One interview from the life of a shift analyst

    Hello, Habr!
    Happy New Year! I wonder how many of you had to work on New Year's Eve? And imagine doctors, police officers, transport workers and other “watch” professions? We also have one relevant story that we will tell you today. So, meet Boris Yampolsky, the head of the shift analysts department at Kaspersky Lab.

    Borya, can you tell us in a nutshell how the work of the group of shift analysts differs from that of ordinary virus analysts? What are the specifics?

    I can! Shift analysts have a difficult task: not to miss something really loud and dangerous in the huge stream of malware. Senior analysts from other groups receive already selected files that require careful study. There should always be someone on guard, one shift replaces another - these are the specifics of shift analysts. If the antivirus is a steam locomotive, then these guys are the stokers who toss coal into the fire around the clock so that the locomotive rushes ahead at full steam.

    You talked about loud malware - do you often have to catch something like that? Maybe a couple of recent examples?

    I must nevertheless say that the group of shift analysts is far from the only one that catches loud malware; we just work 24 hours a day, 7 days a week. In general, we catch something special about once a month. Among the recent ones I would name Duqu (Trojan.Win32.Duqu), the latest version of TDSS (Rootkit.Boot.Sst.b), and today (December 26th - editor's note), for example, Trojan-SMS.AndroidOS.Arspam.a came in - a new Trojan for Android.

    Your colleagues' work schedule is quite diverse - in general, the name of the group also speaks about this. How do you manage to coordinate the work of so many people with different schedules?

    Coordinating shift virus analysts is easier than it sounds. There are day and night shifts. Every morning at 10:00 the day shift replaces the night shift, and every evening at 20:00 the night shift replaces the day shift. In general, the system is quite flexible. Even if someone is sick, someone is on vacation, someone needs to go to college today - there are always virus analysts who can quickly respond to a new threat.

    There is a fairly large number of junior virus analysts in your unit. Who takes on the role of a mentor?

    I’ll probably break the pattern by saying that we don’t have any mentors per se. Rather, there is one for the first 2 months of work, during the trial period. This is usually a senior virus analyst with experience. The main training takes place already in “combat” conditions on a shift. It is important to understand that not only the threats are changing, but also the tools that we use to deal with new threats. I know many employees in our anti-virus laboratory and in the research and development department as a whole who began their career in the company in the group of shift analysts, but few of them would be able to sit down and start working on the shift right now. We do not stand still. Every day we have something new.

    And how do you interact with other departments of the Department?

    If we talk about the department, then we interact most with the infrastructure support departments and the update release group. We update the anti-virus databases, after which they are tested and published on public servers. That is, prompt and well-coordinated work is required, so that really little time passes between the moment of detection and the creation of the update. Well, of course, it is difficult to imagine our work without all the variety of utilities and various services.

    You have some kind of rule that analysts work only about 2 years on shift. And then what happens to them?

    Not a rule, but rather a tradition! Virus analysts who have worked for more than 2 years are aware of their future path in the company. As a rule, this is a study of some narrow area of the industry. Often, virus analysts move to the heuristic detection group or to the study of complex threats. Some become programmers and create tools for us. Many who once started as junior virus analysts have today grown to become department heads, leading experts, general directors :). That is why I easily accept this tradition, albeit with some sadness in my soul.

    And the last, perhaps, question: What are your requirements for hiring?

    Finally! The candidate receives a lot when they come to us (in addition to the social package and free meals): invaluable experience, communication with experts, the opportunity to study the latest threats. Therefore, the requirements are high. The main requirement is to be a fanatic in the good sense of the word. To be truly interested in the industry. Not to be afraid of some routine that you will inevitably encounter when analyzing the flow of suspicious samples. Of course, there are basic requirements for technical skills: knowledge of Windows and knowledge of Assembler. And finally, the willingness to work at night. Usually this requirement stops girls and candidates with families from working with us.

    Thank you very much for the interview! And see you in the new year!
