Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

2/21/2019
10:30 AM
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Security Analysts Are Only Human

SOC security analysts shoulder the largest cybersecurity burden. Automation is the way to circumvent the unavoidable human factor. Third in a six-part series.

We all make mistakes sometimes, which is why we need to factor in human error as part of the cybersecurity process. This series explores the human element of cybersecurity from six perspectives of fallibility: end users, security leaders, security analysts, IT security administrators, programmers, and attackers. So far, we have addressed end users and security leaders. This week, we cover security analysts.

Security analysts work in dedicated security operations centers (SOCs) as part of a team, which often works in shifts around the clock, to prevent, detect, assess, and respond to cybersecurity threats and incidents. Security analysts are sometimes responsible for fulfilling and assessing regulatory compliance pertaining to security as well. While there are a variety of managed security service providers who handle SOC activities as an outsourced function, organizations — especially enterprises — often develop their own in-house capabilities to handle some, if not all, of the SOC work.

Typically, these security analysts are cybersecurity professionals who are responsible for reviewing/triaging alerts and incident response. They can have expertise in network analysis, forensic analysis, malware analysis, and/or threat intelligence analysis. Their skill set is difficult to find; there is a well-publicized cybersecurity workforce shortage and currently 0% unemployment in the industry, according to Cybersecurity Ventures. Security analysts usually report to cybersecurity managers, who then assimilate and deliver SOC information and insights to be delivered to boards and C-level executives.

Common Mistakes
The average SOC receives 10,000 alerts each day from layers of monitoring and detection products. Some of the alerts are attacks from an ever-growing number of threat actors of varying sophistication, but a significant percentage (in many cases upward of 80%) are false positives. With such an overwhelming barrage of alerts, it is almost inevitable that an analyst will eventually miss or ignore an alert, or fail to identify a high priority alert due to "alert fatigue" or incorrect prioritization. Resource-constrained security analysts who may lack time, understanding, a well-trained eye, or in some cases, motivation, often triage only less than 10% of incoming alerts, prioritizing incidents that have out-of-the-box priority levels or are similar to what they have seen before. In addition, when an incident needs lengthy analysis, the security analyst may not be given the time to conduct a full analysis and consequently reports inaccurate or incomplete information about the attack.

Beyond triage and response mistakes, security analysts may make other errors such as incorrectly configuring security products. When an incident has been missed, or a configuration error has been made, security analysts may not be inclined to reveal the extent of the damage because of the potential for personal repercussions, compounding the problem.

Repercussions
When a security analyst fails to address or prioritize an alert, response can be significantly delayed or neglected entirely and a device or system can be compromised. This naturally could lead to a data breach, disruption of business, data exfiltration, and/or data destruction. Often the incidents are discovered and responded to much later than they would have been otherwise, amplifying the complexity and cost of containment and remediation as the security analysts identify the attack vector and extent of the attack. Moreover, deliberate or accidental misinformation from security analysts could put security leaders in a position where they deliver inaccurate reports, which in turn could be relayed externally with varying implications for important stakeholders.

Minimizing Mistakes
Given the sheer volume of alerts that security analysts see, we must concentrate on reducing the volume burden. This can be achieved by fine-tuning security solutions to reduce false positives, paring down any overlap in monitoring that creates redundancy, and automating as many analyst tasks as possible. Additionally, the number of alerts can be reduced when there is a strong prevention base. This starts with coordinating with the vulnerability management team to ensure that devices, operating systems, and applications are configured and patched properly. Beyond that, we need solutions that effectively triage and calculate priority values, incorporating threat intelligence, and organization-specific data such as the criticality of affected systems. In addition, we have to accept that security analysts need time to thoroughly conduct analysis and that updates they provide as they progress may differ from their final reports.

Change the Paradigm
As the resources on the front line, let us recognize that SOC security analysts shoulder the largest cybersecurity burden — in many cases addressing incident detection and response 24 hours a day, 365 days a year — and many of the analyst positions need refactoring. The job of Tier 1 analysts who are triaging and reviewing alerts is unsustainable in its current form. The role needs to transition to a fully automated process and a movement is already underway to do so. By automating manual "crank-turning" with new technologies, analysts have an opportunity to learn higher-tier skills and apply more critical thinking and advanced analysis to the true incidents that need in-depth investigations. But these higher-tier security analysts also need adequate training as well as the time and space to do their work effectively, without having to fear personal repercussions when they make mistakes, as all humans do.

In addition, we have to hold detection product vendors accountable for the false-positive rates of their standard configurations. While it may be in the vendor's best interest to err on the side of reporting an alert if there is any possibility of it being a true positive, that methodology does a disservice to the end users who end up inundated with useless noise that detracts from finding the signal.   

Join us next time to examine the fourth perspective in our series: IT security administrators.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Roselle Safran is President of Rosint Labs, a cybersecurity consultancy to security teams, leaders, and startups. She is also the Entrepreneur in Residence at Lytical Ventures, a venture capital firm that invests in cybersecurity startups. Previously, Roselle was CEO and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2019 | 11:17:49 AM
Re: Automation is KEY
Tier 1 analysts have the highest turnover and burnout rates. That makes sense. It is a tiring workflow, trying to catch one thing in a mass is frustrating too.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
2/25/2019 | 11:14:38 AM
Automation
Viewing alerts is unsustainable in its current form. The role needs to transition to a fully automated process I think this is the important step in security analysist workflow, they can not possible to go over all those false positives.
MariaColeman
50%
50%
MariaColeman,
User Rank: Apprentice
2/25/2019 | 5:21:53 AM
Re: Automation is KEY
Very correctly and logically said.
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
2/22/2019 | 3:45:00 PM
Minimizing Mistakes by Maximizing Actionable Intelligence
As the title denotes, Security Analysts are only human. A human element will always be needed to one degree or another but they are prone to error. For this reason, Security Professionals need to look towards maximizing automatic logic. As stated, receiving 10K alerts per day would be an impossible task to review without automated logic built into the coding of your SOC. We've made great progress but if we can continue to push the limits of our efficiency we can continue to diminish the degree of error that is inherent to our being.
barefoot_marine
100%
0%
barefoot_marine,
User Rank: Apprentice
2/21/2019 | 1:22:07 PM
Automation is KEY
Definitely agree. Implementing solutions that replace Tier 1 assets is critical to effective security growth of an organization. Tier 1 analysts have the highest turnover and burnout rates. We ask them to help secure our infrastructure, but in reality, all they become are button monkeys, clicking yes/no. Barely able to keep up with that, let alone do research to validate the escalation. 

A SOC, coupled with the right internal and external intelligence, plus orchestration can effectively automate Tier 1, finally allowing jr SOC analysts a place to grow into more meaningful workflows.
<<   <   Page 2 / 2
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...