Security Analysts Are Only Human

SOC security analysts shoulder the largest cybersecurity burden. Automation is the way to circumvent the unavoidable human factor. Third in a six-part series.

We all make mistakes sometimes, which is why we need to factor in human error as part of the cybersecurity process. This series explores the human element of cybersecurity from six perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. So far, we have addressed end users and security leaders. This week, we cover security analysts.

Security analysts work in dedicated security operations centers (SOCs) as part of a team, which often works in shifts around the clock, to prevent, detect, assess, and respond to cybersecurity threats and incidents. Security analysts are sometimes responsible for fulfilling and assessing regulatory compliance pertaining to security as well. While there are a variety of managed security service providers who handle SOC activities as an outsourced function, organizations — especially enterprises — often develop their own in-house capabilities to handle some, if not all, of the SOC work.

Typically, these security analysts are cybersecurity professionals who are responsible for reviewing/triaging alerts and incident response. They can have expertise in network analysis, forensic analysis, malware analysis, and/or threat intelligence analysis. Their skill set is difficult to find; there is a well-publicized cybersecurity workforce shortage and currently 0% unemployment in the industry, according to Cybersecurity Ventures. Security analysts usually report to cybersecurity managers, who assimilate SOC information and insights for delivery to boards and C-level executives.

Common Mistakes
The average SOC receives 10,000 alerts each day from layers of monitoring and detection products. Some of the alerts are attacks from an ever-growing number of threat actors of varying sophistication, but a significant percentage (in many cases upward of 80%) are false positives. With such an overwhelming barrage of alerts, it is almost inevitable that an analyst will eventually miss or ignore an alert, or fail to identify a high-priority alert because of "alert fatigue" or incorrect prioritization. Resource-constrained security analysts who may lack time, understanding, a well-trained eye, or in some cases, motivation, often triage less than 10% of incoming alerts, prioritizing incidents that have out-of-the-box priority levels or are similar to what they have seen before. In addition, when an incident needs lengthy analysis, the security analyst may not be given the time to conduct a full analysis and consequently reports inaccurate or incomplete information about the attack.

Beyond triage and response mistakes, security analysts may make other errors such as incorrectly configuring security products. When an incident has been missed, or a configuration error has been made, security analysts may not be inclined to reveal the extent of the damage because of the potential for personal repercussions, compounding the problem.

When a security analyst fails to address or prioritize an alert, response can be significantly delayed or neglected entirely and a device or system can be compromised. This naturally could lead to a data breach, disruption of business, data exfiltration, and/or data destruction. Often the incidents are discovered and responded to much later than they would have been otherwise, amplifying the complexity and cost of containment and remediation as the security analysts identify the attack vector and extent of the attack. Moreover, deliberate or accidental misinformation from security analysts could put security leaders in a position where they deliver inaccurate reports, which in turn could be relayed externally with varying implications for important stakeholders.

Minimizing Mistakes
Given the sheer volume of alerts that security analysts see, we must concentrate on reducing that volume. This can be achieved by fine-tuning security solutions to reduce false positives, paring down any overlap in monitoring that creates redundancy, and automating as many analyst tasks as possible. Additionally, the number of alerts can be reduced when there is a strong prevention base. This starts with coordinating with the vulnerability management team to ensure that devices, operating systems, and applications are configured and patched properly. Beyond that, we need solutions that effectively triage and calculate priority values, incorporating threat intelligence and organization-specific data such as the criticality of affected systems. In addition, we have to accept that security analysts need time to thoroughly conduct analysis and that updates they provide as they progress may differ from their final reports.

Change the Paradigm
As the resources on the front line, let us recognize that SOC security analysts shoulder the largest cybersecurity burden — in many cases addressing incident detection and response 24 hours a day, 365 days a year — and many of the analyst positions need refactoring. The job of Tier 1 analysts who are triaging and reviewing alerts is unsustainable in its current form. The role needs to transition to a fully automated process and a movement is already underway to do so. By automating manual "crank-turning" with new technologies, analysts have an opportunity to learn higher-tier skills and apply more critical thinking and advanced analysis to the true incidents that need in-depth investigations. But these higher-tier security analysts also need adequate training as well as the time and space to do their work effectively, without having to fear personal repercussions when they make mistakes, as all humans do.
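The "Minimizing Mistakes" and "Change the Paradigm" sections describe the same Tier 1 workflow in prose: collapse alerts that overlapping sensors raise for the same event, weight vendor severity by asset criticality and threat intelligence, and auto-close signatures the team has already tuned out so analysts only see what needs a human. The following Python is an added illustration written for this page, not code from the article or from any vendor's product; the asset criticality table, the threat-intel set, the tuned-out signature list, the scoring weights and the sample alerts are all constructed, and the score formula is one simple choice among many.

```python
"""Toy Tier 1 triage pipeline: dedupe -> enrich/score -> disposition.

Constructed for illustration; reference data is hard-coded where a real SOC
would query a CMDB, a threat-intel platform and an analyst-maintained tuning list.
"""
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed reference data (assumed values, not from any real environment).
ASSET_CRITICALITY: Dict[str, int] = {
    "db-prod-01": 5,     # crown-jewel database
    "web-prod-02": 4,    # internet-facing web tier
    "dev-laptop-17": 1,  # developer workstation
}
DEFAULT_CRITICALITY = 2                      # unknown asset: assume moderate value
THREAT_INTEL_IPS = {"198.51.100.23"}         # constructed IOC in the RFC 5737 test range
KNOWN_NOISE_SIGNATURES = {"Policy: curl user-agent observed"}  # tuned-out false positive
ESCALATE_THRESHOLD = 20


@dataclass(frozen=True)
class Alert:
    sensor: str           # which monitoring product raised it
    signature: str
    remote_ip: str        # external indicator
    asset: str            # internal host involved
    vendor_severity: int  # 1 (low) .. 5 (high), as shipped by the vendor


@dataclass
class TriagedAlert:
    signature: str
    remote_ip: str
    asset: str
    sources: List[str]    # every sensor that fired for this event
    score: int
    disposition: str      # "escalate", "queue" or "auto-closed"


def dedupe(alerts: List[Alert]) -> List[Tuple[Alert, List[str]]]:
    """Collapse identical detections from overlapping sensors into one item,
    keeping the list of sensors: independent corroboration is itself a signal."""
    groups: "OrderedDict[Tuple[str, str, str], Tuple[Alert, List[str]]]" = OrderedDict()
    for a in alerts:
        key = (a.signature, a.remote_ip, a.asset)
        if key in groups:
            groups[key][1].append(a.sensor)
        else:
            groups[key] = (a, [a.sensor])
    return list(groups.values())


def priority_score(alert: Alert, n_sources: int) -> int:
    """Vendor severity weighted by asset criticality, boosted by a threat-intel
    match and by the number of additional sensors that agree."""
    criticality = ASSET_CRITICALITY.get(alert.asset, DEFAULT_CRITICALITY)
    score = alert.vendor_severity * criticality
    if alert.remote_ip in THREAT_INTEL_IPS:
        score += 10
    score += 2 * (n_sources - 1)
    return score


def disposition(alert: Alert, score: int) -> str:
    """Tuned-out noise is closed automatically unless intel contradicts the tuning."""
    if alert.signature in KNOWN_NOISE_SIGNATURES and alert.remote_ip not in THREAT_INTEL_IPS:
        return "auto-closed"
    if score >= ESCALATE_THRESHOLD:
        return "escalate"
    return "queue"


def triage(alerts: List[Alert]) -> List[TriagedAlert]:
    """Run the whole pipeline and return work items, highest priority first."""
    items = []
    for alert, sources in dedupe(alerts):
        score = priority_score(alert, len(sources))
        items.append(TriagedAlert(alert.signature, alert.remote_ip, alert.asset,
                                  sources, score, disposition(alert, score)))
    items.sort(key=lambda t: t.score, reverse=True)
    return items


# Constructed sample alerts (not real telemetry). The first two are the same
# event seen by two redundant IDS sensors.
SAMPLE_ALERTS = [
    Alert("ids-a", "Outbound connection to suspicious IP", "198.51.100.23", "db-prod-01", 3),
    Alert("ids-b", "Outbound connection to suspicious IP", "198.51.100.23", "db-prod-01", 3),
    Alert("edr", "Policy: curl user-agent observed", "203.0.113.9", "dev-laptop-17", 2),
    Alert("ids-a", "Inbound port scan", "203.0.113.77", "web-prod-02", 2),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(f"{t.disposition:11} score={t.score:3} {t.signature} on {t.asset} "
              f"via {','.join(t.sources)}")
```

Running it turns four raw alerts into three work items: the corroborated, intel-matched event against the production database escalates, the port scan against the web tier waits in the queue, and the tuned-out policy alert on a developer laptop is closed without an analyst touching it. The point of keeping the auto-close rule conditional on the intel check is that tuning lists age; a signature the team wrote off last quarter should still surface when the indicator behind it becomes known-bad.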

In addition, we have to hold detection product vendors accountable for the false-positive rates of their standard configurations. While it may be in the vendor's best interest to err on the side of reporting an alert if there is any possibility of it being a true positive, that methodology does a disservice to the end users who end up inundated with useless noise that detracts from finding the signal.   

Join us next time to examine the fourth perspective in our series: IT security administrators.


Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ...

User Rank: Ninja
2/25/2019 | 11:17:49 AM
Re: Automation is KEY
Tier 1 analysts have the highest turnover and burnout rates. That makes sense. It is a tiring workflow; trying to catch one thing in a mass is frustrating too.
User Rank: Ninja
2/25/2019 | 11:14:38 AM
"Viewing alerts is unsustainable in its current form. The role needs to transition to a fully automated process." I think this is the important step in the security analyst workflow; they cannot possibly go over all those false positives.
User Rank: Apprentice
2/25/2019 | 5:21:53 AM
Re: Automation is KEY
Very correctly and logically said.
User Rank: Ninja
2/22/2019 | 3:45:00 PM
Minimizing Mistakes by Maximizing Actionable Intelligence
As the title denotes, Security Analysts are only human. A human element will always be needed to one degree or another but they are prone to error. For this reason, Security Professionals need to look towards maximizing automatic logic. As stated, receiving 10K alerts per day would be an impossible task to review without automated logic built into the coding of your SOC. We've made great progress but if we can continue to push the limits of our efficiency we can continue to diminish the degree of error that is inherent to our being.
User Rank: Apprentice
2/21/2019 | 1:22:07 PM
Automation is KEY
Definitely agree. Implementing solutions that replace Tier 1 assets is critical to effective security growth of an organization. Tier 1 analysts have the highest turnover and burnout rates. We ask them to help secure our infrastructure, but in reality, all they become are button monkeys, clicking yes/no. Barely able to keep up with that, let alone do research to validate the escalation.

A SOC, coupled with the right internal and external intelligence, plus orchestration can effectively automate Tier 1, finally allowing jr SOC analysts a place to grow into more meaningful workflows.