At 8:30 a.m. this morning, a level 3 security analyst, Mikey “The Jedi” Allbright of [COMPANY NAME REDACTED], announced he’ll be leaving for the next six months due to “seriously fatigued fingers” and “a wonky eye” resulting from viewing and traversing too many screens in the course of his daily activities to ensure data security and compliance at [COMPANY NAME REDACTED].
We sat down with Allbright after this grandiose proclamation for further details. “All security analysts have it tough,” Allbright mused as he gingerly held his Darth Vader mug with his three fully operational fingers. “We’re ingesting data all day, every day, from a multitude of sources so we can detect the events that seem to be anomalous in nature, analyze those events to see if they’re actual threats and, finally, stop the threat if it’s an actual attack.”
When asked if the problem is on equal footing for junior or level 1 and 2 analysts, Allbright had this to say: “Security information and event management (SIEM) offerings have grown leaps and bounds since I moved from Windows tech support to the security desk eight years ago. Back then, if we pulled data from the firewall, for instance, we might only get an IP address sent back, all the other DNA of the event was sitting in unstructured logs.
“Today, the new kids have it relatively easy. SIEM providers have really upped the game on integrations and the correlation engines to give a full picture view of brute-force attacks. I mean, they still have their own challenges as the business grows and our data leaves the building, trying to secure let’s say mobile devices, but it’s nothing to the level I deal with each day. No one will be getting seriously fatigued fingers or a wonky eye.”
Physician’s Diagnosis Points to ‘Extreme’ Repetitive Stress Disorder
For further context, we continued the conversation with Allbright and his physician, Moonstone Riverbeam.
“This is a case of repetitive stress disorder taken to the extreme,” Riverbeam chanted.
Allbright interjected, “I’m responsible for finding the truly unknown threats, the ones that are coordinated and complex, that need the SIEM and a host of other systems to fully identify and ferret out. In a low and slow attack, the hackers will start their intrusion with a spear phishing email to an unsuspecting user within our company. To simply see if spear phising is taking place, I’m sifting through data across packet capture, web proxy, email gateway, detonation chambers, SSL/TLS inspection, DNS records and mail servers. Just culling the information is a ludicrous amount of clicks that whittles away the marrow of my finger bones. Now, imagine I have to collate and analyze that information in a spreadsheet. Welp, that’s many, many more clicks.”
Riverbeam provided no further comment, but we could hear mild weeping in the background before he hung up the phone. We then received a notice that Allbright’s phone card minutes were almost depleted, so he concluded with the following:
“That example above assumes we can stop a possible attack at intrusion, which is rarely the case. When you look at this from the lens of the MITRE ATT&CK framework, there is a multitude of other steps that occur before your company makes the news about being breached. Each of those steps from hackers performing data discovery, to lateral moves across systems, to exfiltration of data requires a whole other set of IT systems we need data from to provide a thorough investigation and hopefully stop the bad guys. I’m lucky to still have three working fingers.”
Company Leans on Design Thinking Approach in Security Analyst’s Absence
To bring balance to the acting forces in this story, we reached out to Allbright’s direct superior, the chief information officer (CIO) of [COMPANY NAME REDACTED], who asked to remain nameless. They said:
“While of course we have concerns about Mikey’s ‘condition,’ what scares me more is the time it’s taking our analysts to find these threats. I believe in the fortitude of the human finger, but each click that has affected Mikey is extra time we’re allowing rogue agents to run amuck in our environment.”
When I asked what the plan was moving forward while Mikey was healing, she said, “We built our security tools like a castle, adding new bricks each time an outside force came up with a new weapon in their arsenal. With Mikey gone, we need to add the same design thinking to security we used to build the rest of our infrastructure. Begin with the security outcomes we hope to achieve and integrate or add technology from there. Start with new rules, then we’ll add the tools. Also, I think Mikey is faking it. I wanted that out there since I doubt my sarcasm will come through in text.”
When I asked Allbright his plans during his convalescence, his eyes brightened.
“While I may be a Jedi and master threat hunter in IT security, I’m still only a Padawan (as recognized by the official Jedi Council of America). I plan to spend the next six months honing my lightsaber skills.”
When asked if he plans to wield the Jedi weapon of choice given his “condition,” Allbright wryly smiled and said, “I believe the Force will be with me.”