Apparently perfect is all around us. Have you taken your car in for a service appointment lately? It’s a fairly common practice for your service technician to ask for a 5-star or perfect rating when the service is complete. The perfect vacation, the perfect gift, the perfect house, the perfect everything. And nowadays it’s even infiltrated our love lives! Just download that dating app and all we have to do is swipe right for the perfect mate. These apps promise us the world, and if they can’t deliver, well, don’t worry, just keep swiping right until they do.
So, all this perfect got me thinking. What if we could “swipe right” to find the perfect Security Operations Analyst? How would you define the skills required for one of the most difficult jobs on the frontlines of cybersecurity analysis?
I used to think I knew what the perfect analyst was. Heck, I was experienced, I knew the SOC world, and I wrote job descriptions for clients to find the candidates (generally with headphones securely attached to my head, singing along to “Never Could Toe the Mark” by Waylon Jennings). The qualifications were standard: monitor and analyze security alerts, escalate suspicious incidents, monitor security log ingestion, identify malicious traffic from network sensors, review endpoint events, and analyze the correlation rules for improvements.
But do these qualifications really describe the requirements of a front-line security analyst? After my clients hired the “Perfect Analyst,” I’d come back to find these analysts overwhelmed, opening tickets for almost every alert generated, sometimes hundreds or more per day. Needless to say, they weren’t making friends with the other team members when the tickets assigned were mostly false positives. In this case the security analyst decided the best way to solve the problem was to turn off the correlation rules that fired the most frequently! Yikes… there’s a recipe for disaster. I felt bad for these front-line defenders. The deck was simply stacked against them.
OK, so let’s get real. What does the job really entail? After all my years in Security Operations, here’s my assessment of the job—it’s not really something a human is meant to do. Consider the 7 characteristics required of the Perfect Security Analyst:
1. Self-replicating - When you need more analysts or more capacity, they replicate to handle the load without you having to worry about fighting off the pending robot apocalypse.
2. Available 24x7 - Works every hour of every shift, never takes a coffee break or a vacation and never sleeps.
3. Highly Superior Autobiographical Memory aka Hyperthymesia - The perfect analyst remembers everything in vivid detail. They remember patterns of events, your critical assets and users. But don’t rely on them to remember where you parked your car before the big game, that’s on you.
4. Unrivaled Security Operations Experience - The perfect analyst will have more hours of Sec Ops experience than seemingly possible but is always willing to learn something new, accept constructive criticism and put it to good use.
5. Deals only in facts - The perfect analyst never makes an assumption or an educated guess. They go where the evidence leads them without interjecting their own opinions or biases.
6. Breaks the rules - Correlation rules that is. The perfect analyst isn’t bound by binary rules, Boolean logic or anomalies from a learned normal pattern. Instead, the perfect analyst uses math and probability to determine the likelihood of malicious activity.
7. Works well with others - The perfect analyst acts as an extension of your team and rapidly integrates into the enterprise and your existing workflow without requiring new content, scripts and playbooks.
If anyone could find a Security Analyst with this kind of resume, they would immediately swipe right. But the reality is, this analyst simply doesn’t exist; it’s only possible with automation.
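As an added illustration of item 6 (this is example code written for this page, not code from the post or from Respond Software’s product), here is a small Python sketch that contrasts a classic Boolean correlation rule with evidence combined by likelihood ratios. The base rate, the likelihood ratios, the thresholds and the sample login events are all assumed, constructed values chosen to show the behaviour, not measured figures.

```python
import math

# Assumed, illustrative likelihood ratios: for each observation,
# P(observation | malicious) / P(observation | benign).
# Values above 1 raise suspicion; values below 1 lower it.
LIKELIHOOD_RATIOS = {
    "failed_logins_over_5": 4.0,
    "login_from_new_country": 6.0,
    "off_hours": 2.0,
    "known_admin_account": 3.0,
    "vpn_session_active": 0.25,  # a corporate VPN explains a "new" country
}

# Assumed base rate of malicious activity among logins in this toy model.
PRIOR_MALICIOUS = 0.01


def boolean_rule(evidence):
    """Classic correlation rule: fires only when two fixed conditions both hold.

    It cannot weigh exculpatory context such as an active VPN session, and it
    stays silent when a different, equally suspicious combination appears.
    """
    return bool(evidence.get("failed_logins_over_5")
                and evidence.get("login_from_new_country"))


def probability_malicious(evidence, prior=PRIOR_MALICIOUS, ratios=LIKELIHOOD_RATIOS):
    """Naive-Bayes style combination of evidence in log-odds space.

    Starting from the prior odds, each observed condition multiplies the odds by
    its likelihood ratio (added in log space to avoid underflow); the result is
    converted back to a probability.
    """
    log_odds = math.log(prior / (1.0 - prior))
    for name, present in evidence.items():
        if present and name in ratios:
            log_odds += math.log(ratios[name])
    return 1.0 / (1.0 + math.exp(-log_odds))


def triage(evidence, escalate_at=0.5, watch_at=0.1):
    """Map the probability onto an analyst action (thresholds are assumed)."""
    p = probability_malicious(evidence)
    if p >= escalate_at:
        return "escalate"
    if p >= watch_at:
        return "watch"
    return "ignore"


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"failed_logins_over_5": True, "login_from_new_country": True},
    {"failed_logins_over_5": True, "login_from_new_country": True,
     "vpn_session_active": True},
    {"login_from_new_country": True, "off_hours": True,
     "known_admin_account": True},
    {"failed_logins_over_5": True, "login_from_new_country": True,
     "off_hours": True, "known_admin_account": True},
]


def compare(events):
    """Count how many tickets each approach would open over a batch of events."""
    return {
        "boolean_tickets": sum(1 for e in events if boolean_rule(e)),
        "escalated": sum(1 for e in events if triage(e) == "escalate"),
        "watched": sum(1 for e in events if triage(e) == "watch"),
        "ignored": sum(1 for e in events if triage(e) == "ignore"),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"rule fires={boolean_rule(event)!s:5}  "
              f"p(malicious)={probability_malicious(event):.3f}  "
              f"action={triage(event)}")
    print(compare(SAMPLE_EVENTS))
```

Run as a script it shows the point of item 6: the Boolean rule opens a ticket for the VPN-explained login and ignores the off-hours admin login from a new country, while the probabilistic score ranks the same four events from “ignore” to “escalate” and only the event with all four signals crosses the escalation threshold.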
And I can hear you asking, “But Mike, what do we do with all those front-line security analysts? How does their role change? How does my SOC model evolve?”
We hear concerns like this in initial conversations with our customers all the time. We get it, changing the model isn’t always easy—but it is necessary, and it doesn’t have to be scary.
Our customers are making the SOC Analyst job more enjoyable (and even making it a little fun) and improving morale on their teams. By automating with Decision Automation, their analysts can now focus on threat hunting, script for other automation projects, take coffee breaks, and even get a little sleep.
Luckily, you don’t need to swipe right to pick the Respond Analyst now!
For more information:
Mike is a Sales Engineer at Respond Software. He is focused on helping organizations of all sizes drive efficiencies across their security operations teams. Prior to Respond Software, Mike sold, architected, and deployed SIEM solutions across the globe, and helped to develop a risk-based correlation engine. He has a B.S. in Computer Science, served in the United States Air Force, and has 25+ years of experience in communications, networking, and security. He was once a firm believer in the power of correlation but has seen the light and is working to atone for the sins of his past.