The best cybersecurity analysts should play the part of detective

Apr 03, 2018 | 5 mins
Data and Information Security | Investigation and Forensics | Security

Today’s cybersecurity analysts need to be part detective, following their gut wherever it takes them and thinking like the very attackers they are combating.

[Image: detective with magnifying glass. Credit: Thinkstock]

With an ever-growing threat from cyber attacks, we now live in a world where security operations centers (SOCs) are the norm. These typically feature a number of cybersecurity analysts watching screens for alerts, and then following a playbook for any alerts that occur. When done well, these operations will usually identify and remediate common attacks very quickly. For example, responding to an alert about a malware infection on a system, they would typically block the system from the network and send field personnel to clean it up.

These SOC operations are usually reliable and scalable, and they can be trusted to resolve common issues with little intervention. Therein lies the problem, however. Today’s bad actors know the same playbooks, and they know how to use them to avoid detection. Their tactics change frequently, often faster than a playbook can be updated to reflect a new technique. It is impossible to keep up with the bad actors using only this approach.

Now, I am not suggesting that we eliminate the concept of SOC operations. They do serve a useful purpose, in identifying the common issues that still occur. If that is our only approach, however, I believe we are doomed to fail in our efforts to protect our organizations.

I have worked in Information Technology for more years than I care to admit. During my formative years, I did not have access to the complex monitoring systems or dashboards we have today. I learned to diagnose issues based on gut feel and a good deal of detective work. Given that my dad made his living as a private detective, I guess I came by it honestly.

To keep up with the enemy, today’s cybersecurity analysts need to adopt the same approach. They need to be part detective, able to see beyond what the monitors and dashboards are telling them. They need to be allowed to follow their gut wherever it takes them. They need to learn to think like the very attackers they are combating.

Recently, the team I manage began seeing alerts for traffic to and from unknown public IP addresses, which seemed to correspond to some unknown internal traffic. Since neither by itself seemed significant, many analysts would tend to disregard it. In the case of my team, however, the analyst was suspicious. He did some research on the public addresses and found them to be associated with a known group of bad actors. He blocked the addresses at the firewall and proceeded to track down the internal traffic.

After a good bit of research, the team determined that the report associating the addresses with the hacking group was wrong, but in the process discovered a VPN configuration issue on some workstations, which caused them to be directed to an advertising site for any failed searches.

The above example had a happy ending, but the detective work could well have resulted in a more significant finding. While we all hope every such investigation turns out to be a false positive, we must follow each lead, just to make sure.
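The investigation above starts from two weak signals that mean little on their own: traffic to public addresses nobody recognizes, and some unexplained internal traffic from the same hosts. The script below is an added example, not code from the article or its author, showing how a SOC might join those signals per internal host and carry the threat-intel feed's stated confidence along with each hit, so the analyst knows a "known bad" address still needs verification before anyone draws conclusions. The log format, the internal address range, the sanctioned external destinations and the threat-intel entries are all constructed for the example; the script produces leads for a human to chase and blocks nothing itself.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines for this example (not from the article).
FIREWALL_LOGS = """\
2018-04-02T09:14:01Z action=allow src=10.20.5.17 dst=203.0.113.45 dport=443
2018-04-02T09:14:05Z action=allow src=10.20.5.17 dst=203.0.113.45 dport=443
2018-04-02T09:15:10Z action=allow src=10.20.5.23 dst=198.51.100.9 dport=80
2018-04-02T09:16:00Z action=allow src=10.20.5.17 dst=10.20.9.4 dport=445
2018-04-02T09:16:30Z action=allow src=10.20.5.17 dst=10.20.9.4 dport=445
2018-04-02T09:17:02Z action=allow src=10.20.5.40 dst=192.0.2.77 dport=443
"""

# Constructed threat-intel entries: indicator -> (feed name, feed's confidence).
# Feed and confidence are kept with the hit so the analyst can judge how far
# to trust it; the article's own case shows such reports can be wrong.
THREAT_INTEL = {
    "203.0.113.45": ("example-feed", "low"),
}

# Assumed internal address space and sanctioned external destinations
# (both constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_EXTERNAL = {"192.0.2.77"}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(logs):
    """Yield (src, dst, dport) from each log line in the assumed format."""
    for line in logs.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def correlate(logs, intel, known_external):
    """Group observations per internal source host.

    Three kinds of observation are kept: hits on the intel list, external
    destinations nobody has vouched for, and the host's internal peers.
    """
    hosts = defaultdict(lambda: {
        "intel_hits": {},          # dst -> (feed, confidence)
        "unknown_external": set(),
        "internal_peers": set(),   # (dst, dport)
    })
    for src, dst, dport in parse(logs):
        if not is_internal(src):
            continue                # inbound from outside: out of scope here
        rec = hosts[src]
        if is_internal(dst):
            rec["internal_peers"].add((dst, dport))
        elif dst in intel:
            rec["intel_hits"][dst] = intel[dst]
        elif dst not in known_external:
            rec["unknown_external"].add(dst)
    return dict(hosts)


def leads(hosts):
    """Return hosts where an external oddity and internal activity coincide.

    Each lead records whether the external signal rests only on unknown
    addresses or low-confidence intel, so the analyst verifies before acting.
    """
    out = []
    for host, rec in sorted(hosts.items()):
        external = set(rec["intel_hits"]) | rec["unknown_external"]
        if not external or not rec["internal_peers"]:
            continue
        high = [d for d, (_, conf) in rec["intel_hits"].items() if conf == "high"]
        out.append({
            "host": host,
            "external": sorted(external),
            "internal_peers": sorted(rec["internal_peers"]),
            "verify_intel": not high,
        })
    return out


if __name__ == "__main__":
    for lead in leads(correlate(FIREWALL_LOGS, THREAT_INTEL, KNOWN_EXTERNAL)):
        print(lead)
```

Run on the constructed logs, only 10.20.5.17 becomes a lead: it talks to the intel-listed address and to an internal peer on port 445. The host that only reaches an unrecognized public address, and the one that only reaches a sanctioned one, stay out of the queue. The `verify_intel` flag is the point of the exercise: a low-confidence hit is a reason to investigate, not a finding.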

If you want to ensure that your cybersecurity analysts are ready to be part detective, consider the following:

Hire the right folks

In my experience, some folks have the basic mindset to do the kind of detective work needed to be a good cybersecurity analyst, and others are better suited to other work. Trying to get a team member without the necessary abilities to do the work will just frustrate both employee and manager. Make the best hiring decisions possible to avoid this.

Let them follow their gut

When you have the right people, don’t be afraid to let them follow their guts, when appropriate. While I am certainly a fan of metrics, we should not adopt the mindset that the number of tickets closed or issues resolved is the best measure for folks doing the analyst job. Look, rather, at their actual success at protecting your organization from attack.

Give them the right tools

If you want your analysts to be effective, don’t skimp on the tools. The more data they have at their fingertips, the better the quality of their analysis. At a minimum, have a good Security Information and Event Management (SIEM) system with every bit of data you can stuff into it. Select and use the threat intelligence feeds that are most appropriate for your industry. Give them good PCs, an isolated environment for testing and detonation, and preferably an Internet connection completely separate from the one your organization uses for business.

Keep the playbook, but…

Much of the work the analysts do will still be routine, so don’t ditch the playbook. For basic investigations, they should stick with it. Make sure, however, that they feel empowered to move off the playbook when they have a sense that something more is going on.

Recognize and socialize their success

There is nothing like talking about a specific successful incident analysis to encourage your analysts to keep up their efforts. Further, having them walk through the process they followed can be of great benefit in training others on the team.

The bottom line — the adversaries we face in information security every day are as familiar with our playbooks as we are. As such, we must go beyond the basics and follow our instincts to get the job done. Fill your team with folks who can do this, and stay out of their way.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
