Girls Re-Imagining Tomorrow
Day in the life: Security Analyst
GET /trending
In cyber security, keeping fresh on the latest information is vital to making fast and informed decisions about whether there is action you need to take to improve or maintain your cybersecurity posture. Analysts typically source their own favorite cybersecurity news sources and peruse them before kicking off the day.
Oftentimes, the day starts with perusing the latest news from blogs, news sites, and even Reddit!
CyberSecurity Short List:
KrebsOnSecurity
ArsTechnica
Security Affairs
SANS Internet Storm Center
Schneier on Security
The Hacker News
GET /investigating
Each day, security analysts sit down to a list of alerts generated by our security tools. I like to think of this as the Sherlock Holmes part of my day.
For each alert, we perform an investigation to understand whether the activity is malicious and if it requires response or escalation.
In many cases alerts direct our attention to benign activity that is expected in the environment.
In the event that we detect a True Positive, activity that generated an alert and is confirmed or suspected to be malicious, we initiate our incident response procedures.
These response procedures pull security leaders and experts into the conversation, create spaces to collaborate with folks outside security who may have knowledge or insights to share, and set standards for how we react, remediate, and report the event.
POST /threat_hunting
After responding to the alert queue, analysts may be responsible for a wide variety of security related activities.
Threat hunts involve generating a hypothesis or using existing threat intelligence to identify previously unknown threats in the environment. For example, the Code42 security team meets on a frequent basis to discuss public security incident disclosures and identify how we are or are not vulnerable to a similar situation.
If we identify that we may be vulnerable, the security operations team (where analysts most often reside) takes away a task to hunt for that kind of activity in our environment. If none is found, we establish a new alert to detect the activity if it ever does happen.
In an ideal world, if we don't find the activity, we will also generate "mock" activity to trigger the alert and confirm that our detection will work in a real-world scenario.
POST /automating
For every action performed in a system, one or more logs are generated. This means that there is a huge amount of data to monitor and lots of activity that can generate detections/alerts.
Even with a large security team, humans can easily get overwhelmed with the volume of stuff that happens every day, and on a really spicy day... it can be extra hard to keep up!
Because of this, security analysts are increasingly putting their minds to automating many parts of their job. Here at Code42, we have an automation tool called XSOAR that lets us write step-by-step playbooks to automatically add context to alerts or even close them automatically if everything checks out.
The great thing about SOAR (general name for tools like XSOAR) is that they allow both code and no-code programming to get the job done. No matter how much skill or knowledge a security team has with code, a security orchestration, automation, and response tool can accelerate their ability to respond and enable them to do more than just process tickets all day long!
The issue statistics get me excited because in them I see opportunity. The goal is never to automate away everything, because some security alerts just *need* that special human touch.
Rather, the opportunity that I see here is to understand why those benign tickets were marked that way by a human and whether a computer can be taught to understand and act. If not, what information can computers gather for us to provide humans immediate context to make well-informed decisions without needing to visit every tool in the security stack?
(This is my favorite part, can you tell? :D )
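An added example, not code from this post or from Code42, that models the loop the threat hunting and automating sections describe: a hunt hypothesis becomes a detection rule, a playbook enriches each hit and auto-closes it only when a human-documented benign reason applies, and a constructed "mock" event proves the rule fires. The events, hosts, tool names and the rule itself are all hypothetical.

```python
from __future__ import annotations

# Constructed sample process-creation events from a hypothetical EDR.
SAMPLE_LOGS = [
    {"host": "build-01", "user": "svc-ci", "parent": "jenkins", "process": "curl",
     "cmd": "curl https://artifacts.example.internal/pkg.tgz"},
    {"host": "laptop-17", "user": "alice", "parent": "winword", "process": "curl",
     "cmd": "curl http://example.invalid/update.sh"},
    {"host": "laptop-22", "user": "bob", "parent": "explorer", "process": "chrome",
     "cmd": "chrome"},
]

# Hunt hypothesis turned into a rule: a command-line download tool fetching a URL.
DOWNLOAD_TOOLS = {"curl", "wget", "certutil"}
OFFICE_APPS = {"winword", "excel", "powerpnt", "outlook"}

def rule_download_tool(event: dict) -> bool:
    """Detection rule: fires when a download tool runs with a URL argument."""
    return event["process"] in DOWNLOAD_TOOLS and "://" in event["cmd"]

def hunt(logs: list[dict], rule) -> list[dict]:
    """Threat hunt: run the rule over historical logs and return the hits."""
    return [e for e in logs if rule(e)]

# What a human learned when closing earlier tickets: (host, parent) -> why benign.
# Only documented reasons are eligible for auto-close; everything else escalates.
BENIGN_REASONS = {
    ("build-01", "jenkins"): "CI build host pulls artifacts from the internal repo",
}

def playbook(event: dict) -> dict:
    """SOAR-style playbook: enrich the alert with context, then close or escalate."""
    alert = {"event": event, "context": {}, "status": "open"}
    alert["context"]["asset_role"] = "server" if event["host"].startswith("build-") else "workstation"
    alert["context"]["parent_is_office_app"] = event["parent"] in OFFICE_APPS
    reason = BENIGN_REASONS.get((event["host"], event["parent"]))
    if reason and not alert["context"]["parent_is_office_app"]:
        alert["status"], alert["closed_reason"] = "closed_benign", reason
    else:
        alert["status"] = "escalate"  # needs the human touch
    return alert

def mock_event() -> dict:
    """Constructed 'mock' activity: generated on purpose to prove the detection fires."""
    return {"host": "test-host", "user": "tester", "parent": "excel", "process": "wget",
            "cmd": "wget http://example.invalid/detection-test"}

def run_pipeline(logs: list[dict]) -> list[dict]:
    """Hunt, then feed every hit through the playbook."""
    return [playbook(e) for e in hunt(logs, rule_download_tool)]
```

Running `run_pipeline(SAMPLE_LOGS)` closes the CI host's alert with its recorded reason and escalates the workstation hit with the enrichment already attached, while `rule_download_tool(mock_event())` confirms the detection works before it is relied on.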
GET /learning
Whether the training is formal or informal, for a security analyst every day is about learning. We strive to gain expertise, but we maintain a beginner's mindset and enthusiasm for gaining new knowledge.
The field of security is vast, and there is no person among us who would claim to be an expert in all of it. And if they did, security folks would do one of the things we do best: get suspicious and ask lots of questions.
Being a security analyst means facing each day open to learning something new about technology, the world, or heck even yourself.
Formal training can be a huge boon that complements informal training, but it can be really expensive.
Informal security training is available everywhere these days. The challenge now is to find training that is both quality and financially accessible.
I love Black Hills Security out of South Dakota. Their founder, John Strand, is a security professional who lives and breathes by ethical standards of equity and inclusion. Their training service, Antisyphon, offers quality training on a pay-what-you-can model to make cyber security training accessible to everyone.
Whether you go the route of formal or informal training, security is all about choosing a lifetime of learning and growth.
PUT /irl
One of my favorite things about working in security is that every human I have ever met or worked with in this space has vibrant and fascinating interests outside of work. The same curiosity that drives us to get to the bottom of how a security event happened can also drive us to wonder about airplanes and how they work, the human mind and how it works, or heck anything that strikes our fancy!
Outside of Code42, I am a Group Fitness Instructor for kickboxing and strength training at a Twin Cities gym. Physical fitness is extra important when we take on roles that keep us behind desks and in front of computers all day, and with hybrid or fully remote work environments, gyms can provide socialization that I may not otherwise get from my workplace.
Our family is two humans and two rescue pups. One of our rescues is an extremely reactive boi, so we have participated in lots of dog training classes to train us on how to help him face the world with more courage and less borking.
Lately, books have been my obsession. I used to listen to podcasts constantly, but ever since my partner got into reading books, he's had tons of interesting conversation to share. I was inspired by him to get into reading again, and I am absolutely hooked. My favorite topics are the altar of the human (how we work, what makes us happy, what it means to live a good life), history, anti-racism, and fiction.
Top recommendations of late:
The Courage to be Disliked by Ichiro Kishimi and Fumitake Koga
1491 by Charles C. Mann
The Body Keeps the Score by Bessel A. Van der Kolk
The Parable of the Sower/The Parable of the Talents by Octavia E. Butler
White Fragility/Nice Racism by Robin DiAngelo
The Bluest Eye by Toni Morrison
Unmasking Autism by Devon Price PhD