The Superhuman Security Analyst: Are We Expecting Too Much?

If you have a minute, look at the average job description for an enterprise security analyst on any career website. The responsibilities are borderline superhuman, and the qualifications lengthy and wide-ranging, depending on the industry.

Candidates must hold a myriad of certifications and are expected to be “on call” 24 hours a day. They must demonstrate a deep knowledge of security risks and controls, data processing operations, systems administration, and computer programming. They are expected to be vigilant about all the latest attack vectors and trends, operate and maintain monitoring systems used to detect and report security violations, and lead all investigations of suspicious activity in the organization…and that’s just the beginning.

In addition, there is a distinct shortage of skilled security analysts. ISACA predicts that there will be a global shortage of two million cybersecurity professionals by 2019; 53% of companies indicated that they’ve experienced delays as long as six months to hire qualified candidates. That means analysts are doing the jobs of multiple people for considerable periods of time while their company searches for qualified candidates. 

Consumed by data
The workforce shortage aside, a greater challenge is the flood of security data that an analyst must interpret and decide how to act upon. We have a preconceived notion of a single security alert sounding some sort of alarm, and an analyst who leaps into action and can decide in a few seconds whether this alert is actionable. 

The bulk of a security analyst’s day-to-day work includes analyzing log files and hunting for anomalous activity based on alerts or outputs from various tools. That arsenal of tools is growing by the day: the typical enterprise security stack contains solutions from an average of 50 security vendors, including endpoint devices, SIEMs, and behavioral analytics. Nearly all of these solutions generate security alerts.

In theory, these tools are supposed to help the security analyst make faster and more informed decisions about their security posture. However, the analyst can’t simply trust the validity of all the incoming alerts; they must investigate each one. Even with the addition of automation and workflow orchestration, the investigation process is still hugely time-consuming.

Many analysts say their organizations are so inundated, they have no choice but to ignore a significant number of security alerts because they can’t keep up with the volume. Some are even instructed by their CISO to eliminate data streams or turn off certain features of their SIEM platforms to cut down on the number of alerts they receive. That puts enterprises at risk as threats go unnoticed and have time to take root.

Most incident response tools cannot preserve historical data due to the scale of alerts being generated and are unable to identify relationships between new alerts and previous events that the analyst has already researched or mitigated.

One of the critical questions that a security analyst must answer is “What did this threat actor do in my environment?” But instead, they spend most of their time validating alerts by digging through log lines and writing search queries.

The approach to solving this has been to take a complicated process and try to automate aspects of it. For example, if it can take 16 hours for a security analyst to investigate a potentially malicious email, the solution for accelerating this process has been to automate the checklist or steps required for mitigation.

This is helpful, but it’s not actually solving the underlying problem. Instead of storing an analyst’s work in a spreadsheet that is filed away somewhere, data should be dynamically applied to assess the next threat.

Solve the technology problem, not the process problem
What’s needed to help the security analyst gain an advantage? For starters, CISOs need to acknowledge that analysts cannot sustain the current rate of demands and workload. They cannot be expected to repeatedly perform manual forensic tasks and still have time for more in-depth critical thinking. These are two completely different skill sets, and the manual work is preventing the analyst from focusing on what they do best: solving problems.

From a security analyst’s perspective, the best source of intelligence about future attacks is an organization’s own internal data from a similar or related attack. Data from past incidents adds important context to a new threat and fills in the whole picture of what’s really going on. Most of the time, analysts are not able to access this data when they need it. 

To support analysts and make better use of their time, enterprises should look for technologies that retain organization-specific data and perform more of the analysis required to understand context. This can free the analyst from hours of repetitive log line investigations and give them time to do more of the critical thinking, threat analysis and reporting that is outlined in their job description. 
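As an added illustration (not code from the article or any product it describes), the following Python sketch shows the kind of context lookup the paragraphs above argue for: each incoming alert is checked against previously investigated cases that share an indicator, and the analyst’s earlier disposition decides which queue it lands in. The case records, alerts, field names and the 90-day window are all constructed assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of previously investigated cases (not real incidents).
# Each case keeps the indicators the analyst tied to it and the outcome.
PAST_CASES = [
    {"id": "CASE-101", "closed": "2018-03-01T09:00:00", "disposition": "true_positive",
     "indicators": {"src_ip:198.51.100.23", "sha256:aa11"}},
    {"id": "CASE-102", "closed": "2018-03-05T14:30:00", "disposition": "false_positive",
     "indicators": {"user:svc_backup", "process:backup.exe"}},
    {"id": "CASE-103", "closed": "2017-11-20T08:00:00", "disposition": "true_positive",
     "indicators": {"domain:updates.example.net"}},
]

# Constructed incoming alerts; "id" and "seen" are metadata, every other field is an indicator.
SAMPLE_ALERTS = [
    {"id": "ALERT-1", "seen": "2018-03-20T10:05:00", "src_ip": "198.51.100.23", "user": "jsmith"},
    {"id": "ALERT-2", "seen": "2018-03-20T10:07:00", "user": "svc_backup", "process": "backup.exe"},
    {"id": "ALERT-3", "seen": "2018-03-20T10:09:00", "domain": "updates.example.net"},
]
NOW = datetime.fromisoformat("2018-03-20T10:10:00")  # fixed clock so the example is reproducible


def indicators_of(alert):
    """Normalise an alert's fields into 'type:value' keys comparable with case indicators."""
    return {f"{k}:{v}" for k, v in alert.items() if k not in ("id", "seen")}


def related_cases(alert, cases, now, max_age_days=90):
    """Prior cases closed within max_age_days that share an indicator with the alert, newest first."""
    cutoff = now - timedelta(days=max_age_days)
    keys = indicators_of(alert)
    hits = []
    for case in cases:
        shared = keys & case["indicators"]
        closed = datetime.fromisoformat(case["closed"])
        if shared and closed >= cutoff:
            hits.append({"id": case["id"], "disposition": case["disposition"],
                         "shared": sorted(shared), "closed": closed})
    return sorted(hits, key=lambda h: h["closed"], reverse=True)


def triage(alert, cases, now):
    """Suggest a queue from what analysts already concluded about the alert's indicators."""
    related = related_cases(alert, cases, now)
    dispositions = {r["disposition"] for r in related}
    if "true_positive" in dispositions:
        queue = "escalate"     # an indicator is already tied to a confirmed incident
    elif related:
        queue = "review_low"   # only previously benign context; still a human decision
    else:
        queue = "investigate"  # nothing known in the retention window; full investigation
    return {"alert": alert["id"], "queue": queue, "related": [r["id"] for r in related]}
```

ALERT-3 shows the retention trade-off the article raises: its domain was confirmed malicious in CASE-103, but that case falls outside the 90-day window, so the alert goes back to a full investigation unless the history is kept longer.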

It takes an exceptional kind of person to become a security analyst. The demands of this role will continue to be significant. If enterprises can shift resources away from fixing cybersecurity processes and be more strategic about addressing the analytic challenges, it can go a long way towards alleviating some of the pressure and unreasonable expectations of the job. Ultimately, data is not the enemy of the security analyst; analysts simply need a more intelligent way to understand and act on data.
