Over the next three months, the Splunk Security team will be looking at the emerging role and hero of the Security Operations Center (SOC): the security analyst. This role has drastically changed over the past 10 years, and we will observe how a changing threat landscape and advancing technology have redefined what it means to be a security analyst.
We’re publishing our first post to coincide with Data Privacy Day, an annual, international effort aimed at creating awareness about the importance of privacy and protecting personal information. In this post, I speak with Splunk Security Analyst and Researcher, Kathy Wang, to discuss life as a security analyst in the early 2000’s.
Take me back 10 years. How did you get your start as a Security Analyst and how has your career evolved over time?
I started out as a Security Analyst at a commercial startup, working shifts and monitoring customer networks. Shifts in the SOC are challenging. Every three months, analysts would rotate 10-hour shifts, beginning at 5:00 am, 1:00 p.m. and 11:00 pm to ensure effectiveness. You could forget about eating a meal anywhere away from your desk. And while the work schedule was challenging, I learned a lot, and was able to parlay that knowledge into creating a training program for new analysts. After eight months on the shift team, I progressed to more advanced levels of analyst work in several major U.S. Federal Government environments, and then to technical leadership positions of several SOC environments, specifically in Chief Scientist and CISO roles.
What were the key responsibilities of your job on a day-to-day basis?
In the early 2000’s, I was primarily responsible for working the incident response process and developing training materials to get newly-hired analysts spun up. This graduated to researching and developing and deploying tools that helped bridge the gap in malware detection in the SOC environment.
What were the top challenges you would frequently come across in your role as a Security Analyst?
Continuity of operations was a challenge in the early days of my analyst experience – how do we work to bridge/automate incident investigation tickets being passed from one shift to another? How do we access all of the data needed for incident response in a timely manner? Filtering out noise (false-positives) from various devices reporting threats was also a huge challenge. There were never enough analysts to look at all of the data and threats. In the SOC environment, we were always trying to further automate the IR workflow process as well as find ways to proactively respond to threats. Automation in particular was a challenge because of the myriad technologies we were leveraging across our security stack. Based on this, we often just manually made changes to our security posture during the IR process.
Did the “Security Operations Center” really exist in the mid-2000’s? How did the SOC evolve during the next few years
Heck, yes! In the early-mid 2000s, people were terrified of getting compromised (and landing on the front page of a major news outlet). The focus was to prevent all attacks. Gradually, throughout the mid-2000s, and definitely by the late 2000s, the industry realized that breaches are going to happen. Rather than focusing on preventing 100% of the breaches, the mentality changed to “let’s focus on detecting attacks sooner so we can take better action.”
Is there anything you see in current SOC’s that would have blown you away in the mid 2000’s?
Security intelligence sharing within specific industry sectors today would have looked super-impressive back in the mid-2000s. I’m fortunate to have the perspective of having been on both sides of that intel sharing coin, and it is clear to me, given that practically every single Fortune 500/1000 company has already been breached, our networks cannot be defended by working in a vacuum. The degree of automation the most cutting-edge SOCs have been able to develop today is another huge advancement over the mid – 2000’s “monitoring mode.”
Learn more about Data Privacy Day and how to protect your online privacy, and stay tuned for our next installment of our “Day in the Life of A Security Analyst” series.
SVP, Security Markets
About Haiyan Song
Haiyan Song has been with Splunk since 2014 and currently serves as our Senior Vice President, Security Markets. From 2012 to 2014, Ms. Song served as Vice President and General Manager of HP ArcSight, a security and compliance management company previously acquired by Hewlett-Packard Company. From 2005 to 2012, Ms. Song served as Vice President of Engineering at ArcSight. Ms. Song previously served as Vice President of Engineering at SenSage, an event data warehousing company, from 2004 to 2005. Ms. Song started her career at IBM/Informix, a database software company. Ms. Song holds a M.S. from Florida Atlantic University and studied Computer Science in Tsinghua University in China.
About Kathy Wang
Kathy Wang is an internationally-recognized malware expert, who has researched, developed, evaluated, and operationalized various solutions for detecting and preventing client-side attacks used by advanced persistent threats (APT)). Prior to Splunk, Kathy has worked with ManTech International and The MITRE Corporation. She has co-authored a book, Beautiful Security, and holds a BS and MS in Electrical Engineering from The University of Michigan, Ann Arbor.