October 2, 2024 | 5 min read

The Goal, Scope and Methodology of Command Zero’s Recent Research on Cyber Investigations


Dov Yoran
Cofounder & CEO

Command Zero published its first research report: “Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders” on September 10, 2024.  

The report is based on 352 interviews with cyber leaders including CISOs, security VPs and incident responders. It sheds light on the primary challenges encountered in cyber investigations including those stemming from alerts, insider threats, incident response, and threat hunting activities. Key findings include:  

  • 92% of respondents reported a lack of standardized processes for cyber investigations.
  • 88% of security leaders expressed concerns about operational issues related to the lack of skilled staff and high attrition rates.
  • 72% admitted to having blind spots for non-security data sources.

This blog post is the first post of a blog series covering the key findings, takeaways and recommendations from this report.  

Introduction

Digital transformation has reshaped almost every aspect of daily life over the last 40 years, arriving in successive waves of innovation: networking, the internet, mobile phones and cloud computing among many others. Today we are likely on the cusp of another remarkable wave, with Artificial Intelligence (AI) and automation as powerful agents of change. Although this era is still in its early chapters, these capabilities are already improving enterprise productivity and efficiency in ways previously unimagined. As with every other technology, adopting these complex computing trends raises significant cyber security challenges.

In recent years, the adoption of new and not yet fully understood technologies has changed the cyber game in already complex IT environments. Traditional tools and methods struggle to keep up with detecting, investigating and recovering from cyber incidents. The current era of SaaS applications, multi-cloud, automation and AI is clearly pushing every industry to rethink its cyber strategy.

The state of security operations and cyber investigations

Regardless of industry or organization size, most security operations efforts follow a similar pattern:  

  1. Monitor activity and create alerts for potential cases.
  2. Triage the high volume of alerts, identify interesting cases and escalate them for investigation.
  3. Investigate high-priority cases; determine true positives and total impact.
  4. Respond to confirmed incidents and incorporate the learnings for the future.

As an industry, we have invested heavily in prevention and detection, yet cyber investigation and response technologies remain under-invested. Cyber investigations still require highly manual processes, deep subject-matter expertise, direct access to data sources and administrator-level knowledge of the systems in question. The combination of inadequate investment, manual processes and a shortage of skilled analysts makes investigation the most significant bottleneck in security operations. This is also known as the ‘last mile problem’ of security operations.

The ‘last mile problem’ of security operations

The ‘last mile problem’ refers to an organization’s ability to carry out the critical steps after a case is escalated for investigation. It includes the following fundamental steps:

  1. Identify the primary incident triggers.
  2. Identify the impacted systems and isolate them.
  3. Remediate the case.
  4. Retrieve detailed historic and informative context about the global situation.
  5. Scope the breach beyond what existing security technologies (and their initial alerts) provide.

Completing all of these steps, documenting the progress and doing so in a timely manner are critical for success. Making this process proactive and repeatable ensures that the organization can remain resilient in the face of new threats.

The goal and key findings of this research

Command Zero focuses on solving the last mile problem with an expert cyber investigations platform that delivers both autonomous and user-led capabilities. As a young startup, choosing the right path for Command Zero was key. To better understand the current state of investigations, the Command Zero team conducted 352 interviews with security professionals including CISOs, security VPs, directors, managers, incident handlers and responders, legal counsels and risk leaders. This report outlines the challenges facing cyber investigation teams and the learnings drawn from these interviews.

These interviews revealed recurring patterns: the complexity of conducting investigations in modern hybrid environments, the shortcomings of widely adopted security operations tools, the shortage of skilled investigators, and the difficulty of collaboration among responders. The report covers these findings along with Command Zero’s perspective on cyber investigations and suggested improvements.

Background and Methodology

To better understand cyber investigation challenges, Command Zero conducted extensive interviews with 352 security professionals over 24 months (between June 2022 and June 2024). Each interview was a thirty- to sixty-minute session, conducted in person or over Zoom. The interviews revealed important patterns about the state of cyber investigations and incident response.

  • Organization type: Fortune 500 & Forbes Global 2000 companies (32%), publicly traded companies (29%), private companies (28%) and government organizations (11%).
  • Respondent role: CISOs (28%), VPs/directors (19%), managers (15%), individual contributors such as SOC analysts and incident responders (32%), legal and other roles (6%).
  • Industry: Financial Services (25%), Technology (22%), Services (15%), Government & Education organizations (11%) and other industries (27%).
  • Region: US organizations (55% combined), global organizations (28%), European organizations (11%) and APAC organizations (6%).

Conclusion & What’s Next

Having covered the goal, scope and methodology of the research, the next post in this series will start digging into the key findings and recommendations.

If you’d like to read the full report, you can download a copy from the report overview page on our website.  

