Working in a Security Operations Center (SOC) is like working the 2 AM weekend shift in an emergency room. A steady stream of new alerts screaming for attention, combined with a shortage of trained personnel, makes it a small miracle that the whole thing holds together on a shoestring and a prayer.
The question is: when does the luck run out?
A recent study from earlier this year reported that 64% of the SOC analysts surveyed say they are likely to switch jobs next year, due in no small part to the level of stress they are under in their positions.
Corporate security teams, and anyone else managing security for a large company, depend on their SOC analysts to triage, investigate, and generally wrangle the mass of alerts coming in from across all of their different systems.
And the challenges are many.
So how can the organizations that depend on their SOC analysts retain good talent and make them even better prepared to take on what is likely to be an exceedingly challenging year ahead?
Challenges Facing SOC Analysts
Digging into the report, as well as other research on SOCs, it is not surprising that so many analysts are on the verge of quitting their positions.
The study found that 53% of analysts say they use between 11 and 30 different security products.
This means that they not only have to handle the flood of alerts those products generate, but rarely get the chance to learn any one of them well enough to extract its full value.
They are being fed a lot of data from a lot of systems: cloud platforms, endpoints, threat intelligence feeds, XDR, and many, many more.
More tools mean more alerts. A 2020 study from Forrester found that SOC analysts have to contend with over 11,000 alerts a day. Over a third of these are estimated to be false positives, but every one of them still has to be triaged and investigated before it can be dismissed.
Slogging through manual work for investigation, reporting, and a laundry list of other drudgery is taxing on SOC teams. Unsurprisingly, 66% of them reported that they believe over half of their tasks could be automated, freeing them to concentrate on the work that actually requires their skilled attention.
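The automation the analysts are asking for rarely means a model that decides for them; it is usually the mechanical first pass that nobody should be doing by hand: suppressing alerts with a known benign cause, collapsing repeats of the same alert, and grouping what is left into cases ranked by how many independent tools corroborate each other. The following is an added example of that first pass, written for this page rather than taken from any product or from the study discussed above. The tool names, rule names, hosts, IP addresses and the "authorized scanner" allowlist are constructed for the demo, and the 5-minute deduplication window and 15-minute case window are assumptions a real SOC would tune to its own alert rates.

```python
from datetime import datetime, timedelta

# Constructed alerts from hypothetical tools; field names and values are assumptions for the demo.
RAW_ALERTS = [
    {"ts": "2024-03-07T02:00:05", "tool": "edr",  "rule": "credential_dumping",    "host": "ws-17",  "src_ip": "10.0.5.17"},
    {"ts": "2024-03-07T02:00:07", "tool": "edr",  "rule": "credential_dumping",    "host": "ws-17",  "src_ip": "10.0.5.17"},  # repeat of the line above
    {"ts": "2024-03-07T02:00:30", "tool": "siem", "rule": "lsass_handle_access",   "host": "ws-17",  "src_ip": "10.0.5.17"},
    {"ts": "2024-03-07T02:03:00", "tool": "ndr",  "rule": "smb_lateral_movement",  "host": "ws-17",  "src_ip": "10.0.5.17"},
    {"ts": "2024-03-07T03:00:00", "tool": "ids",  "rule": "port_scan",             "host": "dc-01",  "src_ip": "10.0.9.9"},
    {"ts": "2024-03-07T03:00:10", "tool": "ids",  "rule": "port_scan",             "host": "web-01", "src_ip": "10.0.9.9"},
    {"ts": "2024-03-07T04:15:00", "tool": "edr",  "rule": "suspicious_powershell", "host": "ws-22",  "src_ip": "10.0.5.22"},
]

# Constructed allowlist: the authorized vulnerability scanner and the rules it is expected to trip.
# Anything else from that address (say, credential dumping) must NOT be suppressed.
AUTHORIZED_SCANNERS = {"10.0.9.9"}
SCANNER_NOISE_RULES = {"port_scan", "vuln_probe"}

DEDUP_WINDOW = timedelta(minutes=5)    # assumed: repeats of one alert inside this window are one event
CASE_WINDOW = timedelta(minutes=15)    # assumed: alerts on one host inside this window belong together


def _ts(alert):
    return datetime.fromisoformat(alert["ts"])


def suppress_known_benign(alerts):
    """Drop alerts whose source and rule both match an allowlisted benign cause; keep a record of why."""
    kept, suppressed = [], []
    for a in alerts:
        if a["src_ip"] in AUTHORIZED_SCANNERS and a["rule"] in SCANNER_NOISE_RULES:
            suppressed.append({**a, "reason": "authorized scanner"})
        else:
            kept.append(a)
    return kept, suppressed


def deduplicate(alerts):
    """Collapse repeats of the same (tool, rule, host) within DEDUP_WINDOW of the first hit, keeping a count."""
    first_seen = {}
    out = []
    for a in sorted(alerts, key=_ts):
        key = (a["tool"], a["rule"], a["host"])
        prev = first_seen.get(key)
        if prev is not None and _ts(a) - _ts(prev) <= DEDUP_WINDOW:
            prev["count"] += 1          # prev is the dict already in `out`
            continue
        a = {**a, "count": 1}
        first_seen[key] = a
        out.append(a)
    return out


def build_cases(alerts):
    """Group alerts on the same host that arrive within CASE_WINDOW of the case's first alert, then score."""
    cases, open_case = [], {}
    for a in sorted(alerts, key=_ts):
        c = open_case.get(a["host"])
        if c is None or _ts(a) - c["first_ts"] > CASE_WINDOW:
            c = {"host": a["host"], "first_ts": _ts(a), "alerts": []}
            open_case[a["host"]] = c
            cases.append(c)
        c["alerts"].append(a)
    for c in cases:
        tools = {a["tool"] for a in c["alerts"]}
        c["alert_count"] = len(c["alerts"])
        c["tools"] = sorted(tools)
        c["rules"] = sorted({a["rule"] for a in c["alerts"]})
        # Two independent tools agreeing on one host is the cheapest strong signal available at triage time.
        c["priority"] = "high" if len(tools) >= 2 else "low"
    return cases


def triage(alerts):
    """Full first pass: suppress, deduplicate, group, rank. Returns (cases, suppressed)."""
    kept, suppressed = suppress_known_benign(alerts)
    cases = build_cases(deduplicate(kept))
    cases.sort(key=lambda c: (c["priority"] != "high", c["first_ts"]))
    return cases, suppressed


if __name__ == "__main__":
    cases, suppressed = triage(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(cases)} cases, {len(suppressed)} suppressed")
    for c in cases:
        print(f"[{c['priority']}] {c['host']} at {c['first_ts']}: {c['alert_count']} alerts from {c['tools']}")
```

On the constructed input, seven raw alerts become two cases: the workstation with credential dumping, LSASS access and SMB lateral movement corroborated by three tools lands at the top as high priority, the lone PowerShell alert sits below it, and the two port scans from the authorized scanner are set aside with their reason recorded. The suppression list is returned rather than discarded on purpose: auditing what the pipeline threw away is how you catch an allowlist entry that has become too broad.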
Adding to their troubles is the continuing drought of skilled cybersecurity professionals who could help SOC analysts carry the load. By some estimates, there are over 3 million open cybersecurity seats waiting to be filled around the world.
Given these challenges, organizations face an uphill battle not only in keeping their people in house, but in making them more effective at handling the avalanche of threats barreling down on them.
Below are a few ideas of what they can do.
3 Tools and Approaches for Supporting Your SOC
The focus for improving SOC effectiveness and resilience should be on selecting technologies that reduce the workload on the human, point them at the most pertinent threats, and leave them better equipped for their mission.
Implement Machine Learning
Given the scale and velocity of the alerts, SOC analysts need tools that cut through as much of the noise as possible; we cannot expect humans to sort through these quantities of data unaided.
Machine learning models can be trained to spot threats and improve their accuracy over time. The two main goals here are to clear out many of the false positives and to provide context that makes analysts more effective in their investigations. One caveat a practitioner will want stated: a model that learns from analyst dispositions inherits whatever errors those dispositions contain, so its suppressions need periodic review rather than blind trust.
Seek Out Suspicious Behavior
A SOC is more than a human-operated antivirus matching blocklisted signatures. More and more attacks go after resources by compromising the identity layer, so understanding how users are supposed to be using the systems is essential.
User Behavior Analytics learn what the baseline of normal behavior looks like for each user and alert on activity that may be an indicator of compromise.
These can be actions like unusually large data transfers, bursts of failed logins, access to sensitive systems outside the set an employee regularly uses, and more.
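What "baseline" means in practice is easier to see in code than in prose. Below is an added example written for this page (not the code of any UBA product) that learns two things per user from a window of past events, the hosts they touch and the sizes of their file transfers, and then scores new events for the three behaviors just listed. The key=value log format, the usernames and hostnames, the list of sensitive hosts, and the thresholds (five failures in ten minutes, three standard deviations above the user's own transfer mean, five historical transfers before that statistic is trusted) are all assumptions for the demo.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample events in a simple key=value format; not the output of any real product.
BASELINE_LOG = """
2024-03-04T09:01:00 user=alice action=login host=crm-01
2024-03-04T09:05:00 user=alice action=transfer host=fileshare-01 bytes=120000
2024-03-04T13:10:00 user=alice action=transfer host=fileshare-01 bytes=95000
2024-03-05T09:02:00 user=alice action=login host=crm-01
2024-03-05T10:15:00 user=alice action=transfer host=fileshare-01 bytes=110000
2024-03-05T16:40:00 user=alice action=transfer host=fileshare-01 bytes=130000
2024-03-06T09:00:00 user=alice action=login host=crm-01
2024-03-06T11:30:00 user=alice action=transfer host=fileshare-01 bytes=105000
2024-03-04T08:30:00 user=bob action=login host=build-02
2024-03-05T08:35:00 user=bob action=login host=build-02
"""

NEW_LOG = """
2024-03-07T02:00:00 user=alice action=auth_fail host=crm-01
2024-03-07T02:00:20 user=alice action=auth_fail host=crm-01
2024-03-07T02:00:41 user=alice action=auth_fail host=crm-01
2024-03-07T02:01:02 user=alice action=auth_fail host=crm-01
2024-03-07T02:01:25 user=alice action=auth_fail host=crm-01
2024-03-07T02:02:00 user=alice action=login host=crm-01
2024-03-07T02:05:00 user=alice action=login host=hr-db-01
2024-03-07T02:09:00 user=alice action=transfer host=fileshare-01 bytes=4800000
2024-03-07T08:31:00 user=bob action=login host=build-02
"""

SENSITIVE_HOSTS = {"hr-db-01"}   # assumption: first-time access to these escalates severity


def parse_log(text):
    """Parse the constructed key=value lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, *pairs = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, value = pair.split("=", 1)
            event[key] = int(value) if key == "bytes" else value
        events.append(event)
    return events


def build_baselines(events):
    """Per user: the set of hosts used and the list of transfer sizes seen in the learning window."""
    hosts, transfers = defaultdict(set), defaultdict(list)
    for e in events:
        hosts[e["user"]].add(e["host"])
        if e["action"] == "transfer":
            transfers[e["user"]].append(e["bytes"])
    return {"hosts": hosts, "transfers": transfers}


def detect(events, baselines, fail_threshold=5, fail_window=timedelta(minutes=10), z=3.0, min_history=5):
    """Score new events against the learned baselines; returns findings in time order."""
    findings = []
    recent_failures = defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        user, host, ts = e["user"], e["host"], e["ts"]

        if e["action"] == "auth_fail":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > fail_window:      # slide the window
                q.popleft()
            if len(q) == fail_threshold:              # fire once, when the threshold is first crossed
                findings.append({"type": "auth_failure_burst", "user": user, "host": host, "ts": ts,
                                 "severity": "medium", "detail": f"{len(q)} failures within {fail_window}"})
            continue                                   # a failed attempt is not an access; skip the checks below

        known_hosts = baselines["hosts"].get(user)
        # Users with no learned baseline are not scored: every host would be "novel" and the output pure noise.
        if known_hosts is not None and host not in known_hosts:
            findings.append({"type": "novel_host_access", "user": user, "host": host, "ts": ts,
                             "severity": "high" if host in SENSITIVE_HOSTS else "medium",
                             "detail": f"first seen on {host}; usual hosts {sorted(known_hosts)}"})

        if e["action"] == "transfer":
            history = baselines["transfers"].get(user, [])
            if len(history) >= min_history:
                mu, sd = mean(history), pstdev(history)
                limit = mu + z * max(sd, 0.1 * mu)     # floor the spread so a flat history cannot make the bound trivial
                if e["bytes"] > limit:
                    findings.append({"type": "large_transfer", "user": user, "host": host, "ts": ts,
                                     "severity": "medium",
                                     "detail": f"{e['bytes']} bytes vs. baseline limit {int(limit)}"})
    return findings


def run_demo():
    baselines = build_baselines(parse_log(BASELINE_LOG))
    return detect(parse_log(NEW_LOG), baselines)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f['severity']}] {f['ts']} {f['type']} user={f['user']} host={f['host']}: {f['detail']}")
```

Run against the constructed logs, the detector raises three findings for alice in the small hours and nothing for bob: a burst of five failed logins, a first-ever login to the HR database (escalated to high because the host is on the sensitive list), and a transfer roughly forty times her usual size. Note that the three are emitted as separate findings; stitching them into one story is exactly the correlation step that SOC analysts are asked to do by hand when the tooling stops here. Two design points worth carrying into a real deployment: the novelty check deliberately stays silent for users without a learned baseline, so new joiners need a learning period (or a peer-group baseline) before they are scored, and the transfer bound is floored at ten percent of the mean so that a user whose history is perfectly regular does not trip on a trivial deviation.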
Continue to Educate Your Team
Buying the right security products is important, but the most valuable assets you have in your SOC are your analysts. Invest in them.
We keep throwing more tools at our SOCs, but we are not really teaching analysts how to get the most out of those tools and the data they collect. We can do better.
Invest time and resources into regular training sessions, making resources available to your team to do both structured and unstructured learning. Work with your vendors to set up feature training sessions for your analysts so that they can really become familiar with their tools.
Offer to sponsor certifications and for them to attend industry education events.
The more capable they become through further education and familiarity with the technologies, the better off your organization will be. It also matters that analysts feel their organization is investing in them, rather than feeding them into a meat grinder.
Work Smarter, Not Harder
SOC analysts are the first line of defense and carry the brunt of corporate information security responsibility on their shoulders, so it makes sense that they would be looking for an easier path in their InfoSec careers.
SOC analysts agree that they need to work smarter, not harder. In practice, this means automating more of their routine tasks so that they can focus their effort on the work that requires human attention. Companies that recognize this and take the right steps will reap the benefits of a more motivated and capable workforce.
Organizations have the opportunity now to invest in the right tools, practices and ongoing training to not only retain good people but make them even more effective for the future, hopefully improving their security response effectiveness in the process.