Ask any security analyst why it is so difficult for them to perform consistent, accurate and fast incident scoping and prioritization, and they will give you a very long list of answers. It’s no secret that for human analysts, regardless of their skill level or experience, these mission-critical security tasks can be overwhelming due to the ever-increasing attack surface, avalanche of data to process, and just not enough skilled personnel to do the job.
For those who are not familiar with the difficult job security analysts perform, the following overview of will help to demystify what incident scoping, prioritization and escalation mean, along with what it takes for human analysts to do the job.
The Challenges of Scoping
Scoping is the process that aggregates all related events and systems into a common incident, or situation, based on shared attributes within an attack, such as the same systems, attack stages, or signatures.
Incidents can vary dramatically in both their duration and number of internal assets involved. For example, targeted low and slow attacks can last weeks or longer, involving only a few systems. Other incidents may contain many events and systems over a short period.
Now, consider that an analyst's shift is typically 8 hours long. Within that shift, a pair of analysts may trade-off between spending two hours monitoring the event console and two hours off console working on supplementary duties. This type of duty rotation is essential to try and prevent “console blindness” which can easily happen from monitoring events and staring at a screen for too long.
To scope across these shift changes, analysts must rely on the shift log documentation from previous analysts. In the shift log, the analyst annotates events they find interesting or decide to take action on. The strength of incident scoping relies on the accuracy and exhaustiveness of this documentation. Moreover, given that humans are naturally prone to make mistakes (and documentation is as boring as it gets), shift logs are typically incomplete and inconsistent.
As a result, analysts scope “in time,” and primarily based on their memory. In best case scenarios, they can tie disparate alerts together into a single incident while on shift. This means no more than a 1 to 2 hour (perhaps less) lookback scoping events together. Here’s where the process breaks down, since for most humans, relying on this method of scoping proves to be inaccurate and inefficient.
The Challenges of Prioritization
Prioritization evaluates the context, impact, and systems scoped within the incident and assigns a priority level. Typically, priority levels dictate how quickly a response is required and who needs to be involved or made aware of the threat.
With each escalation decision, security analysts must run through a checklist of a few critical questions, for example:
- How big is this event?
- Is this a single compromised workstation (or are we announcing a major breach on tomorrow morning’s news)?
- Are we handling the incident during the Monday 8 to 5 pm shift or executing a full-blown incident response process at 2 AM on a Saturday night?
- Am I waking up the CISO and the CEO in the middle of the night?
The implications of assigning a high priority to an incident and being wrong can result in wasted time, along with some angry colleagues and management. As a result, analysts have become biased and overly careful, not wanting to escalate too quickly for fear of angering the receiver of the escalation. However, it is apparent that this type of behavior introduces an enormous risk to the organization. Security analysts should not be afraid to use the proper callout procedures designed to protect the organization and enable rapid response.
At the same time, it is a catch 22 for analysts since they are always under pressure to identify something – anything -- that could be a threat to the organization’s security. Consequently, analysts often chase down lower priority, but easier incidents that should be ignored vs. focusing on real (and potentially more challenging to investigate) attacks.
The scoping and prioritization challenges identified above introduce avoidable risk into the organization. It is time to consider automation to relieve human analysts and reassign these repetitive tasks to the power of software and machines.
Our expert system, the Respond Analyst, is software which emulates human decision making and reasoning and is consistent in performing every check, every time, is immune to ‘console blindness’, and possesses the memory to scope over large durations.
The Respond Analyst can immediately accelerate your SOC and solve your scoping and prioritization challenges by:
- Dynamically grouping related events and systems into actionable security incidents
- Building actionable, detailed cases with decision-making transparency
- Prioritizing incidents based on the incident likelihood, number and business importance of systems involved, and the observed attack stage
- Reprioritizing incidents as attacks progress or new information is introduced
- Integrating into existing security operations workflows and case management processes
For more product information on how the Respond Analyst can help you, to schedule a demo, or to view our new “Deploy a New Kind of Analyst” webinar, please contact us at firstname.lastname@example.org or go to our Contact page.
Tim Wenzlau, Product Manager, Respond Software