TDWI | Training & Research | Business Intelligence, Analytics, Big Data, Data Warehousing

All Data and No Security Orchestration Makes You an Ineffective Security Analyst

A security automation and orchestration platform can solve incident detection and response challenges. Here are the key features to look for.

• By Abhishek Iyer
• February 27, 2018

Cyberattacks are on the rise, and organizations are struggling to find a structured response process once a breach is detected. Recent research suggests that the average time to detect a breach is 99 days and the average cost of a successful breach is $4 million. Although this is an improvement over the 146 days reported in previous research, this is still a cause for concern.

For Further Reading: The Shift to Software-Defined Security Lessons from the Equifax Data Breach Security Analytics: Our Last, Best Hope?

With detection times not falling as quickly as organizations hope or expect, security professionals must turn a discerning eye to current processes, review them dispassionately, and seek ways to quicken detection and shorten response times.

How Cybersecurity Analysts Detect a Breach

Analysts typically use either a reactive or a proactive detection method. Reactive detection sifts through hundreds of security alerts to identify legitimate threats and eliminate false positives. Proactive detection hunts for threats and uses intelligence data to search for possible breaches or vulnerabilities. Both methods have weaknesses that impact the effectiveness of detection attempts.

• Endpoint and network security products generate a large number of alerts. The volume of alerts generated depends on the sensitivity setting of the security product. If the setting is too sensitive, the system can generate so many alerts that analysts are overwhelmed by the volume and are more likely to miss a genuine threat while sifting through false positives. If the setting is not sensitive enough, the system can miss critical alerts. Most security professionals tend to take the safest route and choose the sensitive setting. As a result, more alerts are generated than staff members can analyze manually.


• Junior analysts don't always know how to act on threat intelligence data. Threat intelligence services provide current information on potential attacks that are relevant to the organization's industry. The problem is that junior analysts often do not know what intelligence is actionable, much less the actions they need to take.


• Senior analysts spend far too much time dealing with repetitive, mundane tasks. After an incident is detected, the next step is to analyze the data associated with the incident. Typically, this requires accessing multiple tools to extract and analyze logs and other data, which means that analysts may have to toggle between 20 or more open windows to investigate one incident. Senior analysts are therefore too busy fighting fires to help junior analysts who often do not know what to do.

Solution Features

What you need is an intelligent security operations platform that offers complete visibility and serves as a hub for all security products. A security automation and orchestration platform can solve the challenges associated with incident detection and response. The leading solutions in this category provide:

• Case management: From creating the case to managing the workload, case management can shorten the mean time to response (MTTR). Case management tools can collect, distribute, and analyze data related to an incident, assign an analyst, and issue updates to ensure that no threats slip through the cracks.


• Automation: Playbook automation can be used to handle mundane, repetitive tasks, including enrichment, ticket management, duplicate detection, and more. The automation platform can draw context from threat data, and playbooks can be executed to proactively hunt for existing threats that are based on threat intelligence data.


• Orchestration: A security orchestration tool can harmonize across an organization's security product stack, reducing "dead time" spent in changing screens, collecting data from disparate sources, and performing repetitive, low-level tasks.


• Collaboration: Collaborative, interactive investigations can expedite detection and response. A platform that facilitates real-time conversations between analysts ensures transparency across the board, documents all analyst actions, and engenders synergies among analyst skill sets.


• Machine learning: Machine learning can match incidents with the analysts most adept at handling them, recommend ideal team compositions for complex incidents, and give junior analysts a nudge in the right direction by suggesting a course of action.


• Postmortem activities: After an incident has been addressed, your solution should analyze the threat and the team's response and obtain audit trails that show the time that elapsed between intrusion and detection and between detection and recovery. In addition, it's helpful to determine if an organization was specifically targeted or if it was a random attack, what vulnerabilities were exploited, and what triggered the attack.

The number of cybersecurity incidents is not going to decline, so analysts must be prepared to wage a never-ending war against those who want to invade their systems. Whether the attacker's goal is to steal proprietary information or customers' financial information, extort money through a ransomware attack, or just create mayhem for the company, early detection and remediation through a security operations platform can help minimize the damage.

You Don't Want to Be the One

No one wants to admit that a breach went undiscovered for two years and resulted in the theft of credit card data belonging to millions of customers. No one wants to have to explain to a regulatory agency how millions of medical records were purloined over 18 months. No one wants to explain to the organization's board why analysts responded to thousands of false alarms, handled thousands of alerts that were not critical, but failed to identify a malware attack that infected hundreds of customers' computers. With a robust security orchestration platform, no one will have to.