28 Aug Incident Response – How do you deal with analyst fatigue?
In conversations with people I know who are Security Managers, CISOs or simply friends in the field, a topic keeps coming up that I haven’t read much about: analyst fatigue.
Below are some indicators I have brainstormed that can help you recognize analyst fatigue:
- High false positive rates
- Slower or less complete triage or containment activities
- Incomplete incident or alert documentation
- Frequent sick days
- Analysts not as “sharp” as in the past
- High turnover
- Little or no cross-training
Incident Response within many organizations is a custom process, requiring knowledge of a company’s infrastructure, controls, and culture. Turnover has a high cost, especially given the shortage of qualified candidates (effectively negative unemployment) that we see in Cybersecurity today.
How to prevent analyst fatigue
Some ideas for preventing analyst fatigue include:
- Empower your analysts to tune out repetitive false positives rather than churn through them; give them a way to feed noisy detections back to whoever owns the rules.
- Embed senior analysts and automation engineers in your line analysts’ world. Schedule regular day-long ride-alongs for anyone whose work directly shapes the tasks line analysts perform.
- Resource your team to allow for rotating project work. Each member should be learning something new by working on something that does not fire alerts every day.
- Have a generous, enforced time-off policy. Make sure your team members are getting enough time for some R&R.
- Keep a healthy reserve of alternate resources, either internal or external, for critical situations.
- Rotate staff periodically. For example, if you have an analyst who reviews disturbing content all day, every day, don’t leave them on that duty for six months straight.
- Cross-train. Letting analysts work in different functions gets them out of the day-to-day and also builds a stronger, more resilient team.
- Automate. Build scripts to automate triage. Look into a solution like IR Flow to automate and streamline where possible, freeing up your analysts to do interesting, motivating work instead of the mundane ticketing and documentation associated with day-to-day incident handling.
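To make the “automate triage” and “stop churning through false positives” points concrete, here is an added example of the kind of first-pass triage script a SOC might run before anything reaches an analyst. It is not code from the original post and has nothing to do with IR Flow or any other product. The alerts, the scanner address (`10.0.5.20`), the rule names and the one-hour dedup window are all constructed for illustration. Three things it does: suppresses a known-benign pattern while keeping an audit record of every auto-closed alert (so suppression rules can be reviewed rather than silently hiding things), collapses repeats of the same alert on the same asset into one case, and orders the remaining queue by severity instead of arrival time.

```python
"""Constructed example: automated first-pass triage of a SIEM alert export.

Not from the original post. Alert data, rule names and the scanner address
are invented for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts, shaped like a generic SIEM export (not real telemetry).
SAMPLE_ALERTS = [
    {"id": 1, "ts": "2019-08-28T09:00:00", "rule": "port_scan", "src": "10.0.5.20", "host": "web01", "severity": "medium"},
    {"id": 2, "ts": "2019-08-28T09:01:00", "rule": "port_scan", "src": "10.0.5.20", "host": "web02", "severity": "medium"},
    {"id": 3, "ts": "2019-08-28T09:05:00", "rule": "failed_logon_burst", "src": "203.0.113.7", "host": "vpn01", "severity": "high"},
    {"id": 4, "ts": "2019-08-28T09:06:00", "rule": "failed_logon_burst", "src": "203.0.113.7", "host": "vpn01", "severity": "high"},
    {"id": 5, "ts": "2019-08-28T09:07:00", "rule": "failed_logon_burst", "src": "203.0.113.7", "host": "vpn01", "severity": "high"},
    {"id": 6, "ts": "2019-08-28T11:30:00", "rule": "failed_logon_burst", "src": "203.0.113.7", "host": "vpn01", "severity": "high"},
    {"id": 7, "ts": "2019-08-28T09:10:00", "rule": "new_scheduled_task", "src": "10.0.9.4", "host": "wks17", "severity": "low"},
    {"id": 8, "ts": "2019-08-28T09:12:00", "rule": "powershell_encoded_cmd", "src": "10.0.9.4", "host": "wks17", "severity": "high"},
]

# Hypothetical suppression: the internal vulnerability scanner legitimately port-scans the estate.
# Each entry is (name, predicate); the name is what lands in the audit trail.
KNOWN_SCANNERS = {"10.0.5.20"}
SUPPRESSIONS = [
    ("authorized_scanner", lambda a: a["rule"] == "port_scan" and a["src"] in KNOWN_SCANNERS),
]

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}
DEDUP_WINDOW = timedelta(hours=1)  # repeats of the same (rule, host, src) within this window merge


@dataclass
class Case:
    rule: str
    host: str
    src: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    alert_ids: list = field(default_factory=list)

    def score(self) -> int:
        # Severity dominates; repeat count only nudges priority so a flood
        # of low-severity noise cannot outrank a single high-severity alert.
        return SEVERITY_WEIGHT[self.severity] * 10 + min(len(self.alert_ids), 9)


def triage(alerts):
    """Return (queue, suppressed).

    queue: Case objects for the analyst, highest score first.
    suppressed: one record per auto-closed alert with the rule that closed it,
    kept so suppression rules can be audited and tuned rather than trusted blindly.
    """
    suppressed = []
    by_key = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(a["ts"])
        reason = next((name for name, pred in SUPPRESSIONS if pred(a)), None)
        if reason:
            suppressed.append({"id": a["id"], "reason": reason})
            continue
        key = (a["rule"], a["host"], a["src"])
        open_cases = by_key[key]
        if open_cases and ts - open_cases[-1].last_seen <= DEDUP_WINDOW:
            open_cases[-1].last_seen = ts
            open_cases[-1].alert_ids.append(a["id"])
        else:
            # Outside the window (or first sighting): open a fresh case rather than
            # stretching an old one indefinitely.
            open_cases.append(Case(a["rule"], a["host"], a["src"], a["severity"], ts, ts, [a["id"]]))
    queue = [c for cases in by_key.values() for c in cases]
    queue.sort(key=lambda c: (-c.score(), c.first_seen))
    return queue, suppressed


def workload_summary(alerts):
    """Raw alerts in vs. cases an analyst actually has to look at."""
    queue, suppressed = triage(alerts)
    return {"raw_alerts": len(alerts), "suppressed": len(suppressed), "cases_for_analyst": len(queue)}


if __name__ == "__main__":
    queue, suppressed = triage(SAMPLE_ALERTS)
    for c in queue:
        print(f"score={c.score():3d} {c.rule:<24} {c.host:<6} {c.src:<14} alerts={c.alert_ids}")
    print("auto-closed:", suppressed)
    print(workload_summary(SAMPLE_ALERTS))
```

On the constructed data, eight raw alerts become four cases: the two scanner hits are auto-closed with a recorded reason, the three failed-logon alerts within an hour merge into one case, and the later failed-logon alert at 11:30 opens a new case because it falls outside the window. The important design choice is that nothing is dropped silently; the suppressed list is what you review when deciding whether a suppression rule is still justified.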
If you have other ideas – please share them in the comment section.