
[Laughter] No, we're good. Okay, so we're going to talk about a day in the life of a security analyst. So I'm curious, how many people here... I want to get an idea of the audience, so I want to know how many people are already in cyber security and how many people are either getting into it or just starting out their career. So if you're getting into it right now or just starting out your career, raise your hand. A couple. Good, good, this is a good one for you. If you've been in cyber security for a while, raise your hand. Okay, that's everybody. If somebody didn't raise their hand either time I was going to be like, why are you here? This is a strange one for you.

Okay, so in cyber security there are three main job categories that we talk about. The first one is blue team, which is defensive security. The second one is red team, which is offensive security. And the third one is GRC, governance, risk and compliance, so those are basically the auditors. A lot of times at events like this we focus a lot on red team stuff: they'll have capture the flag, and they'll have presentations about hacking and all this kind of red team oriented stuff. But when you look at the number of cyber security jobs that are out there, the majority are actually blue team roles. I couldn't nail down
the exact number, but it's definitely the majority; potentially as high as 80% of roles in cyber security are blue team roles. So I thought it'd be good to have one session that just focuses on what you do as a blue teamer. What does your day-to-day look like? What are the tasks that you're doing? It's not all, you know, sitting in a basement with a hoodie hacking the Pentagon or whatever, right? So that's what this presentation is going to be about.

I want to give you just a little background about who I am so you know where I'm coming from. My name is Josh Boes. I'm the VP of cyber security and operations at the Larry H. Miller Company, and I've got a degree in cyber and a CISSP and a whole bunch of certs and stuff like that, so I'm kind of a nerd. And you can see I threw a picture of my daughter up there; she's adorable. A lot of times people have pictures of themselves, but you can see my face here, so I thought that was a better use of the space.

So I work for the Larry H. Miller Company, which, if you're from around here, you're probably familiar with. They used to own the Utah Jazz and a bunch of car dealerships. They sold those, and now they own a whole bunch of different organizations. So they have platforms, which is that middle row, those yellow ones, and then below that are individual organizations, and I work at the blue level, the top level, right? So my job is to look at all these other organizations and measure how well they're protecting their infrastructure in terms of cyber security. So we measure, and then we also support those organizations. So we'll hire blue team, like security analysts, that are dedicated to those platforms or organizations and help them out. So we have a small team that helps out with these. And also, like I said, the intent here is for you to get an idea of what it's like to be on a blue
team. If you have any questions, just holler. I would really appreciate some interaction.

So the main thing that we're going to talk about is the day-to-day tasks. We've got responding to alerts, project work, being a subject matter expert, and studying, and I'll go in depth into each one of these things.

The first one is responding to alerts. So our cyber security analysts spend a lot of their time looking, like on this graphic (I hate having to turn around like this, I'll gesture behind me at the graphic back here), you can see some of the systems that we use to protect our infrastructure. So we've got vulnerability management, endpoint protection, IPS and IDS. All those feed into a ticketing system, and then the cyber security analyst will get those alerts and then they have to research them. If you've worked on a help desk, you know that you'll get a ticket and you'll work on it for five minutes and then move on to the next one. It's not like that. Typically what we do is we have to figure out if it's a legitimate alert. We have to confirm it ourselves. We have to do some more research around what else it could be impacting. So we get that ticket, we research it, and if it's legitimate we'll pass it on. So for example, vulnerability management: we'll scan our website and we find that there's a misconfiguration in WordPress or something. So we'll confirm it ourselves, and then we'll send that work on to the developers and say, hey, you need to fix this configuration. They'll do it, and then they'll send us back an email and say we're done, and then we have to confirm. So that's a lot of the work. Probably half of their day is spent responding to alerts, researching this stuff, all that sort of thing.

The next is projects. So we have several different types of project work, and the first is improving technical tools. So, does anyone know the name for this yellow thing right here in an email? Email warning tag? Yeah, I don't
actually know, so that's the name. Great. I always call it a banner; I think that's another name for it. But yeah, the reason that we have this is so that someone doesn't send an email that's from, you know, your CIO at your company with one misspelling, comom, hey, can you wire me the funds, blah blah blah, right? So this will catch that and it will throw that banner up, and someone will say, you're not really the CEO, you're somebody else, you're from an external organization. So we deployed a new email protection suite, and we had to figure out how we are going to do this email banner. What's the way that we can do it that's most effective? Because if it's too long people are going to ignore it, and if it's too short they're also going to ignore it. Like, what's the right length? So what do you guys think is a good... how do you get people's attention without annoying them? Shout something out. You got something with a banner? Yeah, like what wording would you use? Trey had some.

