Building a control room for security operations

Anthony Perridge, VP International, ThreatQuotient.

A new SANS report analyses the need for organisations to invest in improving their security operations and identifies the skills analysts must master to support this initiative. Characterising an analyst as essentially an investigator, the SANS report breaks the investigative process down into two primary areas:

  • Investigative Tasks
  • Investigative Thinking

Another important source of intelligence to bring into the process is human intelligence, which comes from critical thinking. After all, what better way is there for organisations to validate data and findings, and then determine the right action to take within their own environment, than through their own people?

As the SANS report points out, empowering humans so they have more time to engage in investigative or critical thinking is vital to effective and efficient detection and response.

According to SANS, best practices for critical thinking include:

  • Asking questions to gather additional context and scope when facing a situation of uncertainty during an investigation.
  • Reasoning backward by using tools like MITRE ATT&CK to hypothesise what must have happened to arrive at the alert that is displaying on a security console.
  • Considering multiple plausible pathways instead of thinking linearly to detect and respond to new threats.
  • Remaining curious, flexible, and agile within a highly dynamic environment such as a security operations centre.

This is where collaboration comes in, both passive and active. A security operations platform serves as a central repository that holds internal threat and event data, augmented and enriched with global threat data. This central repository is at the heart of passive collaboration, or information sharing.

When individual team members and different security teams can access the central repository for the intelligence they need to do their jobs, as part of their normal workflow, passive collaboration just happens. As they use the repository and update it with observations, learnings, and documentation of investigations, they get consistent threat intelligence.

The repository can serve as a centralised memory to facilitate future investigations. Everyone can operate from a single source of truth, instantaneously sharing knowledge and using their tools of choice to improve security posture and the investigation process.

Active collaboration involves engaging with another person to accomplish a shared goal through tasking and coordination. It is what typically comes to mind when we think of collaboration, but traditional, siloed environments have made this extremely difficult and time-consuming for security professionals to do.

The challenge is that most security operations or investigations are rife with chaos, as teams act independently and inefficiently with limited visibility into the tasks other teams or team members are performing. With different people or teams working on independent tasks, key commonalities are missed, so investigations take longer, hit a dead end, or key information simply falls through the cracks.

By contrast, a cybersecurity situation room fuses together threat data, evidence, and users to break down these barriers, so that all team members involved in the investigation process can collaborate.

Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work, and they can share and benefit from the human intelligence they each bring to the table. Validating data and sharing their collective insights and understanding fosters critical thinking that drives successful investigations.
