Relief for the Overworked Cyber Warriors


The cyber warrior community has plenty of innovative tools to take on the bad guys. I'm sure most of them would admit the tools still leave some problems. What's yours? What I hear most from customers is that their biggest concern is cross-comparing threats across different tools.

Double Trouble

In most Security Operations Centers (SOCs), if one tool identifies a potential breach, a cyber warrior must cross-reference that possibility against data from at least two or three other tools to confirm it. For instance, if a virtual sandbox test of a download identifies suspicious activity, they must bring up three other security systems and compare their data: the Intrusion Prevention System (IPS) logs, the Security Information and Event Management (SIEM) logs, and the endpoint console. Only after cross-referencing to see what has actually occurred can the cyber warrior finally look at conceivable ways to clean up the mess.

Under Pressure

This is time-intensive and fraught with potential for human error. The problem isn't poor training, negligence, or lack of desire. It's sheer volume.

When you have to go through so many alarms and false alarms, it's hard to be right every time. The bad guy only needs to be right one time out of a thousand; the cyber warrior has to be right a thousand times out of a thousand. No pressure.

APT Hide and Seek

Many times, no single tool will raise a flag at all, but taken together all four tools would throw up a huge, bright red flag. When does a cyber warrior have time to look for that when they are already overworked cross-comparing the many alerts that turn out not to be real problems every day? So, what's the remedy? You can:

1. Get more cyber warriors. Easier said than done. Two more problems emerge: cost, and the reality of available talent. It's just not feasible.

2. Integrate, so your tools can share data with more automation. The two possible ways to achieve this are a homogeneous set of tools from one vendor, or a tool designed to integrate and manage multiple vendors' products (this should be a huge priority for CISOs).

3. Use automated forensics and analytics. It's new, and exciting for sure. Some products simply pre-compare alarms from multiple vendors to find related threats and save time on the first steps of that labor-intensive SOC duty. Others are more advanced, offering behavioral forensics and analytics: rather than looking for alarms, they go beyond them and identify threats that might not otherwise have set off any alarm. This not only advances the war against outside threats, but can identify insider activity that would have been impossible to catch so quickly before.
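To make the "no single tool raises a flag, but all four together do" situation and the alarm pre-comparison in option 3 concrete, here is a toy multi-tool correlator. It is an added example, not code from this article or from SwishData: the four sources (sandbox, IPS, SIEM, endpoint), the event fields, the thresholds and the sample events are all constructed for illustration. It joins events on host within a time window, takes the highest severity from each tool so one chatty tool cannot inflate the score on its own, and escalates a host that several tools report weakly about even though none of them would escalate it alone.

```python
"""Toy multi-tool alert correlator (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (source, ISO timestamp, host, severity 0-100).
# Sources, hosts and severities are assumptions made up for this example.
SAMPLE_EVENTS = [
    ("sandbox",  "2024-03-01T09:00:05", "ws-017", 40),  # download shows suspicious behaviour
    ("ips",      "2024-03-01T09:00:40", "ws-017", 30),  # outbound connection to a rare port
    ("siem",     "2024-03-01T09:01:10", "ws-017", 20),  # new scheduled task logged
    ("endpoint", "2024-03-01T09:02:00", "ws-017", 35),  # unsigned binary executed
    ("ips",      "2024-03-01T09:00:00", "ws-042", 30),  # lone weak signal
    ("siem",     "2024-03-01T13:00:00", "ws-042", 20),  # hours later, outside the window
    ("sandbox",  "2024-03-01T10:00:00", "ws-099", 95),  # one loud alert from one tool
]

SINGLE_TOOL_THRESHOLD = 80   # severity at which one tool alone would escalate
CORRELATED_THRESHOLD = 80    # combined per-source score needed across tools
MIN_SOURCES = 3              # independent tools required for a correlated alert
WINDOW = timedelta(minutes=10)


def parse(events):
    """Turn the raw tuples into (source, datetime, host, severity)."""
    return [(src, datetime.fromisoformat(ts), host, sev) for src, ts, host, sev in events]


def correlate(events, window=WINDOW):
    """Return host -> {"sources": set, "score": int, "verdict": str}.

    For each host, slide a window over its events; within a window keep the
    max severity per source and sum those, so a single tool firing many
    times does not count more than once. The best-scoring window decides.
    """
    by_host = defaultdict(list)
    for src, ts, host, sev in parse(events):
        by_host[host].append((ts, src, sev))

    results = {}
    for host, evs in by_host.items():
        evs.sort()
        best = None
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            per_source = {}
            for _, src, sev in in_window:
                per_source[src] = max(per_source.get(src, 0), sev)
            score = sum(per_source.values())
            if best is None or score > best["score"]:
                best = {"sources": set(per_source), "score": score}

        if max(sev for _, _, sev in evs) >= SINGLE_TOOL_THRESHOLD:
            verdict = "single-tool alert"          # any tool would have caught this
        elif len(best["sources"]) >= MIN_SOURCES and best["score"] >= CORRELATED_THRESHOLD:
            verdict = "correlated alert"           # only visible across tools
        else:
            verdict = "no alert"
        best["verdict"] = verdict
        results[host] = best
    return results


if __name__ == "__main__":
    for host, r in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {r['verdict']} (score {r['score']}, sources {sorted(r['sources'])})")
```

With the constructed data, ws-017 never exceeds severity 40 on any one tool, yet four tools inside two minutes push it to a correlated alert; ws-042 has two weak signals hours apart and stays quiet; ws-099 is the ordinary case a single loud sandbox verdict already handles. The window size, per-source cap and minimum-source count are the knobs a real correlation or SIEM rule would expose.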

Front Line Relief

If both an integration tool and a behavioral forensics tool are brought into a SOC, the effectiveness of the team should increase far more than it would by bringing in two new individual cutting-edge tools. That would certainly relieve the pressure and time crunch on those cyber warriors in the trenches.


Jean-Paul Bergeaux is the Chief Technology Officer at SwishData and is all for using IT to outsmart the bad guys.
