
Kurt Fletcher

Coulby Newham, Middlesbrough, Cleveland

Summary

24-year-old, reliable and passionate employee seeking a SOC Analyst position. I have spent the last 5 years doing everything I can to improve my skills as an Analyst, doing whatever it takes to get to the next step in my career. Although I am still in the early stages of my career, I am constantly pushing myself out of my comfort zone and taking the time to understand this role so that I can deliver the best service possible and be an asset to any employer that sees me as the right fit for their company.

Overview

6 years of professional experience

Work History

L2 SOC Analyst

Virtual Armour
12.2022 - Current

On 1st December 2022 I was promoted to the role of L2 SOC Analyst. My main responsibilities include:

  • Training new recruits (L1 and L2 Analysts).
  • Being an LA (Lead Analyst) for specific clients, regularly checking their security posture.
  • Making recommendations to clients, such as adding additional monitoring by having their EDR, IDS, firewalls, DCs, etc. log to their SIEM platform.
  • Generating reports on specific activity.
  • Being an escalation point for L1 Analysts.
  • Leading regular client meetings (weekly, bi-weekly or monthly) to discuss potential upcoming projects, recent offenses that are a potential cause for concern and how we mitigate them, and a general overview of their SIEM platform's health, ensuring everything is up to date and the chance of a breach, or a false positive, is reduced to a minimum.
  • Regularly checking clients' IPM (Incidents per Month) and EPS (Events per Second) to ensure they are not going over the limit they are paying for. If they are, it is my job to reduce this in the most efficient way possible, ensuring that we are not removing or reducing critical assets, devices or rules, or to provide thorough evidence as to why they should increase their IPM/EPS.
  • Recommending improvements in security systems and procedures.
  • Using critical thinking to break down problems, evaluate solutions and make decisions.
  • Meeting with other SIEM SMEs within the team regularly to discuss current issues and ways we can improve quality and security knowledge/awareness across the company.


Although I have not been in this role a year yet, I feel as though I have developed well. A key moment for me was when an L3 Analyst left and there was a SIEM instance that hosted multiple clients who were considered to be "low touch". As this was the case, they were not allocated a dedicated technical resource. However, as I was new to the role, I decided to investigate their SIEM instance and found that there were holes in the monitoring for numerous clients on this instance. I then took it upon myself to get this instance to a healthy state and repair our relationship with each client. To do this I created a new way to perform system health checks on the multi-tenant SIEM platform, making each one more personal to the client rather than the more generic approach we took previously, alongside keeping constant communication with the clients to assure them that we were available to assist 24/7 by any means necessary.

Through the success of the system health checks I created, we have now adopted this approach permanently across all clients, which I would like to believe I was the catalyst for.

L1 SOC Analyst

Virtual Armour
04.2018 - 11.2022

Responsibilities

  • Monitor customer environments for security issues through the ServiceNow Helpdesk.
  • Investigate security breaches and other cybersecurity incidents on customers' SIEM instances (Splunk and QRadar).
  • Document and research security breaches and assess the damage they cause.
  • Work with customers' security teams to perform tests and uncover network vulnerabilities.
  • Help remediate detected vulnerabilities to maintain a high security standard.
  • Develop company-wide best practices for IT security.
  • Research security enhancements and make recommendations to management.
  • Educate and train users on information security policies and procedures.
  • Analyse network traffic and system logs to detect malicious activities.
  • Stay up to date on information technology trends and security standards.

During my time at Virtual Armour I initially started my role as an apprentice with no background knowledge of cyber security. Since then I have developed my skills within this role, taking time to learn as much as I can in this industry while working in a high-pressure environment. Over the last 4 years I became an integral part of the L1 team, constantly trying to improve our standards and service while also staying composed in high-pressure situations and giving each customer alert the attention to detail it deserves: not just responding to the alert, but also looking for the cause and any surrounding IOCs that may have caused the alert, in order to determine the severity of the offense.


Stand-out moments within my career as an L1

  • Training new members of staff.
  • Working the Helpdesk on my own, managing both SIEM and networking alerts while also ensuring we do not breach SLA.
  • Working unsociable hours to ensure the busiest part of our day is covered.
  • Working multiple different shifts such as days, nights and back shifts, ensuring we are covered 24/7, while also covering shifts at the last minute, attempting to be a reliable asset to the team.
  • Working 13- or 14-hour shifts if necessary, only finishing work when the Helpdesk is in a manageable state.
  • Tuning rules on client SIEM instances, looking for patterns and trends that show benign activity, to reduce noise for both the customer and the Helpdesk.
  • Taking on L2 duties when necessary: working customer-specific tickets, running searches on activity over broader time spans to look for suspicious behaviour from specific users, creating rules to generate offenses, and taking part in customer meetings as a technical resource for any queries the customer has that the sales team can't answer.
  • Creating SOPs for other engineers to follow when a new alert has been generated.

Education

GCSE - English Literature

Kings Academy
08-2015

GCSE - English Language

Kings Academy
08-2015

GCSE - Maths

Kings Academy
08-2015

City and Guilds - Level 2 ICT Systems and Principles

Worthwhile Solutions
02-2018

City and Guilds - Level 3 ICT Professional Competence

Worthwhile Solutions
02-2018

Cisco - CCENT (Now Expired)

Virtual Armour
09-2018

Splunk - Splunk Fundamentals 1

Virtual Armour
09-2021

Skills

  • Troubleshooting and analysing log activity
  • Excellent communication
  • Customer service
  • QRadar monitoring and tuning
  • Splunk incident handling
  • Attention to detail
  • Critical thinking
  • Procedure documentation

Additional Information

Full UK Driving Licence
