Attaching responses from the first survey (most questions were designed to help with the design process).

What is your current role?;How many years of experience working in this (or similar) field do you have?;In one sentence, how would you describe your mission?;What three activities take most of your time?;What SIEM (or similar) tools are you using to perform your duties?;How would you rate the software you're currently using?;In your day to day activities, what types of data do you work with the most?;Are there data sources that your current tools don't provide but should?;What types of enrichment would you like to see on the raw data that would allow you to do your job more effectively?;What third party intel feeds do you find most valuable that lead to credible threats?;What are the most useful static rules that lead to credible threats as opposed to false positives?;When using your chosen software, do you find anything frustrating that you wish was easier or different?;Is there anything that you wish it allowed you to do that it doesn't allow now?;In a SIEM (or similar) tool, what information would you expect an alert to contain?;Which way of filtering/searching for events would be your preferred one?
Security Analyst;6 months;To secure our customer data;Security monitoring, tool eval, research, etc. ;Log Rhythm? ;3;logs, pcap, splunk queries, etc.;Network Visibility;;CrowdStrike intel;;N/A;Case management ;;Both work for me equally well
Security Analyst;10;Provide expert knowledge in security and intelligence for customer support;Data queries, intelligence gathering, data enrichment;Log Rhythm, Falcon Host;2;Logs;;IP lookup, Virus/Malware lookup, Hash lookup;unknown;unknown;unknown;Threat Intelligence feed, Intelligence profiles/baseball cards;Importance, Event type, location of detection, time fields, enrichment data;I prefer clicking with my mouse to select/deselect types of data I want to find
Security Analyst;18;We provide cyber-security in Rackspace customer environments;Research, Analysis, Reporting;We don't have one that works yet.;3;Open-source, Host data, Intelligence feeds;Yes;Network, netflow, Log data, even correlation;Recorded Future, Threat Connect;Nothing that we currently have.;Yes,  the UI is terrible (feels beta) and we have no idea which customer console we're logged in to. ;Create custom dashboards, and be able to tell which customer I'm logged in to.;Rule information (why it fired) all pertinent information relating to the alert, alert context, correlation information. ;Both work for me equally well
Consultant;5;Proactively monitor, detect, and respond to any and all security threats and events in near-real-time for RMS Customers.;N/A - currently not enough visibility or Customer data/alerts to give an accurate picture, also, I perform duties separate from the typical RMS Analyst role that aren't pertinent to this survey.;Currently no SIEM.  Main tool is CrowdStrike Falcon Host.  CloudPassage has been implemented as well.  Analysts spend time in the UI of these individual tools.;3;"Hard to answer currently due to limitations; however, we will interact heavily with firewall/proxy/IDS/IPS logs, pcap, CrowdStrike data, system logs (e.g. Win event logs), etc.";Hard to answer currently due to limitations;FQDNs, hostnames, user names, system details, associated threat intel info, file names/hashes, additional malware info (e.g. VirusTotal lookup), etc.;CrowdStrike, iSIGHT Partners, Verisign iDefense, Emerging Threats, Symantec, McAfee, Dell SecureWorks, FireEye, Cyveilance, ThreatStream, ThreatConnect, etc.;Longer offline discussion for this;N/A - currently not operational;N/A - currently not operational;Severity/Priority, Date/Time, Device IP Addresses/FQDN (Internal & External), Alert Category/Name/Type, Alert Source (e.g. Falcon Host, BlueCoat Proxy), Alert ID/#,  User name, Alert Status, etc.;Sometimes one works better than the other, so having the option to query and also filter via clicking fields is necessary to me
Analyst;0-1;To identify anomalous behavior among disparate data.;Creating queries: 30%, Pivoting through data to isolate interesting artifacts 50%, Aggregating data to form a conclusion 20%;The only tool we are using at the moment as a SIEM is Falcon Host.;3;Indexed process execution data available in Falcon Host.;Network;;CrowdStrike Intel is the only one I am familiar with.;N/A;We do not have the ability to search across all customers at this point so hunting is a tedious task.;Unified search across all customers and Network visibility;Customer, Time in GMT, Host, Local and External IP, Remote IP if applicable, User or Service Account if applicable, event description;I want to write a query to find what I'm looking for
Security Analyst;10;To monitor customer environments in order to identify nefarious activity for the sake of protecting said environment;"Searching for new threats - 10%; Investigating identified threats - 25%; Documenting and updating known incidents - 15%";FalconHost, JIRA, Office, ;3;logs;yes;parsing and correlation - this should be both predefined based on rules and signatures as well as definable in an ad-hoc situation by analyst;crowdstrike, CVE (multiple), multiple focused sites;IOCs/IOAs that are currently active in the wild which may not have a specific legitimate administrative function;Correlation is the key and any advantages that can be gained by automated correlation would be nice.;The case management that LogRhythm uses seems to be effective. The more data that can be directly pulled, the more seamless it would be;time, customer, source of info, IOC/IOA triggered, relevant 3rd party supporting evidence, related host and network data;Both work for me equally well
Contractor in the CSOC;12;Make the CSOC successful by improving the processes and documentation around their mission.;"Documenting processes - 80%
