A Day in the Life: Secrets of a Top Splunk Security Analyst

At Splunk, we’re proud to employ some of the top security analysts in the industry. On any given day, they’re investigating security incidents, triaging alerts and identifying threats so our systems and data — as well as those of our customers — remain secure.

But what, exactly, do Splunk security analysts do? And what are some of their biggest challenges? We sat down with Risi Avila, a Staff Security Specialist at Splunk, who shared his experiences and some well-earned wisdom to those following in his footsteps.  

Why did you become a security analyst?
Twenty years ago, I was working in Belize at the country’s only telecom company. We had a team of four who were working as internet technicians, and we ran the internet for the entire country. We had a bunch of dial-ups, no DSL. One of the DNS servers got hacked — someone dumped a bunch of software and malware onto the system, and we didn’t know it until we got a report from someone in the U.S. We had to bring in a consultant who triaged the breach. It turned out that one of the packages wasn’t up-to-date, which allowed the hackers to break into the DNS server.

After that, we decided that we needed to have someone focus on security.  I volunteered. For a year, I was the designated security person, investigating how hackers would break in. It was like playing cops and robbers on the internet and I found that intriguing. But the deeper I got, the more I realized I didn’t know a lot about protocols and how they worked. I had an associate degree in math, but I decided to go back to school for a bachelor’s degree in networking technologies at DePaul University in Chicago. After that,I went to graduate school at DePaul for information security and continued to hone my skills in networking, telecom and cybersecurity operations.

What is a typical day like for you as a Splunk analyst?
Half the day, it’s cyber operations and operational tasks, and making sure systems are up and performing. I also make sure those systems are feeding the SIEM properly and the system is available. The other half of the day, it’s a combination of triaging alerts, dealing with notable events and correlation rules, and ensuring that we addressed the most critical incidents. 

What excites you most about your job?
For me, it’s the constant change and the constant interaction. It’s understanding how the business works from a technical perspective — you have to understand the business to effectively protect it. You also have to be a good generalist. Belize is a much smaller country, and you have to do a lot of things to survive. In security, you can’t just focus on databases or firewalls, you have to know a lot about many different things. Later in your career, you can specialize. But knowing a little about a lot excited me the most.

What are some of your biggest challenges? How do you overcome them?
Cybersecurity is a three-legged stool — people, process, technology. Typically, the biggest problem you have is people — being able to avoid situations where it’s up to people to address things on their own. Automation is definitely helping with that. With Mission Control, there’s a checklist of things you should do if an alert comes in. The process is approved and repeatable — analyst I does the same thing as analyst II. But people are the weakest links in cybersecurity. And the greatest challenge is making sure people follow proper procedure.

What is the most surprising thing about your job?
Cybersecurity has only become more and more important. And now that everyone is working from home, it’s become that much more important for individuals as well as companies. The attack surface is enormous. But often companies miss the basics. In Belize, we have a saying that translates to, “you have to dance in your yard before dancing in someone else’s yard.” It’s recognizing you have to take care of the basics first. If you’re not doing the basics, you’re going to get owned.

Do you have any advice for aspiring security analysts?
Try to understand what you’re doing before you do it. Test, test and test some more. Once you put it into production, make sure that what’s coming into your SIEM and feeding those alerts are high value, high fidelity and actionable. If they’re not actionable, you’re just wasting your time.

Ready to channel your inner analyst? Download "How to Uplevel Your Defenses With Security Analytics" and discover how to:

  • Strengthen your defenses with real-time monitoring, user behavior analytics, security orchestration, automation and response (SOAR).
  • Maintain and evolve SOC rules to better detect and respond to the changing threat landscape.
  • Execute best practices for investigations, and automate effective response actions based on recommended guidance.


Oliver Friedrichs
Posted by

Oliver Friedrichs

With a record in building four successful enterprise security companies over the past two decades, Friedrichs most recently served as the Founder and CEO of Phantom. Prior to Phantom, Friedrichs founded Immunet, acquired by Sourcefire in 2010 and a key component to Cisco's acquisition of Sourcefire in 2013; now thriving as Cisco's Advanced Malware Protection (AMP). Friedrichs co-founded SecurityFocus (Bugtraq) and led DeepSight, the world's first Internet early warning system, acquired by Symantec in 2002. He also co-founded Secure Networks and led Ballista (CyberCop), one of the industry’s first vulnerability management solutions, acquired by McAfee in 1998. Friedrichs architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and recipient of 19 patents.


A Day in the Life: Secrets of a Top Splunk Security Analyst

Show All Tags
Show Less Tags

Join the Discussion