Incident Response – How do you deal with analyst fatigue?

In conversations with people I know who are Security Managers, CISOs or friends, a topic has come up that I haven't read much about: analyst fatigue.

Fatigue Symptoms

Below are some indicators I have brainstormed for recognizing analyst fatigue:

High false positive rates

Slower or less complete triage or containment activities

Incomplete incident or alert documentation

Calling out sick too much

Analysts not as “sharp” as in the past

High turnover

Little or no cross-training

Incident Response within many organizations is a custom process, requiring knowledge of a company's infrastructure, controls, and culture. Turnover has a high cost, especially with the negative unemployment rate (more open positions than qualified candidates) that we see in cybersecurity today.

How to prevent analyst fatigue

Some ideas for preventing analyst fatigue include:

Empower your analysts so they don't have to churn through repetitive false positives; give them the authority to tune or suppress rules that keep firing on the same benign activity.

Embed senior analysts and automation engineers in your line analysts' world. Ensure regular day-long ride-alongs for anyone whose work directly shapes the analysts' day-to-day tasks.

Resource your team to allow for rotating project work. Each member should be learning something new by working on something that does not alert regularly.

Have a generous, enforced time-off policy. Make sure your team members are getting enough time for some R&R.

Keep a healthy reserve of alternate resources, either internal or external, for critical situations.

Rotate staff periodically. For example, if you have an analyst who reviews disturbing content all day, every day, don't have them do that for six months straight.

Cross-train. When analysts have the ability to work in different functions, it gets them out of the day-to-day and also builds a stronger team.

Automate. Build scripts to automate triage. Look into a solution like IR Flow to automate and streamline where possible, freeing up your analysts for interesting, motivating work instead of the mundane ticketing and documentation that comes with day-to-day incident handling.
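As an added example (not code from the original post or from any product it mentions), here is a small Python triage helper that shows two of the automation ideas above: measuring which detection rules are being closed as false positives so often that they should be tuned instead of triaged again, and collapsing repeat firings of one rule on one host into a single queue entry so a burst of identical alerts becomes one ticket rather than twenty. The alert records, rule names, hostnames, window and thresholds are all constructed for illustration.

```python
"""Alert-triage helper (added example, not from the post).

Two things it does, both aimed at cutting repetitive false-positive work:
  1. rule_stats / rules_to_tune: which rules are closed as false positives so
     often that they deserve tuning or suppression rather than another triage.
  2. dedupe / triage_queue: collapse repeat firings of one rule on one host
     inside a time window into a single queue entry carrying a count.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of *closed* alerts with the analyst's disposition.
# Rule names, hosts and timestamps are invented for illustration.
_RAW = [
    ("09:00", "psexec_lateral_movement", "ws-117", "true_positive"),
    ("09:00", "port_scan_internal", "scanner-01", "false_positive"),
    ("09:05", "port_scan_internal", "scanner-01", "false_positive"),
    ("09:10", "port_scan_internal", "scanner-01", "false_positive"),
    ("09:15", "port_scan_internal", "scanner-01", "false_positive"),
    ("09:20", "port_scan_internal", "scanner-01", "false_positive"),
    ("09:40", "port_scan_internal", "scanner-01", "false_positive"),
    ("10:00", "psexec_lateral_movement", "ws-220", "false_positive"),
    ("11:30", "port_scan_internal", "scanner-01", "false_positive"),
    ("12:00", "outbound_dns_tunnel", "ws-330", "true_positive"),
    ("13:00", "port_scan_internal", "ws-117", "true_positive"),
]
SAMPLE_ALERTS = [
    {"ts": f"2020-01-06T{hhmm}:00", "rule": rule, "host": host, "disposition": disp}
    for hhmm, rule, host, disp in _RAW
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def rule_stats(alerts):
    """Per rule: closed-alert count, false positives, and false-positive rate."""
    totals, fps = defaultdict(int), defaultdict(int)
    for a in alerts:
        totals[a["rule"]] += 1
        if a["disposition"] == "false_positive":
            fps[a["rule"]] += 1
    return {
        rule: {"total": n, "false_positives": fps[rule], "fp_rate": fps[rule] / n}
        for rule, n in totals.items()
    }


def rules_to_tune(alerts, min_alerts=5, fp_threshold=0.8):
    """Rules worth a detection engineer's time: enough volume to judge, mostly noise."""
    stats = rule_stats(alerts)
    return sorted(
        rule for rule, s in stats.items()
        if s["total"] >= min_alerts and s["fp_rate"] >= fp_threshold
    )


def dedupe(alerts, window=timedelta(hours=1)):
    """Collapse repeat firings of the same (rule, host) within `window` of the
    group's first alert into one entry with a count. Input order is irrelevant;
    alerts are processed in timestamp order."""
    open_groups = {}   # (rule, host) -> the group currently absorbing repeats
    result = []
    for a in sorted(alerts, key=lambda a: parse_ts(a["ts"])):
        key = (a["rule"], a["host"])
        g = open_groups.get(key)
        if g is not None and parse_ts(a["ts"]) - parse_ts(g["first_ts"]) <= window:
            g["count"] += 1
            g["last_ts"] = a["ts"]
            continue
        g = {"rule": a["rule"], "host": a["host"],
             "first_ts": a["ts"], "last_ts": a["ts"], "count": 1}
        open_groups[key] = g
        result.append(g)
    return result


def triage_queue(alerts, suppress=frozenset(), window=timedelta(hours=1)):
    """What a human should actually see: drop (rule, host) pairs the team has
    already tuned out (e.g. a known vulnerability scanner), then collapse repeats."""
    kept = [a for a in alerts if (a["rule"], a["host"]) not in suppress]
    return dedupe(kept, window)


if __name__ == "__main__":
    for rule, s in rule_stats(SAMPLE_ALERTS).items():
        print(f"{rule:26s} total={s['total']:2d} fp_rate={s['fp_rate']:.2f}")
    print("tune these:", rules_to_tune(SAMPLE_ALERTS))
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(dedupe(SAMPLE_ALERTS))} after dedupe")
    queue = triage_queue(SAMPLE_ALERTS, {("port_scan_internal", "scanner-01")})
    print(f"-> {len(queue)} after suppressing the known scanner")
```

The point of `rules_to_tune` is that the false-positive rate is computed from analysts' own dispositions, so the list of rules to fix comes out of the work they are already doing; `dedupe` keeps the count on the collapsed entry so a spike in volume is still visible to the analyst who picks it up.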

If you have other ideas – please share them in the comment section.