Cybersecurity Defenders: Analysis, And DFIR

Three of the most common questions about cybersecurity defenders are:

  • What is a cybersecurity defender?
  • What does a cybersecurity defender do?
  • How do you become a cybersecurity defender?

This post will answer these questions about cybersecurity defenders (or you can check out the other 4 cybersecurity roles) and provide an outlook on the job market. The 3 types of defenders are:

  • Analysis
  • Digital Forensics
  • Incident Response

What Is A Cybersecurity Defender?

Cybersecurity Defenders are the watchdogs of cybersecurity. They use cybersecurity tools to protect enterprises. Every organization either has its own blue team in some form or subcontracts it out. The larger the company, the larger its need for a security operations center (SOC).

What Does A Cybersecurity Defender Do?

Defenders are responsible for determining which alerts are real and responding to them. They also perform investigations after incidents to figure out how they happened. Defenders might also actively hunt for threats within their organization. They sometimes work alongside cybersecurity attackers and run exercises with them.

Cybersecurity Defenders Working Environment

Defenders can work in a SOC environment, where numerous activities are coordinated by the SOC manager. A SOC may itself sit behind layers of physical security. Defenders might also work for third-party consulting firms, responding to incidents or to requests from customers. Depending on the company, you may be wearing jeans and a t-shirt, or a suit and tie. Defenders work in every industry, and different systems face different threats.

Cybersecurity Defender Requirements

Defenders need a character trait that is common across cybersecurity but is especially important for them: patience. Defenders might stare at network captures, databases, code, and so on, looking for a needle in a haystack. The best of them have the patience to keep looking until they find the one mistake, the one trace that an attacker left behind. If capturing that digital footprint sounds exciting, then being a defender might be your niche.

Cybersecurity Analyst Skills

At the most basic level, analysts must understand the TCP/IP handshake and the 7-layer OSI model. The internet is just a network of networks, and being able to trace network traffic is important. More advanced analysts will have scripting skills that allow them to query devices in real time. They have to understand what alerts mean and how they affect the big picture. At the most advanced level, analysts will actively hunt threats in real time.

Cybersecurity Digital Forensics Skills

These specialists examine machines after an incident has occurred. They typically work for law enforcement or insurance companies, and expertise in local through federal law is important. Digital forensics is a sensitive area, and there are highly specialized tools that help gather evidence without tampering with it. Every specialist must follow procedures every single time, so being meticulous is very important. They must have expert knowledge of networks and computers. This helps them know where to find evidence: which logs, databases, and so on.

Cybersecurity Incident Response Skills

First and foremost, incident responders must be able to handle high-pressure situations. The main purpose of their role is to know what to do when things go wrong. They need to have an understanding of the business they’re working for, and what is critical to it. Incident responders also need to have good documentation skills, to keep track of many things. They assist with Business Continuity Plans, tabletop exercises, and training as well.

Cybersecurity Defender Jobs

There will always be a need for defenders in the world of cybersecurity. With the growth of cyber crime, there is a very strong job market for defenders. Among the roles, analysts tend to be more on the entry-level side, while digital forensics and incident response are more advanced.

Cybersecurity Analyst Jobs

Analyst positions are plentiful; there are over 3000 with a simple search on Indeed. Many companies treat the analyst position differently. One might list working with accreditation packages on the government side, another analyzing software. There isn't a standard definition. Salaries for analysts range from $68,000 on LinkedIn, to $76,000 on Glassdoor, to a high of $87,000 on Indeed. The top 5 skills listed in these job postings are:

  • Risk Management Framework/eMASS/C&A packages
  • Network Traffic (TCP/IP stack, 7 layers, common ports/protocols)
  • Risk Assessment
  • CEH
  • Splunk (being able to use it to view data)

Cybersecurity Digital Forensics Jobs

When searching on Indeed, there were under 2,000 results for digital forensics. It is an exclusive, specialized skill set among cybersecurity defenders. Many of the jobs are within law enforcement, which is reflected in lower salaries since these are government jobs. Salaries range from $48,900 on Glassdoor to $90,000 on LinkedIn and $107,000 on Indeed. The top 5 skills listed on open jobs are:

  • Advanced understanding of networking
  • Experience with EnCase, ProDiscover, or other COTS software
  • Experience with tcpdump, pcap analysis, Wireshark, etc.
  • Certifications like: CCE, CFCE, ACE, EnCE
  • Scripting skills: Python, C++, C#, PowerShell, Bash

Cybersecurity Incident Response Jobs

Incident responders are a broader category. One company might use an incident responder as an engineer, and another might use them as a more advanced analyst. There are a lot more jobs on Indeed, over 21,000, but the role they perform varies widely. Salaries for incident response roles range from $88,000 on Indeed, to $90,000 on LinkedIn, to $91,000 on Glassdoor. The top 5 skills listed on open jobs are:

  • System/Networking expertise (Windows, Linux, TCP/IP, ports/protocols etc)
  • Experience with SIEM and EDR technologies
  • Emphasis on soft skills: writing good documentation and interacting with people
  • Understanding needs of the business (for each business) to determine business critical systems
  • CISSP for government jobs; most others just list a Security+