That SOC Guy I Got Fired
When I was a cyber security consultant for a previous job, I had to travel to Connecticut to work for a few days helping a large Insurance company adopt and operationalize our product. In most circumstances, I try to gather all the stakeholders together and have them work with me for several hours brainstorming on use cases: things they want the product to do, things they NEED the product to do, and even fantasy use cases, things they wished any product could do that would be unique to their own work processes or specific business needs. Our product was extremely versatile (it captured all of the network traffic), so while cyber security use cases were standard, many of the business use cases needed to be custom built to suit the needs.
One black SOC operator with a surly attitude said that his whole entire job, the one he spent 8 hours a day doing, consisted of looking through logfiles for the use of the superuser accounts. He didn’t exactly grep the files, and much of his time was spent actually downloading the megs and megs of logs to search it seemingly by hand. It took me 30 seconds to write a query rule to pull this out of the network traffic. I made a nice alert system to tell the guy not only when the accounts were actively being used, but which servers, which IP addresses, which protocols, etc. He had explained that he owed a daily report to his supervisor, so I created a nicely formatted summary report and had it automatically send itself off every afternoon at 5 PM, as well as send alerts by SMS and emails for single instances.
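To make the superuser-usage rule and the daily summary concrete, here is an added example in Python. It is not code from the author's product or from the insurer's environment: the key=value log format, the sample events, and the set of account names treated as privileged are all constructed for this illustration. The block parses auth events, keeps those that involve a privileged account, emits one alert line per instance, and aggregates the rest by server, source IP and protocol the way the daily report described above would.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Account names treated as superuser/privileged (an assumption for this example;
# a real deployment would take this list from the directory or the product's config).
PRIVILEGED_ACCOUNTS = {"root", "administrator", "admin", "sa"}

# Constructed sample auth events in a syslog-like key=value form. Not real data.
SAMPLE_LOGS = """\
2024-03-04T08:55:10Z host=web01 src=10.10.1.20 proto=ssh user=jsmith result=success
2024-03-04T09:12:03Z host=db01 src=10.10.1.45 proto=ssh user=root result=success
2024-03-04T09:12:41Z host=db01 src=10.10.1.45 proto=mysql user=root result=success
2024-03-04T10:03:17Z host=dc01 src=10.10.2.8 proto=rdp user=Administrator result=failure
2024-03-04T10:03:25Z host=dc01 src=10.10.2.8 proto=rdp user=Administrator result=success
2024-03-04T11:40:00Z host=fs02 src=10.10.3.77 proto=smb user=mlee result=success
malformed line with no fields
2024-03-04T16:20:09Z host=db01 src=203.0.113.9 proto=ssh user=root result=success
"""

# Timestamp followed by one or more key=value tokens.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    src: str
    proto: str
    user: str
    result: str


def parse_line(line):
    """Parse one event line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split())
    try:
        return AuthEvent(m.group("ts"), fields["host"], fields["src"],
                         fields["proto"], fields["user"], fields["result"])
    except KeyError:
        # A line that parsed but lacks a required field is skipped, not crashed on.
        return None


def privileged_events(text):
    """Return the events in which a privileged account was used, success or failure."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None and e.user.lower() in PRIVILEGED_ACCOUNTS]


def alert_lines(events):
    """One alert per instance, the kind of text that would go out by SMS or email."""
    return [f"ALERT {e.ts} {e.user}@{e.host} from {e.src} via {e.proto} ({e.result})"
            for e in events]


def summarize(events):
    """Aggregate privileged usage by server, source IP and protocol for the daily report."""
    return {
        "total": len(events),
        "failures": sum(1 for e in events if e.result != "success"),
        "by_host": Counter(e.host for e in events),
        "by_src": Counter(e.src for e in events),
        "by_proto": Counter(e.proto for e in events),
    }


def format_report(summary):
    """Render the summary as the plain-text report a supervisor would receive."""
    lines = [f"Privileged account usage: {summary['total']} events, "
             f"{summary['failures']} failed"]
    for label in ("by_host", "by_src", "by_proto"):
        lines.append(f"  {label[3:]}:")
        for key, n in summary[label].most_common():
            lines.append(f"    {key}: {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = privileged_events(SAMPLE_LOGS)
    print("\n".join(alert_lines(found)))
    print(format_report(summarize(found)))
```

Running the block prints five alerts (the malformed line and the two ordinary-user logins are dropped) and a report showing db01 as the busiest server and the one event from a non-internal address (203.0.113.9) standing out in the source-IP breakdown, which is the sort of detail the per-instance alerts exist to surface the moment it happens rather than at 5 PM.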
I showed him what I did for him, and instead of a great big thanks, I caught a dangerous stare from the man. I explained to him that he no longer had to sit in a SOC 8 hours a day downloading logs and searching through them. Now he could focus his tasks and even his career on more important and rewarding work. He shrugged me off and mumbled something under his breath.
I later showed the reporting and alerting structure to the SOC manager and he was very grateful. He told me he could now let the employee go to cut back on his headcount.
That wasn’t the only person I got fired that day. I was able to create a report that tracked any contact between an employee and the Insurance company’s competitors to look for people leaking information to the competitors. The first time I ran the report I caught a top sales lady sending her resume to a competing Insurance Agency along with her rolodex of her major accounts and contacts. And because she had logged into her Facebook page that day, I was able to append her Facebook profile pic to her data theft report. This report was passed to HR and before I left that day, I heard the woman had been escorted out of the building by security.
I felt pretty good about getting the sales lady fired. She was violating corporate policy and borderline committing crimes. But the black SOC worker? I have never really been able to sort out my feelings about that one. He was doing the gruntest of grunt work and I had freed him from that task. On the other hand, it turned out that he was not needed or wanted by anyone else in the organization, which made me kinda wonder what he was doing in the SOC in the first place. Maybe he should have had a better personality.