B (12:51)

Foreign.

A (12:57)

Machine identities now outnumber humans by more than 80 to 1, and without securing them, trust, uptime outages and compliance are at risk. Cyber Arc is leading the way with the only unified platform purpose built to secure every machine identity, certificates, secrets and workloads across all environments, all clouds and all AI agents. Designed for scale, automation and quantum readiness, Cyber Arc helps modern enterprises secure their machine future. Visit cyberark.com machines to see how on this week's Threat Vector segment, Palo Alto's David Moulton speaks with Liz Pinder and Patrick Bale about context switching in the SoC.

B (13:54)

Hi, I'm David Moulton, host of the Threat Vector Podcast, where we break down cybersecurity threats, resilience, and the industry trends that matter most. What you're about to hear is a snapshot from my conversation with Liz Pinder, Cortex Systems Engineer Specialist, and Patrick Bile, SecOps consulting manager at Palo Alto Networks. Together we take up no holds barred look at context switching in the soccer what it costs, why it's getting worse, and how smarter design can fix it. Listen to the full episode now in your Threat Vector feed. So when we were talking about putting this podcast together, we were talking about this idea of context switching and I ran across this HBR article that talked about workers switching apps something like a thousand plus times a day. It seems kind of wild, but then you start to observe your own patterns and you realize, yeah, you're moving back and forth in between desktop applications and web apps through your browser and your tab, your browsers and your tab. Get to the point where you can't even read the tabs anymore. There's so many there and each one is a different action or a different capability. And I imagine in the SoC that that kind of context switching shows up and that it's really costly. Can you talk about what the cost of that disruption and or the inability to focus because of all those tools looks like? Liz?

C (15:25)

Yeah, definitely. I mean when we talk about the impact of that actual screen switching, I feel like there's kind of two overall issues that happen. There's kind of the issues on the analyst side, so what I definitely experienced and then we see issues as well on that visibility and detection side and just kind of to talk more about the analyst side because it's obviously like my personal experience, but I kind of like to think about, I don't know if you've ever heard of the, the, the article by Paul Graham which talks about kind of maker and manager time. So it's a quite an old piece of research, quite a few years ago now, but, but essentially it goes through that Maker time is something where you have long interrupted blocks to actually build and create something, whereas manager time is kind of split into meetings, check ins, quick decisions. And it's really that kind of make a time that you can directly associate with an analyst. You need to have that time for deep thinking with no interruptions, especially when you are going through an incident when you're triaging. And of course if you, I mean just thinking back to my experience, if you're having to continuously collect data for an alert, an alert comes in and I'm going to have to go to different sources to collect this data, either through logging into a firewall platform or kind of going and querying logs in my SIEM solution or even contacting someone, like contacting the owner of this kind of misconfigured S3 bucket, for example, all of that time adds up on its own. But it's also that kind of mental overhead that you have, like that's not really kind of thought of. If, you know, if someone interrupts you and you're kind of in the zone and then you get a slack message come in or you have a meeting put in as you're doing this task that requires that deep thinking. For me personally, it takes me like a Good, you know, 30 minutes to get actually get back into the task that I was originally presented with. So you know, imagine that constantly when you are just triaging alone and how much time that adds to actually resolving that alert. You know, that's you know, a lot of the reason why we have such long meantime to respond is because of that jumping across different tools and gathering all of that information.

B (18:08)

Let's talk about alert fatigue. When analysts jump from tool to tool and alert to alert, how do we ensure that they can stay focused on what matters?

