Security Analysts Are Only Human
SOC security analysts shoulder the largest cybersecurity burden. Automation is the way to circumvent the unavoidable human factor. Third in a six-part series.
February 21, 2019
We all make mistakes sometimes, which is why we need to factor in human error as part of the cybersecurity process. This series explores the human element of cybersecurity from six perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. So far, we have addressed end users and security leaders. This week, we cover security analysts.
Security analysts work in dedicated security operations centers (SOCs) as part of a team, which often works in shifts around the clock, to prevent, detect, assess, and respond to cybersecurity threats and incidents. Security analysts are sometimes responsible for fulfilling and assessing regulatory compliance pertaining to security as well. While there are a variety of managed security service providers who handle SOC activities as an outsourced function, organizations — especially enterprises — often develop their own in-house capabilities to handle some, if not all, of the SOC work.
Typically, these security analysts are cybersecurity professionals who are responsible for reviewing/triaging alerts and incident response. They can have expertise in network analysis, forensic analysis, malware analysis, and/or threat intelligence analysis. Their skill set is difficult to find; there is a well-publicized cybersecurity workforce shortage and currently 0% unemployment in the industry, according to Cybersecurity Ventures. Security analysts usually report to cybersecurity managers, who then assimilate and deliver SOC information and insights to be delivered to boards and C-level executives.
Common Mistakes
The average SOC receives 10,000 alerts each day from layers of monitoring and detection products. Some of the alerts are attacks from an ever-growing number of threat actors of varying sophistication, but a significant percentage (in many cases upward of 80%) are false positives. With such an overwhelming barrage of alerts, it is almost inevitable that an analyst will eventually miss or ignore an alert, or fail to identify a high priority alert due to "alert fatigue" or incorrect prioritization. Resource-constrained security analysts who may lack time, understanding, a well-trained eye, or in some cases, motivation, often triage only less than 10% of incoming alerts, prioritizing incidents that have out-of-the-box priority levels or are similar to what they have seen before. In addition, when an incident needs lengthy analysis, the security analyst may not be given the time to conduct a full analysis and consequently reports inaccurate or incomplete information about the attack.
Beyond triage and response mistakes, security analysts may make other errors such as incorrectly configuring security products. When an incident has been missed, or a configuration error has been made, security analysts may not be inclined to reveal the extent of the damage because of the potential for personal repercussions, compounding the problem.
Repercussions
When a security analyst fails to address or prioritize an alert, response can be significantly delayed or neglected entirely and a device or system can be compromised. This naturally could lead to a data breach, disruption of business, data exfiltration, and/or data destruction. Often the incidents are discovered and responded to much later than they would have been otherwise, amplifying the complexity and cost of containment and remediation as the security analysts identify the attack vector and extent of the attack. Moreover, deliberate or accidental misinformation from security analysts could put security leaders in a position where they deliver inaccurate reports, which in turn could be relayed externally with varying implications for important stakeholders.
Minimizing Mistakes
Given the sheer volume of alerts that security analysts see, we must concentrate on reducing the volume burden. This can be achieved by fine-tuning security solutions to reduce false positives, paring down any overlap in monitoring that creates redundancy, and automating as many analyst tasks as possible. Additionally, the number of alerts can be reduced when there is a strong prevention base. This starts with coordinating with the vulnerability management team to ensure that devices, operating systems, and applications are configured and patched properly. Beyond that, we need solutions that effectively triage and calculate priority values, incorporating threat intelligence, and organization-specific data such as the criticality of affected systems. In addition, we have to accept that security analysts need time to thoroughly conduct analysis and that updates they provide as they progress may differ from their final reports.
Change the Paradigm
As the resources on the front line, let us recognize that SOC security analysts shoulder the largest cybersecurity burden — in many cases addressing incident detection and response 24 hours a day, 365 days a year — and many of the analyst positions need refactoring. The job of Tier 1 analysts who are triaging and reviewing alerts is unsustainable in its current form. The role needs to transition to a fully automated process and a movement is already underway to do so. By automating manual "crank-turning" with new technologies, analysts have an opportunity to learn higher-tier skills and apply more critical thinking and advanced analysis to the true incidents that need in-depth investigations. But these higher-tier security analysts also need adequate training as well as the time and space to do their work effectively, without having to fear personal repercussions when they make mistakes, as all humans do.
In addition, we have to hold detection product vendors accountable for the false-positive rates of their standard configurations. While it may be in the vendor's best interest to err on the side of reporting an alert if there is any possibility of it being a true positive, that methodology does a disservice to the end users who end up inundated with useless noise that detracts from finding the signal.
Join us next time to examine the fourth perspective in our series: IT security administrators.
Related Content:
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.
About the Author
You May Also Like