Changing Hats: From Enterprise Security to Threat Intelligence as a Service

In the cybersecurity space, the role of an analyst varies widely. Two job listings for different companies with the exact same title, such as “security analyst,” might have completely different job functions or levels of responsibility. Some organizations have small security teams with analysts managing a broad scope of information security functions with help from third-party security vendors, while others are structured to have more specialized analysts focused on deep-diving into one facet of cybersecurity, such as vulnerability management or threat intelligence.

The contrast I want to focus on, and one I have personally experienced, revolves around the question, “Who are you protecting?” As a technical threat analyst at Recorded Future, I am focused on providing threat research for customers from a vast set of industries and geographies. Contrarily, my previous role as a security analyst at a financial services company revolved around protecting one company within the financial services industry. Reflecting on my two years on an internal security team and one year in threat intelligence as a service, I will reflect on the advantages and challenges each role brings, as well as why they can be stronger together.

Wearing Many Hats (Defending an Enterprise)

My first job after graduating with a degree in computer science was as a security analyst within an investment management company’s IT department. My responsibilities touched on a few different aspects of information security, but my frame of reference hinged on threats relevant to the financial services industry and the nuances of that company. I supported compliance controls by monitoring for suspicious activity on critical databases and responded to audit requests. I maintained metrics around the organization’s risk exposure and provided security awareness training for new employees. And if any of our systems alerted on a possible intrusion on our network, I dropped all of this to investigate the incident. I’m sure this sounds familiar to many security analysts with smaller, less specialized teams.

This many-sided role allowed me to see how all of the moving parts of an organization’s cybersecurity program fit together. I became familiar with many security technologies and learned how to communicate about security to different audiences. However, it also limited the time I had left to invest in research and threat intelligence. For me, in our relatively young security program, this did not go much further than finding indicators of compromise (IOCs) to integrate into our automated intrusion detection systems. It was a work in progress and a small part of my day-to-day, but it was also a good starting point, just as my other responsibilities were the starting point for my transition to a threat intelligence-focused role.

Wear the Hat That Fits (Threat Intelligence as a Service)

While threat intelligence was not a big part of my first job, my technical background and incident response experience were well-suited to the technical threat analyst role in Insikt Group, Recorded Future’s threat research component. The investigative nature of my past role is particularly applicable, as my main focus now is surfacing actionable threat leads, such as new malware variants or campaigns, and efficiently communicating my findings to our customers. I utilize our software and data heavily to perform and summarize research I probably wouldn’t have had time to do in my previous role.

While my job functions have become more focused on research and reporting, the scope of relevant information has increased tenfold. Our customers are spread across many industries and countries, so it is necessary to operate with a more worldly view and learn about the attack vectors that impact different types of organizations.

Hat in Hand

While there are many qualities that distinguish the above roles from each other, I believe that these distinctions also leave room for the analysts in these roles and their organizations to help each other. I use my experience as a security analyst at an investment management firm to analyze threats that may impact organizations in the financial services industry, and feedback from organizations in this industry and in others helps me understand their pain points and how I can enable them to better defend themselves.

In turn, as an analyst for a threat intelligence service provider, I can do deep-dive research and analysis on emerging threats and then present that analysis in a way that is easy for our customers to consume, whether it is a detailed blog post or a brief analyst note, so they can make the best decision for their organizations’ security going forward.

Diana Granger

Diana Granger is a technical threat analyst with the Insikt Group at Recorded Future.