"Do analysts have access to all the data they need to perform investigations thoroughly?"
With all the talk of tabletop exercises this week, don't forget to ask this question and don't ignore the issue when the answer is no.
The top issues I see in SOCs that limit analyst access to data they need, in order:
1. Poor use of budget (usually perceived as not enough budget)
2. Gatekeeping by senior team members with strong personalities
3. Actual lack of budget
4. Lack of knowledge about what to collect
Of course, it's often a combination of those things rather than just one.
A key point is that folks often *know* they aren't collecting the data they need for analysts. But, they make excuses for it or ignore the problem.
BTW, the answer is no in 80% or more of the SOCs I’ve seen the past 5 years, and higher in managed service providers handling security for small businesses.