From TDR to TDIR — using tools to drive investigations

I think we can all agree that one of the primary responsibilities of a SOC is to efficiently bring the organization back to a known good state after being hit by an attack.

And yes, that includes detecting that an incident took place and responding to that incident. The proverbial “threat detection and response (TDR)”. But is that enough?

No!! Investigation is equally — if not more — important than detection and response. In fact, data from the Exabeam SIEM Productivity Study independently conducted by Ponemon Institute LLC shows that SOCs spend 1/3 of their time on detection and response, and 2/3 on triage and investigation.

Figure 1: Percent of time spent for each phase in threat detection, investigation and response (TDIR)

During my career at Gartner, I have observed SOCs obsessively focus on using tools to solve threat detection and response, and throw human misery to solve the problem of triage and response. This inevitably leads to an overreliance on scarce resources and to employee burnout, which contributes to skills shortage. Over-pivoting on threat detection and response is detrimental to the overall efficiency of the SOC and to the organization’s security posture.

Let’s put triage and investigation at the center of the mission of a SOC and stop talking about “threat detection and response”. Instead let’s talk about “data collection, threat detection, triage, investigation and response” — or in short “threat detection, investigation, and response” (TDIR).

Further, let’s push for all the phases in the lifecycle of TDIR to be done by tools as much as possible, including triage and investigation. For that, vendors need to provide 1) great capabilities and feature sets for each of the phases in the TDIR lifecycle, 2) great content that codifies SOC knowledge, and 3) great integration between each of the phases of the TDIR lifecycle so as to cover the overall SOC workflow.

Sure, threat detection will never be a fully solved problem, and neither will response. They are both a never-ending continuous improvement journey. However, there’s been enough progress on these now that it’s time to include triage and investigation in the scope of duty that we should ask tools to help us with. We know how to drive the bulk of the heavy lifting on investigation of many threats, incidents and use cases. It would be a shame to not offer this to the industry. Let’s stop wasting people’s time on repetitive tasks that machines know how to solve efficiently, at scale. Let’s free people to work on more important activities.

If your TDIR tool (SIEM or XDR) mainly focuses on detection and response capabilities, I suggest you look at vendors — OK quick plug for my employer, check out Exabeam ;) — who offer great coverage across the broader lifecycle of the workflow, and can drive all phases of TDIR using tools, including triage and investigation.

Demand that your SIEM and XDR automate investigations and go from TDR to TDIR!!

Cybersecurity expert and Chief Strategy Officer at Exabeam. Former Gartner analyst driving SIEM and SOC research and builder of the Splunk security ecosystem.