What makes a security analyst successful? Investigative thinking
Article by ThreatQuotient APJC regional director Anthony Stitt.
The new SANS 2021 Report: Top Skills Analysts Need to Master analyses the need for organisations to invest in improving their security operations and identifies the skills analysts must master to support this initiative. Characterising an analyst as an investigator, the SANS report breaks the investigative process down into two primary areas: investigative tasks and investigative thinking.
One of the most important sources of intelligence is human intelligence that comes from critical thinking. As the SANS report points out, empowering humans to engage in critical thinking is vital to efficient detection and response. According to SANS, best practices for critical thinking include:
Asking questions to gather additional context and scope when facing a situation of uncertainty during an investigation
Reasoning backwards by using tools to hypothesise what must have happened to arrive at an alert
Considering multiple plausible pathways instead of thinking linearly to detect and respond to new threats
Remaining curious, flexible and agile within a highly dynamic environment such as a security operations centre (SOC).
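The three practices above (reasoning backwards from an alert, keeping several plausible pathways open, and asking for the context that is still missing) can be made concrete. The following Python is an added example, not code from the SANS report, ThreatQuotient, or the article's author: it takes a constructed alert and a handful of constructed host events, evaluates each candidate explanation by the artifacts it would have to leave behind, keeps every hypothesis the evidence does not contradict, and turns the unobserved artifacts into the questions an analyst should ask next. The alert fields, event schema, hypothesis names and artifact predicates are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Predicate = Callable[[Event], bool]

# Constructed sample telemetry (illustrative, not real data). The alert fired on an
# encoded PowerShell command line; the events are what the SOC can see for that host.
ALERT = {"id": "A-1", "rule": "encoded_powershell", "host": "WS-042", "user": "jdoe"}
EVENTS: List[Event] = [
    {"ts": "09:58:10", "host": "WS-042", "user": "jdoe", "type": "file_open",
     "detail": "Outlook attachment invoice.docm"},
    {"ts": "09:58:22", "host": "WS-042", "user": "jdoe", "type": "process_start",
     "parent": "WINWORD.EXE", "image": "powershell.exe", "detail": "powershell.exe -enc SQBFAFgA..."},
    {"ts": "09:58:30", "host": "WS-042", "user": "jdoe", "type": "network_connect",
     "detail": "203.0.113.10:443"},
]

# A second, sparser constructed case: the same rule fired on a server, but only one event is visible.
ALERT_SPARSE = {"id": "A-2", "rule": "encoded_powershell", "host": "SRV-07", "user": "adm-ops"}
EVENTS_SPARSE: List[Event] = [
    {"ts": "22:14:03", "host": "SRV-07", "user": "adm-ops", "type": "process_start",
     "parent": "cmd.exe", "image": "powershell.exe", "detail": "powershell.exe -enc ..."},
]


@dataclass
class Hypothesis:
    """One pathway that could have produced the alert, reasoned backwards into
    the artifacts it would have to leave behind (requires) and the artifacts
    that would rule it out (contradicted_by)."""
    name: str
    requires: Dict[str, Predicate]
    contradicted_by: Dict[str, Predicate]


def _office_parent(e: Event) -> bool:
    return e["type"] == "process_start" and e.get("parent") == "WINWORD.EXE"


def _shell_parent(e: Event) -> bool:
    return e["type"] == "process_start" and e.get("parent") in ("cmd.exe", "explorer.exe")


# Hypothetical pathways; a real SOC would maintain these per alert type.
HYPOTHESES = [
    Hypothesis("malicious_document_macro", requires={
        "office_parent": _office_parent,
        "attachment_opened": lambda e: e["type"] == "file_open"
        and str(e.get("detail", "")).endswith((".docm", ".xlsm")),
        "outbound_connection": lambda e: e["type"] == "network_connect",
    }, contradicted_by={}),
    Hypothesis("benign_admin_script", requires={
        "shell_parent": _shell_parent,
        "admin_account": lambda e: str(e.get("user", "")).startswith("adm-"),
        "change_ticket": lambda e: e["type"] == "change_record",
    }, contradicted_by={"office_parent": _office_parent}),
    Hypothesis("interactive_remote_logon", requires={
        "rdp_logon": lambda e: e["type"] == "logon" and e.get("logon_type") == 10,
        "shell_parent": _shell_parent,
    }, contradicted_by={}),
]


def _seen(events: List[Event], pred: Predicate) -> bool:
    return any(pred(e) for e in events)


def evaluate(h: Hypothesis, events: List[Event]) -> dict:
    """Score one hypothesis: which expected artifacts are present, which are
    still unobserved, and whether anything rules it out."""
    found = [a for a, p in h.requires.items() if _seen(events, p)]
    missing = [a for a, p in h.requires.items() if not _seen(events, p)]
    ruled_out = [a for a, p in h.contradicted_by.items() if _seen(events, p)]
    return {"hypothesis": h.name, "found": found, "missing": missing,
            "ruled_out": ruled_out, "support": len(found) / len(h.requires)}


def investigate(alert: dict, events: List[Event],
                hypotheses: List[Hypothesis] = HYPOTHESES) -> Tuple[List[dict], List[str]]:
    """Rank every pathway (contradicted ones last) and derive the open questions:
    the artifacts a still-plausible hypothesis needs but the evidence does not show."""
    scope = [e for e in events if e["host"] == alert["host"]]
    results = [evaluate(h, scope) for h in hypotheses]
    results.sort(key=lambda r: (not r["ruled_out"], r["support"]), reverse=True)
    questions = sorted({a for r in results if not r["ruled_out"] for a in r["missing"]})
    return results, questions


if __name__ == "__main__":
    for alert, events in ((ALERT, EVENTS), (ALERT_SPARSE, EVENTS_SPARSE)):
        ranked, open_questions = investigate(alert, events)
        print(alert["id"], [(r["hypothesis"], round(r["support"], 2), r["ruled_out"]) for r in ranked])
        print("  context still needed:", open_questions)
```

For the first alert the macro pathway is fully supported and the benign-script pathway is contradicted by the Office parent process, so the only remaining questions concern the remote-logon pathway. For the sparse alert nothing is contradicted and the benign explanation merely leads; the question list (change ticket, RDP logon, attachment, outbound connection) is exactly the context the analyst should go and fetch before closing either way, which is the point of not thinking linearly.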
Critical thinking of this kind depends on collaboration, both passive and active. A security operations platform serves as a central repository of internal threat and event data, augmented and enriched with global threat data. This central repository is at the heart of passive collaboration, or information sharing.
When teams can pull the intelligence they need from the central repository as part of their normal workflow, passive collaboration just happens. As they use the repository and update it with observations, lessons learned and documentation of investigations, everyone works from the same, consistently updated threat intelligence, and the repository becomes a centralised memory that future investigations can draw on. Everyone operates from a single source of truth, sharing knowledge as soon as it is recorded and using their tools of choice to improve security posture.
Active collaboration involves engaging with another person to accomplish a shared goal through tasking and coordination. Traditional siloed environments have made this extremely difficult and time-consuming for security professionals. Many security operations are chaotic because teams act independently, with limited visibility into each other's work. With different people or teams working on separate tasks, commonalities between them are missed, so investigations take longer, or key information simply falls through the cracks.
By contrast, a cybersecurity situation room fuses threat data, evidence and people to break down these barriers. All team members involved in the investigation can collaborate in one place. Rather than working in parallel, they see immediately how the work of others affects and informs their own, and they benefit from the human intelligence each of them brings to the table. Validating data together and sharing collective insights fosters critical thinking.
Furthermore, managers across the security teams can follow investigations in the platform as the analysis unfolds, which allows them to act when and how they need to, coordinating tasks between teams and monitoring timelines and results. Embedding collaboration into the investigation process ensures that teams work together to take the right actions faster.
To accelerate and improve security operations, businesses must empower the human element with tools that enable identifying the right data, sharing information, and actively collaborating efficiently.