CyberBrew Team

A Day in the Life of a SOC Analyst

Hey there, I’m a SOC analyst on the incident response team at a small financial institution. My job? Keeping the bad guys out and making sure our systems stay secure. It’s a pretty dynamic role where no two days are the same, but I’m going to walk you through what a typical day looks like for me.


8:00 AM – Coffee and Catch-Up


I start my day like most people: with a strong cup of coffee. While it’s brewing, I log into our systems and start catching up on any alerts that popped up overnight. I work solo on the security team, so I’m responsible for everything from monitoring alerts to investigating and closing them out.


8:30 AM – Morning Sweep


First thing I do is a quick sweep of our SIEM (Security Information and Event Management) system. I’m looking for any high-priority alerts that need immediate attention. Our SIEM pulls in logs from everywhere – firewalls, NDR (Network Detection and Response), Microsoft Defender, you name it.


Today, I notice a few suspicious login attempts flagged by Microsoft Defender. Multiple failed logins from an IP address in Eastern Europe trying to access one of our admin accounts. Time to dig deeper.


9:00 AM – Investigating Suspicious Logins


I pivot to the logs in our SIEM to get more context. Using some custom queries, I pull up all the events tied to this IP address. Sure enough, there are dozens of failed attempts followed by a successful login. My heart rate kicks up a notch – this could be bad.


I cross-reference these events with our NDR logs. The successful login didn’t trigger any data exfiltration alerts, which is a good sign, but it still doesn’t sit right with me.


10:00 AM – Action and Documentation


I decide to lock the account temporarily and notify the user and our IT department. Better safe than sorry. After locking the account, I start documenting the incident. This involves detailing what I found, the actions taken, and any next steps.


Documentation might sound tedious, but it’s crucial. It not only helps in case of future incidents but also keeps everything transparent and traceable.


11:00 AM – Email Phishing Analysis


Next up, I turn my attention to the stack of reported phishing emails. Our employees are pretty good at forwarding suspicious emails to our team, and it’s my job to analyze them.


I start by opening one that looks particularly fishy – a supposed email from our CEO asking for a wire transfer. Classic phishing. I examine the email headers and confirm it’s a spoofed address. I then feed this information into our email security system to block future emails from this sender and similar phishing attempts.
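The header analysis for that CEO wire-transfer message, as an added Python example (not code from the original post, and not the author's tooling). Both messages, the domains, the relay IPs and the MX name mx.bank.example are constructed for the example. It compares the header From against the envelope sender (Return-Path) and Reply-To, reads the SPF/DKIM/DMARC verdicts that our own MX stamped into Authentication-Results, and collects the indicators that would go to the mail gateway's block list.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# authserv-id of our own inbound MX (assumed name): only Authentication-Results it stamped are trusted.
OUR_MX = "mx.bank.example"

# Constructed phishing sample (not a real message): the display name says CEO, but the envelope
# sender, Reply-To and our MX's authentication results all disagree with the From header.
RAW_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.50])
\tby mx.bank.example (Postfix) with ESMTP id 4ABC123
\tfor <payments@bank.example>; Mon, 6 May 2024 10:42:17 +0000
Authentication-Results: mx.bank.example;
\tspf=fail smtp.mailfrom=mail-relay.example.net;
\tdkim=none;
\tdmarc=fail header.from=bank.example
From: "Jane Doe, CEO" <jane.doe@bank.example>
Reply-To: <jane.doe.ceo@webmail.example.org>
To: payments@bank.example
Subject: Urgent wire transfer

Please process the attached wire today and confirm by replying to this email.
"""

# Constructed legitimate sample for contrast: same From, but envelope and auth results line up.
RAW_LEGIT = """\
Return-Path: <jane.doe@bank.example>
Received: from smtp.bank.example (smtp.bank.example [198.51.100.10])
Authentication-Results: mx.bank.example;
\tspf=pass smtp.mailfrom=bank.example;
\tdkim=pass header.d=bank.example;
\tdmarc=pass header.from=bank.example
From: "Jane Doe, CEO" <jane.doe@bank.example>
To: payments@bank.example
Subject: Board deck

Attached is the deck for Thursday.
"""


def _addr(header_value):
    """First address in a header (lower-cased), '' if the header is absent."""
    return parseaddr(str(header_value or ""))[1].lower()


def _domain(header_value):
    addr = _addr(header_value)
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def _auth_results(msg, authserv_id):
    """spf/dkim/dmarc verdicts from Authentication-Results, but only from headers our own MX
    stamped: an upstream attacker can inject this header, so the authserv-id must match."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\s+", " ", str(value)).strip()
        if value.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            results[method.lower()] = verdict.lower()
    return results


def analyze_headers(raw, authserv_id=OUR_MX):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    envelope_domain = _domain(msg["Return-Path"])
    reply_to = _addr(msg["Reply-To"])
    auth = _auth_results(msg, authserv_id)

    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender domain {envelope_domain} != From domain {from_domain}")
    if reply_to and _domain(msg["Reply-To"]) != from_domain:
        findings.append(f"Reply-To {reply_to} is outside the From domain")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) in ("fail", "softfail"):
            findings.append(f"{method}={auth[method]} per {authserv_id}")
    if not auth:
        findings.append(f"no Authentication-Results stamped by {authserv_id}; sender unverified")

    # DMARC fail on the From domain is the authoritative spoofing signal; SPF fail plus a
    # mismatched envelope domain is the next strongest.
    spoofed = auth.get("dmarc") == "fail" or (
        auth.get("spf") in ("fail", "softfail") and envelope_domain != from_domain)
    relay = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(msg["Received"] or ""))
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "auth": auth,
        "findings": findings,
        "spoofed": spoofed,
        # What goes to the mail gateway's block list if the verdict is spoofed.
        "indicators": {"envelope_domain": envelope_domain, "reply_to": reply_to,
                       "relay_ip": relay.group(1) if relay else ""},
    }
```

Two things worth keeping in mind when using this pattern: only the Authentication-Results header written by your own MX counts (anyone can add one upstream, which is why the authserv-id is checked), and blocking the spoofed From address itself would also block the real CEO. The indicators that are actually safe to block are the envelope sender domain, the Reply-To address and the relay IP.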


12:30 PM – Lunchtime


I grab a quick bite to eat. Sometimes I’ll eat at my desk if things are hectic, but today I manage to take a proper break.


1:00 PM – Afternoon Monitoring and Anomalies


Back to it. I return to my SIEM dashboard and start scanning for anomalies. Our NDR has flagged some unusual outbound traffic from one of our finance servers. This could be nothing, but it could also be data exfiltration.


I dive into the logs again. The traffic is headed to an unfamiliar IP address. After a bit of digging, I realize it’s a false positive – just a new update server for one of our financial applications that hadn’t been whitelisted yet. Crisis averted.


2:30 PM – Writing Queries and Creating Rules


Part of my job involves writing queries to create new threat analytic rules and reports. Today, I’m working on a new rule to detect unusual login patterns. Using a combination of failed login attempts followed by successful logins from different geolocations, I create a rule that will trigger an alert if it happens again.


This involves a lot of testing and tweaking. I run some simulations to ensure it doesn’t generate too many false positives. After a couple of hours of fine-tuning, I’m happy with the results.
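The 9:00 AM pivot on one source IP and the rule described here (a burst of failed logins followed by a success, with geolocation context), as an added Python example. This is not code from the original post and not the author's SIEM query; the event shape, the field names, the thresholds and the sample sign-in records are all constructed for the example. In production the same logic would be written in the SIEM's own query language against Defender sign-in telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry), shaped like the fields a Defender
# sign-in alert carries: timestamp, account, source IP, country, result.
SAMPLE_EVENTS = [
    ("2024-05-06T08:15:00", "admin.jdoe", "198.51.100.20", "US", "Success"),
    ("2024-05-06T23:58:10", "admin.jdoe", "203.0.113.7",   "RO", "Failure"),
    ("2024-05-06T23:58:42", "admin.jdoe", "203.0.113.7",   "RO", "Failure"),
    ("2024-05-06T23:59:15", "admin.jdoe", "203.0.113.7",   "RO", "Failure"),
    ("2024-05-06T23:59:50", "admin.jdoe", "203.0.113.7",   "RO", "Failure"),
    ("2024-05-07T00:00:31", "admin.jdoe", "203.0.113.7",   "RO", "Failure"),
    ("2024-05-07T00:01:05", "admin.jdoe", "203.0.113.7",   "RO", "Failure"),
    ("2024-05-07T00:01:40", "admin.jdoe", "203.0.113.7",   "RO", "Success"),
    # Benign noise: one mistyped password from the office, then success.
    ("2024-05-07T07:02:00", "asmith", "198.51.100.20", "US", "Failure"),
    ("2024-05-07T07:02:20", "asmith", "198.51.100.20", "US", "Success"),
]


def parse_events(rows):
    """Turn raw rows into dicts sorted by time; the rule below relies on time order."""
    events = [{"time": datetime.fromisoformat(t), "account": a, "src_ip": ip,
               "country": c, "result": r} for t, a, ip, c, r in rows]
    return sorted(events, key=lambda e: e["time"])


def events_for_ip(events, src_ip):
    """The 9:00 AM pivot: every event tied to one source IP, in order."""
    return [e for e in events if e["src_ip"] == src_ip]


def detect_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=15)):
    """Alert when an account's successful sign-in is preceded, within `window`, by at least
    `min_failures` failures from the same source IP. Severity is raised when the success
    comes from a country the account has never successfully signed in from before."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["result"] != "Success":
            continue
        earlier = events[:i]
        failures = [e for e in earlier
                    if e["account"] == ev["account"] and e["src_ip"] == ev["src_ip"]
                    and e["result"] == "Failure" and ev["time"] - e["time"] <= window]
        if len(failures) < min_failures:
            continue
        known_countries = {e["country"] for e in earlier
                           if e["account"] == ev["account"] and e["result"] == "Success"}
        new_country = bool(known_countries) and ev["country"] not in known_countries
        alerts.append({
            "account": ev["account"],
            "src_ip": ev["src_ip"],
            "country": ev["country"],
            "failures_before_success": len(failures),
            "first_failure": failures[0]["time"].isoformat(),
            "success_time": ev["time"].isoformat(),
            "new_country": new_country,
            "severity": "high" if new_country else "medium",
        })
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print(f"{len(events_for_ip(events, '203.0.113.7'))} events from 203.0.113.7")
    for alert in detect_bruteforce_then_success(events):
        print(alert)
```

`min_failures` and `window` are the knobs the tuning pass is about: at the defaults the single mistyped password from the office stays quiet, and lowering `min_failures` to 1 makes it fire at medium severity. The `new_country` flag is what separates the admin-account success from an unfamiliar geolocation from an employee fat-fingering a password at their usual desk, which is why it drives the severity rather than the match itself.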


4:30 PM – Reporting and Wrapping Up


Towards the end of the day, I compile a report of all the incidents and alerts I’ve handled. This goes to our management and serves as a record of my activities. It includes details of the suspicious logins, phishing emails, and the new rule I implemented.


5:00 PM – End of Day


Before logging off, I do one last check of the systems to make sure nothing critical has come up. It looks like things are quiet, so I close out for the day.


Conclusion


And that’s a typical day in my life as a SOC analyst at a financial institution. It’s a job that keeps you on your toes with a mix of monitoring, investigating, and problem-solving. Every day is a bit different, but that’s what makes it exciting. Plus, knowing I’m helping protect our organization’s data and integrity is pretty rewarding.
