During an incident, cybersecurity analysts often waste too much time copying data between different systems, feeds, and tools. We think that your analysts should be spending their time actually doing analysis, not trying to wrangle standalone spreadsheets and notebooks.
In this post we’ll talk about how Kaleidoscope’s holistic view of cybersecurity analysis workflows can help your teams organize their efforts better. Keep reading to learn more, or click here to jump to the demo video!
One of the most common things plaguing cybersecurity teams is what most people call alert fatigue – where the quantity of alerts and events that require investigation overwhelms and wears down the organization’s engineers and analysts. Teams are often incentivized to add new tools and data feeds in the hope that they will offer new insight into their existing flood of problems, but what often happens is that the new tool becomes just another tool that is also producing more alerts and analysis that need to be squared with whatever came before.
But why is this the case? If we have all of these tools to expedite analysis, enrichment, and so on, then shouldn’t that also mean that we can scale alongside the flood of alerts? Which part of the analysis workflow is breaking down?
At Outcome Security, we believe that your analysts are the lifeblood of your entire security organization, and because of that, tools should not only help them do their jobs as efficiently as possible, but also capture and identify as much of the analysis process as possible so you can make more informed decisions about how your tools and teams are performing. In today’s post we want to talk about Kaleidoscope’s workbooks, how you can use them to retain and organize your teams’ analysis, and how they can act as a building block for improving workflows and analysis processes in cybersecurity.
The almost constant stream of attacks, alerts, and analysis that most cybersecurity teams have to handle means that they are going to be context switching, whether that means switching between tools to perform different data lookups or switching between entirely different tasks. This constant bouncing around creates the need to put notes and status reports somewhere, which is partly what has driven the prevalence of tools like Excel and standalone notebooks in the industry – these tools are catchalls that analysts can use as a brain dump to sift through later.
However, this introduces another problem: notes can be of varying quality, there can be a mismatch in understanding between team members, and every time data is copied between systems you lose insights, context, and potentially findings that might be valuable to your organization in the future.
In Outcome Security’s Kaleidoscope platform, we’ve worked to address these issues with what we call workbooks. Workbooks are functional tools in the platform that act as a way for teams and users to track ongoing analysis efforts, integrate with internal and external data sources, and to provide tools tailored to common investigation and analysis problems.
The goal of workbooks is to provide everything an analyst needs for their daily mission, and to use insights captured inside of workbooks as a better source of truth for how teams are doing and what they need. Workbooks are also a cornerstone of our collaborative investigation environment: data brought in through workbooks is available to others in your organization, and workbooks can be shared between users and teams to eliminate common pain points around handing off analysis.
See Kaleidoscope and its workbooks in action below!