What Makes a Security Analyst Successful? Investigative ThinkingLIZ BUSH
The new SANS 2021 Report: Top Skills Analysts Need to Master analyzes the need for organizations to invest in improving their security operations and identifies the skills analysts must master to support this initiative. Characterizing an analyst as essentially an investigator, the SANS report breaks the investigative process down into two primary areas: Investigative Tasks and Investigative Thinking. In my previous blog, we explored investigative tasks and discussed how the ThreatQ Platform can help analysts simplify and automate these tasks, including data aggregation from internal and external sources, and normalization and prioritization of this data to determine the right threat intelligence to act on. Here, we’ll focus on investigative thinking.
One of the most important sources of intelligence to also bring into the process is human intelligence that comes from critical thinking. After all, what better way is there for organizations to validate data and findings and then determine the right action to take within their own environment than through their own people? As the SANS report points out, empowering humans so they have more time to engage in investigative or critical thinking is vital to effective and efficient detection and response. According to SANS, best practices for critical thinking include:
- Asking questions to gather additional context and scope when facing a situation of uncertainty during an investigation.
- Reasoning backward by using tools like MITRE ATT&CK to hypothesize what must have happened to arrive at the alert that is displaying on a security console.
- Considering multiple plausible pathways instead of thinking linearly to detect and respond to new threats.
- Remaining curious, flexible and agile within a highly dynamic environment such as a security operations center (SOC).
This is where collaboration comes in, both passive and active collaboration. As discussed before, the ThreatQ Platform serves as a central repository that includes internal threat and event data, augmented and enriched with global threat data. This central repository is at the heart of passive collaboration, or information sharing. When individual team members and different security teams can access the central repository for the intelligence they need to do their jobs as part of their workflow, passive collaboration just happens. As they use the repository and update it with observations, learnings and documentation of investigations, they get consistent threat intelligence. The repository can serve as a centralized memory to facilitate future investigations. Everyone can operate from a single source of truth, instantaneously sharing knowledge and using their tools of choice to improve security posture and the investigation process.
Active collaboration involves engaging with another person to accomplish a shared goal through tasking and coordination. It’s what typically comes to mind when we think of collaboration, but traditional, siloed environments have made this extremely difficult and time-consuming for security professionals to do. The challenge is that most security operations or investigations are rife with chaos as teams act independently and inefficiently with limited visibility into the tasks other teams or team members are performing. With different people or teams working on independent tasks, key commonalities are missed so investigations take longer, hit a dead-end or key information just falls through the cracks.
As the industry’s first cybersecurity situation room, ThreatQ Investigations fuses together threat data, evidence and users to break down these barriers. All team members involved in the investigation process can collaborate. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work, and they can share and benefit from the human intelligence they each bring to the table. Validating data and sharing their collective insights and understanding, fosters critical thinking that drives successful investigations.
Furthermore, managers of all the security teams can use ThreatQ Investigations to see the analysis unfolding, which allows them to act when and how they need to, coordinating tasks between teams and monitoring timelines and results. Embedding collaboration into the investigation process ensures that teams work together to take the right actions faster.
At ThreatQuotient, we have always believed that to accelerate and improve security operations we must empower the human element with tools that enable them to identify the right data, share information and actively collaborate efficiently and effectively. That’s why the ThreatQ Platform and ThreatQ Investigations are exactly what organizations need to help security analysts excel in the role of investigator.
Download the SANS 2021 Report: Top Skills Analysts Need to Master for more details.