Okay, now I'll post the responses I wrote down before I read what everyone else had to say...

https://infosec.exchange/@chrissanders88/109315290472660056

1. SOC Analyst = Family Medicine / General Practitioner. They diagnose afflictions and refer to specialists where needed. They also triage the severity of issues to prioritize various tests, treatments, or referrals.

2. Incident Response = Emergency Medicine. They identify enough information to stabilize the situation and determine the next steps for diagnosis and/or treatment.

3. Malware Analyst = Virology or Pathology. They study the characteristics and symptoms of afflictions by isolating them and performing behavioral and static tests.

4. Threat Hunter = Infectious Disease. They're diagnosticians that form hypotheses and try to find evidence that either proves them or rules them out. Likely the weakest of the comparisons in terms of inputs, since most folks they see do have symptoms whereas TH usually doesn't.

5. Threat Intelligence = Epidemiology. They study the characteristics and proliferation of afflictions, as well as the relationships between them.

Chris Sanders 🔎 🧠

Which medical specialties are most comparable to each of these security roles: 1. SOC Analyst 2. Incident Responder 3. Malware Analyst 4. Threat Hunter 5. Threat Intelligence I'm curious about your thoughts... I'll post mine a bit later. 🩺🧑‍⚕️


When I considered these comparisons, I thought about them in terms of inputs, outputs, tasks, tools, interaction with patients/systems, and mindsets.

After reading everyone's responses, I think there's a good case to be made for SOC Analysts as triage nurses, but... triage nurses aren't as heavily focused on diagnosis, and I think SOC analysts are.

There's also a case to be made for IR as trauma surgery. The initial input is usually some high priority symptom or affliction that must be quickly acted on to contain, eradicate, or remediate. But perhaps a bit less focused on identification a lot of the time.

While medicine and information security look different in many ways, it’s interesting how the specialties we create across disciplines are often more related in their processes and goals than we might think.

In my study of analyst cognition, I've been heavily influenced by the development of the medical field, which is also one that is based on investigations. I make some comparisons in my doctoral research on the analyst mindset (and in my classes): https://chrissanders.org/2021/12/dissertation/

A lot of how specializations form is based on finding ways to best distribute expertise. But, those specializations also form as products of a field's history and growth and economic needs at various times. It's interesting to peel back the layers and figure out which is which.

A Cognitive Skills Assessment of Digital Forensic Analysts – My Doctoral Dissertation | Chris Sanders

@chrissanders88 I've found the function of SOC analysts has a degree of variability. Some teams equip their analysts to triage alerts from start to end (my preference); others usually just do an initial "oh, this doesn't look good, I should escalate".
@goblinlucy Absolutely -- I see this vary quite a lot. Some analysts are purely triage and quick investigations whereas others also handle IR processes.
@chrissanders88 which ironically is probably observed in its own way in medical care too. Some really interesting thought exercises there.
@goblinlucy Watching specialization develop historically across the fields is interesting too. A doctor used to cover all the bodily systems, along with dentistry, a lot of veterinary duties, and those of a mortician. Sysadmins used to do all the security and coding and sometimes fix the phone systems.
@chrissanders88 Security Engineer = Surgeon. Some generalize, and some specialize. They do the more hands-on technical work with systems. They work in close conjunction with Analysts.