Finding a Security Unicorn
A recent post on securityintelligence.com is unlikely to surprise anyone who’s been paying attention to the cybersecurity job market. According to a new Cybersecurity Ventures report, the unemployment rate for cybersecurity jobs is currently zero. On average, there are two open jobs available for every candidate, with over 1 million open IT security positions.
Companies are making it worse by trying to hire security unicorns: analysts with skillsets so broad that no person has them all. On one hand, it’s hard to blame these firms. Attacks are not only growing in frequency and impact, but they are also more complex and difficult to detect. To find and address today’s attacks, security professionals must understand so many techniques and technologies that it’s no wonder these people don’t exist. On the other, setting the bar where it can’t be cleared doesn’t help solve the problem.
The post suggests several ways to address this hiring problem, including more education and hiring more women in IT. However, neither will help much in the short term. An interesting short-term suggestion is to improve the productivity of existing IT professionals through automation. For many companies, this is the only short-term solution. We recently spoke with one firm that has a security team of five: four college interns and one “old hand” expert. The four interns spend their time sending alerts to the expert for evaluation. How long will this work, and how will the company scale up? The only solution is to improve the ability of the four front-line analysts to handle more complex incidents more effectively.
The field of security analytics has been overly focused on detection, i.e. using various techniques to find anomalies. But as anyone who’s watched CSI or Law and Order knows, the show doesn’t end when the smoking gun is found. The gun is usually found in the first few minutes; the hard part is investigating and building the case. Investigating and responding to the incident is where the real work lies! CISOs who are considering UEBA or similar security analytics solutions should put at least as much weight on how these products can amplify their people’s abilities as on how well they detect potential threats.
Consider what a SOC analyst does with a new incident. She doesn’t yet know who is involved, what they have done, whether it’s good or bad, which machines they’ve touched, what they did after, etc. She has to pull DNS logs to determine which user actually had a specific IP address at a specific point in time. She has to determine whether the person using account bsalazar on a Windows server is the same person using account sysadmin on a remote Unix server. She has to determine whether two devices were used by the same person, and so on. Doing so involves sleuthing that is both time-consuming and difficult. The analyst accesses multiple systems of record, each with its own commands. She may need to run multiple complex queries in the log management system. A new analyst or an IT worker who has been reassigned to the SOC is unlikely to have these skills; training them will take months, and they may well quit as soon as they have the skills.
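To make the sleuthing described above concrete, here is an added example (not Exabeam's code, and not its session data model) that automates the two lookups an analyst would otherwise do by hand: resolving which person held an IP address at a given moment, and attributing account logons on different hosts (a Windows account and a Unix account) to that one person. The three log sources, the field names, and the people and hostnames are all constructed for the example; real address-lease, asset-inventory and authentication logs would need their own parsers.

```python
"""
Added example: stitch address leases, an asset inventory and authentication
events into one per-person timeline. All log lines below are constructed.
"""
from datetime import datetime

# Constructed address-lease events: which hostname held an IP, and from when.
LEASES = """\
2024-03-04T08:00:00 lease ip=10.0.0.7 host=LT-SALAZAR
2024-03-04T12:00:00 lease ip=10.0.0.7 host=LT-NGUYEN
2024-03-04T08:05:00 lease ip=10.0.0.9 host=LT-NGUYEN
"""

# Constructed asset inventory: hostname -> assigned person.
ASSETS = {"LT-SALAZAR": "Beatriz Salazar", "LT-NGUYEN": "Minh Nguyen"}

# Constructed authentication events from a Windows server and a Unix server.
AUTH = """\
2024-03-04T09:30:00 logon host=WIN-FS01 account=bsalazar src=10.0.0.7 result=success
2024-03-04T09:35:00 logon host=unix-db02 account=sysadmin src=10.0.0.7 result=success
2024-03-04T13:10:00 logon host=unix-db02 account=sysadmin src=10.0.0.7 result=success
2024-03-04T13:12:00 logon host=unix-db02 account=sysadmin src=10.0.0.9 result=failure
"""


def parse(text):
    """Turn 'timestamp type k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "type": kind}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        events.append(rec)
    return events


def host_for_ip(leases, ip, at):
    """Hostname holding `ip` at time `at`: the latest lease issued at or before `at`."""
    best = None
    for e in leases:
        if e["ip"] == ip and e["ts"] <= at and (best is None or e["ts"] > best["ts"]):
            best = e
    return best["host"] if best else None


def owner_for_ip(leases, assets, ip, at):
    """Person assigned to the machine that held `ip` at time `at`, or None."""
    host = host_for_ip(leases, ip, at)
    return assets.get(host) if host else None


def attribute_logons(auth, leases, assets):
    """Attribute every logon to a person via the source IP *at that moment*.

    Using the IP's current owner instead would mis-attribute the 09:30 and
    09:35 logons, because 10.0.0.7 changed hands at 12:00.
    """
    rows = []
    for e in auth:
        person = owner_for_ip(leases, assets, e["src"], e["ts"]) or "unknown"
        rows.append((e["ts"].isoformat(), person, f"{e['account']}@{e['host']}", e["result"]))
    return sorted(rows)


def session_for(person, auth, leases, assets):
    """Chronological list of (ts, person, account@host, result) for one person."""
    return [r for r in attribute_logons(auth, leases, assets) if r[1] == person]


def accounts_used_by(person, auth, leases, assets):
    """Distinct account names this person used across hosts (e.g. bsalazar and sysadmin)."""
    return sorted({r[2].split("@")[0] for r in session_for(person, auth, leases, assets)})


if __name__ == "__main__":
    leases, auth = parse(LEASES), parse(AUTH)
    for row in attribute_logons(auth, leases, ASSETS):
        print(*row)
    print("accounts used by Beatriz Salazar:",
          accounts_used_by("Beatriz Salazar", auth, leases, ASSETS))
```

The point of `host_for_ip` is the time argument: an IP-to-user mapping is only meaningful at a given instant, so the lookup picks the lease in force at the event's timestamp rather than the most recent one. Once logons are attributed by person rather than by account string, the `bsalazar` and `sysadmin` logons collapse into one timeline, which is exactly the cross-system correlation the paragraph describes the analyst doing by hand.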
This is the problem that security analytics needs to help solve. UEBA that doesn’t amplify your analysts’ abilities isn’t worth your time.
At Exabeam, we believe that we are the only UEBA vendor focused as much on improving SOC productivity as on detecting new threats. Our patented session data model enables this by automating the data integration work in an incident investigation. If you’d like to learn more about it, download this whitepaper or drop us a line (firstname.lastname@example.org).