A Day in the Life of a SOC Analyst: Part 1

Learn what it is like to work as a Security Operations Center (SOC) Analyst at MindPoint Group

This month we’re touching base with Tarik Badour, one of MindPoint Group’s Security Operations Center (SOC) Analysts. This blog is the first of a three-part blog series highlighting some of MindPoint Group’s SOC Analysts. Stay tuned for part two of our series to learn more about what it is like to work as a SOC Analyst. 

Like every morning, I wake up to my alarm clock before the crack of dawn — around 4 a.m. to be exact. I quickly put on my suit and head to catch the train. Since it’s Monday, the commuting crowd is a bit thinner than the rest of the week. I managed to catch the early train, so I arrive at the station around 5:20 a.m., and now I’ve got just enough time to get to the office. It’s 5:30 a.m. now, and I’m standing in front of the building, my badge pressed to the proximity reader. The reader beeps and flashes green as the door unlocks. I go through another round of security once I’m in the building, then head to the elevators to access my floor. As I’m heading to my office, I must stop along the way to put my cell phone and laptop in storage. Since we’re in a highly controlled area, no outside technology is allowed until my shift has ended.

I badge into the secure room that is our Security Operations Center (SOC). As I walk in, the night shift crew looks up. We exchange pleasantries as I put my things down on my desk. I grab my coffee mug from my desk and head back to the kitchen.  I’m a believer that caffeine is a must in any job, but especially so when you work in a SOC and need to be alert at all times!  

Now it’s just about 6 a.m., and I’m ready to start. I’ve logged in, have my tools and email open, caffeine slowly processing into my system, bringing me the rest of the way to fully alert. I begin to receive the turnover from the previous shift. Since it was Sunday, there isn’t much to turn over. Some residual latency from maintenance done over the weekend, but even that is about gone now. I look at my triage channel; currently no alerts. Perfect. Time to get going on the reports due this morning. I open the previous day’s report, update the dates, remove all the graphics, and then go to my first data source. My partner walks in, and we grunt in greeting to each other, neither of us 100% awake at the moment. I continue to pull information for my report. It’s 7 a.m. now, and I send the report to leadership for approval before it is pushed out to all of the executives. I go back to the triage channel, which has been sitting unobserved while my partner and I both produced our respective reports. This division of labor allows us to get things accomplished more efficiently; on Wednesday we will switch who does which report for the day, to ensure we both remain competent and confident on all our requirements.

I see one alert. It’s a custom alert we created to tell us if our security appliance stops feeding information. I open the security console and adjust the time frame: no alerts in the console. Perfect, no issue with the tool, and the alert is marked off as nothing significant to report (NSTR). A new email just came into the inbox, and it looks like leadership approved my email report. I set a delayed delivery for 7:45 a.m. and hit send. I decide to check the SANS ISC diary for the day to see if it’s updated. I see that it was updated with an interesting entry, but not applicable to our environment. I look at triage; the channel is still empty, so I look at the inbox, and there is a request for a policy exception from one of the customers. I create a ticket in our system to track the request and respond to the requestor informing them that we received the request, are processing it, and providing them with the ticket number. I then start to research the site that the requestor is referencing. I enter the site into a couple of different tools so that I can get a variety of reports on it. So far, there is nothing malicious about the website. I use a sandbox to visit the site without risking the network, and everything looks fine there too. I package all my research up into a quick summarization and email the client leadership with the request and my recommendation.
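The custom "appliance stopped feeding" alert mentioned above is a common SOC health check. As an added example that is not from the original post or from MindPoint Group, the Python below flags log sources that have gone quiet for longer than a threshold and separates "stopped" from "never reported"; the log lines, source names and 30-minute threshold are constructed for illustration.

```python
# Added example (not from the original post): a minimal "silent feed" check,
# the kind of custom alert that fires when a security appliance stops sending
# events. All source names and log lines below are constructed.
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample of the newest events per feed, as a SIEM might expose
# them: "<ISO timestamp> <source> <message>".
SAMPLE_EVENTS = """
2023-01-02T05:40:12Z ids-01 alert signature=ET-SCAN
2023-01-02T05:58:03Z ids-01 alert signature=ET-POLICY
2023-01-02T04:10:45Z proxy-01 allow host=example.com
2023-01-02T05:59:30Z fw-01 deny proto=tcp dport=445
""".strip().splitlines()

# Feeds the SOC expects to hear from (constructed; ids-02 never reports).
EXPECTED_SOURCES = ("ids-01", "proxy-01", "fw-01", "ids-02")


def last_seen(lines):
    """Return {source: newest event timestamp} parsed from the log lines."""
    seen = {}
    for line in lines:
        ts_text, source, _message = line.split(" ", 2)
        ts = datetime.strptime(ts_text, TS_FMT)
        if source not in seen or ts > seen[source]:
            seen[source] = ts
    return seen


def silent_sources(lines, now_text, max_gap_minutes, expected=EXPECTED_SOURCES):
    """Map each stale feed to whole minutes of silence, or None if never seen.

    Reporting None for a feed with no events lets the analyst tell a feed
    that stopped from one that was never wired up in the first place.
    """
    now = datetime.strptime(now_text, TS_FMT)
    seen = last_seen(lines)
    stale = {}
    for source in expected:
        if source not in seen:
            stale[source] = None
            continue
        gap_minutes = int((now - seen[source]).total_seconds() // 60)
        if gap_minutes > max_gap_minutes:
            stale[source] = gap_minutes
    return stale


if __name__ == "__main__":
    for src, gap in silent_sources(SAMPLE_EVENTS, "2023-01-02T06:00:00Z", 30).items():
        print(f"{src}: {'never reported' if gap is None else f'silent for {gap} min'}")
```

Triaging the alert then works as in the post: confirm in the appliance's own console whether the feed really stopped or only the pipeline between appliance and SIEM did.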

Now back to triage, where my partner is investigating an alert, and there is a second alert waiting for me. I mark it so that my partner knows I’m working this one, ensuring that we don’t duplicate efforts. I go to the security device that generated the alert, see what the signature is looking for, and open up the packet capture (PCAP) and analyze the traffic. Simultaneously, I start running a query in our SIEM software to see what happened and if there is any correlated traffic that the security appliance missed. As the SIEM query completes, it looks like the security appliance blocked the traffic in question, and there is no additional traffic that causes concern. As I’m annotating and closing out the alert, I go to take a sip of my coffee, and the mug is empty. I look up at the clock, and it’s 9 a.m. Time to make another cup of coffee and check in with the intel team. I haven’t seen anything major in the turnover document, but these guys always have their ears a little closer to the ground. With my mug in hand, I head across the Watch Floor to catch up and see if there are any causes for concern. After our talk, I check back in with my partner to make sure things are still going smoothly. Luckily, everything is going great, but he does need me to respond to the email from one of our customers. It’s a simple policy question, but as the senior analyst between us, I need to field it. The day rolls on following the same general pattern, bouncing back and forth between security alerts, fielding emails, and answering phone calls. I look up, and it’s already 1 p.m. Holy cow, where did the day go?

I start to prepare for the end of the shift. I open our shift turnover document and begin to clear out items that are no longer relevant and add new items to pass along. While I do this, my partner is annotating all of the tickets that we’ve created and gives a brief synopsis for tonight’s executive report. Soon the next shift comes in, and the entire SOC participates in a stand-up meeting. We go around to each team: floor analyst, engineering, intel, insider threat, then each of the clients, the program manager, and finally, the client floor lead. Each team covers what they did that day, including information relevant to another team and anything that needs disseminating. This stand-up limits how much information gets siloed while simultaneously providing a first-pass turnover to the next shift. After the stand-up, I add some information to the turnover document and send it to the incoming group. Meanwhile, my partner creates a list of items generated during our shift. Then I link up with the new shift lead to give him context around everything we’ve sent over, and we discuss any high-priority items that need his attention. After a successful day of work, I head home to enjoy an evening of relaxation before doing it all again tomorrow!