Security Analyst vs Engineer: Where to Start
The Armed Forces typically have corporals and privates, who serve necessary but different roles in battle. The corporal has more experience, deploys the tactical work, and is close to the action. Newcomers start off as privates, sometimes they observe rather than act, and they can be a step or two from the action.
A security engineer (corporal), whose salary is typically $5,000 to $15,000 higher, and a security analyst (private) are in similar positions. They both work on corporate defense systems, doing the bulk of the work to ensure that data is protected. They differ in responsibilities, their positions in the corporate hierarchy, and how close they are to the front battle lines.
Defending the Perimeter
Like demarcation lines on battlefields, corporations establish various defense perimeters, layers of protection, on top of their computer systems. In the past, they fortified the entry points, the network entrances and exits. In many cases, they created a Demilitarized Zone (DMZ), a buffer zone between where their systems ended and the information coming from the outside into the enterprise network began.
The idea was to check all the newcomers and make sure that they were not bringing any malware into the organization. Most businesses invested a lot of time, money, and manpower into fortifying this area.
Times changed, and software evolved. The advent of novel application models brought new ways to attack systems. With the advent of peer-to-peer processing, malware was able to bypass the network perimeter and enter from other vantage points.
With the move to virtualization, peer-to-peer, and cloud computing, outsiders started to enter company systems in new ways, so corporations needed new tools. The end result is that companies have now deployed a wide range of tools that ward off outsiders.
The Security Operations Center
Like a military operation, enterprise IT security teams have a front line of defense and a central control center, a place where information is consolidated, battle progress is mapped out, and core security plans are laid.
A Security Operations Center (SOC) is the central hub where staff supervise the site, using various security solutions. Here, employees collect data, consolidate it into reports, evaluate performance, make adjustments, and then provide information to others.
The SOC is usually a large room with multiple large screens that illustrate what is happening with the enterprise information systems. SOC staff monitor web sites, applications, databases, data centers and servers, networks, desktops and other endpoints. Transactions are logged, interactions monitored, events correlated, and the corporate systems defended.
A second group works on the front line, fighting the battle: building, testing, and deploying security software. The two work in tandem to ensure that the systems remain secure. The security engineer works on the front lines, building and tuning secure systems and resolving security problems. A security analyst typically works in the SOC doing threat discovery and examining reports.
What Does a Security Engineer Do?
Engineers essentially build things. They work with the applications and development tools, link all of the various components, and get the company's business application running. Their experience in security products must be deep.
Most of their day is spent working on individual application deployment and troubleshooting issues. Their responsibilities typically include working with a wide range of solutions and having practical, hands-on experience in many areas:
- Operating systems like Linux and Microsoft Windows
- Cloud services like Amazon Web Services, Microsoft Azure, and Google Cloud Platform
- Programming and scripting languages such as Java, Python, Perl
- Security tools, including Kali Linux, Nessus, Netsparker, OpenVAS, Burp Suite, and Metasploit
- Mobile systems like Apple iPhone and Google Android, as well as mobile secure design principles, such as those published by the Open Web Application Security Project (OWASP)
- Compliance, which is a major concern nowadays, especially as governments become more proactive in ensuring that individuals' personal information is not compromised. Security engineers need familiarity with technology risk management frameworks, such as RMF, NIST 800-53, ISA/IEC 62443, UL CAP, ISO 27001, GDPR, CSL, CSA, SOC 2.
Security engineers are experts in data protection basics, like securing cloud services, especially Amazon Web Services data security, and network and system infrastructure design principles. They also must know how to conduct penetration testing and reverse engineer software when necessary. They constantly analyze the organization's security and search for gaps.
Required Skills for Security Engineers
Some desired engineer skills include operational vulnerability analysis; incident response and analysis; Red Team and/or Pen Testing Experience; real time network analysis; and digital forensics. Companies often look for participation in hackathons, cybersecurity competitions, and security exercises. In addition, popular certifications for security engineers include:
- Cisco Certified Network Associate (CCNA)
- (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP)
- (ISC)2 Certified Information Systems Security Professional (CISSP)
- Cloud Security Alliance (CSA) Certified Cloud Security Professional (CCSP)
- Offensive Security Certified Professional (OSCP)
- International Council of E-Commerce Consultants, also known as EC-Council, Certified Ethical Hacker (CEH)
What Does a Security Analyst Do?
A security analyst basically examines things. Typically, they work in the SOC, examining data, running tests, and compiling information. This job is often an entry-level position, one where the person starts to work their way up the ladder. They focus on trend analysis and threat detection and remediation.
Analysts spend a lot of their time on mundane tasks, like sifting through system logs. In sum, they spend their days reviewing information from security tools and making recommendations.
For instance, an analyst parses vulnerability scanning results, shows management the most common vulnerabilities in the company's environment, and assists in remediation. Their responsibilities and required experience include:
- Continuously monitoring system activities and understanding the threat landscape
- Identifying information system weaknesses and deficiencies
- Prioritizing risk mitigation decisions and associated risk mitigation activities
- Confirming that identified weaknesses and deficiencies in the information system have been addressed
- Analyzing and interpreting data to unearth vulnerabilities
- Formulating prioritized recommendations with attention to client limitations
- Experience with security information and event management systems (SIEMs) like Splunk Enterprise Security
- Experience with case management systems like ServiceNow
- Knowledge of Windows and Linux OS administration
- Ability to review and analyze network packet captures (Wireshark)
- Familiarity with scripting languages (Python, etc.)
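A small illustration of the analyst task described above (parsing scan results and ranking the most common findings for management), added here as an example; it is not from the original article and assumes a generic scanner CSV export with Host, Plugin ID, Name, Severity and CVE columns, with constructed sample rows and placeholder CVE ids.

```python
import csv
import io

# Constructed sample in an assumed, generic scanner CSV layout; the column names
# and the CVE ids are placeholders, not any specific product's export format.
SAMPLE_SCAN_CSV = """Host,Plugin ID,Name,Severity,CVE
10.0.0.5,10001,Outdated OpenSSH version,High,CVE-0000-0001
10.0.0.6,10001,Outdated OpenSSH version,High,CVE-0000-0001
10.0.0.7,10001,Outdated OpenSSH version,High,CVE-0000-0001
10.0.0.5,10002,TLS 1.0 enabled,Medium,
10.0.0.6,10002,TLS 1.0 enabled,Medium,
10.0.0.9,10003,Remote code execution in web app,Critical,CVE-0000-0002
10.0.0.5,10004,ICMP timestamp disclosure,Low,
10.0.0.5,10004,ICMP timestamp disclosure,Low,
"""

# Rank used to sort findings; unknown severities sort last.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def summarize_findings(csv_text):
    """Group raw findings by plugin, deduplicate hosts (scanners often repeat a
    finding per port), and return them sorted by severity, then by host count."""
    by_plugin = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = by_plugin.setdefault(row["Plugin ID"], {
            "name": row["Name"], "severity": row["Severity"],
            "hosts": set(), "cves": set()})
        entry["hosts"].add(row["Host"])
        if row["CVE"]:
            entry["cves"].add(row["CVE"])
    summary = [{"plugin": pid, "name": e["name"], "severity": e["severity"],
                "host_count": len(e["hosts"]), "cves": sorted(e["cves"])}
               for pid, e in by_plugin.items()]
    summary.sort(key=lambda f: (SEVERITY_RANK.get(f["severity"], -1),
                                f["host_count"]), reverse=True)
    return summary


def format_report(summary, top_n=5):
    """Render the top findings as one line each for a management summary."""
    lines = []
    for f in summary[:top_n]:
        cves = ", ".join(f["cves"]) or "no CVE"
        lines.append(f"{f['severity']:<8} {f['host_count']:>3} host(s)  "
                     f"{f['name']} ({cves})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize_findings(SAMPLE_SCAN_CSV)))
```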
Required Skills for Security Analysts
A security analyst needs experience with network security methodologies, tactics, and techniques. They must have a thorough understanding of networking protocols (TCP/IP, HTTP, FTP, etc.); networking concepts (Packets, Ports, Routing, DNS, etc.), and security technologies (Firewalls, IDS/IPS, Proxies, EDR/EPP, etc.). Often they need the following certifications:
- Certified Information Security Manager (CISM)
- Global Information Assurance Certification (GIAC)
Corporations are at war with outsiders who want to penetrate their systems and compromise their data. Winning the battle requires that an army deploy individuals at both the front line and the command center.
Security engineers are at the front and deploy the solutions that ward off intruders. Security analysts are in the back examining the results. Together, the two win the war and protect confidential information.