In their RSAC 2023 partner perspectives session, Siloed to Unified: The Evolution of Security Analyst Experience, IBM’s Sr. Product Manager of Threat Management Andie Schroeder and Program Director of Product Management for SOAR Oren Shevach covered the growing complexity of the security analyst role as the amount of data entering the modern SOC (security operations center) has exploded.
They discussed how a unified analyst workflow can accelerate threat response, reduce complexity, and improve security effectiveness.
Poor Visibility — The move to cloud and IT modernization has widened the attack surface considerably for two out of three organizations in the past year, introducing security complexity and visibility gaps (ESG: SOC Modernization and the Role of XDR 2022). Those gaps are blind spots that attackers can take advantage of.
Disconnected Tools — According to Randori’s State of Attack Surface Management 2022 report, 80% of organizations use at least 10 different solutions to manage their security, which can result in redundancies and inefficiencies. Running this many disparate tools also gives attackers more room to live off the land, using tactics and techniques that an individual siloed tool may not detect or alert on because the tools are not sharing data with each other.
Keeping Up With Attackers — It’s hard to keep up with attackers if you have noisy, outdated or ineffective detections, and many teams can’t hire or retain enough detection engineers. IBM reports that 29% of security operations processes need to be re-engineered before they can be automated. Immature processes slow SecOps down, making it harder to protect against attackers effectively.
Information Overload — There are too many alerts, too much noise and too much data to comb through, with 52% reporting that their security environment has become too difficult to manage over the last two years. Many teams feel as though they are stuck in fire-fighting mode most of the time.
As a result, 51% of organizations reportedly struggle to properly detect and respond to advanced threats (ESG).
IBM listed ways today’s SecOps practices fail to help analysts secure their organizations effectively. One is an overemphasis on technology, tools and features rather than on the people who use those tools and drive security outcomes. Another is depending too heavily on one or two experts on a team who fully understand the complexity of the security tooling.
Instead, IBM offers these guiding principles for a successful analyst experience:
Unify Workflows to Drive Efficiency — Use correlated alerts to help with triage and investigation. An analyst may receive dozens of alerts across multiple tools, including their EDR, NDR, email security solution and identity provider. Combining those alerts into one threat finding, one incident and one workflow greatly simplifies the process and leads to better outcomes.
Infuse Automation to Remove Repetitive Manual Tasks — Automate the investigation process and surface insights that inform better decisions and reduce time to respond. A consolidated view of the attack with contextual data (connecting related security events, associated users, IPs, hosts, processes and so on), together with automated response recommendations, lets analysts stop switching between tools and shortens time to resolution.
Leverage Open Standards — With one query in one unified language, an analyst can scale internal threat hunting and search more data sources (SIEMs, data lakes, endpoint data, threat tools, IT and application data) to get normalized, enriched results for their investigations, which means faster discovery and threat analysis.
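The first two principles (one incident built from correlated alerts, and response recommendations derived from a consolidated view of users, hosts and IPs) can be made concrete with a small correlation engine. The block below is an added example, not code from IBM’s session or from Blumira’s platform: the four tool feeds, their field names, the sample alerts and the VPN egress address are all constructed for illustration, and the recommendation rules are illustrative rather than any product’s logic. Normalizing every feed into one entity-based schema is also the step that makes a single query across sources, as in the third principle, possible.

```python
"""Correlating alerts from several siloed tools into one incident.

Added example, not IBM's or Blumira's code. The tool schemas, field names,
addresses and every alert below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Entity = Tuple[str, str]  # (kind, value), e.g. ("host", "WS-042")

# Assumed VPN egress address shared by every remote user: linking on it
# would merge unrelated sign-in alerts, so it is dropped before correlation.
NOISY_ENTITIES: Set[Entity] = {("ip", "192.0.2.1")}

# Constructed alerts, each in its tool's native shape (ISO 8601 timestamps).
RAW_ALERTS = [
    {"tool": "idp", "event": "impossible_travel", "user": "jdoe",
     "src_ip": "203.0.113.5", "ts": "2023-04-24T09:01:00Z"},
    {"tool": "email", "verdict": "malicious_attachment", "recipient": "jdoe",
     "sha256": "3f1c" * 16, "ts": "2023-04-24T08:55:00Z"},
    {"tool": "edr", "detection": "office_spawned_powershell", "hostname": "WS-042",
     "username": "jdoe", "ts": "2023-04-24T09:03:00Z"},
    {"tool": "ndr", "signature": "beacon_to_rare_domain", "src_host": "WS-042",
     "dst_ip": "198.51.100.7", "ts": "2023-04-24T09:10:00Z"},
    {"tool": "idp", "event": "password_spray", "user": "mlee",
     "src_ip": "192.0.2.1", "ts": "2023-04-24T09:14:00Z"},
    {"tool": "idp", "event": "new_device_login", "user": "svc_backup",
     "src_ip": "192.0.2.1", "ts": "2023-04-24T09:16:00Z"},
]

@dataclass
class Alert:
    tool: str
    title: str
    ts: str
    entities: Set[Entity] = field(default_factory=set)

def normalize(raw: dict, noisy: Set[Entity] = NOISY_ENTITIES) -> Alert:
    """Map one tool's native fields onto the shared schema: title + entities."""
    tool, ents = raw["tool"], set()
    if tool == "idp":
        title = raw["event"]
        ents |= {("user", raw["user"]), ("ip", raw["src_ip"])}
    elif tool == "email":
        title = raw["verdict"]
        ents |= {("user", raw["recipient"]), ("hash", raw["sha256"])}
    elif tool == "edr":
        title = raw["detection"]
        ents |= {("host", raw["hostname"]), ("user", raw["username"])}
    elif tool == "ndr":
        title = raw["signature"]
        ents |= {("host", raw["src_host"]), ("ip", raw["dst_ip"])}
    else:
        raise ValueError(f"no normalizer for tool {tool!r}")
    return Alert(tool, title, raw["ts"], ents - noisy)

def correlate(alerts: List[Alert]) -> List[List[Alert]]:
    """Union-find: alerts sharing an entity (transitively) form one incident."""
    parent = list(range(len(alerts)))
    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    first_seen: Dict[Entity, int] = {}
    for i, alert in enumerate(alerts):
        for ent in alert.entities:
            if ent in first_seen:
                parent[find(i)] = find(first_seen[ent])  # union with earlier alert
            else:
                first_seen[ent] = i
    groups: Dict[int, List[Alert]] = defaultdict(list)
    for i, alert in enumerate(alerts):
        groups[find(i)].append(alert)
    return [sorted(g, key=lambda a: a.ts) for g in groups.values()]  # timelines

def recommend(incident: List[Alert]) -> List[str]:
    """Illustrative response rules derived from which tools fired and on what."""
    tools = {a.tool for a in incident}
    hosts = sorted({v for a in incident for k, v in a.entities if k == "host"})
    users = sorted({v for a in incident for k, v in a.entities if k == "user"})
    c2 = sorted({v for a in incident if a.tool == "ndr" for k, v in a.entities if k == "ip"})
    actions = []
    if "edr" in tools and hosts:
        actions.append("isolate host(s): " + ", ".join(hosts))
    if tools & {"idp", "email"} and users:
        actions.append("revoke sessions and reset credentials: " + ", ".join(users))
    if c2:
        actions.append("block outbound to: " + ", ".join(c2))
    return actions

def build_incidents(noisy: Set[Entity] = NOISY_ENTITIES) -> List[List[Alert]]:
    return correlate([normalize(r, noisy) for r in RAW_ALERTS])

if __name__ == "__main__":
    for inc in build_incidents():
        print([f"{a.tool}:{a.title}" for a in inc], recommend(inc))
```

The noisy-entity filter is the check a practitioner wants here. With it removed (`build_incidents(noisy=set())`), the two unrelated sign-in alerts that happen to share the VPN egress address collapse into one incident; that kind of over-correlation on shared infrastructure (NAT addresses, proxies, service accounts) is how a unified workflow turns into a new source of noise.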
Blumira helps lean IT and SecOps teams protect their organizations against ransomware and breaches with an open XDR platform. Our all-in-one solution combines SIEM, endpoint visibility and automated response to reduce complexity, provide broad visibility and speed up your time to respond.
Our automated platform detects and immediately contains threats to reduce the burden on IT teams that can’t work around the clock.
Blumira does things differently by providing more value for better security outcomes, including:
Want to see our XDR in action? Get a demo today.