GoM Flashcards

1
Q

Detail your experience with GoM

A

During my time with the SOC team at Public Safety Canada, my day-to-day responsibilities followed a structured process of gathering, analyzing, and responding to cybersecurity threats.

  1. Gathering Information:
    Each day, I started by reviewing security alerts and logs from GrayLog, which aggregated data from firewalls, endpoints, Windows Active Directory, and Linux systems. I also used the Microsoft Azure Security blade to monitor employee sign-in locations and ensure adherence to work-from-home policies. For instance, if an employee was working from an unauthorized location, such as a cabin in another city, it would trigger an alert for further investigation.
  2. Processing and Filtering Data:
    Once I gathered the data, I used GrayLog and McAfee NSM to correlate logs and filter out false positives. For example, if I saw multiple failed login attempts from an unusual location in the AD logs, I would correlate them with network traffic data to determine if they were part of a brute-force attack. I also used Python scripts to automate log parsing and search for patterns, such as matching IP addresses to known malicious entities.
  3. Analyzing Data and Making Inferences:
    During analysis, I relied on YARA rules to detect and classify potential malware in endpoint logs. Using Linux tools like grep and awk, I filtered through large datasets to identify unusual file modifications or network activity. I frequently queried our SQL/PostgreSQL databases to retrieve historical data for comparison, such as previous incidents involving the same IP address or malware signature. This helped me infer whether an alert was part of a larger attack or an isolated incident.
  4. Decision-Making and Response:
    Once I identified a credible threat, I worked with senior SOC analysts to determine the appropriate response. Using McAfee NSM, I helped implement firewall rules to block malicious traffic, and with SCCM, I assisted in deploying critical patches to vulnerable systems. I documented all findings in SharePoint Online for incident reporting and collaborated with other teams using Microsoft Power Suite tools like Power Automate to streamline alerting and reporting processes.

This hands-on experience taught me how to efficiently monitor, detect, and respond to security incidents, while also improving processes through automation and detailed documentation. My work with the Azure Security blade also gave me experience in managing access control and ensuring policy compliance within a cloud environment, even if in a limited scope.
