Empowering Analysts: Using Data Science, Training, Tools, and Techniques to Improve Performance
The growing demand for cybersecurity analysts comes from two directions: keeping up with growing attacker capabilities and a globally expanding IT footprint. To close the security skills gap that opened nearly a decade ago, we must find ways to support the analysts who are already working to protect us. In this blog, we discuss how to strengthen their efforts and make the most of their time by overcoming some of the key challenges they face.
Why do we need more analysts?
The global cybersecurity environment is in jeopardy due to the lack of available skilled people. According to a recent US study by Emsi Burning Glass (now Lightcast), roughly 1 million cybersecurity professionals are working in the industry, yet the field is still short more than 700,000 people. The situation is equally dire across Europe, where demand for talent rose 22% last year alone and shows no sign of slowing down, according to LinkedIn data.
Academic institutions, government initiatives, and private training programs are producing new candidates as quickly as they can, but it takes five to ten years to develop an experienced L3 Security Operations Center (SOC) analyst. That is clearly a solution for the future, not the present. So what do you do in the meantime?
What about artificial intelligence, machine learning, and data science?
Many believe that machine learning (ML) and artificial intelligence (AI) will replace the SOC analyst. That will not be the case, at least for the next few decades.
Yes, we have self-driving cars. Yes, self-driving cars navigating roads without crashing are impressive. But they are made possible by advances in computer vision as much as by AI/ML. Using the same tools to determine whether a corporate network of 10,000 endpoints is secure is like having 10,000 cars on the road at the same time without a complete view of where you are going or what the roads look like.
AI/ML techniques are not a silver bullet that solves the whole problem. They are a collection of solutions to very specific parts of the problem, such as inferring facts about security data that would be difficult or impossible for humans to determine. For example, AI/ML can detect predictable patterns in user logon failures, highlighting automated activity that uses low-and-slow timing to avoid detection. Or it can identify anomalous user behavior and tie it to other anomalous system activity: for example, an administrator who suddenly logs on to a system at 3:00 AM from a new location.
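The two detections sketched above (a steady, slow cadence of logon failures that a per-minute brute-force threshold would miss, and a privileged logon that is both off-hours and from a location never seen for that account) can be expressed as plain statistical rules before any ML is involved. The block below is an added example written for this post, not code from the original article or from SilverSky; the authentication events, the `ADMIN_BASELINE` profile, and the thresholds (`min_failures`, `min_gap_s`, `max_cv`) are constructed assumptions that a real SOC would tune against its own data.

```python
"""Added example: rule-based versions of the two detections described above.

Detection 1 looks for failed logons arriving at a regular, slow cadence
(low-and-slow automation).  Detection 2 flags a successful privileged logon
that is off-hours AND from a location absent from the account's baseline.
All events and the baseline below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events: (timestamp, user, result, source_location).
EVENTS = [
    ("2024-03-04T02:00:00", "svc_backup", "FAIL", "DE"),  # one failure every 7 min
    ("2024-03-04T02:07:00", "svc_backup", "FAIL", "DE"),
    ("2024-03-04T02:14:00", "svc_backup", "FAIL", "DE"),
    ("2024-03-04T02:21:00", "svc_backup", "FAIL", "DE"),
    ("2024-03-04T02:28:00", "svc_backup", "FAIL", "DE"),
    ("2024-03-04T02:35:00", "svc_backup", "FAIL", "DE"),
    ("2024-03-04T09:12:00", "jdoe", "FAIL", "UK"),        # human typo: few, irregular
    ("2024-03-04T09:12:09", "jdoe", "FAIL", "UK"),
    ("2024-03-04T09:12:40", "jdoe", "OK", "UK"),
    ("2024-03-04T03:00:00", "admin_ops", "OK", "BR"),     # 3 AM, never-seen location
]

# Constructed baseline: where and when each privileged account normally logs on.
ADMIN_BASELINE = {
    "admin_ops": {"locations": {"UK"}, "hours": range(8, 19)},
}


def parse(events):
    """Turn the raw tuples into (datetime, user, result, location) records."""
    return [(datetime.fromisoformat(ts), u, r, loc) for ts, u, r, loc in events]


def low_and_slow_failures(events, min_failures=5, min_gap_s=120, max_cv=0.15):
    """Return users whose failed logons arrive at a steady, slow cadence.

    Fast bursts (mean gap below min_gap_s) are left to ordinary threshold rules.
    A low coefficient of variation (stdev / mean) of the inter-arrival gaps is
    the 'predictable pattern': humans retry irregularly, scripts on a timer do not.
    """
    by_user = defaultdict(list)
    for ts, user, result, _ in parse(events):
        if result == "FAIL":
            by_user[user].append(ts)
    hits = {}
    for user, times in by_user.items():
        times.sort()
        if len(times) < min_failures:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_gap_s:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[user] = {"failures": len(times), "mean_gap_s": avg, "cv": round(cv, 3)}
    return hits


def anomalous_admin_logons(events, baseline=ADMIN_BASELINE):
    """Flag successful privileged logons that deviate from the account's baseline.

    Each finding lists the reasons so the analyst sees *why* it is anomalous,
    not just that it is; two reasons together (new location AND off-hours)
    is the high-signal combination described in the text.
    """
    findings = []
    for ts, user, result, loc in parse(events):
        profile = baseline.get(user)
        if result != "OK" or profile is None:
            continue
        reasons = []
        if loc not in profile["locations"]:
            reasons.append(f"new location {loc}")
        if ts.hour not in profile["hours"]:
            reasons.append(f"off-hours ({ts.strftime('%H:%M')})")
        if reasons:
            findings.append({"user": user, "time": ts.isoformat(),
                             "reasons": reasons, "score": len(reasons)})
    return findings


if __name__ == "__main__":
    print("low-and-slow:", low_and_slow_failures(EVENTS))
    print("admin anomalies:", anomalous_admin_logons(EVENTS))
```

On the constructed data, `svc_backup` is the only account with enough failures at a long, perfectly regular interval, while `jdoe`'s two quick mistyped passwords fall below both the count and the gap thresholds; `admin_ops` is flagged with both reasons, which is exactly the context the later section says early tools failed to surface.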
Does using AI/ML require additional training?
Data science is a profession in its own right, and most security analysts do not have the skills or experience to practice it. AI/ML systems are starting to help stem the flood of alerts, but they can create a new problem if analysts do not understand what these tools are doing.
For example, early AI/ML tools were notorious for presenting results such as "Anomalous behavior detected" without giving analysts the context to determine why the behavior was anomalous. That lack of insight can leave analysts in a state of environmental blindness, allowing critical threats to go unnoticed.
Training is an advantage for SOC analysts who want to improve the way they work, and it is built into every modern SOC as a core principle of continuous improvement. Give analysts additional ways to approach problem areas and they will use them to innovate and iterate better ways of creating and delivering security value.
Outside the realm of data science, SOC analysts are regularly certified and kept up to date. However, with the growing number of SOC training courses and certifications available, it is essential to focus on the courses that deliver tangible benefits, relate to the analyst's security domain, and produce demonstrable improvements in analyst performance and competence.
What tools help SOC analysts do more?
Modern SOC tools help analysts be more efficient and productive. They draw on every type of security-related data available so that analysts can perform meaningful analysis. Data is prioritized and presented so that analysts know what to look at first and can drill down into key areas faster.
Like AI/ML, automation within SOC tools has historically been cited as a way to eliminate the need for analysts. While that debate appears to be over (for now), there have been some significant developments since.
Specifically, Security Orchestration, Automation and Response (SOAR) has come to describe an important group of automated activities. But SOAR goes far beyond that: it is a way for SOC analysts to directly automate the parts of their job that can be automated, in a structured yet collaborative and open way with colleagues.
For example, SOAR tools can pre-aggregate the additional information an analyst wants to see when an alert arrives. This saves considerable time by eliminating the manual step of going to fetch that data.
The "click tax" is another major consideration that has received less attention. It is a colloquial measure of the time it takes analysts to interact with and use a tool: load times, complex chains of UI interactions, mouse travel distance, and the opportunities for error when selecting or entering data. Click taxes increase the time analysts need to complete tasks and disrupt the flow of analysis. Saving just 30 seconds of click tax per alert can add up to a full day of SOC analyst time. A recent Forrester report title summarizes it: Analyst Experience (AX): Security Analysts Finally Break Free from Bad UX.
Conclusion
The cybersecurity staffing crisis will get worse before it gets better. The good news is that we can help today's security analysts become more efficient and effective. You get the best results when state-of-the-art technology is used correctly, training helps analysts get the most out of that technology, and tools empower the SOC team to do more, better and faster. When you combine data science, training, tools, and techniques with great analysts, magic happens.
*** This is SilverSky’s Security Bloggers Network syndicated blog by michele-johnston. Read the original post: https://www.silversky.com/blog/augmenting-the-analyst-using-data-science-training-tools-and-techniques-to-enhance-performance/