Empower your Security Team to Master SANS’ Top Skillsets: Investigative Tasks


We all know the security industry mantra: it’s not a matter of if, but when and how we’ll be attacked. Recent reports of intrusion activity increasing fourfold in the last two years and a raft of alerts warning of a rise in attacks on schools, hospitals and healthcare providers, and critical infrastructure companies during the global pandemic have only reinforced this. As a result, security operations centers (SOCs) have begun to narrow the focus of their mission to become detection and response organizations. 

The new SANS 2021 Report: Top Skills Analysts Need to Master analyzed the need for organizations to invest in improving their security operations and identified the skills analysts need to master to support this transition. Characterizing an analyst as essentially an investigator, the SANS report breaks the investigative process down into two primary areas: Investigative Tasks and Investigative Thinking. Here, we’ll take a deeper dive into investigative tasks and discuss how the ThreatQ Platform can help analysts simplify and automate these tasks.


Investigative tasks involve data collection and transformation. The challenge is that most organizations today deal with data that is noisy and unstructured, decentralized without prioritization, and managed with spreadsheets. To gain a comprehensive understanding of the threats an organization is facing and what to defend against, analysts need the ability to aggregate internal data from across the entire ecosystem – the telemetry, content and data created by each layer in your security architecture, on-premises and in the cloud. In addition to the SIEM, this includes data from modern security tools and technologies, like Endpoint Detection and Response (EDR), Network Detection and Response (NDR) and Cloud Detection and Response (CDR). 


Analysts also need to aggregate external threat data from the multiple sources they subscribe to – commercial, open-source, government, industry, existing security vendors – as well as frameworks like MITRE ATT&CK. The challenge is further complicated by the fact that crises and outbreaks generate a strong uptick in new, disparate sources of threat information. Many of the sources have no ready-made connectors to allow them to plug into existing security infrastructure. Once aggregated, the data must be normalized so that it is in a uniform format for analysis and prioritization.

All this boils down to analysts needing programming and automation skills, and significant time to devote to complex, labor-intensive tasks. 

ThreatQ automates investigative tasks 

Serving as a central repository, the ThreatQ Platform automatically aggregates internal threat and event data, augments and enriches it with external threat data and normalizes it automatically, so that it is in a uniform format for analysis and prioritization. As new types of threat intelligence feeds become available, custom connectors can be written and deployed within hours so you can ingest threat data from new sources quickly into the ThreatQ Platform. 

You now have a single source of truth. However, because of the volume of data, you also have a great deal of noise. To reduce it, data can be prioritized according to what is relevant for your organization, instead of relying on the global risk scores some vendors provide. Adjusting risk scores based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, lets you filter out automatically what is noise for you. Instead of wasting time and resources chasing ghosts, you can focus on what really matters to your organization. As new data and learnings are added to the ThreatQ Platform, intelligence is automatically reevaluated and reprioritized.
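To make the two investigative tasks above concrete, here is an added Python sketch. It is not ThreatQ code and does not describe how the platform scores internally; it simply shows the shape of the work: indicators from two constructed feed formats (one CSV, one JSON) are normalized into a single schema and deduplicated, then scored with a policy the organization sets around indicator source, type and attributes, and re-scored when an internal sighting arrives. The feed layouts, field names, source names, weights and the 50-point threshold are all assumptions for illustration.

```python
import csv
import io
import json
from dataclasses import dataclass, field

# Each feed uses its own type vocabulary; map them onto one internal vocabulary.
# (Assumed vocabularies; a real connector would carry the feed's full mapping.)
TYPE_MAP = {"IPv4": "ip", "ip-dst": "ip", "FQDN": "domain",
            "hostname": "domain", "sha256": "sha256"}


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set = field(default_factory=set)      # every feed that reported it
    attributes: set = field(default_factory=set)   # "key:value" strings
    score: int = 0


# Constructed sample feeds (not real data). 203.0.113.0/24 is documentation space.
FEED_A_CSV = """indicator,kind,confidence
203.0.113.7,IPv4,high
Evil.Example.com ,FQDN,medium
"""

FEED_B_JSON = json.dumps([
    {"ioc": "203.0.113.7", "type": "ip-dst", "tags": ["malware", "c2"]},
    {"ioc": "0123456789abcdef" * 4, "type": "sha256", "tags": ["malware"]},
])


def parse_feed_a(text, source="feed_a"):
    """Connector for the (assumed) CSV layout indicator,kind,confidence."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        # Normalize case and whitespace so the same indicator from two feeds merges.
        out.append(Indicator(row["indicator"].strip().lower(),
                             TYPE_MAP.get(row["kind"], "unknown"),
                             {source}, {f"confidence:{row['confidence'].strip()}"}))
    return out


def parse_feed_b(text, source="feed_b"):
    """Connector for the (assumed) JSON layout with ioc/type/tags keys."""
    out = []
    for rec in json.loads(text):
        out.append(Indicator(rec["ioc"].strip().lower(),
                             TYPE_MAP.get(rec["type"], "unknown"),
                             {source}, {f"tag:{t}" for t in rec["tags"]}))
    return out


def merge(repo, indicators):
    """Deduplicate on (type, value); union sources and attributes across feeds."""
    for ind in indicators:
        key = (ind.itype, ind.value)
        if key in repo:
            repo[key].sources |= ind.sources
            repo[key].attributes |= ind.attributes
        else:
            repo[key] = ind
    return repo


# Organization-specific scoring policy (assumed weights, not a vendor's global score).
POLICY = {
    "source": {"feed_a": 15, "feed_b": 10, "internal_siem": 30},
    "type": {"ip": 10, "domain": 15, "sha256": 25},
    "attribute": {"confidence:high": 25, "confidence:medium": 10, "confidence:low": -20,
                  "tag:c2": 20, "tag:malware": 10, "sighting:internal": 20},
    "corroboration": 15,   # bonus when more than one source reports the indicator
}


def score(ind, policy=POLICY):
    """Best source weight + type weight + attribute weights + corroboration, clamped 0..100."""
    s = max(policy["source"].get(src, 0) for src in ind.sources)
    s += policy["type"].get(ind.itype, 0)
    s += sum(policy["attribute"].get(a, 0) for a in ind.attributes)
    if len(ind.sources) > 1:
        s += policy["corroboration"]
    return max(0, min(100, s))


def rescore(repo, policy=POLICY):
    """Re-evaluate every indicator; call after each merge so new context changes priority."""
    for ind in repo.values():
        ind.score = score(ind, policy)
    return repo


def prioritize(repo, threshold=50):
    """Indicators at or above the threshold, highest first; everything else is noise for us."""
    return sorted((i for i in repo.values() if i.score >= threshold),
                  key=lambda i: i.score, reverse=True)


def build_repo():
    """Aggregate both constructed feeds into one normalized, scored repository."""
    return rescore(merge({}, parse_feed_a(FEED_A_CSV) + parse_feed_b(FEED_B_JSON)))


def add_internal_sighting(repo, value, itype):
    """Constructed internal SIEM hit: new context arrives, so the whole repo is re-scored."""
    merge(repo, [Indicator(value, itype, {"internal_siem"}, {"sighting:internal"})])
    return rescore(repo)
```

Run stand-alone, `build_repo()` leaves only the IP above the threshold: it is reported by both feeds with high confidence and a C2 tag. The domain scores 40 and is filtered out as noise until `add_internal_sighting(repo, "evil.example.com", "domain")` adds an internal sighting, after which it climbs to 90 and is surfaced; that re-scoring on new context is the point the paragraph above makes. Two practical caveats: normalize case and whitespace before deduplicating, or the same indicator from two feeds will never merge, and keep the weights in a reviewed policy object rather than scattered through connector code, since they encode what your organization considers relevant.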

The SANS report points out, “analysts spend too much time performing investigation tasks and very little time on critical thinking or investigative thinking.” By simplifying and automating many investigative tasks, the ThreatQ Platform frees up security analysts to focus on investigative thinking – applying intuition, memory, learning and experience to be the investigators they need to be. We’ll explore this further in a subsequent blog.

Download the SANS 2021 Report: Top Skills Analysts Need to Master for more details.



About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.