Augmenting the Analyst: Using data science, training, tools and techniques to improve performance

The growing demand for cybersecurity analysts is a combination of playing catch-up, keeping up with growing threat/attacker capabilities and an expanding global IT footprint. With nearly a decade of easing the growing security skills gap, we must find ways to support the analysts who are already working to protect us. In this blog, we discuss ways to augment their efforts and maximize their time by overcoming some of the key challenges they face.

Why do we need to augment our analysts?
The global cybersecurity landscape is in crisis due to a lack of skilled talent available. A recent US survey by Emsi Burning Glass (now Lightcast) showed that one million cybersecurity professionals are working in the industry, yet there are more than 700,000 open roles to be filled. The situation is just as critical across Europe, according to LinkedIn data, which shows a 22% increase in demand for talent last year alone, with no sign of slowing down.

Educational institutions, government efforts, and private training programs are churning out new candidates as quickly as possible, but it takes five to ten years to produce an experienced L3 security operations center (SOC) analyst. This is definitely a solution for the future. So what do we do in the meantime?

What about artificial intelligence, machine learning and data science?
Many people believe that machine learning (ML) and artificial intelligence (AI) will replace SOC analysts. But that won’t happen, at least not anytime in the next two decades.

Yes, we have self-driving cars, and yes, a self-driving car that drives down the road without crashing is impressive. But they are enabled by advances in computer vision as much as AI/ML. Using the same tools to decide if a company network with 10,000 endpoints is secure is like keeping 10,000 cars on the road at the same time when you’re not 100 percent sure where you are going or what the road looks like.

AI/ML techniques are not magic bullets that solve the entire problem. They are a collection of solutions for very specific parts of the problem, such as extracting facts from security data that may be difficult or impossible for humans to determine. For example, AI/ML can detect a predictable pattern in user input failures, which marks it as automated activity that uses low-and-slow timing to try to avoid detection. Or it can identify anomalous user behavior and relate it to other anomalous system activity – such as when an administrator suddenly logs in at 3:00 a.m. from a new location.
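As an added illustration (not code from the original post), the sketch below shows one simple way to surface the "predictable pattern" described above: it measures how regular the gaps between an account's failures are, using the coefficient of variation as a plain statistical stand-in for a trained model. The log format, account names, thresholds and the reading of the failures as failed sign-ins are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (not real logs): "<ISO timestamp> <account> <outcome>"
SAMPLE_EVENTS = """\
2024-03-01T00:05:00 admin FAIL
2024-03-01T00:35:02 admin FAIL
2024-03-01T01:04:59 admin FAIL
2024-03-01T01:35:01 admin FAIL
2024-03-01T02:05:00 admin FAIL
2024-03-01T02:35:03 admin FAIL
2024-03-01T09:00:10 alice FAIL
2024-03-01T09:00:25 alice FAIL
2024-03-01T09:01:40 alice FAIL
2024-03-01T09:02:10 alice OK
2024-03-01T13:22:05 alice FAIL
2024-03-01T17:45:30 alice FAIL
"""

MIN_FAILURES = 5    # assumed: fewer points say nothing about regularity
MAX_CV = 0.10       # assumed: gaps within ~10% of their mean look machine-timed
MIN_MEAN_GAP = 300  # assumed: seconds; slow enough to sit under burst thresholds


def find_low_and_slow(log_text):
    """Return {account: (mean_gap_seconds, cv)} for regularly spaced failures."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "FAIL":
            continue  # skip malformed lines and successful events
        failures[parts[1]].append(datetime.fromisoformat(parts[0]))
    flagged = {}
    for account, times in failures.items():
        if len(times) < MIN_FAILURES:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < MIN_MEAN_GAP:
            continue  # fast bursts belong to ordinary threshold rules (also avoids /0)
        cv = pstdev(gaps) / avg  # coefficient of variation: low = predictable timing
        if cv <= MAX_CV:
            flagged[account] = (round(avg, 1), round(cv, 4))
    return flagged


if __name__ == "__main__":
    print(find_low_and_slow(SAMPLE_EVENTS))
```

The human-looking account (a few quick retries, then failures hours apart) has widely varying gaps and is not flagged, while the account failing every half hour is. Returning the measured interval alongside the flag gives the analyst the reason for the alert, not just the verdict.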

Does the use of AI/ML need any additional training?
Data science is a profession in which most security analysts are not skilled or experienced. AI/ML systems are starting to help stem the tide of alerts, but it can become problematic if analysts are unable to understand what these tools are doing.

Early AI/ML tools, for example, were famous for presenting a result such as “detected anomalous behavior,” but without any context for the analyst to determine why the behavior was anomalous. That lack of knowledge had the potential to push analysts into a state of blindness to their environment, allowing critical threats to go unnoticed.

Training provides benefits because security operations center (SOC) analysts want to improve the way they work. It is embedded in every modern SOC as the main principle of continuous improvement. If we give analysts additional ways to approach the problem space, they will use them to innovate and iterate on better ways of creating and delivering security value.

Outside of the data science field, SOC analysts regularly obtain and keep certifications up to date. But with an increasing number of SOC training courses and certifications available, it is critical that analysts focus on courses that provide tangible benefits, are relevant to the security field, and lead to tangible improvements in analyst performance and skill.

What tools can help SOC analysts do more?
Modern SOC tools can help make an analyst more effective and productive. These tools take advantage of all types of available security-related data to help analysts perform meaningful analysis. Data is prioritized and presented to analysts so they know what to look at first, making it faster to drill down to important areas.

Similar to AI/ML, automation within SOC tools was historically cited as a way to eliminate the need for analysts. While that debate appears to be over (for now), some important developments emerged from it.

In particular, the term Security Orchestration, Automation and Response (SOAR) has become a key grouping for automated activities. However, SOAR is much more than that. It’s a way to allow SOC analysts to directly automate the parts of their work that can be automated – in a structured yet free way, in collaboration with their peers.

For example, SOAR tools can pre-collect additional information that an analyst may want to review after an alert is raised. This is a tremendous time saver because it cuts out the manual steps of searching for that data.

Click Tax is also a major consideration that doesn’t get much attention. This is an informal measure of the time it takes an analyst to interact with and use tools, such as load time, complex chains of user interface interactions, the distance of mouse movements, and the potential for selection or data input errors. Click Tax increases the time it takes an analyst to complete a task and hinders the flow of the analysis. Saving just 30 seconds in Click Tax per alert can save a whole day of a SOC analyst’s time. The headline of a recent Forrester report sums it up: Analyst Experience (AX): Security Analysts Finally Break Free from the Shackles of Bad UX.

Conclusion
The cybersecurity staffing crisis will get worse before it gets better. The good news is that we can help current security analysts be more efficient and effective. We see the best results when the latest technology is used correctly, training is available to help analysts use it best, and tools are focused on improving and augmenting SOC teams to do more – better and faster. Combining data science, training, tools and techniques with great analysts is where the magic happens.

*** This is a SilverSky Security Bloggers Network syndicated blog authored by michele-johnston. Read the original post at: https://www.silversky.com/blog/augmenting-the-analyst-using-data-science-training-tools-and-techniques-to-enhance-performance/
