The most successful enterprises that use NextGen have mastered the workflow concept and fully utilize the Informer as the starting point for most investigations. Understanding the roles associated with this workflow will help you identify how best to fill these workflow positions on your team.
Know Your Roles!
The analyst is the front-line consumer of Informer alerts, reports and graphs. These are the output of automated queries that answer specific use cases, and the analyst takes action as prescribed by the team's internal handling process. Clicking through an alert takes the analyst to the corresponding sessions within Investigator for validation or further analysis. The analyst provides feedback to Content Authors on whether alerts and reports are still actionable.
Only the forensics experts should spend the majority of their time in Investigator, looking for the next big zero-day or for ways to automate the queries that analysts need to respond to.
Content authors are information managers who are well versed in internal policies, workflows, and the use of Informer. Their role is to implement use cases and automate as much of the workflow as possible. They take input from forensics experts and analysts and convert it into actionable alerts and reports. Content authors are also responsible for use case lifecycle management: when a threat is no longer a threat or no longer needs to be monitored, that use case is closed and its automated content retired.
These critical roles do not represent new hires or an expansion of staff. The functions can and should be fulfilled by existing personnel who currently spend their time working with OldGen tech or SIEMs. Some qualifications for each role follow:
- Analyst: Typically a novice staffer who can accurately process alerts and reports based on defined use cases and incident handling guidelines.
- Forensics Experts: These are your packet-heads, people who enjoy picking apart protocols and understanding how networks tick. They should have a good working knowledge of the threat landscape and vulnerabilities, and an understanding of the environment's governing policies.
- Content Authors: Often a graduated forensics expert, or anyone with a good understanding of the NextGen query structure. Some experience with HTML coding helps create the best reports. Should be an expert on the environment's governing policies.