Index:
1. Roles
2. Responsibilities
3. Reactions
4. Remediation
5. Gaps
6. Best Practices
Roles: Drawing from my experience, I have progressed from an analyst to senior roles. My past experiences and acquired tool skills have taught me that analysis is an ongoing process. The transition from a physically handled Incident Response procedure to a tool-based one has been a significant shift. Consequently, my previous experiences have proven invaluable in assisting current analysts.
Responsibilities: A few years ago, our dependency on other departments for accurate logs meant relying heavily on SIEM collections. However, beyond activity confirmation, we often had to wait for IT or users to confirm their actions, particularly during our early analysis days.
Reactions: Many critical or non-critical devices were isolated due to uncertainty about what occurred on those devices. The suspicion of a potential hacker dropping a bot on a device prompted such precautions.
Gaps: There was a notable gap in tracking exact attack records between human analysis and device-based analysis. However, recent developments, especially with the implementation of AI or ML playbooks, have significantly improved accuracy in identifying executions. This includes details such as when an incident occurred and what was executed on the host machine, with Host-based Intrusion Detection Systems (HIDS) proving more effective nowadays.
Best Practices: Utilizing AI playbooks can effectively prevent future cyber-attacks, reducing the need for extensive human intervention in handling SOC alerts. Achieving 24/7 operations with a team of just 9 members is feasible, provided the company is willing to invest in effective tools.
As a metaphorical extension: just as someone in a household should be trained to provide basic medical aid, one person in a household should be a cybersecurity analyst.