Investigation and Response is a Team Sport

I’ve talked before about how we have the tools and technologies to make the intelligent SOC a reality. It’s a welcome development given the global cybersecurity skills shortage of three million and growing. Security operations centers (SOCs) are using Security Orchestration, Automation and Response (SOAR) tools to offload the time-intensive, manual tasks that bog down Tier 1 analysts. This frees them up to transition to Tier 2 and Tier 3 investigation and response activities.

So, what tools do security analysts have to conduct these higher-level tasks? There can be a huge leap from running Tier 1 tasks to determining the scope of an attack and the remediation and recovery efforts needed, or proactively finding threats that have evaded defenses and infiltrated the network.

As security analysts dig deeper into escalated alerts, efficiency and effectiveness in investigation and response drops significantly – and the problem is getting worse. According to the Cisco CISO Benchmark Report 2019, the number of legitimate alerts that get remediated decreased from 50.5% in 2018 to 42.8% this year. Further, fewer than half (49%) of the 3,248 respondents report they routinely and systematically investigate security incidents and only 35% say it is easy to determine the scope of a compromise, contain it and remediate.

Part of the challenge stems from the fact that as you scratch beneath the surface you can end up dealing with the unknown. You need access to additional resources to help understand what is happening and take action. It’s a situation every homeowner can relate to. Say for example you notice an area of blistering paint on a wall. No big deal, right? You’ll just scrape it off and repaint. But the problem could be the result of a poor paint job, moisture or extreme heat. It can take a team of experts each with their own tools to find and fix the root cause before you can repaint and ensure the blisters don’t reappear. You may need some combination of a plumber, roofer, structural engineer and mold remediator, working together to make sure the problem is addressed completely. 

Similarly, when Tier 2 and 3 analysts start to dig deeper into an escalated trouble ticket, they need the ability to collaborate and coordinate for effective and efficient investigation and response. They need the right combination of human skills and technologies. Traditionally, this hasn’t been easy because teams and tools are usually unintegrated and operate in silos.

With a platform that can act as a virtual cybersecurity situation room, analysts can have a single location to investigate collaboratively and share the same pool of threat data and evidence. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work. This allows them to detect threats faster and even use that knowledge to pivot and accelerate parallel investigations that are separate but related. 

The platform must also be able to store a history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs). Serving as organizational memory, the platform facilitates future investigations and hunts. Analysts can search for and compare indicators across the infrastructure and find matches between high-risk indicators and internal log data that suggest possible connections. They can collaborate to explore every corner of the organization to pinpoint adversary TTPs and find the malicious activity for total remediation. As new data and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized to support ongoing threat hunting. 
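As an added illustration (not code from the column or from any vendor platform), here is a small Python sketch of the loop the paragraph describes: indicators from a shared investigation store are matched against internal log lines, re-scored according to how widely they were sighted, and hosts that tie two cases together are surfaced so analysts can pivot between related investigations. All indicators, case IDs, log lines and the scoring weight are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample data: indicators held in a shared investigation store,
# each with a priority score and the cases (investigations) that reference it.
INDICATORS = {
    "198.51.100.23": {"score": 40, "cases": {"INV-101"}},
    "bad-update.example": {"score": 70, "cases": {"INV-102"}},
    "203.0.113.9": {"score": 20, "cases": {"INV-103"}},
}

# Constructed internal log lines in a simple key=value form.
LOGS = [
    "2019-03-04T10:01:22Z proxy host=ws-17 dst=bad-update.example status=200",
    "2019-03-04T10:02:05Z fw host=ws-17 dst=198.51.100.23 action=allow",
    "2019-03-04T11:15:40Z proxy host=ws-22 dst=bad-update.example status=200",
    "2019-03-04T12:00:00Z fw host=ws-31 dst=192.0.2.5 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Return the key=value fields of one log line as a dict."""
    return dict(KV.findall(line))

def find_sightings(indicators, logs):
    """Map each indicator to the set of hosts whose log lines reference it."""
    sightings = defaultdict(set)
    for line in logs:
        fields = parse(line)
        for value in fields.values():
            if value in indicators:
                sightings[value].add(fields["host"])
    return dict(sightings)

def reprioritize(indicators, sightings, per_host=15):
    """Re-score every indicator: add per_host for each distinct host it was seen on, cap at 100."""
    return {ioc: min(100, data["score"] + per_host * len(sightings.get(ioc, ())))
            for ioc, data in indicators.items()}

def related_cases(indicators, sightings):
    """Hosts on which indicators from more than one case were seen, i.e. pivot points between cases."""
    cases_by_host = defaultdict(set)
    for ioc, hosts in sightings.items():
        for host in hosts:
            cases_by_host[host] |= indicators[ioc]["cases"]
    return {host: cases for host, cases in cases_by_host.items() if len(cases) > 1}
```

Running the three functions over the constructed data shows the domain climbing to the top of the queue after its second sighting and host ws-17 linking INV-101 to INV-102.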

A single, shared environment also allows SOC managers to coordinate actions more efficiently and effectively. They can see the analysis unfolding which allows them to coordinate tasks between teams and monitor timelines and results. They have visibility and control to ensure analysts are working together to take the right actions at the right time to accelerate response and remediation. 

Freeing up Tier 1 analysts to work on higher-level tasks is one of the ways SOCs will become more efficient and effective. But we need to make sure SOC analysts have the right tools in place to facilitate investigation and response. Research shows this area is ripe for improvement. An investigations platform that embeds collaboration and coordination into all processes will allow SOC teams to truly soar.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
