What Makes a Security Analyst Successful? Investigative Thinking

The new SANS 2021 Report: Top Skills Analysts Need to Master analyses the need for organisations to invest in improving their security operations. It identifies the skills analysts must master to support this initiative. The SANS report characterises an analyst as essentially an investigator. It also breaks the investigative process down into two primary areas: Investigative Tasks and Investigative Thinking.

One of the most important sources of intelligence to bring into the process is the human intelligence that comes from critical thinking. After all, what better way is there for organisations to validate data and findings? They can then determine the right action to take within their own environment through their own people.

As the SANS report points out, empowering humans so they have more time to engage in investigative or critical thinking is vital to effective and efficient detection and response. According to SANS, best practices for critical thinking include:

  • Asking questions to gather additional context and scope when facing a situation of uncertainty during an investigation
  • Reasoning backwards by using tools like MITRE ATT&CK to hypothesise what must have happened to arrive at the alert that is displaying on a security console
  • Considering multiple plausible pathways instead of thinking linearly to detect and respond to new threats
  • Remaining curious, flexible and agile within a highly dynamic environment such as a security operations centre (SOC)

A central repository powers collaboration

This is where collaboration comes in, both passive and active. A security operations platform like the ThreatQ Platform serves as a central repository. It includes internal threat and event data, augmented and enriched with global threat data. This central repository is at the heart of passive collaboration, or information sharing.

When individual team members and different security teams can access the central repository for the intelligence they need to do their jobs as part of their workflow, passive collaboration just happens. As they use the repository and update it with observations, learnings and documentation of investigations, they get consistent threat intelligence.

The repository can serve as a centralised memory to facilitate future investigations. Everyone can operate from a single source of truth, instantaneously sharing knowledge and using their tools of choice to improve security posture and the investigation process.

Active collaboration involves engaging with another person to accomplish a shared goal through tasking and coordination. It is what typically comes to mind when we think of collaboration. However, traditional, siloed environments have made this extremely difficult and time-consuming for security professionals to do.

The challenge is that most security operations or investigations are rife with chaos. Teams act independently and inefficiently with limited visibility into the tasks other teams or team members are performing. With different people or teams working on independent tasks, key commonalities are missed. Investigations take longer or hit a dead end, or key information just falls through the cracks.

A cybersecurity situation room breaks down barriers

A cybersecurity situation room fuses threat data, evidence and users to break down barriers. All team members involved in the investigation process can collaborate. Rather than working in parallel, they can automatically see how the work of others impacts and further benefits their own work. They can also share and benefit from the human intelligence they each bring to the table. Validating data and sharing their collective insights and understanding fosters critical thinking that drives successful investigations.

Furthermore, managers of all the security teams can use ThreatQ Investigations to see the analysis unfolding. It allows them to act when and how they need to, coordinate tasks between teams, and monitor timelines and results. Embedding collaboration into the investigation process ensures that teams work together to take the right actions faster.

At ThreatQuotient, we have always believed that to accelerate and improve security operations, we must empower the human element with tools that enable them to identify the right data, share information, and collaborate efficiently and effectively. That is why the ThreatQ Platform and ThreatQ Investigations are exactly what organisations need to help security analysts excel in the role of investigator. If you are interested, why not download the SANS 2021 Report: Top Skills Analysts Need to Master for more details on the skills required?


ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.
