Intrusion Analysis 101

If you’re new to NetSec, you’ll quickly find out that network security is one of many silos in information security, and that network security itself has many different roles. One of these roles is the intrusion analyst.

What exactly is an intrusion analyst? Duties differ according to the size of the team you join and the platforms and tools employed, but at the lowest common denominator, an intrusion analyst monitors security systems and investigates the alerts they produce.

These systems may include a SIEM, an IPS, EDR, firewall logs and others.

SIEM: Security Information and Event Management

IPS: Intrusion Prevention System

EDR: Endpoint Detection and Response

Once an alert is received, triage begins. Many alerts can quickly be identified as false positives generated by known benign processes. These are candidates for the continual process of tuning the SIEM and/or IPS. Without this process, the sheer number of FPs can begin to overwhelm the analyst. Automation has come a long way in doing triage for the analyst, and machine learning is helpful, but no system can replace the need for human inspection of many of the alerts.

Experience, tribal knowledge, awareness of changes in the network, of the applications in use and of integrations with vendors and business partners, and again, experience, are skills that ML or AI is not yet able to duplicate, if ever.

Is the intrusion analyst an incident responder? This again depends on the size of the team. Optimally, the intrusion analyst, after triaging an alert, would hand it off to an incident responder if action were necessary. This could be anything from removing malware or re-imaging a machine to blocking IPs or applying isolation, either from the EDR solution or by network port shunning.

The reality is that at most small and mid-sized companies, the intrusion analyst will double as the incident responder, which is unfortunate. Not only does this require twice the amount of training and continual education, but it also means that while the intrusion analyst is responding to an incident, he/she is not triaging alerts.

*** This is a Security Bloggers Network syndicated blog from JeffSoh on NetSec authored by JeffSoh. Read the original post at: