Investigation and Response is a Team Sport

I’ve talked before about how we have the tools and technologies to make the intelligent SOC a reality. It’s a welcome development given a global cybersecurity skills shortage of some three million people and growing. Security operations centers (SOCs) are using Security Orchestration, Automation and Response (SOAR) tools to offload the time-intensive, manual tasks that bog down Tier 1 analysts. This frees those analysts to move up to Tier 2 and Tier 3 investigation and response activities.

So, what tools do security analysts have to conduct these higher-level tasks? There can be a huge leap from running Tier 1 tasks to determining the scope of an attack and the remediation and recovery efforts needed, or proactively finding threats that have evaded defenses and infiltrated the network.

As security analysts dig deeper into escalated alerts, efficiency and effectiveness in investigation and response drop significantly, and the problem is getting worse. According to the Cisco CISO Benchmark Report 2019, the share of legitimate alerts that get remediated fell from 50.5% in 2018 to 42.8% in 2019. Further, fewer than half (49%) of the 3,248 respondents report that they routinely and systematically investigate security incidents, and only 35% say it is easy to determine the scope of a compromise, contain it and remediate.

Part of the challenge stems from the fact that as you scratch beneath the surface you can end up dealing with the unknown. You need access to additional resources to help understand what is happening and take action. It’s a situation every homeowner can relate to. Say for example you notice an area of blistering paint on a wall. No big deal, right? You’ll just scrape it off and repaint. But the problem could be the result of a poor paint job, moisture or extreme heat. It can take a team of experts each with their own tools to find and fix the root cause before you can repaint and ensure the blisters don’t reappear. You may need some combination of a plumber, roofer, structural engineer and mold remediator, working together to make sure the problem is addressed completely. 

Similarly, when Tier 2 and 3 analysts start to dig deeper into an escalated trouble ticket, they need the ability to collaborate and coordinate for effective and efficient investigation and response. They need the right combination of human skills and technologies. Traditionally, this hasn’t been easy because teams and tools are rarely integrated and tend to operate in silos.

With a platform that can act as a virtual cybersecurity situation room, analysts have a single location to investigate collaboratively and share the same pool of threat data and evidence. Rather than working in isolation, they can immediately see how the work of others affects and benefits their own. This allows them to detect threats faster and even use that knowledge to pivot and accelerate parallel investigations that are separate but related.

The platform must also be able to store a history of investigations, observations and learnings about adversaries and their tactics, techniques and procedures (TTPs). Serving as organizational memory, the platform facilitates future investigations and hunts. Analysts can search for and compare indicators across the infrastructure and find matches between high-risk indicators and internal log data that suggest possible connections. They can collaborate to explore every corner of the organization to pinpoint adversary TTPs and find the malicious activity for total remediation. As new data and learnings are added to the platform, intelligence is automatically reevaluated and reprioritized to support ongoing threat hunting. 
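The matching and re-prioritization described above can be made concrete with a small example. The Python below is an added illustration written for this page, not ThreatQuotient's or any vendor's product logic: indicators from feeds are normalized and kept in a store, constructed key=value log lines are scanned for sightings, and each indicator's priority is recomputed from its base severity, the number of independent sources that reported it, and how often it has been seen internally. The weights, the log format, the indicator values (documentation IP ranges, the reserved .example TLD, a placeholder hash) and the feed names are all assumptions made for the example.

```python
"""Added example: matching threat indicators against internal logs and
re-prioritizing them as new sightings and intelligence arrive.
Indicators, sources, weights and log lines are constructed for the example."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit
import re

KV = re.compile(r"(\w+)=(\S+)")   # assumed key=value log format


@dataclass
class Indicator:
    value: str
    itype: str                      # "domain", "ipv4" or "sha256"
    severity: int                   # base score from the feed, 0-100
    sources: set = field(default_factory=set)
    sightings: list = field(default_factory=list)   # (timestamp, host)

    def priority(self) -> int:
        """Base severity boosted by corroborating sources and internal sightings.
        The weights are an assumption for the example, not a published formula."""
        corroboration = 10 * (len(self.sources) - 1)
        seen_internally = 15 * len(self.sightings)
        return min(100, self.severity + corroboration + seen_internally)


def normalize(value: str, itype: str) -> str:
    """Indicators and log fields are compared in one canonical form."""
    v = value.strip().rstrip(".")
    return v.lower() if itype in ("domain", "sha256") else v


class IndicatorStore:
    def __init__(self):
        self.by_value = {}

    def add_intel(self, value, itype, severity, source):
        """Merge a report: a new source corroborates, the highest severity wins."""
        key = normalize(value, itype)
        ind = self.by_value.get(key)
        if ind is None:
            ind = self.by_value[key] = Indicator(key, itype, severity)
        ind.severity = max(ind.severity, severity)
        ind.sources.add(source)
        return ind

    def candidates(self, fields):
        """Values in one log line that could match an indicator (deduplicated)."""
        out = set()
        if "query" in fields:
            out.add(normalize(fields["query"], "domain"))
        if "dst" in fields:
            out.add(normalize(fields["dst"], "ipv4"))
        if "sha256" in fields:
            out.add(normalize(fields["sha256"], "sha256"))
        if "url" in fields:
            host = urlsplit(fields["url"]).hostname
            if host:
                out.add(normalize(host, "domain"))
        return out

    def match_logs(self, lines):
        """Record one sighting per (line, indicator); return the indicators hit."""
        hits = []
        for line in lines:
            fields = dict(KV.findall(line))
            ts = line.split(" ", 1)[0]
            for value in self.candidates(fields):
                ind = self.by_value.get(value)
                if ind is not None:
                    ind.sightings.append((ts, fields.get("host", "?")))
                    hits.append(ind)
        return hits

    def ranked(self):
        """Highest priority first; ties broken by value so the order is stable."""
        return sorted(self.by_value.values(), key=lambda i: (-i.priority(), i.value))


def demo():
    store = IndicatorStore()
    store.add_intel("update.badcdn.example", "domain", 60, "vendor-a")
    store.add_intel("198.51.100.23", "ipv4", 40, "vendor-a")
    store.add_intel("203.0.113.9", "ipv4", 70, "osint-list")
    store.add_intel("a" * 64, "sha256", 75, "vendor-a")      # placeholder hash
    logs = [  # constructed log lines, not from any real environment
        "2019-06-03T10:12:01Z host=ws-042 type=dns query=UPDATE.badcdn.example.",
        "2019-06-03T10:12:05Z host=ws-042 type=proxy dst=198.51.100.23 url=http://198.51.100.23/p.php",
        "2019-06-03T10:13:11Z host=srv-db-1 type=edr sha256=" + "A" * 64,
        "2019-06-03T10:14:40Z host=ws-017 type=dns query=news.example.net",
        "2019-06-03T10:15:02Z host=ws-017 type=proxy dst=198.51.100.23 url=http://198.51.100.23/p.php",
    ]
    store.match_logs(logs)
    before = [(i.value, i.priority()) for i in store.ranked()]
    # a second feed independently reports the same IP: corroboration re-ranks it
    store.add_intel("198.51.100.23", "ipv4", 55, "vendor-b")
    after = [(i.value, i.priority()) for i in store.ranked()]
    return before, after


if __name__ == "__main__":
    for label, ranking in zip(("before new intel", "after new intel"), demo()):
        print(label, ranking)
```

Two details matter in practice and are handled here: indicators and log fields are normalized before comparison (case, trailing dots), so `UPDATE.badcdn.example.` in a DNS log still matches, and a line that carries the same value in two fields (the proxy `dst` and the URL host) counts as one sighting, not two. The re-ranking after `vendor-b` reports the IP is what the paragraph calls intelligence being reevaluated as new data arrives.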

A single, shared environment also allows SOC managers to coordinate actions more efficiently and effectively. They can see the analysis unfolding which allows them to coordinate tasks between teams and monitor timelines and results. They have visibility and control to ensure analysts are working together to take the right actions at the right time to accelerate response and remediation. 

Freeing up Tier 1 analysts to work on higher-level tasks is one of the ways SOCs will become more efficient and effective. But we need to make sure SOC analysts have the right tools in place to facilitate investigation and response, and the research cited above shows this area is ripe for improvement. An investigations platform that embeds collaboration and coordination into all processes will allow SOC teams to truly soar.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.