Browser tabs from hell. If you’re a security analyst, you know the pain. Working multiple investigations and tickets, creating reports, reading the latest security news, and just browsing, you often end up with dozens of tabs across one or more browsers. Does your team have browsers that look like this?
As a “recovering” security analyst, I lived this life with multiple data repositories: threat intel, EDR, IAM, UEBA, and other monitoring tabs. Then there’s the ticketing system and a notepad (it’s Vim for me, but that’s a blog post for another day). In this post, let’s explore why security analysts are dealing with this problem and dig into how the tab method of investigation increases risk to your organization. Finally, I’ll outline a few things you can do TODAY to reduce that risk.
Growing Pains of SIEM, SOAR, XDR, TIP
Why has this become the norm for security teams? Is it a failure of SIEM, SOAR, XDR, or integrations? To me, as a recovering analyst, it’s all of the above. Security analysts have so much data to parse before they can make a sound determination, and then they must document all of it.
SIEM and data lakes have been around for 20 years now, but analysts must still often pivot outside the console or browser to complete their investigations. More tabs. SOAR products are great, but tools and data must be integrated before any investigation can run through them. The problem I see is that analysts are locked into playbooks preprogrammed by other team members. What if the analyst has a hunch or remembers a past alert? The analyst’s function is that of an investigator who determines the risk, and analysts often pivot outside the SOAR to confirm the SOAR’s findings. The SOAR instance is yet another tab.
Reading through Palo Alto Cortex’s “State of SOAR Report 2020”, page 13 breaks down the number of SOAR use cases that teams want to implement within, or beyond, the next 12 months. The data is surprising when compared with the average number of use cases actually implemented in SOAR: teams have 51% of their use cases in the planning stages, and on average only 26% are configured and running. In other words, there is a backlog of planned SOAR use cases that may prove challenging to deploy, and until they are deployed, team members complete those investigations or actions by hand, which means more tabs.
Ask any analyst whether they are 100% confident in a single vendor’s alert or data. I would think that a good majority of analysts (60%+) want some kind of third-party tool or product to confirm before taking major action against a device, user, or app. XDR is a good concept, but is this confirmation bias, or do you need the “11th man” to confirm any action taken? Either way: more open tabs, even with XDR.
Threat Intelligence Platforms (TIPs) are key to any security investigator. However, each has its own interface and query capabilities. For example, I might have two tabs of VirusTotal, plus AlienVault OTX, Shodan, and a myriad of other paid and free services open. Each has unique capabilities and limitations, and all of them leave the analyst with more tabs to track.
None of these products and integrations are failures; they are growing pains from the last 10+ years. Little thought has gone into how security teams use these products as a toolbox that lets analysts get to the data they need to complete an investigation.
Wait, where was I?
Often I was going down an investigative path, something would distract me, and I would have to backtrack through my investigative steps to get back on track. Having multiple tabs open only makes the investigation slower, which leads to several other problems.
Accessing multiple tabs of data slows investigations, makes them less repeatable, and introduces more risk to the organization. Thinking of the thousands of investigations I’ve completed, I’m sure that somewhere I missed a key piece of evidence that would have steered my response in a different direction. The problem I faced was that the data was all over the place and sometimes difficult to get or filter, hence Vim.
Documenting an investigation is another open tab or a separate text document. Once the investigation is complete, the text is transferred to the ticketing system. Again, another open tab or application.
What can be done?
Whether you are an analyst, SOC director, or CISO, it’s important for the analyst team to be efficient and to have repeatable processes. Analysts also need the tools and training that let them follow an investigation wherever it leads and document their findings.
Security analysts trying to analyze threats to your organization may not know about all of the relevant data, especially data that lives in SaaS products like EDR and IAM.
Here are a few helpful tips:
- Understand how your analysts work through investigations. Take a survey of all the tools the team uses and look for overlap in function. Investigation playbooks are a great way to verify that specific places are checked for every investigation type.
- Make a map of all the data sources across your environment and document what kinds of data can be retrieved from each. API data is great for gathering current information about the environment. If the team has to pivot to third-party tools like EDR or SaaS platforms, is there a SIEM or SOAR dashboard that can take variables and render that data in a meaningful way?
- SOAR is a great class of product: it gathers data and can take actions in an automated way. However, the implementation is the hard part. A SOAR lets the team reach relevant data, but getting there takes a lot of time. Work with the analyst team and pinpoint all of the data relevant to each type of investigation. Then devise a plan to configure all of those steps in the SOAR. Easy, right?
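As an added example (not code from the original post), here is a small Python inventory check that turns the three tips above into something you can run. A constructed tool inventory records which capabilities each tool provides and whether they are reachable over an API or only through the tool’s own console, and a set of constructed playbooks lists the checks each investigation type requires. The script reports tools that overlap in function, playbook steps a SOAR or SIEM dashboard could fetch over an API, steps that still force the analyst to open a console tab, and steps no inventoried tool covers at all. Every tool name, capability label, and playbook here is made up for illustration.

```python
"""Playbook coverage check for a SOC tool inventory (added example).

Given the tools an analyst team uses and the playbooks they follow, report:
  * capabilities provided by more than one tool (overlap in function),
  * playbook steps a SOAR/SIEM could pull over an API,
  * steps that still require a pivot into a tool's console (another tab),
  * steps no inventoried tool provides at all (a gap in the map).
Tool names, capability labels and playbooks below are constructed, not real.
"""
from collections import defaultdict

# Constructed inventory. "api" = data retrievable programmatically (a SOAR
# action or SIEM dashboard can render it); "console" = only reachable in the UI.
TOOLS = {
    "edr":       {"access": "api",     "capabilities": {"host_process_tree", "host_isolation"}},
    "iam":       {"access": "api",     "capabilities": {"user_login_history", "user_disable"}},
    "ueba":      {"access": "console", "capabilities": {"user_risk_score", "user_login_history"}},
    "ti_feed":   {"access": "api",     "capabilities": {"hash_reputation", "ip_reputation"}},
    "vt_ui":     {"access": "console", "capabilities": {"hash_reputation", "domain_reputation"}},
    "ticketing": {"access": "console", "capabilities": {"case_notes"}},
}

# Constructed playbooks: investigation type -> checks that must happen every time.
PLAYBOOKS = {
    "malware_alert":    ["hash_reputation", "host_process_tree", "user_login_history",
                         "host_isolation", "case_notes"],
    "suspicious_login": ["user_login_history", "user_risk_score", "ip_reputation",
                         "user_disable", "case_notes"],
    "phishing":         ["domain_reputation", "url_sandbox", "user_login_history",
                         "case_notes"],
}


def capability_index(tools):
    """Map each capability to the (tool, access) pairs that provide it."""
    index = defaultdict(list)
    for name, spec in tools.items():
        for cap in spec["capabilities"]:
            index[cap].append((name, spec["access"]))
    return index


def overlapping_capabilities(tools):
    """Capabilities offered by more than one tool: candidates for consolidation."""
    index = capability_index(tools)
    return {cap: sorted(tool for tool, _ in providers)
            for cap, providers in index.items() if len(providers) > 1}


def assess_playbook(steps, tools):
    """Classify each playbook step and count the console tabs it still needs.

    'api'     - at least one provider exposes the data over an API
    'console' - the data exists only in some tool's UI
    'gap'     - no inventoried tool provides it
    """
    index = capability_index(tools)
    report = {"api": [], "console": [], "gap": [], "tabs": set()}
    for step in steps:
        providers = index.get(step, [])
        if any(access == "api" for _, access in providers):
            report["api"].append(step)
        elif providers:
            report["console"].append(step)
            # One console tool is enough to satisfy the step; pick a stable
            # choice so the same tab is not counted twice across steps.
            report["tabs"].add(min(tool for tool, _ in providers))
        else:
            report["gap"].append(step)
    report["automation_ratio"] = len(report["api"]) / len(steps) if steps else 0.0
    return report


def coverage_summary(playbooks, tools):
    """Per-playbook view of what is automatable today versus still manual."""
    return {name: assess_playbook(steps, tools) for name, steps in playbooks.items()}


if __name__ == "__main__":
    for cap, providers in overlapping_capabilities(TOOLS).items():
        print(f"overlap: {cap} is provided by {', '.join(providers)}")
    for name, r in coverage_summary(PLAYBOOKS, TOOLS).items():
        print(f"{name}: {r['automation_ratio']:.0%} of steps via API; "
              f"console tabs: {sorted(r['tabs']) or 'none'}; gaps: {r['gap'] or 'none'}")
```

The useful output is the last two columns: a playbook whose steps are mostly “console” is one the team is running by hand today, and every “gap” is a data source that is not on your map at all, so neither a dashboard nor a SOAR action can be built for it until someone writes down where that data actually lives.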
Being a security analyst is a difficult, repetitive, thankless job that has impact across the entire organization. Enabling analysts to access and investigate data faster, without subjecting them to tab hell, helps reduce overall risk. Whether you are working a simple investigation or a major incident, knowing the most efficient way to find the data is necessary to resolve and recover quickly.