Analyst Advice #001: Data Flow

New to an environment? Learn data flow.

Veteran to an environment? See if you can draw out the data flow from memory.

The most important thing to know as an Analyst is how data flows in your environment. Ask senior analysts or department leadership for existing documents with diagrams showing how data/traffic ingresses to, egresses from, and moves within the network.

If there is no documentation, create it yourself. This helps you learn the environment, shares knowledge with the SOC team, and shows added value to the customer.

  1. Log into your SIEM (Splunk, Sentinel, etc.) and list all indices/schemas and data sources to understand which devices and what types of data are being logged in the SIEM. This indicates the network and security solutions in place.
  2. Next, write down what resources are usually accessed in the environment and then brainstorm how a user would access that data. For example, if it’s a Confluence portal with sensitive documentation, does the user authenticate via an external-facing portal first? Or is it only internally accessible?
  3. Trace the chain of devices a user passes through to authenticate, then access the data, and then egress the data.
  4. Chart these scenarios in a Visio or PowerPoint slide showing the firewalls, proxies, AD servers, web servers, and databases used in each scenario.
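The four steps above, carried through as an added example (not part of the original post): a constructed SIEM data-source inventory (step 1) is compared against the ordered device hops of two access scenarios (steps 2 and 3), and the text form of the chart (step 4) marks each hop with what is logged so that devices on the path with no logs stand out as visibility gaps. Device names, sourcetypes and scenarios are all assumptions.

```python
"""Check charted data-flow scenarios against what the SIEM actually ingests.
Constructed data only; device names and sourcetypes are assumptions."""

# Step 1 output, constructed: device role -> sourcetypes/tables in the SIEM.
# An empty list means the device is on the diagram but sends nothing.
SIEM_SOURCES = {
    "external_firewall": ["pan:traffic"],
    "reverse_proxy": ["nginx:access"],
    "ad_dc01": ["WinEventLog:Security"],
    "confluence_web": [],
    "internal_firewall": ["pan:traffic"],
    "confluence_db": [],
}

# Steps 2 and 3, constructed: ordered device hops per access scenario.
SCENARIOS = {
    "remote user reads Confluence": [
        "external_firewall", "reverse_proxy", "ad_dc01",
        "confluence_web", "internal_firewall", "confluence_db",
    ],
    "internal user reads Confluence": [
        "ad_dc01", "confluence_web", "internal_firewall", "confluence_db",
    ],
}


def coverage_gaps(path, sources):
    """Return hops on the path that have no sourcetype in the SIEM.
    A hop missing from the inventory entirely also counts as a gap."""
    return [hop for hop in path if not sources.get(hop)]


def render_flow(name, path, sources):
    """Text version of the step-4 chart: one line per hop, each marked
    with its logged sourcetypes or 'NO LOGS', plus a gap summary."""
    lines = [f"Scenario: {name}"]
    for i, hop in enumerate(path, 1):
        logged = ", ".join(sources.get(hop, [])) or "NO LOGS"
        lines.append(f"  {i}. {hop:<20} [{logged}]")
    gaps = coverage_gaps(path, sources)
    lines.append(f"  visibility gaps: {', '.join(gaps) if gaps else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    for scenario_name, hops in SCENARIOS.items():
        print(render_flow(scenario_name, hops, SIEM_SOURCES))
```

Hops reported as gaps are the places where an incident on that path would leave no trace in the SIEM, which is exactly what the chart should make visible before an incident rather than during one.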

Data flow analysis lets the Analyst see the forest for the trees, and how to navigate through it. It is crucial for effective incident response analysis.