A day as an MDR analyst
What is an MDR analyst?
Managed Detection and Response (MDR) entails the outsourcing of cybersecurity to a third party for the purpose of protecting an organization where time and scope would otherwise not allow. An MDR team would step in to manage the security and safety of the organization. This is often done by utilizing a mix of automated, reactive, and proactive responses to threats, including threat intelligence, 24/7 monitoring, and incident response – all carried out by a team of experienced security analysts.
But that’s a lot of words – what does an MDR analyst actually do?
Cool stuff 😊
Day in the life
Every MDR team manages their day-to-day operations differently, but having efficient planning is key when analyzing different types of data from multiple international companies with hundreds or thousands of users and devices.
On a day-to-day basis, we utilize a mix of Extended Detection and Response (XDR) and Security Information and Event Management (SIEM). XDR's holistic, SaaS-based, vendor-specific security implementations allow for deep and narrow threat response, while SIEM's broader scale lets the two work hand in hand for a holistic approach to mitigation, protection and remediation.
Our SIEM solution helps the analyst coming on shift by generating incidents based on log data and detection rules, alerting them if something worth investigating occurs. As part of daily life, we examine these incidents and the potentially malicious or suspicious activity behind them to determine whether it's benign, a false positive, a true positive, and so on.
Finding false negatives is also important, which is done through proactive threat hunting and tweaking the existing analytics rules we've developed. For me personally this is a big part of my day-to-day, as I work closely with the detection indexes we use, letting me practice my KQL and improve my understanding of database and log management. Once one of my (or another analyst's) detection rules triggers, we open and investigate the incident, remediating and blocking the risk as needed.
If the shift leaves time for it, after customers' needs have been tended to, there's usually time to work on improving our environment via Agile Continuous Service Improvement. This is more specifically handled through planning cards, which can range from programming tasks, reviewing analytics rules, crafting detection indexes, building logic applications or playbooks – or anything that needs doing, really. This also enables the opportunity to develop within the field of your choosing, be it forensics, red teaming, blue teaming, or some specific XDR or SIEM solution.
Relatedly, the shift often ends or begins with some banter or chatting with coworkers, where people share knowledge and help one another with potential blockers, or we discuss new CVEs and development in different fields o
While the critical incidents hopefully don't occur just as one has stepped off shift, once the alarm is raised, it's all hands on deck.
People who aren’t on shift hop on at least to get the updates and details regarding the situation and to hear from incident leads. Sometimes other teams within Onevinn are pulled in to operate within their areas of expertise, such as mobile or application security, act as incident lead, or to keep an open communication with the customer.
After that, we follow a priority schema – assuming it's a cyber-attack, assets may need to be secured, or attackers need to be removed from the network. We analysts work methodically, asking for help as needed and contributing to the securing of the customer's infrastructure. The work itself can be challenging, but with the combined knowledge and experience of our seniors we're able to learn at a remarkable pace without the stress of imminent failure affecting the quality of the work. In fact, despite the risk of long hours or overtime work, the first time I personally joined in during a big incident in my time as a part-timer, the first thing I heard was cheerful conversation. Maintaining focus and positivity throughout the critical incidents is key, and for that, we have one of the best teams I've ever seen.
Relatedly, the culture at the office is stellar. I was personally worried about joining such a competitive field with people far above my own perceived skill, but it's been nothing but welcoming. Sometimes we take time before or after shifts to play video games or have a company barbecue, and the same positive spirit carries into even the tense situations. Wouldn't have it any other way 😊