Yeah, that's... rotating is genius. Yeah, that's true, and we have ours set up, you know, it's one of those fancy new AI ones, so it will only do it when it reaches a certain reputation level, right? But yeah, I really like the idea of rotating, and we did the same thing. So we got together as a team, one of our team members did a bunch of research into the academic, uh, what was available, presented it to all of us, and we decided here's how we're going to do it. So improving tools is a big thing that you spend your time on. Not just this email tool, but every tool that you use: you learn it and
get better and improve the way you use it.

Improving processes. So here's another example. If we've got improving technical tools, this is improving the people-based things. So this is, you can't see it very well, on the left-hand side we have a table that shows the sequence of events in an incident. So we had a priority one incident where Wi-Fi went down for one entire floor of our main headquarters. This is a fairly short one, and it just goes down: here's everything that happened, here's who reported it, blah blah blah. So any time we have a P1 incident like that, we do a postmortem, and we collect this timeline, and then afterwards we meet with everyone that was involved and we answer these questions and do this analysis to try and figure out how we can make it so that outage never happens again. You'll also notice that the last couple of questions are about our incident response plan. So not only are we trying to improve the technical controls around that specific failure, but we want to make sure that, sorry, next time we're addressing this sort of thing, next time we have a P1, we do it a little better than last time. So improving technical controls was the first project work, improving processes, and then improving documentation is the third one.

So this is an example. At BSides SLC I talked about writing good documentation, and I used the example of an incident response plan. I talked about how our very first incident response plan was delivered to us by a consultant, and it was like 16 pages long. In the midst of a P1 no one is going to refer to it, and no one's going to memorize it beforehand, so it was basically useless for us. So we took that 16 pages and we narrowed it down to three pages, and then we tried it like that for a while, and it definitely worked better, but the help desk still had a hard time because they had a lot of turnover. So we narrowed it down to a one-page cheat sheet that we just pasted on the walls in the help desk, so that any time there was a priority one thing they knew exactly where to look, and it was all there for them, right? So a lot of time on the blue team is spent improving your documentation as well.

Another thing is you work as a subject matter expert, both within the IT department and with the business. So we've got a bunch of questions and I want you guys to answer them for me. The first one is a question you might get from a user: is it okay to store passwords in a shared Excel document? How would you respond to
this? No. Okay, now, like, we all know no is the obvious answer, but how would you respond in a way that doesn't make them feel stupid? What would you say to them? Ah, give them an alternative, yeah, that's a really good one. Say, we don't do that, but we do, like, we pay for a password tool, right, a password manager. Great, that's a good one.

All right. Do I really need to restart my computer to install updates? Yes, the answer is yes. How are you going to... but the user that's coming to you is the CEO. This has never happened to me, our CEO is very tech savvy, but let's say a CEO comes to you and says, I really don't want to reset my computer, man, it takes me away from important deal making I've got to do. What do you say to them?

Yeah, that's a good one. Why you... yeah, that's crazy. Yeah, that's fantastic. So you can reframe it and tell them why it's actually good for them if you do it. This is where I like to trot out statistics sometimes, and I'll say, you know, 60% of attacks or more involve unpatched software, so if you just reboot this when you're heading home, when you're not thinking about it, you're reducing our risk 60%. That's pretty big. And then they go, oh, okay, I don't like risk. Nobody likes risk.

How much would it cost if we got
hacked? This is a question I've been asked a lot. Users ask me. I don't know. There are ways to estimate it, so one methodology is called FAIR, and there's other organizations that do that. So this is something, like when we're reporting to upper management, that's the one question they want: how much will it cost us? They want to see dollar signs, and we need to be able to come back with something that actually makes sense, that's not needlessly alarming but that helps them understand the magnitude of the risk, right? So when you're the subject matter expert and you're interacting with users, it requires a lot more finesse than you might think. It requires a lot more of those people skills, right? That's one of the reasons why I love working on a blue team: I really enjoy taking complex subjects and helping people that aren't as versed with them understand them. So I really like that aspect of it.

Now, is anyone in here familiar with PCI? A couple of hands. This is a developer asking: how important is migrating off TLS 1.1 for cardholder data transmission? Can it wait until next year? No, you're correct, it cannot wait till next year. So you have to be on 1.2 or above, because 1.1 has all these things, right? And that's another thing where, in talking to them, we never want to say just a blanket no. So we would say it's required by PCI, the fines for not being compliant are this much, if the business wants to pay those fines then they can do it and they understand the risk, and also we might get breached, but we want to make sure they understand, right? Is important... why is... oh yeah, is that what you would tell them, or are you asking me? Yeah, and we can talk about... yeah.

