One of the things that sets eSentire apart from other security service providers is our Security Operations Center (SOC) capability. The SOC combines people (SOC Analysts), processes, and technology into an effective and efficient engine that is a driving force behind our detection and response capabilities. But we realize that the very terms "SOC" and "SOC Analyst" mean different things to different people based upon each person's experience and exposure. So, we asked Megan Kearney, a Senior SOC Analyst, to shine a light on a typical day in our Cork, Ireland SOC.
eSentire runs two SOCs: one in Waterloo, Canada, and one in Cork, Ireland. Our client base is spread across dozens of countries spanning six continents, so we understand that cybersecurity is not a part-time job. Together, our two SOCs combine into a Global Security Operations Center (GSOC) with the capability to hunt for threats and monitor our clients' environments 24x7x365.
The eSentire Cork SOC was opened in 2015 with a team of 10 people. Although a small group, they laid the foundation and started developing the relationships that would support the growth of the SOC in Cork.
Having completed my undergraduate degree in computer science, it was evident that technology was changing the way people think about security, and it was going to evolve rapidly. I continued my studies and completed a master's degree in cybersecurity. I started my journey with eSentire as a part-time SOC analyst, and now, three years later, I am a senior SOC analyst.
Over the last number of years, Ireland has become a cybersecurity hub, and Cork is now known as Ireland's information security capital. The growth of our Cork office has been no different. We are now the largest SOC in the region, and at the time of writing, we have the following teams in place:
- A Director and a Manager of Security Operations
- Three SOC leads: two operations leads and one technical lead
- 20 SOC analysts: Tiers 1, 2 and 3
- A customer success team
- A support center team and
The Cork office actively participates in it@cork, a member-led organization representing over 220 companies from the South West of Ireland's technology sector. We also participate in Cyber Ireland, a national cybersecurity cluster supported by IDA Ireland. These clusters provide the technology industry in Ireland with a platform to network and connect.
eSentire has also partnered with the local college, Munster Technological University (MTU), to partake in an annual nine-month work placement program. eSentire hires a group of third-year students studying IT within MTU. These students are allowed to take on a SOC analyst role, gaining invaluable, hands-on experience as part of their college degree program.
Combining people, processes, and technology
SOCs vary in configuration and size, but three fundamental elements are required: people, processes and technology. eSentire has built on the foundational understanding that people and their knowledge are the pillars of an effective SOC.
A SOC is only as good as its people.
As a senior SOC analyst, I have a firm understanding of security teams' everyday pressures. Although provided with tools to complete thorough investigations, the role requires attention to detail and a general awareness when monitoring a network for malicious activity.
eSentire looks for passionate, driven people who want to do work that matters. Everyone has a unique path, and eSentire provides the opportunity to grow. There are many lateral and upward advancement opportunities for rewarding positions.
I can say this from experience as I entered the SOC as a part-time analyst while completing my undergraduate course in IT management. Once I graduated, I decided to continue my studies and pursue a master's degree in cybersecurity. This did not hold me back within eSentire. I was presented with growth opportunities during this time. I was motivated by my peers and superiors to apply myself, which was rewarded by career advancement.
Processes ensure that a proven, repeatable, efficient and effective framework is in place, both for routine activities and for escalated investigations. This means SOC analysts can focus their cognitive effort on the creative, intuitive and problem-solving aspects of the work, leveraging the people element sustainably.
The structure of the SOC, and the well-defined processes we use, ensure there is cross-functionality between teams:
- SOC Tier 0 – Technology-driven automated analysis of events/signals
- SOC Tier 1 – Initial Assessment, Response, Triage
- SOC Tier 2 – Deeper Analysis, Investigation, and Response
- SOC Tier 3 – Proactive Hunting, SecOps, Advanced Response
A perfect process is not possible in a field as dynamic as cybersecurity, but it is possible to improve continuously. To do so, we apply an agile lifecycle that helps us evolve our processes based on our own experiences and meaningful performance metrics.
eSentire has invested heavily in developing, acquiring and incorporating technology into the SOC, whether to process and analyze the enormous volumes of signals coming in or to provide valuable feedback that identifies opportunities for improvement. This technology has enabled a disruption-free transition to remote working during the pandemic.
Safeguarding our clients
The life of a SOC analyst can vary from day to day. In many cases, the core duties will remain relatively similar across SOC tier levels, but the intensity of work may differ. I love how this job exposes me to a variety of information in many situations, and I learn something new every day.
I complete live monitoring duties across several products, investigating and responding to triggered events within client environments. esNETWORK is a network detection and response service that allows me, as a SOC analyst, to identify and respond to exploit or intrusion attempts from an attacker. Investigations are carried out on real-time network packets to protect against brute force attacks, service exploit attempts, malicious connections and executables, port scans, DDoS attacks and web application attacks.
Our esENDPOINT service allows me to investigate suspicious activity on a client's endpoint and identify abnormalities that may indicate malware on the system, zero-day attacks or potential lateral movement within a client's network.
I also monitor our esLOG platform, which ingests and stores hundreds of logs and allows me to map threats to affected resources.
Combining these products allows me to generate a holistic view of an investigation, which is vital to understanding and disrupting an attack chain.
Engaging with clients
Customer engagement involves acknowledging and acting on client requests promptly. A client request can be classified by severity, and some are time-sensitive and escalated. Customer-initiated investigations can include requests for further information on alerts we have sent, such as traffic we observed within a packet capture; investigations of unusual activity within their environments; investigations of phishing emails they received; or intrusion-type scenarios.
These types of tickets can lead to deep-dive investigations. In such scenarios, the SOC will also interact with other teams such as the Threat Response Unit (TRU), technical solutions, professional services and customer success throughout their daily tasks, dependent on the investigation type.
My time may also be spent getting involved with company-wide projects for new products or new systems that are being implemented. I may also be training with other analysts, which can include being the trainer for incoming analysts or being the trainee to progress on to monitoring more products within our environments.
To say the year 2020 was eventful would be an enormous understatement, and we were met with significant challenges and hurdles to overcome. 2020 certainly did not go to plan and has not been a typical year for eSentire as we steered through the unknown of a global pandemic.
We have been pushed to grow during a time of increased uncertainty, increased cyberattacks and increased threats. Many of us have come to put up with the pandemic and found ways to live alongside it. Working from home permanently was a significant adaptation when Ireland imposed tighter restrictions on travel for essential reasons.
Working from home was not entirely new for us at eSentire. As a company, we were able to transition to work-from-home exclusively and continue business as usual. Although on a personal level, the change may have been initially difficult for some, we adjusted to this new way of work.
Working from home saw the evolution of meetings, and it has changed how we communicate. Throughout the last number of months, eSentire has continuously enforced the motto: “Although apart, we're more connected than ever.”
The analysts within the SOC adapted to working remotely without a significant drop in productivity or quality, ensuring that we were defending our clients during this worldwide disaster.
Preventing analyst burnout
With the sheer volume and growing sophistication of cybersecurity threats, running a SOC capability is not without its challenges.
SOC analysts continuously work on the front line of the battle against cybercrime. It's a demanding role, and burnout is a common problem in SOCs; it is damaging to people and compromises the efficacy of the SOC itself.
Fortunately, with new challenges come new opportunities, and eSentire has embraced automation and machine intelligence technologies to make it possible for SOC analysts to work faster and smarter without imposing new demands. This approach leverages the best of what people and technology bring to the challenge of proactively defending against attack vectors and rapidly responding when needed.
I can genuinely say that protecting client environments and responding to cyberattacks can be extremely rewarding.