This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

The Critical Roles of NextGen Workflow

RSAAdmin
Beginner
Beginner

‎2012-09-06 04:24 PM

The most successful enterprises that use NextGen have mastered the workflow concept, and fully utilize the Informer as the starting point for most investigations.  Understanding these roles associated with this workflow will help you identify how best to fill these workflow positions on your team.

 

Know Your Roles!

!rock.jpg

Analyst

The analyst is the front line consumer of Informer alerts, reports and graphs.  The alerts, reports and graphs are the output of automated queries that answer specific use cases and he takes action as prescribed by the team's internal handling process.  He clicks through these alerts to take him to sessions within Investigator for validation or further analysis.  He provides feedback to Content Authors that alerts and reports are still actionable.

 

Forensics Experts

Only the forensics experts should be spending the majority of their time in Investigator looking for the next big zero-day or looking for ways to automate queries that the Analysts need to respond to.

 

Content Authors

These are information managers that are well versed in internal policies, workflows, and using Informer.  Their role is to implement use cases and automate as much of the workflow as possible. They take input from forensics experts and analysts and convert it to actionable alerts and reports.  The content authors are also responsible for the use case lifecycle management-  when a threat is no longer a threat or needs to be monitored, that use case is closed and the automated content brought to a close.

 

The critical roles do not represent new hires or an expansion of staff. These functions can and should be fulfilled by existing personnel who spend time working with OldGen tech or SIEMS.  Some qualifications for each role follow:

 

  • Analyst:  Typical novice staffer who can accurately process alerts and reports based on defined use cases and incident handling guidelines.
  • Forensics Experts:  These are your packet-heads- people who enjoy picking apart protocols and understanding how networks tick.  Should have a good working knowlege of the threat landscape, vulnerabilities and an understanding of the environment's governing policies.
  • Content Authors:  This is often a graduated forensics expert, or anyone with a good understanding of the NextGen query structure.  Some experience with HTML coding helps create the best reports.  Should be an expert on the environment's governing policies.
0 Likes
0 REPLIES 0
© 2022 RSA Security LLC or its affiliates. All rights reserved.