Meet our Academy Consultants – Charles

How do you feel you’ve transitioned from the Ten10 Academy to your client work?
I feel that I have transitioned well in moving to client work. It was a bit intimidating at first, but as I grew accustomed to the role, the environment, and the team I work with that feeling quickly diminished.

Whenever I had questions about admin or steps needed taking outside of my client work role, I could always speak to Academy Wellbeing who would either answer my question themselves or point me in the right direction to have it answered.

Take us through your placement, where are you currently working?
I have worked with the Information Security Team. I have been responsible for one project (which entailed triaging of security alerts, contacting users, performing security analysis, investigating suspicious files/URLs/emails, and improving security alert rules) as well as other security-related responsibilities.

What parts of the Ten10 Academy training have been most useful in your placement?
I found several parts of my training of great use:

• Professionalism and teamwork skills
• Knowledge of HTML and websites – useful for investigating potentially malicious sites
• Report writing – I often find myself writing small reports on an event or an investigation
• Understanding of IT infrastructure, firewalls, and IP addresses – used very frequently when trying to understand an incident

What is a normal working day or week for you?
A normal working day starts with checking my emails/teams messages for any urgent news or tasks. I then sign myself into all the services/portals I make use of in my role for investigation and triage of security incidents. A security incident could be anything that is detected in the client’s IT architecture that may indicate something suspicious has occurred.

I also usually open several third-party tools I use during security analysis. I make sure to open an empty notepad for any jotting down or copy/pasting of IOC (indicators of compromise – which could be anything suspicious from an investigation). I then investigate incidents, the time each incident takes to resolve, and the specific steps a security analyst needs to take is very fluid. When the investigation is completed, and all processes are completed. I resolve incidents as either malicious, benign, or false positive. If an incident is malicious then additional work needs to be done. This may include preventing further malicious action, restoring things to how they were before the incident, and reporting on what happened and preventing future events of that type.

Afterwards, I may investigate incidents/issues reported by users following the same general process as written above. Or I may take some time to study for my planned certifications. It depends on the workload on any given day. There are semi-frequent meetings and calls I attend throughout the day as well. Some examples of investigations I may need to perform are:

Investigating if a user has received a malicious email: I safely navigate to a suspicious URL attached to the email and discover it is a website impersonating a Microsoft sign-in page to harvest user credentials for future malicious activity. I block the URL from being accessed and the email address that sent the email.

A user account has received a large number of failed sign-in attempts from unusual IP addresses: I investigate their sign-in logs and discover that the IPs involved have been marked as suspicious. I ensure the user account is secure and can block the IPs if needed.

Have your roles and responsibilities changed during your time on placement?
Yes, it has. As I have gained experience with my main incident investigations, I have taken on more additional work. This includes email-based investigations and user-reported issue investigations.

What technology, tools, frameworks, and processes have you gained experience with since starting client work?
Microsoft Azure, Microsoft Sentinel, Microsoft Defender, Mimecast, Virtual Machines, and Sandboxes. Before I started client work I had no experience with any of these.

How has your client supported your development?
They have supported me in a great many ways:

• When I first started, I did a lot of remote shadowing more experienced team members
• I have a monthly 121 with my manager
• The team has had multiple training sessions where I have been involved
• Time has been provided to allow me to study for cyber security certifications (including the CompTIA Security+ and the SC200)
• Even now when I am accepting additional roles and tasks, the time to shadow more experienced team members is provided

What support have you received from Ten10 during your placement?
As mentioned earlier, the members of Academy Wellbeing have consistently provided me with support and advice. I have been provided with training courses on Udemy to support my transition into client work. The certification exams have been paid for. Additional Udemy courses were also provided to help study for the certifications.

Have you been given any extra opportunities through your client work?
I have attended a couple of company events so far and had the opportunity to meet the team and other client employees in person. I have virtually attended several industry events, the latest of which was a Mimecast Summit regarding Ransomware. I have also been told that when in-person industry events take place my client will eagerly support me in providing the time and transportation needed to attend.