Redscan’s 24/7/365 CREST-accredited cyber Security Operations Centre (SOC) is central to the delivery of our security services to clients.
We asked Samy Denno, the Head of our SOC, to give us an insight into managing a busy security operation and tell us what it takes to start out as an analyst.
Can you explain briefly what a SOC is and its value to organisations?
A Security Operations Centre (SOC) is responsible for overseeing and enhancing an organisation’s cyber security. SOCs typically operate 24/7 and primarily focus on threat detection, analysis and response.
At Redscan, a key part of the job for our SOC team is understanding what threat activity to look for and helping to protect our clients by identifying and responding to suspicious behaviours as early as possible.
What types of threats do you see while monitoring Redscan’s client-base?
Threats are becoming more and more sophisticated in terms of the TTPs (Tactics, Techniques and Procedures) employed. Attackers are now adopting even more innovative ways to bypass detection through obfuscation, encryption and other mechanisms. Ransomware is a huge issue right now, and edge networking vulnerabilities are being targeted by ransomware gangs en masse.
In recent times, we’ve seen a significant uptick in attacks which occur due to cloud misconfigurations and insufficient endpoint protection. Organisations that leave their systems open to the internet risk losing personal and financial information as well as intellectual property.
The cloud has made working remotely easier and more flexible, but companies must ensure they have sufficient controls and protections in place to prevent problems and quickly detect and respond to attacks.
Phishing campaigns are also more widespread and sophisticated than ever. It used to be fairly easy for people to identify a phishing email because of spelling errors and poor grammar, but now we’re seeing better scripted emails and business email compromise attempts which look much more authentic.
By monitoring a broad range of clients, we’re able to apply what we learn in one customer environment against all the other environments we monitor. If we notice a specific type of malicious activity in one customer’s network, we can ensure that rules are in place to detect and contain the same activity across others.
What are the biggest challenges facing Redscan’s SOC?
The goalposts are constantly moving because the tactics and techniques used by cybercriminals are always changing. That’s why we work hand in hand with our red team, our threat intelligence team and our Redscan Labs division to understand the latest methodologies used by attackers such as Advanced Persistent Threat groups and ransomware gangs.
A large customer base means that we can be dealing with hundreds of security alarms on a daily basis. To ensure that we don’t waste time investigating false positives, we keep our processes finely tuned to improve detection accuracy, as well as continually developing the automation capabilities of our CyberOps platform to reduce the volume of repetitive tasks. This allows us to focus on activities such as threat hunting and delivering the types of outcomes which really matter to our clients.
How do you keep Redscan’s SOC working effectively?
We put people first. SOCs can be very busy so it’s important that we make sure our analysts have a good work-life balance. We build in healthy working patterns to promote this and support good mental health.
We also invest significantly in training. Training is not a one-off activity. It’s continuous. We have training certification roadmaps but, through our partnership with Immersive Labs, we also use gamification and lab exercises to enhance education and encourage employees to challenge each other.
We’re always looking at how to improve. In my view, each small step you take towards improvement has a cumulative effect. That’s why every employee in our SOC has a voice and why we’re committed to helping our analysts reach their potential. Regardless of advances in security technology, people remain essential.
What do you enjoy most about working at Redscan?
I really appreciate that our SOC is a team environment where we work closely together and have a sense of camaraderie. I also value the fact that many people in Redscan’s management team have experience of diverse aspects of security. Decision-making is a lot easier because we have a shared understanding of cyber security and are passionate about protecting our clients.
What skills and qualities do you look for when recruiting security analysts?
We look for analysts who combine a passion for security with a detective’s mindset. I’ve always loved detective novels and I really enjoy the investigative work that working in a SOC entails. When interviewing, it’s always good to hear from candidates who write cyber security blogs, take part in Capture the Flag activities or even have their own personal home lab.
To work in a SOC, it’s important to have passion for what you do. I really believe in the saying “If you’re doing what you love, you never work a single day in your life”. This is not really the sort of job where an individual can clock in and clock out because it does have hefty requirements, but they are requirements which aren’t difficult to meet if you love what you’re doing.
Describe your career path
Because my first degree is in Computer Engineering, I initially pursued a career as a telecommunications engineer but found it wasn’t my calling. So, I did a bit of soul searching and realised that cyber security is my real passion. However, that created a chicken and egg situation – I needed cyber security experience to get a cyber security job but I needed a cyber security job to get cyber security experience!
I decided to study for a Master’s degree in Information Security and Privacy. After this, I worked in FTSE-listed companies in travel and telecommunications, and in sectors such as government and managed security service providers, progressing through the ranks to SOC management. In April 2020, I decided to take up my role as Head of SOC here at Redscan.
Because I have walked the same path as our SOC analysts, I understand the challenges they experience so I can quickly identify their strengths and weaknesses and help them adapt, train and improve.
My message to anyone who thinks that working in our SOC sounds like a fit for them is to get in touch! We’re always on the look-out for talented people to join our team. You can find our current vacancies listed on the careers section of our website.