Monzonaut AMA - Dan - Security Operations Analyst 🔒💻

We’re back :tada:

First up in our 2022 AMA series we’ve got @dansec who is a Security Operations Analyst here at Monzo :lock:

I’ve asked Dan for a little bio so we can all get a better understanding on what that job entails and a bit of background on how he got to that position in Monzo

I’m Dan from the SecOps team (security operations). I’m a security operations centre (SOC) analyst and my main role is to detect and respond to security incidents as part of the cyber security incident response team (CSIRT). I work a little bit within the threat intelligence community. Before moving into this role, I worked as a financial crime investigator within our Fincrime team and before that I was a COp starting in November 2020!

I found myself moving towards my current role by getting stuck into an incident one day and helping out. Fast forward to January this year, I got offered a role as a SOC analyst and started officially on the 3rd of January.

Let’s welcome Dan to the Community and ask him some really interesting & weird questions. We’ll be keeping the Topic open until Friday this week :upside_down_face:

7 Likes

I’ll start things off :-

  1. What has been the biggest challenge moving from being a COp to your current position?
  2. Would you rather have baguettes for legs or croissants for feet? :baguette_bread: :croissant:

:thinking:

5 Likes

Great questions!

  1. I found it strange moving from an open availability onto a flexible working contract! When in COps I mostly worked 1pm - 10pm which was on a rota but now I pretty much decide between what hours I would like to work :slightly_smiling_face:

  2. Baguettes for legs :leg:

3 Likes

what does a typical day look like 4 u

2 Likes

Do Monzo have a bug/security bounty program? :eyes:

1 Like

Hey Bee :wave:t2:

Great question :slightly_smiling_face:

The majority of my role is to monitor and respond to security alerts and this is mostly what I do day to day. We gather a lot of different data sources from our different services and a lot of this goes into our security information event management system (SIEM). From the SIEM we then monitor logs checking for anything we may deem to be malicious; it’s then my job to analyse these logs to confirm or deny whether these events are malicious.

As well as the above, I spend some time going through threat intelligence (TI). This is a really cool area which deep dives into threat actors (TA) and exploits and how they could potentially impact the financial services.

I’m also part of the cyber security incident response team (CSIRT) meaning if there is a security incident, I would be one of the analysts responding (mostly in the mitigation part of an incident) :raised_hands:

1 Like

We certainly do! You can check out our HackerOne page here. I promise it’s not Malware :wink:

2 Likes

How many Dans are there at Monzo and what is the median height?

Have you ever found something and gone “Oh shit, this can’t be right?” and then been so glad it was you that found it and not a badman?

2 Likes

Hey Dan @dansec

So is the SIEM run on some form of AI to monitor all these things, spot patterns and alert you? Do you write these automations as well as jump in as a human and make a final judgement call, or is this only with odd/unpredicted outcomes?

I love all this data / security stuff - where would you recommend someone starts their journey should they want a career as a Security Operations Analyst

2 Likes

Hey @Ordog this is a great question and one which confuses a lot of folk (SIEM) :worried:

An AI SIEM does sound pretty cool and there are some cool articles on the subject (I’m afraid our SIEM isn’t controlled by AI). The best way to describe a SIEM is looking at it as a central place for reviewing and searching a lot of data. It could be looked at as a private version of Google search but rather than website results, we have relevant log results.

For actually spotting patterns and alerting us, we mostly use Sigma rules. TLDR; Sigma checks the log sources we are pointing towards it from our SIEM and if a pattern matches one of our rules, we get alerted. The even more fun part about Sigma is the fact you don’t need to be an engineer to write these rules, they are often written by analysts!

As much as automation is amazing and automation is something we strive towards, a lot of these alerts need to be manually reviewed by an analyst. We do have automation in place for outright blocking things, but for those more “could be” scenarios, we check these manually. It’s also worth mentioning that even when outright blocking stuff, reviewing the logs is still great for threat intelligence!

A great course to take when starting out is the Security+ course - this covers a lot of the fundamentals within security operations. Something I’d highly recommend if you have the capacity is creating your own home SIEM. There’s a lot of open source SIEMs such as OSSIM or my preferred choice of using elastic.co. There’s a lot of good tutorials online for creating home-built SIEMs depending on if your router can give you logs.

3 Likes
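Dan’s description of Sigma (a rule lists fields and values, the SIEM’s log sources are checked against it, and a match raises an alert) is easiest to see with a rule actually running over some events. The following is an added example for this thread; it is not Monzo’s tooling and not the official Sigma or pySigma code. It holds a rule in the Sigma YAML layout as a Python dict (so no YAML library is needed), implements a deliberately tiny matcher for the `selection`/`filter`/`condition` pattern, and runs it over a few constructed CloudTrail-style console-login events. The rule and event contents are illustrative, and the modifier and condition support is limited to what the example needs.

```python
"""Minimal Sigma-style rule matcher (added illustration, not Sigma's own tooling)."""
from typing import Any, Dict, List

# Constructed rule in the Sigma layout: a "selection" that must match, a
# "filter" that excludes known-benign cases, and a condition combining them.
# Field names imitate AWS CloudTrail's JSON; the rule is hypothetical.
RULE: Dict[str, Any] = {
    "title": "Console login without MFA (illustrative)",
    "logsource": {"product": "aws", "service": "cloudtrail"},
    "detection": {
        "selection": {
            "eventName": "ConsoleLogin",
            "responseElements.ConsoleLogin": "Success",
            "additionalEventData.MFAUsed": "No",
        },
        # Federated/assumed-role sessions prove MFA upstream, so exclude them.
        "filter": {"userIdentity.type": "AssumedRole"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}

# Constructed sample events (not real log data).
EVENTS: List[Dict[str, Any]] = [
    {"eventID": "evt-1", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "evt-2", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventID": "evt-3", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "AssumedRole", "userName": "sso-session"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventID": "evt-4", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
]


def flatten(event: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn nested JSON into dotted keys so rule fields like a.b can be looked up."""
    flat: Dict[str, Any] = {}
    for key, value in event.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def field_matches(flat: Dict[str, Any], field_spec: str, expected: Any) -> bool:
    """One Sigma key/value pair: 'field' or 'field|modifier'; list values are OR-ed."""
    field, _, modifier = field_spec.partition("|")
    if field not in flat:
        return False
    actual = str(flat[field])
    candidates = expected if isinstance(expected, list) else [expected]
    for value in map(str, candidates):
        if modifier == "" and actual == value:
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
    return False


def search_matches(flat: Dict[str, Any], search: Dict[str, Any]) -> bool:
    """A search identifier (map form): every key/value pair must hold (AND)."""
    return all(field_matches(flat, spec, exp) for spec, exp in search.items())


def eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Tiny condition evaluator: 'not' binds tightest, then 'and', then 'or'."""
    def and_group(group: str) -> bool:
        outcome = True
        for token in group.split(" and "):
            token = token.strip()
            negated = token.startswith("not ")
            name = token[4:].strip() if negated else token
            value = results[name]
            outcome = outcome and (not value if negated else value)
        return outcome
    return any(and_group(g) for g in condition.split(" or "))


def rule_matches(rule: Dict[str, Any], event: Dict[str, Any]) -> bool:
    """Evaluate every named search against the event, then apply the condition."""
    detection = rule["detection"]
    flat = flatten(event)
    results = {name: search_matches(flat, search)
               for name, search in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)


def run_rule(rule: Dict[str, Any], events: List[Dict[str, Any]]) -> List[str]:
    """Return the eventIDs that would raise an alert for this rule."""
    return [e["eventID"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for event_id in run_rule(RULE, EVENTS):
        print(f"ALERT [{RULE['level']}] {RULE['title']}: {event_id}")
```

Only evt-1 fires: evt-2 used MFA, evt-3 is excluded by the filter, and evt-4 never reached a successful login. The point Dan makes about analysts writing rules is visible in the shape of `RULE`: the detection is data (fields and values), and the matcher is the part an engineer builds once.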

For security reasons we’d be unable to confirm the exact Dan status internally or median height :wink:

I’d be lying if I didn’t say every security operations analyst has those “oh no” moments. It’s more so external news you read impacting other businesses rather than what you see or discover internally. I’ve definitely woken up on a morning, read a Bleeping Computer article and scrambled to make sure we’re not impacted by something. Nobody wants to join a security incident meeting with your CISO while wearing PJs!

7 Likes

Did your education prior to Monzo feed directly into this role or has it been a real life evolution?

If you were in a Monzo Battle Royale, how well do you think you’ll do against the fellow AMA guests? :eyes:

2 Likes

How does Monzo ensure SOC staffing if you decide your own hours?

1 Like

Plot twist, I’m still doing part time education. Computer networks and cybersecurity :slightly_smiling_face: Education does definitely help, but in all honesty everything specific to my role I’ve self-learnt. Uni does give you good foundational knowledge and without uni I’d not have the programming skills I have, but I wouldn’t say not doing education would push you back.

If you were in a Monzo Battle Royale, how well do you think you’ll do against the fellow AMA guests?

I hope I’d win, after all my job is to defend :wink:

4 Likes

Hey! We arrange the team around the operational requirements. Some will work later or rotate, others earlier :slightly_smiling_face:

2 Likes

It’s not a bug bounty if nothing is eligible for a bounty, it’s a responsible disclosure ‘policy’ at best.

Any neat Open Source Security tooling you guys use to keep things safe that you’d recommend? And do you guys contribute back towards the Open Source Community? :smiley_cat:

Today is the last day to pick @dansec’s brains.

Mine for today:

Chocolate kept in the fridge or room temperature? :chocolate_bar:

1 Like