2012-09-06 04:24 PM
The most successful enterprises that use NextGen have mastered the workflow concept, and fully utilize the Informer as the starting point for most investigations. Understanding these roles associated with this workflow will help you identify how best to fill these workflow positions on your team.
Know Your Roles!
Analyst
The analyst is the front-line consumer of Informer alerts, reports and graphs. These are the output of automated queries that answer specific use cases, and the analyst takes action as prescribed by the team's internal handling process. Clicking through an alert takes the analyst to the underlying sessions in Investigator for validation or further analysis. The analyst also provides feedback to Content Authors on whether alerts and reports are still actionable.
Forensics Experts
Only the forensics experts should be spending the majority of their time in Investigator, looking for the next big zero-day or for ways to automate the queries that Analysts need to respond to.
Content Authors
These are information managers who are well versed in internal policies, workflows, and the use of Informer. Their role is to implement use cases and automate as much of the workflow as possible. They take input from forensics experts and analysts and convert it into actionable alerts and reports. The content authors are also responsible for use case lifecycle management: when a threat is no longer a threat or no longer needs to be monitored, that use case is closed and the automated content is retired.
These critical roles do not represent new hires or an expansion of staff. These functions can and should be fulfilled by existing personnel who currently spend their time working with OldGen tech or SIEMs. Some qualifications for each role follow: