Security Experts:

Maximizing Security Analyst Resources: It's All About the Base

I have had the privilege of meeting some great security analysts during my time in the information security profession.  One thing I experienced when I was an analyst, and that I’ve repeatedly noticed across the industry since then, is that even the best analysts need focus.  Analysts that are focused on high fidelity, low noise alerts and the right workflow accompanying them are far more productive than analysts that are not.  What do I mean by this?  Allow me to elaborate.

As we all know, analysts are quite possibly the most precious and scarce resource most of us have within our security organizations.  Therefore, anything we can do to improve their efficiency and how we use their time is a win-win all around.  Whether we’re talking about employee retention, team morale, operational efficiency, ensuring that we continually improve our respective security postures, or otherwise, using our analyst resources wisely plays a critical role in all of these things. 

Although using analysts wisely is a complex topic with a variety of different approaches, it can be boiled down to its essence as follows: It’s all about the base.  To understand what I mean by this, we need to step back and take a look at the workflow of our security organization, or more specifically, the workflow of our security operations and incident response functions within that organization. 

The workflow of most security operations and incident response functions resolves around a queue of events that need to be vetted, qualified, enriched with supporting evidence, and investigated.  The ultimate goal of this process is to allow the analyst evaluating a given event to reach a decision point around the true nature of the event (benign, suspicious, or malicious) and whether or not incident response is necessary.

It is true that this workflow is certainly not perfect, can involve a large amount of manual labor when automation and orchestration are not properly leveraged, needs continual optimization, and can succumb to alert fatigue if not properly calibrated.  Even so, it is the best approach we know for running security operations and incident response.  Quite simply put, you cannot give an analyst a pile of data and a spoon and instruct him or her to dig.  That seldom produces productive outcomes or converges to any sort of a conclusion.

Because workflow revolves around the events in the work queue, those events are directly tied to the efficiency and effectiveness of the security organization.  In essence, the events in the work queue serve as a base for “jumping off” into a work process.  Because of this, I like to call them “jumping off points”.  Because these base points correlate so strongly to the work that an analyst does on a day to day basis, it’s important that they lead and guide the analyst to use his or her time wisely.  Flooding the work queue with false positives sends analysts on wild goose chases that waste valuable cycles.  Not having enough substantive material in the work queue leaves analysts desperately searching for meaningful work to focus on.  Or, to put it another way, as I mentioned above: it’s all about the base. 

So how can an organization ensure that it populates its work queue with the right bases for jumping off points to ensure that it makes the best use of analyst cycles?  While certainly not an exhaustive list, here are a few ideas:

Prepare:  First and foremost, before an organization can provide substantive material to the work queue, it has to understand what constitutes substantive material.  Where does this knowledge come from?  It comes from an understanding and prioritization of what risks and threats are of the greatest concern to the organization.  Of course, this prioritized list shouldn’t be created out of thin air.  It needs to be informed by intelligence on the risk and threats the organization faces, as well as the organization’s own organic knowledge on what assets and information are the most critical and warrant the most safeguarding.

Focus:  The best way to focus precious analyst resources is to focus the content that streams into the work queue.  By taking the prioritized list of risks and threats mentioned above and developing incisive alerting content and precise logic to identify behavior matching those areas of concern, an organization can ensure delivery of actionable, high fidelity content to the work queue.  In other words, taking the time to feed the security operations and incident response process with high quality input greatly increases the likelihood that the output of the process will also be of high quality.  Otherwise, what organizations are left with far too often is a “garbage in, garbage out” situation.

See:  The greatest logic in the world can only identify activity of concern if it has the data upon which to operate.  Visibility across all areas of the network, across the wide variety of endpoints (including newer types of endpoints such as smartphones and tablets), across cloud providers and other third party providers, as well as across various types of system and application logs is extremely important.  All of these vantage points come together to allow us to truly understand what is going on within our respective organizations and if there is something requiring immediate attention and/or response.  Without this depth and breadth of visibility, organizations will not have access to the data necessary to provide quality content to the work queue. 

Iterate:  Maintaining a steady flow of high quality jumping off points is not a one and done operation.  An organization cannot simply set it and forget it.  Rather, continual iteration and re-assessment is necessary.  Risks and threats change and evolve over time.  Alerting content and logic that may have worked well in the past may be less useful in the future.  Skill sets and team members change.  Automation and orchestration may be introduced in certain areas, thereby creating the possibility of creating additional content for the work queue that had not been possible previously.  There are many reasons why the work queue and its base points need continuing attention over time.

While the inner workings of a security organization will always be extremely complex, the effectiveness and efficiency of its security operations and incident response function correlates strongly to the quality of its work queue.  Even the best analysts need high quality, high fidelity base points/jumping off points from which to enter into productive, value-added work.  Making the best use of analyst resources is an endeavor that ultimately improves our respective security postures for a number of different reasons.  But it doesn’t happen magically.  It’s all about the base.

view counter
Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.