10 Time-Consuming Tasks Security People Hate
Whether it is dealing with false positives, reporting to auditors, or patching software, here's the scut work security people dread.
August 28, 2017
No matter how much you love your job, there's a reason it is called work. For security professionals there are a lot of necessary duties that are as time-consuming as they are thankless, but nevertheless, are part of the work.
We polled some security experts to get their thoughts on the most dreaded tasks and organized them by the roles most expected to shoulder them.
Risk reporting and documentation
It might be an inseparable part of the job, but there's still probably nothing CISOs hate more than creating documentation to report risk up the food chain.
"Creating reports that paint a clear picture of risk exposure and remediation success is a challenging, tedious and manual time suck, requiring hundreds of spreadsheet-focused hours to manually gather, analyze, interpret and finally generate a single weekly report," says Ed Bellis, a former CISO and the co-founder and CTO of Kenna Security.
Manual correlation
The chaos of isolated security tools, each with its own dashboard, unconventional data formats, and poor integration, wreaks havoc on most SOC analysts' schedules.
"When using different security vendor products, the process of bringing together the various data sets consumes a significant amount of time. While vendors have tried to standardize on a set of export types, the naming conventions and data format make correlation difficult," says Steve Keller, director of cyber threat management at Citrix. "A transition to APIs to extract data has increased, but these efforts still require an initial time and resource effort to configure the automation to provide the correlation. Attaining funding for data correlation products normally falls behind the functional security products when budgets are restricted."
Dealing with false positives
According to the Cloud Security Alliance, the average enterprise now sees nearly 2.7 billion events cross the wire each month from various security tools.
"A tiny fraction of these are actual threats - less than one in a hundred. But this doesn't diminish their negative impact on enterprise security," says Christopher Ensey, COO of Dunbar Security Solutions. "More than 31% of the CSA study respondents admitted they ignore alerts altogether because they think so many of the alerts are false positives. They don't have the time to manage this volume and make strategic changes that will reduce their exposure."
Cracking passwords
Penetration testing may be one of the more creatively demanding jobs in security, but that doesn't mean it is free of drudge work.
"Pen testing takes a lot of patience because it is not a one-size fits all activity. Sometimes when cracking passwords, you get it right in the first few attempts of using common passwords like 'Password1' or '1234567890,'" says Simon Puleo, security researcher for Micro Focus. "Other times, it can seem impossibly time-consuming setting up John the Ripper and waiting hours for success or for someone to accidentally turn off the machine while processing."
Patching software
Patching software is one of security's most essential and most unsexy duties.
"Nothing you do should be viewed as a waste of time, but the monotony is real," says Troy Gill, senior security analyst at AppRiver. "Updating, patching, and updating some more is a monotonous task, but is crucial to staying secure."
Maintaining server infrastructure
Malware analysis and security research often require a considerable test bench, whether virtual or otherwise, and all of those resources can be a pain to spin up and maintain.
"Since I am constantly creating proof-of-concepts, I always have to maintain server infrastructure, both physical and virtual," says Kyle Wilhoit, senior security researcher at DomainTools. "The maintenance on this infrastructure often includes patching, updating, and upgrading code and distributions - which can often become mundane and repetitive."
Threat modeling and setting requirements
Maturing organizations in application security are increasingly depending on threat modeling to help them prioritize their remediation efforts.
"Many organizations perform traditional manual threat modeling for their most critical applications. These kinds of threats can be catalogued in a database and reused for many projects within an organization, but the list of threats can be large and demand a significant amount of time to complete the model," says Altaz Valani, research director at Security Compass. "Once threat modeling is done, security requirements must be generated based on the applicable threats. Done manually, this is a very time-consuming and boring task."
Querying traffic data
So much of security's drudge work runs on a "hurry up and wait" timetable, says Travis Rosiek, chief technology and strategy officer at BluVector. Take a network forensics expert sifting through the firehose of network traffic data. They need answers quickly, but query times across unfiltered PCAP, NetFlow, proxy logs, and other traffic information are anything but swift.
"Search times for large enterprises/data sets can take up to 24 hours or even days in some cases," he says.
Working with auditors
When you're trying to fight the day-to-day fires of security incidents, intrusions, and employee blunders, the thought of running through a spreadsheet with an auditor is anything but cheery.
"By definition, audit and compliance is supposed to be less than 20% of the job in security," says Simon Puleo, security researcher for Micro Focus. "In reality, it often feels the opposite way, as audit and compliance are reliant on analyzing data from systems that security maintains. Detecting and preventing breaches should be the number one priority, not holding a consultant's hand as they ask questions and sift through reports."