Bringing a new analyst onto your team can be a long and involved process. According to CyberVista founder and CEO Simone Petrella, it takes about a year to replace and train an experienced security analyst.

Why does it take so long? For starters, a security analyst has to acclimate to any new environment. They will need to learn host name conventions, workstation ownership, your network topology and flow, and what alerts are “normal,” among many other things. And that training period doesn’t even account for the time a new analyst wastes re-investigating things the previous analyst had already looked into.

Do you have a year to lose? Probably not. But there’s some good news. With Exabeam you can reduce onboarding time for your security analysts. Let’s take a closer look.

Learn normal behaviors

Equipping your analysts to spot anomalies starts with setting a baseline. Exabeam’s analytics engine monitors your systems and learns normal behaviors so that it can immediately detect unusual activity. This means not only that your alerts will be more accurate, but that your analysts will have the data they need to conduct an investigation. With that “source of truth,” instead of chasing ghosts, they can trace abnormal activity back to its point of origin, quickly confirm the issue, and take action.
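To make the "learn normal, then flag what deviates" idea concrete, here is an added example (not Exabeam's analytics engine or any of its code) that learns a per-user baseline from a handful of constructed logon events and then scores new events against it. The event tuples, host names and user names are all constructed for illustration; the three checks (never-seen host, never-seen logon type, logon outside the learned hour window) are the simplest kind of baseline comparison and stand in for the richer models a real engine would use.

```python
"""Learn per-user baselines from logon events and score new events against
them. Added example, not Exabeam's analytics engine; the events below are
constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed history used for learning: (timestamp, user, host, logon_type)
TRAINING_EVENTS = [
    ("2024-03-04T08:12:00", "alice", "WS-1042", "interactive"),
    ("2024-03-04T13:40:00", "alice", "WS-1042", "interactive"),
    ("2024-03-05T09:03:00", "alice", "WS-1042", "interactive"),
    ("2024-03-06T17:20:00", "alice", "WS-1042", "interactive"),
    ("2024-03-04T09:30:00", "bob", "WS-2077", "interactive"),
    ("2024-03-05T10:15:00", "bob", "JMP-01", "interactive"),
    ("2024-03-06T18:05:00", "bob", "WS-2077", "interactive"),
]

# Constructed events to score once the baseline has been learned
NEW_EVENTS = [
    ("2024-03-11T09:05:00", "alice", "WS-1042", "interactive"),   # normal
    ("2024-03-11T02:41:00", "alice", "FS-SRV-03", "network"),     # deviates
    ("2024-03-11T10:30:00", "bob", "JMP-01", "interactive"),      # normal
    ("2024-03-11T11:00:00", "carol", "WS-1042", "interactive"),   # unknown user
]


@dataclass
class UserBaseline:
    """What 'normal' looks like for one account."""
    hosts: Counter = field(default_factory=Counter)
    logon_types: Counter = field(default_factory=Counter)
    earliest_hour: int = 24
    latest_hour: int = -1
    events: int = 0


def build_baselines(events):
    """Learn each user's hosts, logon types and working-hour window."""
    baselines = defaultdict(UserBaseline)
    for ts, user, host, logon_type in events:
        hour = datetime.fromisoformat(ts).hour
        b = baselines[user]
        b.hosts[host] += 1
        b.logon_types[logon_type] += 1
        b.earliest_hour = min(b.earliest_hour, hour)
        b.latest_hour = max(b.latest_hour, hour)
        b.events += 1
    return dict(baselines)


def score_event(baselines, event):
    """Return the reasons an event deviates from its user's baseline.

    An empty list means the event looks like that user's normal activity.
    """
    ts, user, host, logon_type = event
    b = baselines.get(user)
    if b is None:
        return [f"first-seen user {user}"]
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    if host not in b.hosts:
        reasons.append(f"{user} has never logged on to {host} "
                       f"(known hosts: {sorted(b.hosts)})")
    if logon_type not in b.logon_types:
        reasons.append(f"new logon type '{logon_type}' for {user}")
    if not b.earliest_hour <= hour <= b.latest_hour:
        reasons.append(f"logon at {hour:02d}:00 is outside {user}'s learned "
                       f"window {b.earliest_hour:02d}-{b.latest_hour:02d}")
    return reasons


def detect_anomalies(baselines, events):
    """Pair each deviating event with its reasons, in input order."""
    flagged = []
    for event in events:
        reasons = score_event(baselines, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    learned = build_baselines(TRAINING_EVENTS)
    for event, reasons in detect_anomalies(learned, NEW_EVENTS):
        print(event[1], event[2], "->", "; ".join(reasons))
```

The point for a new analyst is the reasons list: each flagged event carries the specific facts that make it abnormal (the user's known hosts, their learned hour window), which is exactly the context someone unfamiliar with the environment would otherwise have to dig out by hand. A real baseline would be learned over weeks, not three days, and would weight rare-but-seen values rather than treating "seen once" as normal.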

Gain contextual insights

Alerts are often related, but the relationships are buried among the thousands of alerts an analyst has to hunt and peck through. Exabeam leverages machine learning to provide context to alerts so analysts have a clear view of user and device behaviors. ML can also derive context about an environment that isn’t already documented. It can determine who owns a host based on authentication patterns, so your new analyst doesn’t need to rely on a static, out-of-date CMDB. It can learn whether a host is a workstation or a server based on the machine’s behavior. Finally, it can identify personal email addresses, allowing analysts to spot possible insider threats exfiltrating data. Machine learning greatly eases the burden of figuring out the meaning of a series of related or unrelated events, so analysts can apply their skill and knowledge to responding to threats.
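The three kinds of derived context named above (host owner from authentication patterns, workstation versus server from behavior, and personal mailboxes in outbound mail) can each be approximated with simple frequency rules before any machine learning is involved. The following is an added example, not Exabeam's code, that does so over constructed logon and mail events; the host names, accounts, the `example.com` corporate domain and the short list of personal webmail domains are all assumptions made for illustration.

```python
"""Derive environment context (host owner, host type, personal mailboxes)
from log events. Added example, not Exabeam code; all events and the domain
list below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed Windows-style logon events: (user, host, logon_type)
AUTH_EVENTS = [
    ("alice", "WS-1042", "interactive"), ("alice", "WS-1042", "interactive"),
    ("alice", "WS-1042", "interactive"), ("alice", "WS-1042", "interactive"),
    ("svc_backup", "WS-1042", "service"),
    ("bob", "WS-2077", "interactive"), ("bob", "WS-2077", "interactive"),
    ("carol", "WS-2077", "interactive"), ("carol", "WS-2077", "interactive"),
    ("alice", "FS-SRV-03", "network"), ("bob", "FS-SRV-03", "network"),
    ("carol", "FS-SRV-03", "network"), ("dave", "FS-SRV-03", "network"),
    ("admin_jo", "FS-SRV-03", "interactive"),
]

# Constructed outbound mail events: (sender, recipient, attachment_bytes)
MAIL_EVENTS = [
    ("alice.jones@example.com", "alice.jones88@gmail.com", 4_200_000),
    ("bob.smith@example.com", "vendor@partner.example.net", 120_000),
    ("carol.w@example.com", "teamlead@example.com", 900),
    ("dave.k@example.com", "randomperson@yahoo.com", 0),
]

CORP_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
# Assumption: an illustrative list; a real deployment maintains its own.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def derive_host_context(auth_events, owner_share=0.6, server_min_users=3):
    """Classify each host and, for workstations, infer its owner.

    A host is called a server when several distinct accounts touch it and
    most of its logons are network/service logons; otherwise it is a
    workstation, and its owner is the account behind at least owner_share of
    its interactive logons (None when no single account dominates).
    """
    interactive = defaultdict(Counter)
    users_seen = defaultdict(set)
    remote = Counter()
    total = Counter()
    for user, host, logon_type in auth_events:
        users_seen[host].add(user)
        total[host] += 1
        if logon_type == "interactive":
            interactive[host][user] += 1
        else:  # network, service, batch, ...
            remote[host] += 1

    context = {}
    for host in total:
        is_server = (len(users_seen[host]) >= server_min_users
                     and remote[host] / total[host] > 0.5)
        owner = None
        if not is_server and interactive[host]:
            user, n = interactive[host].most_common(1)[0]
            if n / sum(interactive[host].values()) >= owner_share:
                owner = user
        context[host] = {"type": "server" if is_server else "workstation",
                         "owner": owner}
    return context


def _name_key(local_part):
    """Normalise a mailbox local part so 'alice.jones88' matches 'alice.jones'."""
    return re.sub(r"[^a-z]", "", local_part.lower())


def flag_personal_email(mail_events, corp_domain=CORP_DOMAIN,
                        personal_domains=PERSONAL_MAIL_DOMAINS):
    """Return outbound messages from corporate senders to personal webmail.

    likely_own_address is True when the recipient's local part looks like
    the sender's own name, i.e. a user mailing data to themselves.
    """
    flagged = []
    for sender, recipient, attachment_bytes in mail_events:
        s_local, s_domain = sender.rsplit("@", 1)
        r_local, r_domain = recipient.rsplit("@", 1)
        if s_domain.lower() != corp_domain or r_domain.lower() not in personal_domains:
            continue
        s_key, r_key = _name_key(s_local), _name_key(r_local)
        # Require a few letters so that very short names do not match everything.
        own = len(s_key) >= 4 and (s_key in r_key or r_key in s_key)
        flagged.append({"sender": sender, "recipient": recipient,
                        "attachment_bytes": attachment_bytes,
                        "likely_own_address": own})
    return flagged


if __name__ == "__main__":
    for host, info in derive_host_context(AUTH_EVENTS).items():
        print(f"{host}: {info['type']}, owner={info['owner']}")
    for hit in flag_personal_email(MAIL_EVENTS):
        print(hit)
```

Run as-is, the script labels WS-1042 a workstation owned by alice, WS-2077 a shared workstation with no clear owner, and FS-SRV-03 a server, and it surfaces two mails to personal domains with the one that looks like a user's own mailbox marked separately so an analyst can triage it first. The thresholds are deliberately exposed as parameters: what counts as "dominant" or "many users" is environment-specific, which is the gap a learned model fills in practice.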

Speed up onboarding

One way to get around the long onboarding process is to find a way to speed up the pace. Exabeam’s solutions allow even a new analyst without knowledge of specific query languages to conduct a complete investigation in a brand-new environment. Normally, an analyst is dropped into an environment they’ve never seen before and then forced to investigate. It looks like this: an alert comes in, and the analyst has to investigate users and devices without any visibility into past alerts or normal behaviors. The analyst may not know what security technologies are deployed, what log sources are being ingested, or whether they are normalized properly. Exabeam’s solution means an analyst can perform advanced investigations even when they aren’t yet familiar with the environment. Even if an incident happens on the second day of a new analyst’s tenure, Exabeam empowers that person to immediately get up to speed.

Automate routine processes

The reality is, the fewer the tasks on your daily to-do list, the easier it will be to get a new analyst up to speed. This goes for your other IT team collaborators, as well. In the modern data center, automation will go beyond repetitive tasks and focus instead on cognitive duties. With Exabeam, you can automate routine tasks so you can focus your team on areas where they need to make high-level decisions.

Collaborate with business managers

With technology driving so much of what a business does, it’s essential that security operations centers (SOCs) work in partnership with business leaders within the organization. Instead of seeing security as merely a cost center on the company’s budget, business leaders will see it as an enabler — a tool that helps them achieve their goals and solve problems. The SOC should function as a way to reduce risk to the business by identifying security gaps through detection and remediating them through complete response, so that the same threats are not seen again. In doing this, management will begin to see the return the company gets on its technology investment.

Get ahead of talent issues

One of the biggest issues cybersecurity leaders face is hiring and retaining analysts. That one-year replacement process sounds daunting, but it gets worse: after being hired, the average tenure of a Tier 1 analyst is two years. That means you’ve put a full year into getting the right person in place and onboarded, only to find the person doesn’t stick around long enough for you to get a return on your investment in recruiting and training. A more intensive investment in Tier 1 analysts can help, but automation of repetitive tasks can be the best way to reduce the negative ROI your team sees from the attrition of its analysts.

Invest in data-driven processes

To automate a process, you need to first have that process in place. It’s important that organizations work collaboratively, observing and interviewing Tier 1 analysts to understand which tasks and procedures can be automated. This means that even as automation reduces your reliance on Tier 1 analysts and advances them to Tier 2 responsibilities, you’ll still need those higher-tier analysts to design investigations in the most efficient way. The final step is to validate that the processes you’ve set up actually work before turning them over to automation.

In the end, a solid cybersecurity organization depends on the people who are managing it. With talent shortages continuing to challenge the industry, teams should find ways to set up a collaborative effort between technology and the analysts who manage your security. This provides a great opportunity to plan career growth for your entry-level analysts.

Automation will improve the repeatability of manual processes and the accuracy of outcomes that will strengthen your security posture. It will also give you the reports you need to demonstrate ROI to the people who manage and balance your company’s budget, making it more likely you’ll see investment moving forward. With Exabeam you can shorten the time it takes to onboard an analyst and get your new hires successful immediately.

Vice President, Worldwide Sales Engineering

Andy Skrei is the VP of worldwide sales engineering at Exabeam, a company that provides next-generation security intelligence and management solutions to help organizations protect their most valuable information. He previously worked as a lead security engineer at eBay, developing and deploying technologies for its global SOC.
