First up in our 2022 AMA series we’ve got @dansec who is a Security Operations Analyst here at Monzo
I’ve asked Dan for a little bio so we can all get a better understanding of what that job entails and a bit of background on how he got to that position in Monzo
I’m Dan from the SecOps team (security operations). I’m a security operations centre (SOC) analyst and my main role is to detect and respond to security incidents as part of the cyber security incident response team (CSIRT). I work a little bit within the threat intelligence community. Before moving into this role, I worked as a financial crime investigator within our Fincrime team and before that I was a COp starting in November 2020!
I found myself moving towards my current role by getting stuck into an incident one day and helping out. Fast forward to January this year, I got offered a role as a SOC analyst and started officially on the 3rd of January.
Let’s welcome Dan to the Community and ask him some really interesting & weird questions. We’ll be keeping the Topic open until Friday this week
I found it strange moving from an open availability onto a flexible working contract! When in COps I mostly worked 1pm - 10pm which was on a rota but now I pretty much decide between what hours I would like to work
The majority of my role is to monitor and respond to security alerts and this is mostly what I do day to day. We gather a lot of different data sources from our different services and a lot of this goes into our security information and event management system (SIEM). From the SIEM we then monitor logs checking for anything we may deem to be malicious; it’s then my job to analyse these logs to confirm or deny whether these events are malicious.
As well as the above, I spend some time going through threat intelligence (TI). This is a really cool area which deep dives into threat actors (TA) and exploits and how they could potentially impact the financial services.
I’m also part of the cyber security incident response team (CSIRT) meaning if there is a security incident, I would be one of the analysts responding (mostly in the mitigation part of an incident)
So is the SIEM run on some form of AI to monitor all these things, spot patterns and alert you? Do you write these automations as well as jump in as a human and make a final judgement call, or is this only with odd/unpredicted outcomes?
I love all this data / security stuff - where would you recommend someone starts their journey should they want a career as a Security Operations Analyst
Hey @Ordog this is a great question and one which confuses a lot of folk (SIEM)
An AI SIEM does sound pretty cool and there are some cool articles on the subject (I’m afraid our SIEM isn’t controlled by AI). The best way to describe a SIEM is looking at it as a central place for reviewing and searching a lot of data. It could be looked at as a private version of Google search but rather than website results, we have relevant log results.
For actually spotting patterns and alerting us, we mostly use Sigma rules. TL;DR: Sigma checks the log sources we are pointing towards it from our SIEM and if a pattern matches one of our rules, we get alerted. The even more fun part about Sigma is the fact you don’t need to be an engineer to write these rules; they are often written by analysts!
As much as automation is amazing and automation is something we strive towards, a lot of these alerts need to be manually reviewed by an analyst. We do have automation in place for outright blocking things, but for those more “could be” scenarios, we check these manually. It’s also worth mentioning that even when outright blocking stuff, reviewing the logs is still great for threat intelligence!
A great course to take when starting out is the Security+ course - this covers a lot of the fundamentals within security operations. Something I’d highly recommend if you have the capacity is creating your own home SIEM. There’s a lot of open source SIEMs such as OSSIM or my preferred choice of using elastic.co. There’s a lot of good tutorials online for creating home-built SIEMs depending on if your router can give you logs.
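To make the Sigma description above concrete, here is an added example (not Monzo’s code and not the Sigma project’s tooling) of the detection logic a Sigma rule expresses. A real Sigma rule is a YAML file that a converter turns into a SIEM query; the rule below is written in the same title/logsource/detection/level layout but as a Python dict, and the small evaluator, the process-creation field names and the sample events are all constructed for this example so it runs offline.

```python
"""Toy Sigma-style rule evaluator.

Added example, not Monzo's or the Sigma project's code. Real Sigma rules are
YAML converted into a SIEM query by a backend; this evaluator applies the same
detection semantics (field selections, |modifiers, a boolean condition) to
constructed sample events so the match can be followed end to end.
"""
import fnmatch
from typing import Dict, List

# Constructed rule in the Sigma layout. Field names follow the usual
# process-creation conventions (Image, ParentImage, CommandLine).
RULE = {
    "title": "Shell spawned by a web server process",
    "logsource": {"category": "process_creation", "product": "linux"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["/nginx", "/apache2", "/httpd"],
            "Image|endswith": ["/sh", "/bash", "/dash"],
        },
        # Known-good maintenance script that would otherwise be noisy.
        "filter": {"CommandLine|contains": "healthcheck.sh"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed sample events standing in for SIEM log records.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": "/usr/sbin/nginx", "Image": "/bin/sh", "CommandLine": "sh -c id"},
    {"id": 2, "ParentImage": "/usr/sbin/nginx", "Image": "/bin/sh", "CommandLine": "sh /opt/app/healthcheck.sh"},
    {"id": 3, "ParentImage": "/usr/bin/bash", "Image": "/bin/sh", "CommandLine": "sh -c id"},
    {"id": 4, "ParentImage": "/usr/sbin/apache2", "Image": "/usr/bin/bash", "CommandLine": "bash -c hostname"},
]


def _match_value(actual: str, expected: str, modifier: str) -> bool:
    """Apply one Sigma-style value modifier; no modifier means a wildcard match."""
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    return fnmatch.fnmatchcase(actual, expected)


def _match_selection(event: Dict[str, object], selection: Dict[str, object]) -> bool:
    """All fields in a selection must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = str(event.get(field, ""))
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(actual, str(v), modifier) for v in values):
            return False
    return True


def _eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Evaluate a condition made of selection names, 'and', 'or' and 'not'.
    (The '1 of selection*' style aggregations are not supported here.)"""
    tokens = condition.split()
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def parse_or() -> bool:
        nonlocal pos
        value = parse_and()
        while peek() == "or":
            pos += 1
            rhs = parse_and()
            value = value or rhs
        return value

    def parse_and() -> bool:
        nonlocal pos
        value = parse_not()
        while peek() == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not() -> bool:
        nonlocal pos
        if peek() == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]

    return parse_or()


def evaluate(rule: Dict[str, object], event: Dict[str, object]) -> bool:
    """True when the event satisfies the rule's detection condition."""
    detection = rule["detection"]
    results = {name: _match_selection(event, sel)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def alerts(rule: Dict[str, object], events: List[Dict[str, object]]) -> List[int]:
    """Return the ids of events that would raise this rule as an alert."""
    return [int(e["id"]) for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for event_id in alerts(RULE, SAMPLE_EVENTS):
        print(f"[{RULE['level']}] {RULE['title']}: event {event_id}")
```

Events 1 and 4 alert; event 2 is suppressed by the filter selection and event 3 never matches because its parent is not a web server. This is the shape of the analyst-written rule the post describes: the selection says what to look for, the filter carves out the known-good case, and the alert still goes to a person for review.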
For security reasons we’d be unable to confirm the exact Dan status internally or median height
I’d be lying if I didn’t say every security operations analyst has those “oh no” moments. It’s more so external news you read impacting other businesses rather than what you see or discover internally. I’ve definitely woken up on a morning, read a Bleeping Computer article and scrambled to make sure we’re not impacted by something. Nobody wants to join a security incident meeting with your CISO while wearing PJs!
Plot twist, I’m still doing part-time education. Computer networks and cybersecurity education does definitely help, but in all honesty everything specific to my role I’ve self-learnt. Uni does give you good foundational knowledge and without uni I’d not have the programming skills I have, but I wouldn’t say not doing education would push you back.
If you were in a Monzo Battle Royale, how well do you think you’ll do against the fellow AMA guests?
Any neat Open Source Security tooling you guys use to keep things safe that you’d recommend? And do you guys contribute back towards the Open Source Community?
I’ve read that the government is urging companies to prepare for cyber attacks as part of the fallout of the war in Ukraine. Have you had to do anything in particular?