"Thinking about how to leak and not get caught": IB analyst on how to learn to see an incident

Hello, tekkix! We continue to share interviews with our colleagues, whose stories especially captivate us - and we hope they will seem interesting to you too. In honor of the professional holiday, Marta Filipenko is at the microphone: the leading IB analyst of SearchInform, who is engaged in insider search and has been replacing the IB department in several client companies at once for six years.

How to enter the profession from scratch, what is the specificity of internal information security, what does small business protect itself from, and what incidents are the most typical? All about it under the cut.

"I came to information security so as not to be bored"

Tell us how you came to information security?

From quite far away. I always worked in support - for example, at my last job, I was supporting clients in an online school. But it became boring: support is organized the same way almost everywhere, everything is clear in the work, there is no challenge. I wanted to try something new. And then I saw the vacancy at "SearchInform".

Why did you choose analytics?

It's not that I was trying for a completely unfamiliar position. The vacancy seemed to me somewhat similar to technical support. But already at the first interview, the difference became clear: it was not about helping clients understand the software, but directly working with it. Helping to detect, prevent, and investigate security incidents. It sounded completely incomprehensible, but very interesting.

It was that very challenge. The puzzle came together: an interesting product, working with people, and - hello, these are real investigations. Who hasn't dreamed of being Sherlock Holmes? So I immediately decided that I wouldn't be bored here. And I was not mistaken: I have been working for almost six years.

What is internal information security outsourcing

What exactly do you do?

In short, with the help of protection systems, I "catch" internal security incidents in client companies: information leaks, fraud, sabotage, etc.

In general, IB outsourcing is a comprehensive data protection service that the customer uses by subscription. As part of the service, the client kind of rents protective software and a specialist to monitor their IT infrastructure. My task is to ensure that IB rules are followed within this infrastructure, and the customer does not suffer from violations by their own employees.

So you don't fight viruses and repel hacker attacks?

No, and we explain this right away: the service is based on DLP, DCAP systems and an automatic user behavior analysis system. All tools work within the internal perimeter, control information transmission channels, the order of data storage and processing, and protect against information leaks due to internal violators.

In companies, there is often no one to deal with all this, although the same conditional antivirus can be configured by a regular IT specialist. At the same time, it is important for the business to control the risks that are understandable to it. For example, there are tasks to look for signs of collusion, kickbacks, financial fraud. Control the workload of employees. But still, the priority is to protect against data leaks. These are interrelated things: if customer databases or development plans fall into the hands of competitors, the business will suffer. This is especially well understood when during the test (this is a month to get acquainted with the service for free) you show the client live examples of how often their employees try to leak this data.

By the way

In the blog, we figured out how IB outsourcing works in a broad sense, what is the difference between different services on the market and why we went our own way.

What incidents do you encounter most often?

Leaks are in the first place. In a broad sense, any sending of any documents for internal use outside through available channels: recording to flash drives, uploading to public clouds, etc.

This does not mean that every case is malicious intent and the employee will try to resell the data to a competitor or leak the database on the internet. Most often, employees do not understand that they are violating the rules. They take documents with them to work from home, or – very often – try to take "developments" with them when they leave. Essentially, these are just illegitimate actions, but they carry certain risks for the company. We definitely point out these risks.

Are there often critical incidents? Can you give examples?

Malicious violations, unfortunately, are not uncommon.

For example, once I was asked to increase control over a departing employee. This is a standard task. And the person was leaving not very well: promoted – did not cope with new responsibilities, and although the dismissal was by mutual agreement, there was a risk that he would try to take revenge. And so I see that the day before the dismissal, while he still had access, he sends himself an archive with a bunch of internal documentation. Including data on the salaries of department employees. I immediately contacted the customer – on their side, they intervened urgently.

Or another case. The company had a joint project with one of the marketplaces: the customer's clients were trained and as a bonus received a discount certificate for purchases. But as soon as the project was launched, complaints rained down on the customer: people tried to activate the discount in the marketplace's personal account, but it did not work. We agreed with the customer to check the employee who was in charge of this project. We saw that after the training, she honestly generated certificates for each participant, but activated them herself, right from the work PC. And she sent the clients already used "dummies".

What happened next in this story, I don't know. In most cases, we are not told. We reported, like, this one is leaking, this one is stealing, this one is doing "side jobs" during working hours – the customer accepted it, and that's it, they sort it out internally. Therefore, it is difficult to assess the scale of the consequences.

What companies are requesting the service?

Mainly SMBs, less often – companies with over 200 PCs. Sometimes such companies even have their own specialists who handle information security. In this case, an external analyst is brought in for a specific task: they delegate work that they don't have time for, or they learn to work with DLP through a "live example".

Here is a photo

Further – more

You've been in the profession for a long time. How has your work changed over this time?

In 2022, we launched an information security outsourcing franchise: we train analysts at franchisees according to our standards, then we supervise them – consult, help. Since new clients are now taken by partners, I can focus on a few with whom I have been working for a long time.

Previously, there were five or more companies per person, plus a new test per month. But this is a big load, we abandoned this practice and do not recommend it to partners. In this sense, it has become easier. Plus, my work with current clients, routine tasks are now done faster: there is "experience" with incidents, the skill of working with software has improved.

So there is more time for training newcomers and working with partners.

How does partner training take place?

At the start – theory, practice on the stand, exam. Simultaneously, 10-15 people are trained, groups are recruited about once a month. I give lectures, they submit practical assignments to me, I take the exam together with my colleagues. If a person passes certification, they can start working.

Each franchisee analyst is assigned a mentor from the SearchInform information security outsourcing department. For example, I have four partners in my active, plus newcomers. We are in direct contact, they can ask for advice at any time. We are most actively involved with those who conduct their first tests, take their first clients: sometimes we even work together in DLP at the client – of course, with their consent. Also, once a month we all call together, discuss cases, practical questions.

The fundamental issue is that analysts at franchisees strictly follow our standards. We provide them with business process organization plans, all scripts, report templates, even marketing materials. But the main thing is detailed step-by-step instructions on how to work with software, clients, incidents. For example, checklists with recommendations on which security policies, system settings will help automate the work. They list the main types of incidents that occur in one channel or another, tips on how to further investigate them. The checklists were developed based on the practice of SearchInform clients over many years: after all, the software is used in thousands of companies in Russia and around the world, they are in contact with our implementation department and share their experiences.

It is important that partners work in the regions under our brand, we are responsible for the quality of their services. Therefore, we control their work so closely.

What's next? What prospects do you see for yourself and the direction?

I see that the demand for our information security outsourcing is growing more and more actively. Therefore, I expect that the franchise will expand, there will be more partners. Each partner will have more analysts on staff. They will all have to provide support, accordingly, I think that one day all my work will be reduced to their training and supervision. But that doesn't scare me - it's still working with people, investigations, incidents. I won't get bored yet 😊

And finally: what qualities do you think an information security analyst should have?

The first thing I would say: you need to be ready for anything and not be afraid of "tough stuff". You have to see a lot in the work. In my practice, there were no companies where everyone would be well-behaved - and I'm not just talking about violations of information security policies.

It is also useful for an analyst to be diligent, but quick, to navigate quickly. At the same time, you cannot afford to be inattentive. As they say, the devil is in the details: and our job is to notice and "unwind" them in time. It happens that literally one user's action, one "left" email address, one strange request in Google - this is the clue by which the incident is pulled out. This is important.

And one more photo for the road

P.S. Happy Security Specialist Day to all involved!

Comments