WEBVTT

00:07.250 --> 00:12.740
As a security analyst, it's important to understand the different aspects of how your operation or

00:12.740 --> 00:14.240
organization functions.

00:14.270 --> 00:19.970
It's your job to make sure that as an analyst that you're taking those under you, whether they're brand

00:19.970 --> 00:25.250
new analysts or coming in fresh from the career, or maybe they're going in from a job change and making

00:25.250 --> 00:30.560
sure that your organization runs smoothly, that goes to the processes that may be standardized to make

00:30.560 --> 00:33.050
the process more efficient.

00:33.170 --> 00:37.940
And efficiency really comes into play with just the technology, but with the people as well.

00:37.970 --> 00:43.040
You need to understand all the makeup of they train the hardware, the equipment, the software, the

00:43.040 --> 00:45.920
people, the data, all that comes into play.

00:45.920 --> 00:51.290
And you as an analyst, especially a senior analyst, need to understand how to make those processes

00:51.290 --> 00:55.130
and policies intertwine with one another to become more efficient.

00:55.160 --> 01:00.980
It's not uncommon, as a security analyst to be way over your head, and I don't mean that from a technological

01:00.980 --> 01:01.760
point of view.

01:01.790 --> 01:06.600
I mean it from a point of view as there's never enough people, and when there's never enough people

01:06.600 --> 01:11.970
to streamline the operation, to be as efficient as possible is definitely something that you want to

01:11.970 --> 01:12.840
work towards.

01:12.870 --> 01:19.290
Now, standardized processes really kind of make this groove within our organization to make sure that

01:19.320 --> 01:24.180
person A is doing the same thing that person B is doing, which is the same thing that person C is doing,

01:24.180 --> 01:29.670
and that we have processes that combine and interchange with one another so that your night shift is

01:29.670 --> 01:34.260
working the same way as your day shift, and that those processes and policies are being followed so

01:34.260 --> 01:39.420
that the person coming in after you can quickly pick up where you left off, and that way you're able

01:39.420 --> 01:44.850
to leave on time without having to stay an hour later because of overtime rules and the policies weren't

01:44.850 --> 01:45.540
being followed.

01:45.570 --> 01:51.360
So it's really important for you to have a standardized process to run smoothly within the organization

01:51.360 --> 01:56.280
and become a well-oiled machine because you're, quite frankly, never going to have enough time for

01:56.280 --> 02:01.500
everything that needs to be done, especially in a SOC environment or in an incident that's going not

02:01.500 --> 02:02.160
your way.

02:02.190 --> 02:04.860
A standardized process needs to be consistent.

02:04.860 --> 02:10.070
That means that it needs to be the same as a week ago, from three months ago to even a year ago.

02:10.160 --> 02:14.030
Now, that doesn't mean that we can't change things or tweak things to make it better.

02:14.030 --> 02:19.910
It just means that it needs to be consistent across the board, whether you're a graveyard shift employee

02:19.910 --> 02:26.270
or a morning employee, or if you're doing one job over another, or moving from an incident over to

02:26.300 --> 02:30.140
a malware analysis, it needs to be consistent across the left field.

02:30.230 --> 02:34.940
If your manager comes into play to fill in a specific role, or if you're going from a server role over

02:34.940 --> 02:38.420
to a malware role, the process needs to be consistent.

02:38.420 --> 02:43.370
And you'll hear me harp on this quite often when we're talking about standardized processes, because

02:43.400 --> 02:46.700
consistency really does provide us an efficient pathway.

02:46.940 --> 02:51.380
I know in my own pathway, we had a process that was not being followed by every employee.

02:51.380 --> 02:56.420
And the way that I did things, while I thought it was more efficient, kind of went against the processes

02:56.420 --> 02:57.500
that we had in place.

02:57.500 --> 03:02.690
Now, as time came into play and I talked to the manager, we were able to tweak that process to more

03:02.690 --> 03:07.220
conform to a more efficient streamline, but it could also play some headaches with everybody else that's

03:07.220 --> 03:11.460
going into play, I want you to imagine that you're working on a malware analysis, and you've been

03:11.460 --> 03:14.010
working a 12 hour shift and you just want to go home.

03:14.010 --> 03:17.040
Maybe you've got kids that you need to pick up from the daycare.

03:17.070 --> 03:18.420
Maybe you've got a hot date.

03:18.420 --> 03:22.980
It doesn't really matter what's going on, but what you really need to go into play is, is the process

03:22.980 --> 03:26.790
consistent so that somebody can pick up where I left off very easily.

