Victoria Sanderson
CYSE 368
Spring 2026
Professor Teresa Duvall
Vital Solutions
Reflection Paper 4
Over the past 2 weeks, work has been slowly calming down, giving me the opportunity to further develop my professional presence in the workplace. While many people assume internships are mostly about technical training, I have come to realize that they also involve building relationships, learning how teams operate, and lastly understanding the different kinds of people you will encounter. During this period, I also focused on work activities beyond communicating with coworkers and making my presence known in hopes of advancing my career, while analyzing intrusion prevention systems (IPS) to find out what users, IPs, and systems could be deemed malicious to our company.
To start off, one of the most important things I focused on over the past two weeks was interacting more with my coworkers and making sure people at least knew who I was for future reference. At first, I did not want to do it and would much rather focus on my work skills, but I quickly realized that networking in the workplace can be just as valuable (depending on whom you talk to). I know the job I’m working with right now relies on open communication and collaboration. For example, we have a transparent agenda through our teams: our analysts, engineers, network administrators, and incident responders frequently work together to investigate threats and maintain secure systems. Because of this, it became clear that building relationships with coworkers could help me better understand the organization and also potentially open doors for future opportunities.
I think everyone can understand that when you first start a job, it’s a bit nerve-racking. I can 100% say that when I first started, I was more reserved and mainly focused on completing assigned tasks. However, over the past two weeks, I made a deliberate effort to speak with more members of the team when I found the time. I asked questions about their roles, how long they had been working here, what skills they believed were most valuable in the industry, and, depending on the person, whether they liked what they were doing. These conversations gave me an understanding of others’ wisdom that I could not get from textbooks or training modules. Many of my coworkers shared their own career paths, explaining how they started in entry-level positions and gradually moved into the more specialized roles they are in now.
The second major activity I focused on over the past two weeks was reviewing IPS alerts to determine which IPs were malicious. Intrusion Prevention Systems are critical as their main reason for existing is to monitor network traffic for suspicious patterns that may indicate attacks or unauthorized activity. However, not every alert generated by an IPS represents an actual threat. Many alerts turn out to be false positives, meaning they appear suspicious but are actually legitimate traffic. Because of this, analysts must carefully review alerts and determine whether action is needed.
I used security tools such as Cisco Firepower and Palo Alto platforms to review IPS alerts. These tools provide detailed information about network traffic, including source and destination IP addresses, their ports, protocols, and the initial reason why the alerts were triggered. When reviewing an alert, the first step was to examine the traffic’s context. For example, I would look at where the traffic originated by going on WHOIS or VirusTotal. Then I would look at what the source was targeting, figure out which device it was attacking, and what type of activity was detected. Another thing to be wary of when looking at the source is that we do have monthly scans that can look like malicious traffic. It’s very important to carefully look into each individual IP, because one may be our very own, and we don’t want that blocked.
The third major responsibility I handled during the past two weeks was implementing blocks for malicious IP addresses. Once an IP address was confirmed to be associated with malicious activity, the next step was often to prevent further communication with that source. I do this by sending the block tickets to the networking team that works alongside the security team. As I’m about to place these blocks, it is important to ensure that the IP address is actually malicious before acting. Blocking legitimate traffic could disrupt business operations or prevent users from accessing important services; for example, unauthorized personnel attempted this with Google a few weeks back. Because of this, analysts must verify their findings before implementing blocks. This verification process usually involves reviewing logs and any previous tickets and confirming that the traffic clearly represents malicious behavior using services like VirusTotal.
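The pre-block check described in the last two paragraphs can be sketched in code. This is an added example, not part of the original paper or the company's tooling; the networks, scanner address, alert records and field names are all constructed samples drawn from documentation and private address ranges.

```python
import ipaddress

# All addresses below are constructed samples from documentation/private ranges.
ORG_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]
SCANNER_IPS = {ipaddress.ip_address("203.0.113.10")}  # hypothetical monthly scan source


def classify_source(raw):
    """Return (verdict, reason) for one alert source address."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "review", "not a valid IP address"
    if ip in SCANNER_IPS:
        return "do_not_block", "authorized monthly scanner"
    if any(ip in net for net in ORG_NETWORKS):
        return "do_not_block", "organization-owned address"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return "review", "non-routable source, check the sensor"
    return "candidate", "external; confirm with logs and reputation before ticketing"


def triage(alerts):
    """Group unique source IPs from alert dicts by verdict, keeping alert counts."""
    result = {"candidate": {}, "do_not_block": {}, "review": {}}
    for alert in alerts:
        src = alert["src_ip"].strip()
        verdict, reason = classify_source(src)
        entry = result[verdict].setdefault(src, {"reason": reason, "alerts": 0})
        entry["alerts"] += 1
    return result


SAMPLE_ALERTS = [  # constructed alert records, not real IPS output
    {"src_ip": "192.0.2.44", "dst_ip": "10.1.2.3", "signature": "SQL injection attempt"},
    {"src_ip": "192.0.2.44", "dst_ip": "10.1.2.9", "signature": "SQL injection attempt"},
    {"src_ip": "203.0.113.10", "dst_ip": "10.1.2.3", "signature": "Port scan"},
    {"src_ip": "10.4.4.7", "dst_ip": "10.1.2.3", "signature": "SMB brute force"},
    {"src_ip": "198.51.100.8 ", "dst_ip": "10.1.2.3", "signature": "Port scan"},
    {"src_ip": "n/a", "dst_ip": "10.1.2.3", "signature": "Malformed packet"},
]

if __name__ == "__main__":
    for verdict, sources in triage(SAMPLE_ALERTS).items():
        for ip, info in sources.items():
            print(f"{verdict:13} {ip:15} x{info['alerts']}  {info['reason']}")
```

Only the addresses under `candidate` would go on to the log, prior-ticket and reputation review before a block ticket is written.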
However, there is one problem with blocking: even if it does get rid of that one IP, one more is soon to follow from the exact same attacker. That’s because attackers often change IP addresses or use a distributed infrastructure to launch attacks. Because of this, cybersecurity defenses must constantly adapt. Blocking a single IP address might temporarily stop a specific attacker, but monitoring must continue to ensure new threats are detected. Most of our services already have auto-block IPs at the firewall, but these permanent blocks prevent them from appearing at all.
Overall, the past two weeks of my internship have been different. By making an effort to talk with coworkers and build professional relationships, I made a good introduction that will hopefully help me in the future. Then I had a good time analyzing IPS alerts, and I improved my ability to evaluate network activity and distinguish between false positives and genuine threats. Finally, I got to implement blocks for malicious IP addresses, allowing me to actively participate in protecting the organization’s network from potential attacks.