The best cybersecurity analysts should play the part of detective

With an ever-growing threat from cyber attacks, we now live in a world where security operation centers (SOC) are the norm. These typically feature a number of cybersecurity analysts watching screens for alerts, and then following a play book for any alerts that occur. When done well, these operations will usually identify and remediate common attacks very quickly. For example, responding to an alert about a malware attack on a system, they would typically block the system from the network, and send field personnel to clean it up.

These SOC operations are usually reliable and scalable, and they can be trusted to resolve common issues with little intervention. Therein lies the problem, however. Today’s bad actors know the same playbooks, and they know how to use them to avoid detection. Their tactics change frequently, often faster than a playbook can be updated to reflect a new technique. It is impossible to keep up with the bad actors using only this approach.

Now, I am not suggesting that we eliminate the concept of SOC operations. They do serve a useful purpose, in identifying the common issues that still occur. If that is our only approach, however, I believe we are doomed to fail in our efforts to protect our organizations.

I have worked in Information Technology for more years than I care to admit. During my formative years, I did not have access to complex monitoring systems or dashboards we have today. I learned to diagnose issues based on gut feel, and a bunch of detective work. Given that my dad made his living as a private detective, I guess I came by it honestly.

To keep up with the enemy, today’s cybersecurity analysts need to adopt the same approach. They need to be part detective, able to see beyond what the monitors and dashboards are and are telling them. They need to be allowed to follow their gut wherever it takes them. They need to learn to think like the very attackers they are combating.

Recently, the team I manage began seeing alerts for traffic to and from unknown public IP addresses, which seemed to correspond to some unknown internal traffic. Since neither by itself seemed significant, many analysts would tend to disregard it. In the case of my team, however, the analyst was suspicious. He did some research on the public addresses and found them to be associated with a known group of bad actors. He blocked the addresses at the firewall and proceeded to track down the internal traffic.

After a good bit of research, the team determined that the report of the addresses being associated with the hacking group was wrong, but in the process, discovered a VPN configuration issue on some workstations, which caused them to be directed to an advertising site for any failed searches.

The above example had a happy ending, but the detective work could well have resulted in a more significant finding. While we all hope every such investigation will result in a false positive, we must follow each lead, just to make sure.

If you want to ensure that your cybersecurity analysts are ready to be part detective, consider the following:

Hire the right folks

In my experience, some folks have the basic mindset to do the kind of detective work needed to be a good cybersecurity analyst, and others are better suited to other work. Trying to get a team member without the necessary abilities to do the work will just frustrate both employee and manager. Make the best hiring decisions possible to avoid this.

Let them follow their gut

When you have the right people, don’t be afraid to let them follow their guts, when appropriate. While I am certainly a fan of metrics, we should not adopt the mindset that the number of tickets closed or issues resolved is the best measure for folks doing the analyst job. Look, rather, at their actual success at protecting your organization from attack.

Give them the right tools

If you want your analysts to be effective, don’t skimp on the tools. The more data they have at their fingertips, the better the quality of their analysis. At a minimum, have a good Security Incident and Event Management (SIEM) system with every bit of data you can stuff into it. Select and use the threat intelligence feeds that are most appropriate for your industry. Give them good PCs, an isolated environment for testing and detonation, and preferably a completely separate Internet connection than your organization uses for business.

Keep the playbook, but…

Much of the work the analysts do will still be routine, do don’t ditch the playbook. For basic investigations, they should stick with that. Make sure, however, that they feel empowered to move off of the play book when they have a sense that something more is going on.

Recognize and socialize their success

There is nothing like talking about a specific successful incident analysis to encourage your analysts to keep up their efforts. Further, having them walk through the process they followed can be of great benefit in training others on the team.

The bottom line — the adversaries we face in information security every day are as familiar with our play books as we are. As such, we must go beyond the basics, and follow our instincts to get the job done. Fill your team with folks that can do this and keep out of their way.