Introduction
This blog post is the fifth and final post of a blog series covering the key findings of our first research report “Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders”, published on September 10, 2024. You can read the previous blog posts of this series here:
In this post, we will share the overall conclusion of the research and our recommendations for security operations leaders. Let's start with the challenges we uncovered:
Top challenges uncovered by the research
Cyber investigations in modern environments are complex and labor-intensive. The research we conducted via detailed interviews with three hundred and fifty-two (352) cybersecurity professionals (“Respondents”) revealed the top challenges and interesting insights about security operations. Respondents span fifteen (15) industries, and their insights shed light on the primary challenges: issues stemming from alerts, insider threats, incident response, and threat hunting activities. These three challenges emerged:
1. The universal talent gap in cyber hinders the ability to run investigations
The global skills gap in cyber is acute when it comes to security operations teams, impeding their ability to run investigations. 88% of respondents expressed concerns about operational issues related to the lack of skilled staff and high attrition rates.
Cloud environments continue to be an area where security operations teams lack the skills (74% of respondents). Visibility and traceability of an attacker across the stack also proved to be a challenge (72% of respondents). These gaps stem from limited data collection, cloud investigation expertise, investigation resources and technology-specific skills. (More on this finding: Universal talent gap in cybersecurity hinders the ability to run investigations)
2. Current SecOps tools are hard to operate and investigate
EDR/XDR, SIEM and SOAR are the most commonly used technologies for investigations. Security operations teams have few alternatives for collecting logs, generating cases and triaging alerts. Even though these technologies are powerful and the de facto standard, there is room to improve threat hunting and cyber investigations.
Respondents raised concerns about the high cost of using SIEM, SOAR and EDR, both in terms of license costs and the continuous operational labor required to get value from these systems. Blind spots were reported with SaaS applications (60% of respondents) and non-security data sources (72% of respondents). (More on this finding: Current SecOps tools are hard to operate and investigate)
3. Investigations lack consistency, documentation and auditability
Investigations are still mostly ad hoc manual processes and there’s a lot of room for improvement. A lack of standardized collaboration during cyber investigations (92% of respondents), overly complex regulatory reporting (80% of respondents) and time-consuming reporting requirements (79% of respondents) are the leading challenges.
The dynamic and curious nature of analyses results in scope creep (72% of respondents) and most organizations (69% of respondents) lack a programmatic way to incorporate learnings from past investigations. (More on this finding: Investigations lack consistency, documentation and auditability)
Command Zero’s recommendations for SecOps leaders
Cyber investigations are the most significant bottleneck for security operations today. To deliver better outcomes with current security operations investments, we need to transform complex analyses. We need a solution that keeps analysts in the driver’s seat while reducing the manual toil of the process through automation. We can deliver the best investigation outcomes only if we can provide the subject matter expertise and access to all systems to all investigators. Democratizing these capabilities will increase the confidence of each investigator and build a path for standardized investigation processes.
We can build standard processes for cyber investigations by empowering all tier-2+ analysts (tier-2 and tier-3 analysts, threat hunters and incident responders) to deliver expert outcomes. These processes should include how to collaborate and communicate during analyses. Additionally, processes should outline approaches for reporting, collaboration, communications and scope creep issues.
To overcome these and future challenges, we must transform the way we do cyber investigations. Here are the recommendations to get there:
- Implementing a unified investigations platform is key to overcoming the many security operations challenges outlined in this report. Such a solution should be designed to ensure security teams have the tools and skills required to navigate both legacy infrastructure and cloud platforms. It should also streamline the integration of numerous data sources and align them to the investigation process.
- Cyber investigators who focus primarily on security alerts must extend their focus to gain a comprehensive understanding of a security incident, one running across multiple alerts and systems. It is crucial to integrate various data sources beyond traditional security products into detection, investigation and response capabilities. For example, not having visibility into a high-value target like a critical business application is a gap.
- Automation is essential to enhancing data collection/analysis from security and non-security tools as well as other data sources. This should improve overall efficiency as well as overcome the gaps in capabilities of tools like SIEM, SOAR and EDR/XDR.
- To avoid burnout and attrition, SecOps teams need the right information and tools. To overcome the skills shortage in cyber, organizations must continue to invest in ongoing training programs. Security leaders should encourage the acquisition of certifications, promote employee well-being through workload management strategies, and foster supportive work environments. These actions can reduce burnout while boosting morale and overall job satisfaction. We also need to reduce the repetitive low-impact work (gathering data, reporting, handing over to the next shift) with automation and tools to improve the quality of life for all analysts.
- Fostering more effective collaboration and communication for investigations is essential. Teams should implement a dedicated tool for cyber investigations which establishes clear communication protocols, implements strong management practices, and streamlines the consistent execution of inquiries and probes. This will minimize inefficiencies and keep the team focused on the main incident.
Conclusion & call to action
This post concludes our blog post series covering the Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders. If you’d like to read the full report, you can download a copy from the report overview page on our website.
Command Zero offers a novel way to address the common challenges above and more with the autonomous & AI-assisted cyber investigations platform. Please visit cmdzero.io to learn more.