Yeah, yeah, yeah, yeah, exactly. Thank you. Okay, how often should we require that users change their passwords? What do you guys
think? Daily? You're going to be really popular with the users.

Yeah, yeah, that's a good question.

Yeah.

Yeah, yeah. Trey, raise your hand.

Yeah.

Yeah, and that's a good point, that the frequency you should rotate it depends a lot on the sensitivity of what you're protecting, right? Yeah, yeah, definitely. And that's a great point.

Okay, so that perfectly segues into the last subject, which is studying. Cyber security is something that changes on a daily basis, right? Even something as simple as how often you should change your password: you will get one set of answers from one government organization or standard and another from a different one, and the best practices are constantly changing and evolving, right? So if you got your degree in cyber or you got your CISSP 10 years ago or whatever, and then you're like,
great, I'm done, I never have to touch the books again, then you're going to be using outdated information. And the IT department, like the IT operations team, will come to you and say, hey, what should we set this policy to for password rotation, and you'll confidently say 90 days, and it's advice that's 10 years out of date, right? So studying is a really important part of any cyber security person's job, but especially on the blue team, where you're a subject matter expert, where you need to provide that information to other people, where you may be the one source in that whole organization that's focused on cyber security. So for our team we encourage them to do an hour of study every day. Some people don't like that, and they want to do a half hour once a week or a half day once a week, which is fine too. And then we provide training materials and reimburse for certifications. So studying, continuously studying, is so important.

So when we look at what a person on the blue team actually does, I broke it down. We've got, you know, maybe up to half their time is responding to alerts, sometimes less, sometimes more. And then the rest is broken down between studying, being a subject matter expert and advising other teams, and working on project work, and we talked about improving technical tools, processes, as well as documentation. So that's the other thing that's great about working on a blue team: there's this wide variety of stuff that you do on a day-to-day basis, right? Some of it is really intense research that's highly technical, and then other parts are just talking to somebody or training an end user, right, like teaching them how to make a good password. So I really like the variety that you get as a member of a blue team. What questions do you guys have about working on a blue team in cyber security?
Whatever... tabletops? So we do tabletops every quarter at least, but if we have an incident where we use our incident response plan and we do a postmortem, we also do those. So yeah, every single incident. And I feel like those are... I don't know, if we do those a bunch throughout the year, we'll still do a tabletop at least every six months. What else?

Uh, you mean like other people I work with, or people, the general public? Honestly, I feel like the mystique of cyber security is beneficial, because everyone goes, ah, that's very complicated, yes, we should listen, you know. So it's not that big a problem, I feel like. But I'm also like, our organization is really supportive and I really appreciate it. Other organizations can be a bit more dismissive. What else?

Yeah.

Yeah, not as often as I'd like, for sure. And definitely my role leans more towards the GRC, where I'm supervising the audits and then reporting on them to the board or whatever, right? So yeah, not a lot. I do occasionally. What I really like is that I serve as a second set of eyes on most of the stuff that our team's doing. So we'll say, okay, we're looking for a new MDM solution, and they'll write a report and do all the research, and then we get to review it together and actually make decisions. I really like that part. Anything else? No? Okay, great. I think we're right about on time, well, we're a little early, if someone's looking.
Yeah, uh, this is a great softball question, I appreciate it, really teed me up there. Okay, this is going to be different, so you tell me if you think something different, but for our organization all we care about is that you are actively studying to become a junior analyst. So if you have your Security+ or Network+ and you're working on, you know, CySA+, or you're studying for your bachelor's degree, those are the type of people that we hire. And it's worked really well over the past year: we've had three of our team members get their bachelor's, we've had like 14 certifications. So we just hire for people that are passionate about it and that are learning, and that's way more important than any specific credential. But if you want a credential, Security+, Network+, CySA+, PenTest+, whatever. Would you say differently?

Yeah, yeah, yeah, I definitely agree. And yeah, Security+ just gives you that... yep, their interest, and they're willing to work on their own. That's really important. Any other questions?

Yeah, I don't know, I think I'm a weirdo, so I really like... I'm happy with my job and I'm not super looking towards the next step. Obviously I think the traditional career thing would be like a CISO role or whatever. Or CISO, or CISO? Yeah, yeah, yeah, that's true. Although I think the risk gets overblown a little bit, because we see a few CISOs that get held personally liable, and that's like three of 10,000. So we had a good discussion about this, and I'm part of a CISO group, and they were talking about how as long as you're not negligent you're pretty well protected, which is, you know, great for me. Anything else? Okay, I really appreciate you guys' questions. If you want to, feel free to reach out afterwards or add me on LinkedIn or whatever. I'm always happy to talk about it. Thank you.