Developing work flow - 10%
Documenting use cases - 10%";"Falcon Host
Log Rhythm
OpenSOC";2;Not doing operations day-to-day;OS and application logs, FW logs, netflow, IDS\IPS, remote access;"file information- VT, hash, file analysis lookups; Network - IP info, domain info, domain reputation, ";Crowdstrike, VT, systemexplorer.net, cymru, bit9, domaintools, centralops, *** I have a list ***;completely dependent on scenario, but the most important thing is event validation;Don't really use the tools here yet.  Need to get live feeds for all of the data types.;;event type, what specifically alerted, any other correlating events, information about the host and customer;I prefer clicking with my mouse to select/deselect types of data I want to find
Security Analyst II;1;Deliver Fanatical cyber security services that mitigate damage to Rackspace and our customers from cyber attacks.;Analysing SourceFire events, Crowdstrike events & phishing emails.;Splunk and QRadar;4;logs;No;N/A;FireEye;NA;Fewer false positives;Mark an event or alert as a false positive so it doesn't alert again. Suppressions.;Source and Destination IP addresses, host names, alert name.;Both work for me equally well
Security Analyst I;11;Deliver fanatical cyber security services that mitigate damage to Rackspace and our customers from cyber attacks;Investigating IDS Events (50%), Investigating Phishing Emails (25%), Investigating Malware (25%);Splunk;4;logs;not sure;correlation to similar data;Crowdstrike;Exploit kit rules;;;timestamp, severity, description;I prefer clicking with my mouse to select/deselect types of data I want to find
Security Analyst II;20 years;Deliver Fanatical cyber security services that mitigate damage to Rackspace and our customers from cyber attacks.;Intrusion Detection analysis, Rule implementation, Tuning;Splunk;4;pcap, snort;Yes.;More log access (e.g. authentication, dns, dhcp);Crowdstrike;Exploit kit, Cryptowall;Yes.;Yes.;Alert name, Src/Dst IP, Src/Dst port, protocol, sid (if applicable), packet, device;I prefer clicking with my mouse to select/deselect types of data I want to find
Analyst;4;our mission is to protect corporate assets, employees, and networks. ;"identifying system owners - 20%
searching multiple systems to find the correct logs - 20%
finding systems in the building 10%";splunk enterprise security;2;pcap, logs, netflow;dhcp logs, dns logs;better event aggregation ;n/a;signature based rules will always have a higher false positive rate than heuristic based detection;customizing the interface and finding open events;create cases of events;Timestamp,  origin of alert, Source/Destination IP and port , urgency;Both work for me equally well
Security Analyst II;3 years;Deliver cyber security services that mitigate damage to our business and our customers from external and potentially internal threats.;Evidence gathering and incident documentation in tickets.;Splunk Enterprise for SIEM, Jira for documentation.;4;Sourcefire Alerts, FireEye Alerts, pcap or network metadata. ;;Better organization of the data, easily view pcap or traffic that caused the alert from inside the siem, and be able to make custom templates for documenting incidents.;CrowdStrike, VirusTotal and FireEye intel. ;Scanner detection so far has been the most reliable resource.;The UI is slow to load at times, the over all workflow could be better as well. Such as incident assignment, adding notes, and then documenting results and closing out ticket. It does not have a natural flow, SIEM's often forget the documentation aspect of incidents.;Create custom modulus windows or easily extend event alerts to work with other tools.;Source and Destination, Hostname if it can pull it, and packet of traffic that caused alert.;Both work for me equally well
Security Analyst;7;protect the company from information security-related threats;responding to alerts (60%), improving/tuning tools/processes (20%), keeping up to date on security news/techniques/etc (20%);splunk;4;summarized alert data, pcaps, logs;linux process data;comprehensive pcap coverage, correlation between tools, identity/asset info applied to alerts;ones that provide additional context beyond IP address/domain/etc;more specific rules (Snort ETPro), publicly available rules;Easier automation of updates, easier integration of enrichment data (user/identity/asset info);;alert description, the detection rule, the content that was detected, references/links, additional context when possible (user info, asset info, etc), pcap;I want to write a query to find what I'm looking for
Security Analyst ;3;Provide leading edge security with fanatical support. ;SIEM work 50% Emails 25% Tickets 15%;Splunk, it aggregates all the events from different sensors into one location. ;4;Pcap, logs;user authentications ;system details of host attacked;slashdot, and reddit cyber security ;angler regex rules;no;"create ticket if event is a true positive
";to, from ip's ports and time as well as alerting packet and rule that triggered;Both work for me equally well
Security Analyst;6;Deliver Fanatical cyber security services that mitigate damage to Rackspace and our customers from cyber attacks;Investigating, responding to, and mitigating security incidents;Qradar and Splunk ;3;pcap, vpn logs, snort, etc.;Splunk really just aggregates from other sources;Filtering of data could be cleaner. Queries take time to type out and are prone to mistakes.;;;Formatting of output when running a query could be cleaner.;;source IP/port, destination IP/port, timestamp, protocol, rule that triggered the alert, pcap of traffic that triggered the alert.;I prefer clicking with my mouse to select/deselect types of data I want to find

Attachment: Metron Survey I (Responses).pdf
Description: Adobe PDF document

Attachment: Metron Survey I (Responses).xlsx
Description: MS-Excel 2007 spreadsheet

Best,
Oskar
