The infamous question: “So, what do you do for a living?”. The dreaded reply after my answer: “What’s a security analyst do exactly?”. After attempting to answer this basic question on numerous occasions it became apparent that the answer is more suble than one would think. What do security analysts do?The easy answer to Joe Average is akin to “I keep the hackers out”. This gives the fun answer that creates mental images of outwitting spys and subverting corporate espianage.
Another boiled down answer is “I keep the operational tools running to keep security in place”. That’s closer to the truth. The hard part with operations is inadvertently forgetting the means is for the ends. Or, more accurately the end goal is to create more security, not maintain the tools that keep the security.
How does one keep a high maintenance level of tools as well as keeping the end goal of security intact? Proxy, IDS, IPS, Firewall, AntiVirus, the buzzword list is infinite. The chances of these tools integrating together is slim as well. Just keeping patches current in a big environment is a task in itself, it is extremely easy to go from day to day on maintaining these tools and not utilizing them.
Each security shop is different, but to those that both maintain and use their toolset must examine their priorities. It is too easy to administer the tools instead of using the tools to enhance security. At the end of the day the mindset of the group is the key.
Back to the original question: “What do you do for a living?”. I put forth the new answer is not “catching bad guys” or “implementing tools to catch bad guys”. At the end of the day the job is to lower the risk of the company to threats that may exist. That can’t even be comprehended until you know what the initial risks are. Tools are not the key, much to the chagrin of the security vendors. The key is data. It’s the data that is key, shows you your current defensive stance, the threat’s stance, and the longterm trends of how the risk has been mitigated for the company.
What are the odds that company X has Antivirus deployed? What are the odds that company X generates infection reports only after a malware outbreak has occured? Amazing trends can be found through daily infection reports if they are looked at. The same goes for all tools based in the typical analyst’s toolkit. A lot of emphasis has always been placed on IDS monitoring and yet even that can be subpar in most cases.
The vendors don’t make it easy on analysts. They may let you export data into excel or create PDFs. They may accept feeds from other vendors tools as well. But at the end of the day a truly customized data solution is needed. The lowest common denominator will let this customized data take form. In some cases this is text, in most cases it is SQL queries. The vendors do understand the data they collect is what gives their tools power, and they typically will use industry standard tools such as SQL to store this data. Querying that data and combining it with other feeds, with generating daily reports, baselining it, is where a true picture of the network security posture can be formed. Acting on that data is when true security is accomplished. After all, a security analyst should be analyzing data at the end of the day.