One of the most compelling questions asked today by security operations is, “Can we enable our analysts to make security decisions that will have a positive impact on the overall security posture of our organization?” The short answer is, “Yes. But it’s not easy.”
When we [Leidos] talk about analysts being enabled, we mean having support systems and structures in place that empower them to be effective. These “tools” encompass a number of things, including organizational structure, policies and procedures, specific analyst skills, resources available to them, etc. These systems and structures are all equally important and work to support each other, so you can’t just focus on any one area and expect your analysts to be successful.
The Current Enablement Reality
When we look at the support systems and structures of today’s security operations centers (SOCs) there are a few commonalities that come up time and time again.
- Current State People: When it comes to organizational structure, we typically see a three-tier, 24x7x365 model. In this model, analysts operate in a very reactive mode, spending their time responding to the various alarms and alerts generated by the deployed software. This structure also reinforces a divide between the tiers, as escalations result in knowledge continuity gaps, skill stagnation, and even resentment between analyst groups.
- Current State Process: These environments are driven by standard operating procedures—what I like to call a “rinse and repeat” type of model. They’re built to drive tickets and alerts to quick closure. The downside to this type of process is that analysts aren’t incentivized to understand the threat, so they miss the opportunity to learn from it and use that learning to improve the organization’s overall security posture.
- Current State Technology: From a technology standpoint, we commonly see a “vendor-driven” approach, often with significant overlap between products in some areas and gaps in others. This technical strategy usually limits the effectiveness of the technology to how well the vendor knows and understands the threats, rather than putting that power in the hands of the analysts.
The Future Enablement Model
In contrast to the current model, a future-state enablement model presents some significant opportunities for analysts and their organizations.
- Future State People: Here, analysts are driven by a need to understand threats and the threat landscape. They are no longer focused on solving a single problem in isolation, but on the bigger picture that will help drive organizational change.
- Future State Process: To support the change in analysts’ focus, processes are driven by establishing a mindset, frameworks and analysis approaches to understand a threat and apply that understanding defensively. Effective defense is no longer seen as addressing a single point in time or single executable, but rather about understanding a threat by studying an attacker’s actions, discovering how those actions fit together, and using that information to prevent a future attack.
- Future State Technology: Technologies deployed are dynamic and built to leverage threat information. Additionally, technologies are used that free analysts from responding to every alert and alarm and instead allow them to focus on the areas where human analysts are needed most. We want technology to work for the analyst, not the other way around.
Analyst Enablement & Effective Defense
As I mentioned earlier, technology — specifically intelligent technology — is an important piece to enabling your analyst team. Analysts need technology that gives them visibility and access to data needed to understand and respond to threat activity. Having a technology stack that empowers analysts to see and understand the full lifecycle of an attack is critical (if you’re using the Cyber Kill Chain® framework to understand an attack, your technology should show you everything from the earliest stages of reconnaissance through the actions and objectives phase).
A key piece in that intelligent technology stack is an effective Endpoint Detection and Response (EDR) solution. Endpoints are notorious for being corporate blind spots and the weakest link of enterprise security, and today’s threats have become exceptionally adept at bypassing traditional antivirus solutions. An EDR solution that offers analysts greater visibility into endpoint data (in the same way we employ technologies to give us robust network visibility) enables them to identify attacker activity and understand what actions an attacker has taken as well as the scope of an intrusion. While not a silver bullet, EDR can play a crucial role in detecting and mitigating advanced threats by exposing more facets of attacker activity.
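As an added illustration of the visibility described above (example code, not from the post or from Leidos), the Python below maps constructed EDR-style endpoint events to Cyber Kill Chain phases and summarises the scope of an intrusion across hosts, including which phases the telemetry never observed. The event fields, hostnames, process lineage and phase rules are all assumptions chosen for the example.

```python
"""Added example (not from the original post): correlating constructed
endpoint (EDR-style) telemetry into Cyber Kill Chain phases and an
intrusion scope summary.  Event format, phase rules and hostnames are
assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass

KILL_CHAIN = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and Control", "Actions on Objectives",
]


@dataclass(frozen=True)
class EndpointEvent:
    host: str
    user: str
    process: str   # image name of the process that acted
    parent: str    # image name of its parent process
    detail: str    # command line, network target or file path (constructed)


# Constructed sample telemetry in time order, as an EDR agent might record it.
SAMPLE_EVENTS = [
    EndpointEvent("ws-017", "jdoe", "outlook.exe", "explorer.exe", "attachment:invoice.docm"),
    EndpointEvent("ws-017", "jdoe", "winword.exe", "outlook.exe", "open invoice.docm"),
    EndpointEvent("ws-017", "jdoe", "powershell.exe", "winword.exe", "-w hidden -enc <base64 blob>"),
    EndpointEvent("ws-017", "jdoe", "svchost.exe", "powershell.exe", "net:203.0.113.7:443"),
    EndpointEvent("ws-017", "jdoe", "reg.exe", "powershell.exe",
                  "add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    EndpointEvent("fs-02", "jdoe", "cmd.exe", "wmiprvse.exe", "copy \\\\fs-02\\finance\\*.xlsx"),
]

# Illustrative phase rules (assumed): each predicate is True when the event
# shows behaviour typically associated with that kill-chain phase.
PHASE_RULES = [
    ("Delivery", lambda e: e.process == "outlook.exe" and e.detail.startswith("attachment:")),
    ("Exploitation", lambda e: e.parent in {"winword.exe", "excel.exe"}
                               and e.process in {"powershell.exe", "cmd.exe", "wscript.exe"}),
    ("Installation", lambda e: e.process == "reg.exe" and "\\Run" in e.detail),
    ("Command and Control", lambda e: e.detail.startswith("net:")),
    ("Actions on Objectives", lambda e: e.parent == "wmiprvse.exe" or e.detail.startswith("copy ")),
]


def classify(event):
    """Return the kill-chain phases whose rules match this single event."""
    return [phase for phase, rule in PHASE_RULES if rule(event)]


def scope_intrusion(events):
    """Roll individual events up into an intrusion picture: affected hosts,
    phases observed in kill-chain order, per-phase evidence, and the phases
    for which this telemetry provided no visibility at all."""
    evidence = defaultdict(list)   # phase -> [(host, process), ...]
    hosts = set()
    for event in events:
        for phase in classify(event):
            evidence[phase].append((event.host, event.process))
            hosts.add(event.host)
    observed = [p for p in KILL_CHAIN if p in evidence]
    unobserved = [p for p in KILL_CHAIN if p not in evidence]
    return {
        "hosts": sorted(hosts),
        "phases": observed,
        "unobserved": unobserved,
        "evidence": dict(evidence),
    }


if __name__ == "__main__":
    summary = scope_intrusion(SAMPLE_EVENTS)
    print("hosts in scope:", summary["hosts"])
    for phase in summary["phases"]:
        print(f"{phase:24s}", summary["evidence"][phase])
    print("no endpoint visibility for:", summary["unobserved"])
```

The point of the rollup is that a single reg.exe or PowerShell alert, closed on its own, says little; chaining the same events across phases shows the analyst both how far the intrusion progressed and that the first two phases of the chain are inherently outside what endpoint telemetry can see.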
Effective Defense Takes More Than Technology
Enabling analysts to be successful requires many support systems and structures all working in tandem. Technology alone will not make your analysts successful. This is a hard reality many SOCs have experienced first-hand: every available point solution is in play, yet the only discernible outcome is more alerts and noise rather than more effective and more confident defenders.
Rather, success comes when SOCs adopt a holistic, intelligence-driven approach by empowering human analysts to direct defensive change. That change becomes obvious when an organization’s defensive posture evolves at a more rapid rate than the threat landscape.
Getting C-level support to ensure a high-impact SOC rollout is an important step.
Watch our on-demand broadcast: Prioritizing and Planning to Ensure a High-Impact SOC Rollout