03:26.790 --> 03:28.950
In some places that's not the case.

03:28.950 --> 03:34.110
And it could cause a handover failure, meaning that the person that's coming in after you can't readily

03:34.110 --> 03:38.910
read your notes, or you have to spend half an hour with them so that they can understand exactly what

03:38.910 --> 03:39.930
you did already.

03:39.960 --> 03:47.730
Having a standardized, consistent process and policy in place really formalizes that handover exchange.

03:47.730 --> 03:53.400
It also makes it to if your manager is looking over what's going on, they can quickly identify and

03:53.400 --> 03:56.910
in detail and report to higher exactly what we've done.

03:56.910 --> 04:03.030
This usually entails note keeping or providing a log of the work that's been done, a detailed analysis

04:03.030 --> 04:08.490
of what's going on and basically going forward with our processes as we as we move forward.

04:08.520 --> 04:13.580
A lot of times, analysts forget to write things down, and this makes it really difficult not only

04:13.580 --> 04:18.320
for your managers, but for your co-workers who may be working after you on the same process.

04:18.410 --> 04:24.020
And so it's very persistent that we have that consistent policy in place, not only for operations but

04:24.020 --> 04:25.280
for incident management.

04:25.310 --> 04:29.480
Consistency really is the key when we talk about a standardized process.

04:29.630 --> 04:35.420
Within this, we usually use different policies or technologies that come into play with our standardized

04:35.420 --> 04:37.910
process, i.e. vulnerability scanning.

04:37.940 --> 04:42.680
When vulnerability scanning, maybe we started at 6 a.m. in the morning, and we go through specific

04:42.710 --> 04:46.820
tools or specific protocols in order to scan our network.

04:46.820 --> 04:51.800
If you're going through and you've got a very large network of over a million different machines, you

04:51.800 --> 04:58.040
can see that scanning needs to be very formulated, very consistent and very articulated in going in

04:58.040 --> 05:04.310
forward meaning I need to scan different sections of my network throughout the course of the week or

05:04.310 --> 05:04.940
the month.

05:04.940 --> 05:10.790
If my company says, hey, every Monday, the first Monday of the month we're going to scan the operations

05:10.790 --> 05:15.900
department, all there are 250,000 machines, and that's going to take a week because they have a lot

05:15.930 --> 05:16.650
of machines.

05:16.650 --> 05:22.260
Then we need to follow that scanning process to the queue, as in we're going to scan that network as

05:22.260 --> 05:23.670
opposed to a different network.

05:23.670 --> 05:28.410
But we also need to scan it specifically for what we're trying to scan it for, whether it's malware

05:28.440 --> 05:30.840
or open ports or different vulnerabilities.

05:30.840 --> 05:37.620
We're looking for specific items, and usually that entails having a set scanning process in place that's

05:37.620 --> 05:38.730
already predetermined.

05:38.730 --> 05:43.170
We don't want to go outside that predetermined because we want to provide consistency.

05:43.170 --> 05:44.880
There's also patch management.

05:44.880 --> 05:50.280
If I have a patch that comes into play, there's usually a policy or procedure that quickly identifies

05:50.310 --> 05:51.780
a consistent way to do that.

05:51.780 --> 05:57.930
Patch management, usually through change management policy that interprets what step A is to step B

05:57.960 --> 06:04.380
to step C, you need to understand those standardized processes as they relate to your specific organization.

06:04.380 --> 06:07.200
There's log management and how we utilize those logs.

06:07.200 --> 06:13.650
But where we store those logs I talked earlier about how we had different logs within my own organization,

06:13.890 --> 06:20.150
and we would grab those logs both in the raw and the filtered, and we would store the raw logs over

06:20.180 --> 06:25.190
offsite so that we had full control over those logs if we needed to go back to them.

06:25.190 --> 06:30.500
But we also had filtered logs, which only provided us the specific details that we needed for our SIEM.

06:30.530 --> 06:37.460
Now, log management is a key point of consistent, standardized processes of how we use those logs

06:37.460 --> 06:40.610
within our internal functions with across our organization.

06:40.640 --> 06:45.770
There's also threat intelligence feeds and how we can utilize those feeds where we can get those feeds

06:45.770 --> 06:49.730
from and how we can use those feeds within our individual organizations.

06:49.730 --> 06:52.310
That doesn't mean that we can't experiment a little bit.

