesn’t understand or if there’s a very high priority issue which needs to be shared with a customer, it will be my job to engage with the Senior Analysts and agree what actions need to be taken next.
Which other Redscan teams do you work with?
We’re really close with the Threat Intelligence and Engineering teams. With the engineers, it’s all about availability – what’s happening with customers, what’s down and the internal platforms involved. Threat intelligence is very important for keeping us informed about emerging threats.
My role also involves working with the Senior Analysts, either in Incident Response or Threat Hunting. Whenever we identify that an actual attack is taking place, they perform the research and can stop the attack by isolating the network, contacting the client and letting them know what’s going on. The Threat Hunting team write the rules for detection which trigger whenever an event takes place.
What are the most important skills or qualities for your job?
You need a passion for cyber security and to be interested enough to want to understand the granularities of what’s going on, and the drive to identify which steps are required to address specific issues. It’s really important to be able to think outside the box. But you also need to be able to analyse issues in a logical order because there is usually a set process in dealing with a cyber-attack.
Having the ability and drive to undertake research is also valuable to keep up with emerging threats. In the SOC Shift Lead role, having the interpersonal skills to work well with customers is very important.
What is the most rewarding aspect of your role?
As a Junior SOC Analyst, I enjoyed the investigations into different alarms: finding the actual reason why something happened and how it took place. It was great to know that we had found a threat very early on in the process, ensuring that they hadn’t been able to deploy a late-stage attack such as ransomware.
As a SOC Shift Lead, the most rewarding aspect of the job for me is going through past tickets and giving feedback to Junior Analysts, helping everyone to improve and keeping the SOC working at its best.
What do you find most challenging about your job?
As a Junior SOC Analyst, I found the most challenging aspect was the fact that some alerts are more difficult than others because they are extremely obscure. In these instances, we had to go into multiple different security platforms and identify which logs are relevant and which are not in order to get a better understanding of what’s going on. Working through multiple systems to pick out what is and isn’t important can be a complex puzzle.
As my current job is a lot more customer-facing, the most challenging aspect is trying to get further insight if a Junior Analyst has missed something or if there is something we haven’t seen before. We need to analyse it and get as much information as possible so that we know which steps to take next.
How would you like your role to develop in the future?
As a Junior SOC Analyst, my goal was to continue to train up, get my certifications and move up within the company to eventually become a Senior Analyst and help out with those major incidents.
However, I think since my role has changed, my goals have changed slightly too. Now, I’m thinking about one of two great paths: either a Senior Analyst role as I thought about before – or an Incident Response role. Or I may look at becoming a Senior Analyst and then moving into Incident Response after that.
What advice would you give to someone looking to get into this area of cyber security?
Make the most of external resources like Hack The Box and TryHackMe. I would also say that it’s good to have the ideology of a penetration tester. Thinking about how attackers behave shows you what to look out for and what actions to take.
How has working for Redscan improved your knowledge of cyber security?
Redscan has offered me lots of opportunities to complete certifications and follow a defined training path. The company has also provided the chance to experience training environments, like Immersive Labs, that give you scenarios to go into and solve. Seeing active threats in the wild, as part of the day-to-day job, also helps us better understand how things work.
What difference do you think your role makes to customers?
This role isn’t just technical. It’s not just about looking at information on a computer: what we do can protect a company against going out of business or not being able to operate for weeks or months and losing revenue. It’s a nice feeling when customers come back to us and say thank you – or if they ask a question and we can help them. It’s good knowing you’ve made a difference and made it easier for them to identify whatever they need to do.
If you’d like to learn more about working in our SOC, or any other area of the business, please don’t hesitate to get in touch, or browse our latest job opportunities.