Incident Response – How do you deal with analyst fatigue?


28 Aug

As I talk with people I know who are Security Managers, CISOs or friends in the field, a topic keeps coming up that I haven’t read much about: analyst fatigue.

Fatigue Symptoms

Below, I have brainstormed some indicators that help recognize analyst fatigue:

  • High false positive rates
  • Slower or less complete triage or containment activities
  • Incomplete incident or alert documentation
  • Calling out sick too much
  • Analysts not as “sharp” as in the past
  • High turnover
  • Little or no cross-training

Incident Response within many organizations is a custom process, requiring knowledge of a company’s infrastructure, controls, and culture. Turnover has a high cost, especially with the negative unemployment (more open positions than qualified candidates) that we see in Cybersecurity today.

How to prevent analyst fatigue

Some ideas for preventing analyst fatigue include:

  • Empower your analysts so they do not have to churn through repetitive false positives
  • Embed senior analysts and automators in your line analysts’ world. Ensure regular day-long ride-alongs for those whose work has a direct impact on analysts’ day-to-day tasks.
  • Resource your team to allow for rotating project work. Each member should regularly be learning something new by working on something that is not alerts.
  • Have a generous, enforced time-off policy. Make sure your team members are getting enough time for some R&R.
  • Keep a healthy reserve of alternate resources – either internal or external – for critical situations
  • Rotate staff periodically. For example, if you have an analyst who looks at disturbing content all day every day, don’t have them do this for six months.
  • Cross-train. When analysts have the ability to work in different functions, it gets them out of the day-to-day, but also builds a stronger team.
  • Automate. Build scripts to automate triage. Look into a solution like IR-Flow to automate and streamline where possible, freeing up your analysts to do interesting, motivating work instead of the mundane ticketing and documentation associated with day-to-day incident handling.
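To make the first and last bullets concrete, here is an added example of the kind of pre-triage script a SOC can put in front of its queue: it folds repeats of the same alert into one work item, applies reviewed “known benign” tuning entries that carry an owner and an expiry date so they cannot quietly rot into blind spots, and reports how much of the inbound volume analysts were spared. This is illustrative code written for this post, not IR-Flow’s or any vendor’s implementation; the alert records, rule names, hosts and users are constructed sample data.

```python
"""Alert pre-triage: deduplicate repeats and suppress reviewed benign sources so
analysts see one enriched work item per distinct problem instead of a pile of
identical tickets.  Example code added here; not Syncurity's or IR-Flow's."""
import hashlib
from datetime import datetime, timedelta

# Constructed sample alerts (rule names, hosts, users and times are made up).
SAMPLE_ALERTS = [
    {"id": 101, "ts": "2017-08-28T09:00:00", "rule": "port_scan", "src": "10.0.5.20", "user": "svc_vulnscan"},
    {"id": 102, "ts": "2017-08-28T09:00:05", "rule": "port_scan", "src": "10.0.5.20", "user": "svc_vulnscan"},
    {"id": 103, "ts": "2017-08-28T09:01:00", "rule": "encoded_powershell", "src": "ws-101", "user": "alice"},
    {"id": 104, "ts": "2017-08-28T09:01:30", "rule": "encoded_powershell", "src": "ws-101", "user": "alice"},
    {"id": 105, "ts": "2017-08-28T09:02:00", "rule": "encoded_powershell", "src": "ws-101", "user": "alice"},
    {"id": 106, "ts": "2017-08-28T10:30:00", "rule": "encoded_powershell", "src": "ws-101", "user": "alice"},
    {"id": 107, "ts": "2017-08-28T09:03:00", "rule": "failed_logon_burst", "src": "dc-01", "user": "bob"},
]

# Tuning entries (hypothetical): each suppression records who approved it, why,
# and when it expires, so "known benign" stays a reviewed decision.
KNOWN_BENIGN = {
    ("port_scan", "10.0.5.20"): {
        "owner": "vuln-mgmt",
        "reason": "authorized internal scanner",
        "expires": "2017-12-31T00:00:00",
    },
}

# Repeats of the same fingerprint within this window fold into one work item.
DEDUP_WINDOW = timedelta(minutes=15)


def fingerprint(alert):
    """Stable key for 'the same problem': rule + source + user."""
    key = "|".join([alert["rule"], alert["src"], alert["user"]])
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def is_suppressed(alert, benign, now):
    """True only while a matching tuning entry exists and has not expired."""
    entry = benign.get((alert["rule"], alert["src"]))
    if entry is None:
        return False
    return datetime.fromisoformat(entry["expires"]) > now


def triage(alerts, benign=KNOWN_BENIGN, now_iso="2017-08-28T12:00:00", window=DEDUP_WINDOW):
    """Return the deduplicated work queue, the suppressed alert ids, and volume stats."""
    now = datetime.fromisoformat(now_iso)
    queue = []        # aggregated work items, in order of first occurrence
    suppressed = []   # alert ids removed by reviewed tuning
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if is_suppressed(a, benign, now):
            suppressed.append(a["id"])
            continue
        fp = fingerprint(a)
        ts = datetime.fromisoformat(a["ts"])
        # Most recent open item for this fingerprint, if any.
        last = next((i for i in reversed(queue) if i["fp"] == fp), None)
        if last is not None and ts - last["last_seen"] <= window:
            last["count"] += 1
            last["last_seen"] = ts
            last["alert_ids"].append(a["id"])
        else:
            # Outside the window (or first sighting): open a fresh item so a
            # recurrence hours later is not hidden inside an old ticket.
            queue.append({
                "fp": fp, "rule": a["rule"], "src": a["src"], "user": a["user"],
                "first_seen": ts, "last_seen": ts, "count": 1, "alert_ids": [a["id"]],
            })
    received = len(alerts)
    return {
        "queue": queue,
        "suppressed": suppressed,
        "stats": {
            "received": received,
            "suppressed": len(suppressed),
            "work_items": len(queue),
            "reduction_pct": round(100 * (1 - len(queue) / received), 1) if received else 0.0,
        },
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for item in result["queue"]:
        print(f'{item["rule"]:20} {item["src"]:10} x{item["count"]} ids={item["alert_ids"]}')
    print("suppressed:", result["suppressed"])
    print("stats:", result["stats"])
```

On the sample data the seven inbound alerts become three work items: the authorized scanner’s two hits are suppressed, the three PowerShell alerts a minute apart collapse into one item, and the recurrence 90 minutes later opens a separate item so it is not buried. Re-running with a later “now” than the tuning entry’s expiry shows the scanner alerts returning to the queue, which is the point of giving every suppression an owner and a date: the false-positive rate the page lists as a fatigue symptom can be driven down without silently losing coverage.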

If you have other ideas – please share them in the comment section.

1 Comment
  • Does IR have a Hierarchy of Needs? - Syncurity
    Posted at 17:45h, 30 September Reply

    […] and need the right experience and skillset as well as cross-training. SOC’s are plagued with analyst fatigue. Quality security analysts are your most valuable and important tool. Full reliance on technology […]
