From this point on, we’re going to focus on the people on the front line against cyberattackers and, in particular, the teams and job roles involved in cybersecurity. You’ll discover that there’s something for everyone: jobs focused on cybersecurity or interacting with the wider ecosystem, technical or organizational roles, and more! Brace yourself because you’re going to meet a lot of people!
To help with this, we’ll be using several frameworks for the cybersecurity profession. You can find these resources in the Key Resources document. These frameworks are very detailed. They list the tasks involved in the various cybersecurity roles, along with the skills and qualities required for each of them. I strongly recommend that you take a look at them if you’re interested in a career in cybersecurity.
Discover the Roles and Functions of the Monitoring and Detection Team
Let’s go back to our attack on the hospital to understand the different roles involved in preventing, detecting and responding to the attack. In our case, once the doctor has reported the problem, it’s the security teams who analyze and manage the alert. In other cases, users are none the wiser to any malicious behavior, so it’s down to the security teams to detect threats. One of their main tasks is to detect security incidents early on, using specific tools and drawing on the diverse skill sets present in the team. Let’s take a look at who’s involved in this task and how they go about it.
Events are happening on the information system every minute—and often every second—of every day: opening a file, deleting a folder, starting an application, and so on. The information system tracks all these events, no matter how trivial.
But this is a mammoth task: there are often thousands, if not millions, of log entries to monitor!
The sheer volume of log entries (from several thousand to millions per day, if not more, depending on the size of the company) makes this task impossible for a person to perform. So, you can rely on a couple of tools to help you! For example, the monitoring and detection team might use a SIEM tool.
SIEM (Security Information and Event Management) is a tool for centralizing and analyzing all the event logs available on the various components of an information system (computers, applications, etc.). Its purpose is to detect any abnormal activity, such as a large number of files being downloaded, attempts to access unauthorized applications, or unusual file-sharing with outside organizations.
But what role do team members play if everything is done by tools?
SOC Team
Well, tools don’t do everything! Members of the monitoring and detection team perform the following tasks:
Define the events that trigger a security alert
Configure tools as required
Regularly update detection rules that trigger alerts, and the associated procedures
Receive, sort and prioritize alerts from the tools installed
Analyze the impact of any detected incidents
Alert a more senior staff member if the impact is significant and/or if resolution requires input from other teams (incident response teams, in particular)
Make recommendations to resolve certain incidents
The Security Operations Center (SOC) is the team responsible for detecting suspicious or malicious activity.
Here’s a reminder of the related roles:
SOC analyst
SOC manager (responsible for managing all SOC activities)
These roles may be either in-house (for very large organizations) or outsourced to external service providers.
Threat Analyst
Is there a way to predict who is going to attack us and when?
That’s exactly the challenge of another role within the monitoring and detection team: the threat analyst. Another term used is “threat intelligence analyst.” This individual or team is responsible for studying trends in threats to the organization.
More specifically, threat analysts perform the following tasks:
Collect and analyze data on attackers (motivations, attack techniques, specific characteristics, etc.) from various sources (dark web, social media, corporate websites, etc.)
Communicate information about potential attackers to the teams responsible for detecting and responding to an incident. This information helps these teams improve how they do their job.
An important part of their work is therefore monitoring, which involves researching and collecting information that can help in assessing and detecting threats.
It’s all well and good having expert teams dedicated to threat detection, but why didn’t they see the hospital ransomware attack coming?
Great question! I’m sure we’ll find out after the investigation, but there could be a few different reasons:
The attacker used a method as yet unknown to the detection teams, so no alerts were triggered.
The computer used was not being monitored as it was not yet covered by the SOC.
A member of the monitoring and detection team may have misinterpreted an alert received as benign, so did not trigger any corrective action.
In the case of the hospital, you saw that the responsiveness of the user who raised the alert was key to acting quickly! As you can see, we all have a role to play in preventing cyberattacks. 💪
Let’s Recap!
In this chapter, you’ve seen that:
monitoring and detection teams are responsible for analyzing IT system logs and for trying to detect attacks using security alert management.
the roles of SOC analyst and SOC manager fall within this monitoring and detection team.
the role of threat analyst involves monitoring attackers and their operating methods to try to prevent attacks.
Now let’s find out how a crisis is managed and investigated!
