As Security Analysts, Instead of Threat Hunting We’ve Become Ticket Monkeys
We’ve heard repeatedly from security analysts (like those interviewed in Cyentia’s Voice of the Analyst Survey) that event monitoring is time-consuming, boring, and repetitive, that security analysts feel like ticket monkeys interfacing with IT, and only occasionally do they get to do the fun work of threat hunting.
But did you know that EPPs (Endpoint Protection Platforms, commonly called Next-Gen Antivirus, NGAV or AV) are a foundational data source in security operations, yet can also be a time sink for the security analysts who have to evaluate and act on their alerts?
Generally, EPPs generate high-fidelity alerts: when one fires, the system is likely infected with malware. Given this alert, a security analyst must decide if:
1. the infected system presents a serious threat to the organization and an incident response procedure is
2. the system is in fact infected but the threat is not that serious and can be safely mitigated by creating a ticket for IT or simply reimaging the machine
3. the alert can be dismissed because it is not a threat and no action is required at this time
And how does a skilled security analyst come to an accurate and appropriate decision?
Context. Context. Context.
A security analyst must understand the importance of the involved systems and accounts. Is this a server or a workstation? Is this the CEO’s laptop? Do the systems have any vulnerabilities?
Not all malware is created equal. A security analyst must understand the type of malware, its function, its potential harm, and its ability to spread. Analysts gain this expertise on the job, through research, or through arduous certifications (which they then need to keep current).
Good security analysts won’t assume that the action taken by the endpoint agent (aka EPP) fully remediated the issue; they will look for other indicators and evidence, for example corroborating and relevant network IPS alerts. Experienced analysts know that when one piece of malware is observed, more are likely lurking.
Of course, the security analyst must also qualify whether this threat is even relevant to their environment. Conversely, the threat could be part of something ongoing within their organization or of an external campaign.
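To make the three-way decision above concrete, here is an added example (not code from the original post or from Respond Software) that encodes it as a small triage routine over an EPP alert plus the context the post lists: asset importance, the malware’s ability to spread, corroborating IPS alerts on the same host, and whether the agent’s own action remediated the infection. All field names, hostnames, signatures and events are constructed for illustration.

```python
from dataclasses import dataclass, field

ESCALATE, TICKET, DISMISS = "incident_response", "it_ticket", "dismiss"

@dataclass
class EppAlert:
    host: str
    family: str
    action: str            # "quarantined", "blocked" or "detected_only"
    can_spread: bool       # worm or lateral-movement capability
    relevant: bool = True  # False for e.g. a test file or wrong-OS payload

@dataclass
class Context:
    critical_assets: set = field(default_factory=set)  # servers, exec laptops
    ips_alerts: list = field(default_factory=list)     # (host, signature)

def triage(alert, ctx):
    """Return (disposition, reason) for one EPP alert."""
    if not alert.relevant:
        return DISMISS, "not a threat to this environment"
    # Corroborating IPS alerts on the same host: the agent's action
    # is unlikely to be the whole story, so treat it as serious.
    ips = sorted(sig for host, sig in ctx.ips_alerts if host == alert.host)
    reasons = []
    if alert.host in ctx.critical_assets:
        reasons.append("critical asset")
    if alert.can_spread:
        reasons.append("malware can spread")
    if ips:
        reasons.append("corroborating IPS alerts: " + ", ".join(ips))
    if reasons:
        return ESCALATE, "; ".join(reasons)
    # Infected but contained: commodity malware on an ordinary workstation.
    fix = "reimage" if alert.action == "detected_only" else "agent remediated"
    return TICKET, f"commodity {alert.family}, {fix}"

def triage_all(alerts, ctx):
    return {a.host: triage(a, ctx) for a in alerts}

# Constructed sample data (hostnames and signatures are made up).
SAMPLE_CTX = Context(critical_assets={"ceo-laptop", "db01"},
                     ips_alerts=[("ws-17", "SMB scan"), ("ws-17", "C2 beacon")])
SAMPLE_ALERTS = [
    EppAlert("ws-04", "adware", "quarantined", can_spread=False),
    EppAlert("ws-17", "trojan", "quarantined", can_spread=False),
    EppAlert("ceo-laptop", "infostealer", "detected_only", can_spread=False),
    EppAlert("ws-22", "eicar", "blocked", can_spread=False, relevant=False),
]
```

Running `triage_all(SAMPLE_ALERTS, SAMPLE_CTX)` escalates the CEO laptop and the host with matching IPS alerts, tickets the quarantined adware, and dismisses the irrelevant detection.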
A thorough analysis of the situation and making the appropriate decision takes time.
On top of that, interfacing with IT and generating tickets to remove commodity malware from a workstation may not meet the expectations of hungry analysts eager to be hunting for bad guys.
It’s no surprise SOC teams are falling behind their unrelenting event loads and that 1 in 4 security analysts express dissatisfaction with their current job.
There is a solution besides wringing hands or hiring more analysts. Turns out, we created a Virtual Security Analyst to expertly analyze malware events and recommend a course of action. And get this, our virtual security analyst is fast, scalable, and 100% (yes, that’s right) 100% consistent in performing dozens of checks while evaluating every event. On top of that, Respond Analyst integrates with most ticketing and case management solutions, freeing your analysts from time-consuming ticket creation processes.
Don’t you just want to learn more about why we were named one of Gartner’s Cool Vendors?
Please reach out to learn how to augment your team with the Respond Analyst today.