06:52.310 --> 06:56.360
If we have a little bit of permission from our manager, or we want to take it in a different direction,

06:56.360 --> 07:01.250
but it does mean that we have a process in place that needs to be followed on a consistent basis as

07:01.250 --> 07:06.050
we go through those threat intelligence feeds, usually goes through a specific department, and then

07:06.050 --> 07:11.120
we can go through and identify specific threats that may be associated with the information that we're

07:11.120 --> 07:16.490
gathering and how we utilize that information and the feed process to get permission to move forward

07:16.490 --> 07:17.240
on something.

07:17.310 --> 07:18.390
provides its own process.

07:18.420 --> 07:24.120
Again, there's also user behavior and analytics, which means how are our users using specific machines?

07:24.120 --> 07:30.990
And can we do a trend analysis to identify specific vulnerabilities or associated behavior with those

07:30.990 --> 07:32.370
users moving forward?

07:32.400 --> 07:38.310
All of these have a standardized process or policy that we need to be aware of within our own organization.

07:38.340 --> 07:44.220
Often when it talks about standardized processes and consistency, the number one thing that comes into

07:44.250 --> 07:46.260
my mind is team coordination.

07:46.260 --> 07:48.690
What kind of communication are we dealing with?

07:48.720 --> 07:54.150
Communication is key with any organization, but especially true within a chaotic environment such as

07:54.150 --> 07:55.860
a security operations center.

07:55.860 --> 08:00.540
When you're consistently undermanned and it's highly technical and there's a lot of handovers going

08:00.540 --> 08:00.960
on.

08:00.990 --> 08:05.430
You have to have communication both in the written form as well as the verbal form.

08:05.430 --> 08:10.470
I can tell you there are many times where we had an issue within my own operations center, and we would

08:10.470 --> 08:14.700
go through and we work through an issue, and I was on 14 hours, no sleep.

08:14.700 --> 08:15.750
I'm really dead tired.

08:15.750 --> 08:20.540
I still have a two hour drive home, and I need to communicate to the technician that's coming in after

08:20.540 --> 08:26.000
me, to what I'm doing, what I've done already, and what has worked versus what hasn't worked.

08:26.030 --> 08:28.670
Now you may think to yourself, oh my gosh, 14 hours.

08:28.670 --> 08:30.410
That's not unheard of.

08:30.410 --> 08:32.030
And some really bad scenarios.

08:32.030 --> 08:37.700
And so by communicating to the new person, both written so they have a specific log of everything that

08:37.700 --> 08:43.490
I've done including ports, protocols, test procedures, scans that I've conducted, tests that I've

08:43.490 --> 08:48.020
done, all of that written down, that new technician can come into play and go, okay, they already

08:48.020 --> 08:53.030
did this, did they did this, did this, but not just what I've done the results of those as well.

08:53.060 --> 08:58.430
And then I would verbally hand off to them as I was driving home, i.e. a two hour drive home.

08:58.460 --> 09:03.530
A lot of times allowed me to talk on the phone with them and can provide and provide that handover to

09:03.560 --> 09:07.100
where they can say, hey, I'm looking over your logs and I see something.

09:07.100 --> 09:07.820
Did you see this?

09:07.820 --> 09:08.840
I'm not seeing it.

09:08.840 --> 09:13.880
And so communication to where they could come into role and not have to start from scratch really is

09:13.880 --> 09:14.330
key.

09:14.360 --> 09:19.640
If you've got an incident where you've got a major attack ongoing, you really need to have that communication

09:19.640 --> 09:24.540
with that new shift coming in to really relay everything that was happening not only before the incident

09:24.540 --> 09:26.910
occurs, but while the incident is occurring.

09:26.910 --> 09:32.220
There are also roles and responsibilities that need to be clearly defined, and a manager that's clearly defined.

09:32.250 --> 09:38.010
His role as overseeing a security operations center may have a subsidiary role of being able to actually

09:38.010 --> 09:40.350
dive in from a technical standpoint when needed.

09:40.380 --> 09:45.240
However, there may be clear delineation that goes, hey, you're working specifically on servers.

09:45.240 --> 09:46.170
That's your job.

09:46.170 --> 09:51.270
If we have an issue with a client, you're not really relied on or responsible for those clients.

09:51.270 --> 09:55.170
I need you to stay on your side of the tracks, and that's perfectly okay.

09:55.170 --> 09:58.260
But we may pull them over under specific circumstances.

09:58.260 --> 10:03.960
What is the policy or the procedure or the responsibilities as defined by their work role and by management

10:03.960 --> 10:04.530
team?

10:04.530 --> 10:06.150
There's also collaboration.

