If you want to build your own XDR team, you’ll need to find a variety of “hard to hire and retain” security specialists, then find a way to keep them in a high-stress career, involving hard work and long hours, and where it is difficult to find affordable training.
To top it off, chances are your XDR vendors are trying to poach them.
That’s the grim prognosis for what Allie Mellen, Forrester Research’s senior SecOps cybersecurity analyst, considers a very stressful role. “You’re trying to prevent the company from being hacked. And so, you have a big responsibility there.
“It’s a job where you have to work outside of your normal hours, you have to do your own research, you have to work very hard to stay in this area. Internal security is not considered a profit center, it is considered a loss, and because of that, it’s usually not funded to the same level that we would expect with product teams,” adds Mellen.
She also says that many security professionals struggle to use the tools provided to them.
“So a SOC can have 10 tools, 30 tools, 50 tools, depending on which SOC you’re talking about. It’s a lot of work to not only become familiar with and/or be an expert on all these different technologies, but also to manage them throughout an incident.”
If that hasn’t deterred you and you’re still determined to build your own team, you’ll need to fill roles such as detection engineer, threat hunter and threat intelligence manager, and maybe even threat researcher.
The first piece you need is a detection engineer, says Mellen. “He’s the person who actually works in day-to-day SIEM or XDR and develops detections to find the behavior of the adversary.”
They’re hard to find, warns Mellen, because it’s a very specialized skill. “It’s not an entry-level position… They’re hard to retain because everyone wants a piece.”
“Detection engineers set the rules and they need to be aware of the environment and the attackers in it, as well as the technology they are working in, which is typically SIEM. They also need inputs.”
Those inputs are where the threat intelligence manager comes in, Mellen explains. “The Threat Intelligence Manager is someone who gathers threat intelligence from a variety of sources they have selected to see who the latest threat actors are and what the business needs to be concerned about, and which is targeting the industry right now.”
Meanwhile, threat hunters are out in the environment every day building hypotheses about what they think a threat actor would take advantage of in the environment.
“And then they’re just looking to see if they can find an attacker that the detection engineers that were built into the SOC haven’t caught yet.”
Mellen says their job is to find product defects, especially where product protection is inadequate.
“It’s hard to measure success because success isn’t about finding an attacker in the environment. Yet their goal is to find that attacker, and their findings usually feed into the detection engineer, because if they find something, the engineers would then be able to create a detection rule based on that.”