Augmenting the Analyst: Using data science, training, tools, and techniques to enhance performance

The increasing demand for cybersecurity analysts is a combination of playing catch-up, keeping up with growing threats/attacker capabilities, and a globally expanding IT footprint. With relief for the growing security skills gap nearly a decade out, we must find ways to support the analysts that are already working to protect us. In this blog, we discuss ways to augment their efforts and maximize their time by overcoming some of the key challenges they face.

Why do we need to augment our analysts?
The global cybersecurity landscape is in crisis due to the lack of available skilled talent. A recent U.S. survey by Emsi Burning Glass (now Lightcast) showed that one million cybersecurity professionals are working in the industry, yet there are more than 700,000 open roles to be filled. The situation is similarly critical throughout Europe according to LinkedIn data, which indicates a 22% increase in demand for talent last year alone with no sign of slowing down.

Educational institutions, government efforts, and private training programs are creating new candidates as quickly as possible, but it takes five to ten years to create an experienced L3 security operations center (SOC) analyst. That’s clearly a solution for the future. So, what do we do in the meantime?

What about artificial intelligence, machine learning, and data science?
Many people believe that machine learning (ML) and artificial intelligence (AI) are going to replace SOC analysts. But that’s not going to happen, at least any time in the next couple of decades.

Yes, we have self-driving cars, and yes, a self-driving car that drives on the road without crashing is impressive. But they are as much enabled by advances in computer vision as they are by AI/ML. Using the same tools to decide if a 10,000-endpoint company network is secure is like keeping 10,000 cars on the road simultaneously when you’re not 100 percent sure where you’re going or what the road looks like.

AI/ML techniques aren’t magic bullets that solve the whole problem. They are a collection of solutions to very specific parts of the problem, such as inferring facts about security data that would be difficult or impossible for a human to determine. For example, AI/ML can detect a predictable pattern in user logon failures, which marks them as automated activity using low and slow timing to evade detection. Or it can identify anomalous user behavior and connect it to other anomalous system activity – such as an admin suddenly logging onto a system at 3:00am from a new location.
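Both signals described above can be reduced to simple statistics once the logs are parsed. The following is an added example, not code from the original post: it runs over constructed auth log lines (the log format, the `svc_backup`/`alice`/`admin` accounts, the addresses and the baseline of known admin sources are all assumed) and flags a failure cadence that is too regular to be human, plus an off-hours admin logon from a source never seen before.

```python
import re
from datetime import datetime
from statistics import mean, pstdev
# Constructed sample auth log lines (not from the original post).
SAMPLE_LOG = """\
2024-03-01T01:00:00 FAIL user=svc_backup src=203.0.113.7
2024-03-01T01:15:01 FAIL user=svc_backup src=203.0.113.7
2024-03-01T01:30:00 FAIL user=svc_backup src=203.0.113.7
2024-03-01T01:45:02 FAIL user=svc_backup src=203.0.113.7
2024-03-01T09:02:11 FAIL user=alice src=10.0.0.5
2024-03-01T09:02:19 FAIL user=alice src=10.0.0.5
2024-03-01T09:03:40 OK user=alice src=10.0.0.5
2024-03-01T03:00:12 OK user=admin src=198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")
# Assumed baseline: sources each admin account has previously logged on from.
KNOWN_ADMIN_SOURCES = {"admin": {"10.0.0.20"}}

def parse(log):
    # Turn raw lines into (timestamp, result, user, src) tuples.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def low_and_slow_failures(events, min_events=4, min_gap=300, max_cv=0.05):
    """Flag (user, src) pairs whose failures arrive at a slow, near-constant cadence.
    A coefficient of variation near zero is machine-like regularity a human never shows."""
    by_key = {}
    for ts, result, user, src in events:
        if result == "FAIL":
            by_key.setdefault((user, src), []).append(ts)
    flagged = []
    for key, times in by_key.items():
        if len(times) < min_events:
            continue  # too few samples to judge the cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, cv = mean(gaps), pstdev(gaps) / mean(gaps)
        if avg >= min_gap and cv <= max_cv:
            flagged.append((key, round(avg), round(cv, 3)))
    return flagged

def off_hours_admin_logons(events, known=KNOWN_ADMIN_SOURCES, start=0, end=5):
    """Flag successful admin logons in the 00:00-04:59 window from an unseen source."""
    return [(user, src, ts.isoformat()) for ts, result, user, src in events
            if result == "OK" and user in known and src not in known[user]
            and start <= ts.hour < end]
```

The two short bursts from `alice` are never flagged: they are too few and too irregular, which is exactly the context a bare "anomalous behavior detected" verdict would hide from the analyst.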

Does the use of AI/ML need any extra training?
Data science is a discipline in which most security analysts are neither skilled nor experienced. AI/ML systems have started to help stem the tide of alerts, but this becomes problematic when analysts are unable to understand what these tools are doing.

Early AI/ML tools, for instance, were famous for presenting a result such as “anomalous behavior detected,” but with no context for the analyst to determine why the behavior was anomalous. The lack of insight had the potential to devolve analysts into a state of environment blindness, allowing critical threats to go unnoticed.

Training provides benefits because SOC analysts want to improve the way they work. It’s baked into every modern SOC as the core principle of continual improvement. If we give analysts additional ways to approach the problem space, they will use them to innovate and iterate better ways of creating and delivering security value.

Outside of the data science domain, SOC analysts regularly acquire and keep certifications up to date. But with an expanding number of SOC training courses and certifications available, it is essential that analysts focus on the courses that provide tangible benefits, are relevant to the security domain, and lead to demonstrable improvements in analyst performance and capability.

What tools can help SOC analysts to do more?
Modern SOC tools can help make an analyst more effective and productive. These tools take advantage of all types of available security-related data to help analysts perform meaningful analytics. Data is prioritized and presented to the analysts, so they know what to look at first, making it quicker to drill into the important areas.

Similar to AI/ML, automation within SOC tools was cited historically as a way to eliminate the need for analysts. While that debate seems to have ended (for now), some important developments did come out of it.

Specifically, the term Security Orchestration, Automation, and Response (SOAR) has become a key grouping for automated activities. SOAR, though, is much more than this. It’s a way to let SOC analysts directly automate the parts of their job that can be automated – in a structured, yet collaborative and freeform way with their peers.

For example, SOAR tools can pre-aggregate additional information that an analyst might want to review upon being fed an alert. This is a tremendous time-saver because it cuts out the manual steps of requesting that data.

“Click Tax” is also a major consideration that doesn’t get much attention. This is a colloquial measure of the time it takes an analyst to interact with and use tools – such as loading times, complex chains of UI interactions, the distance of mouse movements, and the potential for errors in selecting or entering data. Click Tax increases the time it takes an analyst to complete a task and interrupts the flow of analysis. Saving just 30 seconds in Click Tax per alert could save an entire day of SOC analyst time. The title of a recent Forrester report sums it up: Analyst Experience (AX): Security Analysts Finally Escape the Shackles of Bad UX.

The crisis of staffing in the cybersecurity field is going to get worse before it gets better. The good news is that we can help current security analysts be more efficient and effective. We see the best results when cutting-edge technology is used correctly, training is available to help analysts make the best use of it, and tooling is focused on enhancing and augmenting SOC teams to do more – better and faster. Combining data science, training, tools, and techniques with great analysts is where the magic happens.