If a person is attacking you, they try to hide and you really have to investigate it thoroughly to find out what’s going on.
03 August 2017
Author: Security Talent


Bas works as a Security Analyst in the Security Operations Center (SOC) at DearBytes. We were curious to find out what kind of challenges and incidents a Security Analyst has to deal with and what life is like at DearBytes.
Bas van den Bosch
Security Analyst

currently: System and Network Engineering at Amsterdam University of Applied Sciences


Security Analyst, what does that mean?


DearBytes installs sensors in the networks of our clients that help us track and monitor network traffic. All events that these sensors generate as well as events from other sources, for example anti-virus, are collected in a SIEM (Security Incident & Event monitor). If our sensors detect an unusual situation we are notified because it triggers an alarm. Once we receive the notification we investigate what happened, decide if it’s serious and contact our client if needed. We explain what happened and what the consequences are, or can be for their business.


The alarms I mentioned have to be developed too. To find out what should trigger an alarm we have in-depth conversations with our clients to find out exactly what their ‘crown jewels’ are and what kind of activity on their network is considered to be normal or not. Once we have determined what is normal and what’s not, it’s our job to find a way to recognise and detect the abnormal signals and design an alarm for it so that our analysts can be notified upon detection.


Where existing tooling, be it commercial or open source, doesn’t fit our needs we develop our own tooling or modify existing ones. We use this tooling to automate as much of the analysis process as possible. This leaves the analysts to do the interesting stuff.


Furthermore we do threat intelligence. We follow trends and keep an eye out for new threats that surface and investigate them. That can be new methods of attacking, new software attackers use, vulnerabilities in the software our clients use and new viruses and malware that are being used. For example, when a big outbreak like WannaCry happens we do research on the impact, give advice on what to do and check if clients are infected. Of course with ransomware finding out if you’re infected is easy, but some malware is harder to detect. In the case of WannaCry though, giving advice was easy because Microsoft had already published which updates to install to prevent attacks.
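The pipeline Bas describes above (sensor and anti-virus events normalised into a SIEM, then an alarm rule derived from what the client considers normal access to its crown jewels) as an added illustration; this is example code written for this page, not DearBytes tooling, and the event format, the `BASELINE` structure and all addresses are constructed.

```python
import ipaddress

# Constructed sample input, not real client data: one line per sensor or AV event.
SENSOR_LINES = [
    "2017-08-03T09:00:01 sensor01 src=10.0.1.15 dst=10.0.5.20 dport=445",
    "2017-08-03T09:00:05 sensor01 src=10.0.1.16 dst=10.0.5.20 dport=445",
    "2017-08-03T09:01:10 sensor02 src=10.0.9.77 dst=10.0.5.20 dport=3389",
    "2017-08-03T09:02:00 sensor01 src=10.0.1.15 dst=93.184.216.34 dport=443",
]
AV_LINES = [
    "2017-08-03T09:03:00 av host=10.0.5.20 verdict=detected name=Generic.Trojan",
    "2017-08-03T09:03:30 av host=10.0.1.15 verdict=clean name=-",
]

# Hypothetical baseline agreed with the client: which assets are the crown jewels
# and which source networks normally reach them on which port.
BASELINE = {
    "crown_jewels": {"10.0.5.20"},
    "normal_access": {("10.0.5.20", 445): [ipaddress.ip_network("10.0.1.0/24")]},
}


def parse(line):
    """Normalise one raw line into a dict: timestamp, source, then key=value fields."""
    ts, source, *fields = line.split()
    event = {"ts": ts, "source": source}
    event.update(f.split("=", 1) for f in fields)
    return event


def normal_access(dst, port, src):
    """True when src lies in a network the baseline allows to reach dst:port."""
    return any(ipaddress.ip_address(src) in net
               for net in BASELINE["normal_access"].get((dst, port), []))


def run_alarms(sensor_lines, av_lines):
    """Return (severity, message) alarms for events that fall outside the baseline."""
    alarms = []
    for ev in map(parse, sensor_lines):
        # Only traffic towards a crown jewel that the baseline does not explain alarms.
        if ev["dst"] in BASELINE["crown_jewels"] and not normal_access(
                ev["dst"], int(ev["dport"]), ev["src"]):
            alarms.append(("high", f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dport']} outside baseline"))
    for ev in map(parse, av_lines):
        # AV detections always alarm; on a crown jewel they are escalated.
        if ev["verdict"] == "detected":
            sev = "critical" if ev["host"] in BASELINE["crown_jewels"] else "medium"
            alarms.append((sev, f"{ev['ts']} AV detection {ev['name']} on {ev['host']}"))
    return alarms
```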




What kind of projects are you involved with?


The projects are very diverse. We have clients from various industries, banks, government, healthcare. Really the whole spectrum, even SME companies. In the beginning DearBytes was mostly focused on the healthcare sector but in our SOC that focus is completely gone. Nowadays it’s really diverse.


The incidents we deal with come from alarms from the security monitoring or from our threat intelligence. A third option is that we look at anomalies in the SIEM. When we have an incident it’s a matter of deciding what the impact of the incident is, or can be, and mitigating it. If it is a serious problem we notify the client. If we do research on incidents or risks based on the SIEM data it’s basically more a matter of investigating: looking at what sort of data are available, like log files of network traffic. If we find anomalies we fix it and draft up a report for our client, giving advice on how to deal with the incident and what the impact can be. If they can’t do it on their own they can ask our colleagues from managed services for help. The SOC team does not fix the problems on that level. The core task we have is doing research so that we can deliver accurate reports.


Why did you pursue this career?


For the challenge that comes with it. I used to be a system administrator before I worked for DearBytes, but I got attracted to security because I saw it more as a challenge. You’re looking for people that try to hide from you. As a system administrator, when a programme doesn’t work like it should, you just have to fix it. It doesn’t hide or anything. With security, if a person is attacking you they try to hide and you really have to investigate it thoroughly to find out what’s going on.


After high school I went on to work as a stage builder. After a while I thought this wasn’t something I could do until my retirement. Via my brother-in-law I got a job in IT and from there kind of ascended to where I am now.




Can you name a milestone in your career?


I think that would be March 2015. That’s when DearBytes founded this SOC. Some of the guys who started in the very beginning are still here. We’re still building and improving our product and delivering a more mature service to our clients almost every day. That’s something I’m proud of being a part of: being involved from the beginning and seeing and helping our product grow and improve over the years. When we started in the early beginnings the office was almost empty. It was just a desk in an empty office space. But right now we’re actually running out of space. We’re looking to expand since we’re growing too big for the space we have now. It’s nice to see that development and growth and be a part of it.


How will your industry or job in particular change over the next few years? How do you keep up?


It’s a fast-paced environment. There are a lot of innovations that follow each other at a rapid pace. So it’s important to stay up to date on developments and trends. That’s the most important thing you need to do to stay up to date. What direction the industry will move in is hard to predict. Attacks are increasingly being automated and a growing number of companies and organisations fall victim to… well, cybercrime. I hate to use that word, cybercrime, but I don’t really have an alternative. But as the number of attacks increases, and subsequently the number of victims, so does the importance of threat monitoring. It’s not really a question of ‘if’ but rather ‘when’ you will be attacked. So monitoring is important if a company wants to be able to respond adequately when they get screwed. Even if you keep all your software up to date and follow best practices there is always a way to get in. That’s what the NSA leaks have shown us. It’s just waiting on what the next big headline will be.


Currently I’m enrolled in an educational programme. Furthermore it’s important to follow the news and be aware of what is going on. I read a lot of papers on subjects related to my work, scientific ones but also on forums and Twitter. Basically all places where you can find news. Less on obscure forums, but blogs from individuals and companies are really valuable.




Do you have any tips for up-and-coming talent?

A lot of people expect that you need a really diverse set of technical skills and expertise. But in my experience having an open and curious attitude is just as, if not more, important. The kind of people that want to know all the gory details, and get their information from different sources. The kind of individual that really dives into something to find out and understand how it works. It’s my experience that this attitude really helps and that people that do have a technical background are not necessarily better, because they don’t ask questions. In our SOC we have someone who doesn’t have any background in IT. But because he asks a lot of questions and has a natural curiosity he is always able to provide our clients with good advice.