10:06.150 --> 10:11.640
As we all know, servers that have an issue sometimes trickle down to a client, which may trickle over

10:11.640 --> 10:13.080
to other network equipment.

10:13.080 --> 10:18.270
And so having collaboration, not just only within your cyber team, but also with the IT team, is

10:18.270 --> 10:22.050
very paramount to how our teams function across the organization.

10:22.050 --> 10:27.900
Nothing sucks more than having a non-collaborative environment where your IT team and your cyber team

10:27.900 --> 10:32.550
are constantly fighting one another; it makes things last way longer than what they actually should.

10:32.580 --> 10:38.490
It's your job as an analyst to not only perpetuate a good culture and a good environment to work with

10:38.490 --> 10:43.830
those other teams, but understand where they're coming from and facilitate a very positive environment

10:43.830 --> 10:46.410
that produces high collaboration.

10:46.440 --> 10:52.110
This not only allows our cyber team to pull from good IT people that may want to transition into cyber,

10:52.110 --> 10:57.810
which is often lacking, but also provides backup in some circumstances where the IT team can really

10:57.810 --> 11:02.010
help us out on different aspects of a cyber incident occurring.

11:02.220 --> 11:06.690
How many times would you actually like to work on a client when you've got a major networking issue?

11:06.810 --> 11:12.300
It's not uncommon to have 5 or 6 employees in your cyber department, but have 50 or 60 in your IT department.

11:12.300 --> 11:17.010
And if the IT department can handle a client issue while we concentrate on the network issue, that's

11:17.010 --> 11:17.880
a major win.

11:17.910 --> 11:22.170
But if you don't have good collaboration, all of a sudden the IT team is going, we're too busy, we

11:22.170 --> 11:27.540
can't help you. And that's just going to put more hours on you and lead to those long days and long nights

11:27.540 --> 11:29.820
of wishing you had hair like me.

11:30.150 --> 11:32.370
There's also the training aspect of it, right?

11:32.370 --> 11:35.910
We want to cross train and cross collaborate with those other environments.

11:35.910 --> 11:40.320
You'd be surprised how many times it comes into play, and they've got great training because they have

11:40.320 --> 11:45.990
a higher budget, or they've got training coming into play specific to a specific equipment that they

11:45.990 --> 11:48.330
may allow the cyber team to join in on.

11:48.330 --> 11:53.880
At the same time, we may have training that we only have 5 or 6 people in our cyber team, that maybe

11:53.880 --> 11:55.620
some IT people want to jump into.

11:55.650 --> 11:59.160
And so we have that cross collaboration, cross training platform going on.

11:59.190 --> 12:03.300
Team coordination and collaboration is really big when it comes to cyber security.

12:03.330 --> 12:05.400
You truly cannot do this job alone.

12:05.430 --> 12:11.460
The days of the hoodies and the basement where you've got that one giant guy that's just an expert in

12:11.460 --> 12:13.470
his field that you see on the movie screens.

12:13.470 --> 12:15.990
It's just not a thing in cybersecurity.

12:16.020 --> 12:20.700
We really are a team, and you need to get it through your mind that not only do we want to need a team

12:20.700 --> 12:25.800
environment, we want a cross team environment where we can collaborate and coordinate with other departments

12:25.800 --> 12:27.270
to make our job easier.

12:27.300 --> 12:30.320
Throughout this episode, we talked about team coordination.

12:30.320 --> 12:33.260
We talked about the process of standardization.

12:33.380 --> 12:38.240
We talked about consistency through processes and policies as well as operations, we

12:38.270 --> 12:43.040
talked about communication and why communication is fundamental not only within your own department,

12:43.070 --> 12:45.590
but within collaboration with other departments.

12:45.650 --> 12:47.390
Throughout this episode, we really need to

12:47.420 --> 12:52.610
understand that as a security analyst, we're not looking at the foundational level that you may

12:52.640 --> 12:58.100
see within Security+; we're looking at it as a mid-career level where you're moving forward.

12:58.130 --> 13:04.370
And you're really perpetuating a good culture and environment and facilitating and enforcing those processes,

13:04.370 --> 13:10.250
policies and procedures and being an expert in your field. What CySA is really talking about in this

13:10.250 --> 13:17.030
field is you are the expert for cyber security analysts, and you are really providing that expertise

13:17.030 --> 13:21.440
not only from a technical perspective, but from a human perspective as well.

13:21.440 --> 13:26.930
You need to go through the process within CySA of understanding both the people position

13:26.930 --> 13:28.700
and the technical position as well.

13:28.700 --> 13:31.520
If you do that, you should be successful on this exam.