D (18:19)

So yes, when we speak to SOCs and we say, what would you like to automate? And it's an intentionally provocative question, we normally get two answers, everything or we don't know. And that's, you know, I'm not sure which one's, which one's scarier, to be honest. But probably we don't know because like, if we're talking about alert fatigue, they should know the type of alert that is causing them to be fatigued or alerts. So really, like, when we're talking to SOCs, don't pick that one horrible task on that horrible system that you don't like doing, that you have to do once every six months or every year, do the things that you do little and often. If you can shave off 30 seconds here, a minute here, and you do that numerous times a day, week, month, then there's your return of investment on your sock and there's automation being key for you and there's your reduction on burning out because you're not doing the same thing over and over again. And that's the stuff that drove me up the wall, repeating those mundane tasks and also thinking about from the risk perspective. Again, that's the stuff that people in the soc would forget to do or intentionally not do because they have a bias to know what that the result is. So they assume it's benign or they assume it's malicious and they'll just quickly try and close the incident down. That's the wrong behavior that introduces risk, which the stock is there to avoid. Right. Or reduce the risk. Sorry.

C (19:51)

It's all about giving them something interesting to look at. Right? Because we talk about, you know, how do we, how do we not interrupt that flow? And first of all, we can go by automation. So not just automation in terms of, you know, all the way to resolution, all the way to, let's block this straight away, really simply, we can utilize automation to enrich an alert. So instead of me having to go to my various open source intelligence tools to look up this one IP address, I can have all that information provided to me straight away so I can just make that informed decision. So analysts can make that informed decisions to then isolate that machine or close that alert down. So it's really that low hanging fruit almost, that helps combat that alert fatigue.

B (20:47)

Liz, you've designed playbooks and that's what we tend to call these pre flight checklists. And some of the automations in security is a playbook or a workflow with a lot of customers. What mistakes do you see teams make that actually increase their context switching during incident responses?

C (21:07)

Yeah, so something that was probably most common, and I think Patrick will agree, is you can't automate without having that processor in the first place. Right. So quite often customers come to us or I'm building a playbook and that process either doesn't exist in the first place or it's a bad process. For example, we had a customer that wanted to simply just reset a password and remove them from AD if there was an insider threat. So what they, they didn't have the proper process written down. So it was really difficult to kind of then automate it. They didn't think about, you know, what if this, what if this person was a VIP user? Do you want to like change the password of a ciso, for example? You know, so things like that, if you, if you put in a bad process into automation, you know, into create a playbook out of a bad process, you're going to have a bad playbook. So really you need to think about that process and go through it beforehand before you think about automation.

D (22:23)

It's not all or nothing. And I think there is that fear of, well, we want to automate, we want to automate fully, but we don't trust it. But you can and should implement guardrails for break glass situations like potentially putting yourself at risk of losing your job by resetting someone's password who's in the exact position that you shouldn't. But you could argue as well that they're probably the people who would like it to be targeted. And let's test it, keep testing it. It's not a set and forget type thing, you know, it's, it's an iterative process that you want to test and refine. Unless it's not, you know, the, the high fidelity, 100% accurate things that I said, like who is user, what is ip, what is machine, what is cve? All those things.

B (23:12)

These aren't just tech problems, they're human performance issues with real security outcomes. If this got your attention, don't wait. Listen to the full episode now in your Threat Vector podcast feed. It's called Designing Human Centered Security Operations and it's live.

A (23:38)

Be sure to check out the complete episode of Threat Vector wherever you get your favorite podcasts and now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker and finally, the South Yorkshire Police has earned itself a polite scolding from the UK's data watchdog after it somehow managed to delete 96,000 pieces of body cam evidence, a feat of digital spring cleaning nobody asked for, according to the Information Commissioner's Office. The trouble began after an it upgrade in May 2023 left the force's digital evidence management system groaning under the weight of video files. Footage was temporarily stored on a local disk until July 26, when a third party transfer to a new storage grid turned into a large scale vanishing act. South Yorkshire Police admits the data probably went missing in error, which is as reassuring as it sounds. Although much of the footage had already been copied elsewhere, the force can't say how much was lost forever thanks to years of poor record keeping and unresolved backup issues. Unfortunately, when the files went missing, the.

D (25:32)

IT team couldn't radio or backup.

A (25:53)

And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.