Hey folks -
I am looking to operationalize and mature our security group. We have some engineers that are fantastic, but a bit unfocused.
Looking for feedback on the ideal day for a Sec Engineer. This means a day where you have all the data you need and the ability to do your job to the optimal level. Some specifics:
What do you have access to, and what is just provided?
What roadblocks that normally exist are no longer present?
How are you growing and developing daily, and longer-term?
I don't think there is such a thing as "an ideal day". The first time you think you got one of those, a zero day hits you hard. You think it was an ideal day and you've just been owned. I've gotten to the point where I try to make things safer today than they were yesterday. I try to learn something in the process or help someone else learn something, since there is no way to secure a network 100%. I also try to do packet captures and look for odd stuff. Every now and then I will throw in odd stuff to see if anyone finds it. It helps to keep them focused and it becomes a bit of a challenge. When someone finds enough of the "odd traffic" I'll give them a day off. Then they are telling me what they need to do the job better, they are trying to learn the software better, and so on. I'm not sure if that answers your question, but I hope it helps.
Information Technology is continually evolving, vulnerabilities are being discovered, & threats are emerging --- so the 'ideal day' for a security engineer would be a holiday.
Let's look at the answers to your questions in terms of what's expected, rather than what's typically encountered:
1) What's involved?
The security of the organization’s entire IT infrastructure, scoping ALL of its components and users.
2) What do you have access to, and what is just provided?
Monitoring systems drawing real-time information from the IT infrastructure --- with the information properly analyzed and automated response mechanisms for alerts produced --- adequate visibility of operations, and a range of sources for vulnerability alerts.
3) What roadblocks that normally exist are no longer present?
A lack of support from senior management and / or a lack of resources (people, processes & technology) to secure the organization.
4) How are you growing and developing daily, and longer-term?
Learning about, encountering and responding to new systems, threats & vulnerabilities.
Since the desired circumstances may not be present, the only time a security engineer might be able to avoid having to deal with any inadequacies would be while on a holiday.
Let's try to focus your question a bit, shall we?
One way or another, most of us have some type of tool set to do our jobs. With that said, those tools may not be ideal for what we would like, but tools range from very expensive to outright free. No excuses for blaming our lack of any tool for not performing the tasks at hand.
A successful day starts with a full night's sleep, no phone calls the night before or first thing in the morning BEFORE I get to work. Second, no one waiting at the door for my arrival. This is not untypical. I have folks who start work before I get out of bed by practice, if not work ethic.
I agree with the other posts concerning making things better than the day before but no amount of preparation and diligence will stop every bad actor, every day. We fight the good fight or wallow in delusion. The choice is up to you.
Some very good answers above, so I'm enjoying this thread. I would just add that I think an ideal day might have these two elements:
-- A day where we can work on a more proactive basis. Not buried by governance sort of tasks or babysitting scans - but doing more work that justifies the word 'analyst' in a job title. A day that ends feeling like we maybe moved the needle even a little bit on the overall security maturity or posture of the place.
-- A day where we make good headway on establishing or improving an important process - one that hopefully makes us more efficient and/or effective tomorrow.
Thanks for the post. Good information here, for sure.
You mention the idea of making a difference and moving the needle a little bit each day. For you, is there a specific area that you would say is the most fulfilling part of your day as a Security Engineer/Analyst?
What do you define as babysitting?
Are there reports you want to see, versus noise you could do without?
Fair point. I get the reality of the daily threats for sure.
As for the start of the day - good sleep and no late night calls are a definite consensus.
When you start your day, what do you immediately want to have at your finger tips? What type of Threat Intelligence should be provided to you to make your day the most effective once you sit down?
How much of your day would you say should be directly "fighting the good fight" versus personal/professional development and hitting the growth edge of your skills?
Thanks for the details in your response.
What I understand from your note is that a key component is the intelligence at your fingertips, and fully ready for use.
What does that ideal intelligence stack contain? Do you have a favorite set of applications or tools (i.e. Splunk, Guardacore, etc.)?
I have a number of things that would fit into the 'most fulfilling part of the day' category. A few off the top of my head would be: being involved in hardening reviews and seeing hardening changes made as a result of those (so a little less chasing down the same vulnerabilities caused by the same installed apps/services); talking or working with application/system owners who get it, or are beginning to get it, in terms of thinking about security a little more (I had an application owner say to me today that rather than updating an app version he might just see about removing it "to make the attack surface smaller"; it's awesome hearing that phrase from an app owner); evaluating and recommending cool new tools, especially when it's just getting more out of free or built-in tools (e.g. Sysmon, Windows Event Log Forwarding); and learning. There's always so much to learn, about our own environment and about ICS in general.
Babysitting - I was mainly thinking about just the volume of scans that need to be run, and sometimes kinda being a slave to getting them done and then having less time to really think on the results or the bigger picture.
Honestly, overall I enjoy my work, our work, tons. I go to work most every day pretty happy with what I need to get done, and enjoy reading, watching videos etc on work-related topics out of hours too. Having said that, shockingly I still manage to have a life as well - spend time with family, get out with the dog, play some sports etc.
To answer your 1st question, Jslaughter, the ideal stack consists of at least 2 categories of information ---
A SIEM / monitoring solution will give you the latter, but to effectively use this, you must correlate it with the former --- to perceive existing threats & foresee potential ones.
I'm not in a position to answer your 2nd question, as my current role (Information Security Officer) has me dealing with security policies, enforcement, compliance and risk management, with little exposure to the use of solutions, for which we have dedicated roles.