A deepening skills shortage, data overload, and a lack of a clearly defined mission are among several factors undermining the ability of security operations center (SOC) teams to carry out their functions effectively at many organizations. Numerous recent studies suggest that, even as the role of the SOC has evolved and become more business-critical, so have the challenges facing them.
Modern SOCs—or at least those at organizations following best practices—handle the entire cyber-risk monitoring and management functions for the enterprise. Responsibilities include everything, including architecture planning, administration, and compliance; capturing and analyzing log and event data; identifying, investigating, and responding to incidents; assessing vulnerabilities; and, increasingly, conducting threat intelligence and threat hunting.
Many organizations have begun deploying new technologies alongside SIEM—including AI and machine learning, next-gen firewalls, endpoint detection and response (EDR), user and entity behavior analytics (UEBA), and security orchestration and automation (SOAR) tools—to try to extract more insights from the flood of data generated by enterprise security tools.
The changes are putting tremendous pressure on SOC teams and exacerbating existing challenges caused by skills shortages, data overload, turf issues, and undefined or under-defined mission scoping.
A recent survey by the Ponemon Institute for Devo Technology found that 70% of SOCs are struggling from a lack of visibility into the environment they are supposed to protect, that turf issues are slowing down more than 60%, and that 71% feel they don't have enough automation. Complexity, chaos, and burnout from information overload have contributed to a startling 60% of SOC professionals expressing a desire to leave their jobs or switch careers.
To build an environment that doesn’t overstress their people, SOC leaders need to understand their team’s needs and challenges, define processes, and implement the right technologies to set their team up for success, said Julian Waits, general manager cybersecurity at Devo Technologies.
"Security leaders seeking to retain their top SOC personnel need to remember, first and foremost, that it’s not about technology; it’s about people."
—Julian Waits
Here are four tips for aligning your SOC team for success.
1. Automate to augment staff
Most SOCs are drowning under a deluge of security event and alert data from their networks. Analysts at inadequately staffed SOCs spend a majority of their time poring through the alerts, sifting the true from the false, and trying to drill down into the ones that matter. Experienced analysts, who would be more useful hunting down threats and conducting vulnerability assessments, often end up analyzing threat data instead—and even then a vast number of the alerts received daily are left unaddressed.
"The modern SOC needs tools to automate responses and cut down the amount of manual investigation time that ends up looking into false positives," said Gil Shulman, vice president of products at Illusive Networks. For an organization with a mature, three-level SOC, the average triage time per incident for Tier 1 analysts—the ones who analyze threat data—is between 19 and 24 minutes, he said. Often these organizations can have about 20 to 25 of these incidents per day. Tier 2 analysts—who triage and investigate the alerts—can spend between 60 and 80 minutes on a typical incident with as many as six to seven per day to address.
"This leaves essentially no time for any other activity, with a significant portion of those workdays devoted to incidents that turn out to be false positives," Shulman said. Decreasing time wasted on ticket enrichment will allow analysts to perform to their strengths and provide a much more satisfying job experience for them, he said.
"Ideally, the goal should be to move investigation downstream where possible, away from Tier 3 down to Tiers 1 and 2."
—Gil Shulman
The 2019 State of SecOps Report, sponsored by Micro Focus, found that technologies such as UEBA, SOAR tools, and AI and machine learning are growing in popularity within organizations looking to automate. The report noted:
"SOCs must first identify relevant security use cases and then select the right tools to meet them head-on."
—Julian Waits
2. Align your SOC with IT and the business
Devo's Waits advises establishing clear lines of communication across the security group and IT and working to ensure that the SOC is also closely aligned with the business priorities of the organization.
Devo's survey found that turf battles and silo issues between the SOC and IT are common even for high-performance teams. Nearly two-thirds (64%) in fact described turf issues and siloed functions as damaging SOC ROI. "Establishing mature management of the security function—which needs to start with the CEO—demands clear and open communications between the CISO and the VP of IT."
Organizations need to share and centralize security information and ensure visibility into the entire environment and all of the organization’s data. "This will enable SOC teams and their IT counterparts to work together much more efficiently and effectively as they perform their respective jobs."
A defined mission is critical as well. Micro Focus' study found that many SOCs have a less-than-clear understanding of their mission. As a result, there often is a lack of understanding of what exactly the SOC is required to protect from the standpoints of the user, applications, and data.
"To align security staff with the goals of the business, SOCs must not only define a mission, but clearly and frequently communicate it throughout the organization."
—Julian Waits
3. Educate, retrain and retain
A study that the SANS Institute conducted last year on common and best practices for SOCs found that the organizations that had the most success improving SOC performance were the ones that focused on increasing staff skills and providing people with opportunities to learn and grow. SANS found that organizations that gave their SOC analysts regular job rotation opportunities, including threat detection and use case development, had lower staff turnover rates than those that did not.
Those that used managed security service providers for Tier 1 and Tier 2 monitoring functions focused on educating and skills enhancement of their internal staff to increase productivity. Those relying on internal staff for all their SOC needs look toward the network and IT organizations for new hires because they already have some knowledge of the technology and the business.
Daniel Kennedy, an analyst with 451 Research. Organizations often can have a hard time retaining junior staffers who over time gain experience but get stuck with repetitive work.
"We hear a good deal about the difficulty in keeping the SOC staffed. Given the nature of a SOC and turnover, my advice has always been to seek broad-based skills in IT in the first level of SOC analysts."
—Daniel Kennedy
The goal should then be to continually seek ways to move people up to more complex roles as quickly as their experience and acquired skill sets allow, Kennedy said.
To build an environment that doesn’t overstress their people, SOC leaders need to understand their team’s needs and challenges, establish clearly defined processes, and implement the right technologies, Waits said.
"Cross-training analysts on various job functions is a great way for individuals to develop skills across the wide array of specialties [within an SOC]. It will also keep them engaged and interested in their work, which is good for everyone."
—Daniel Kennedy
4. Enable better visibility
The SOC has become the nerve center for an organization's security posture. The continuously evolving—and broadening—nature of SOC responsibilities has driven major changes in its structure, said Waits. For SOC analysts to be able to deliver on their responsibilities, they need full visibility of the assets they are required to protect. That includes visibility into a centralized repository of all of an organization's data.
"Security analysts now require interoperability, automation, and orchestration to enhance and streamline processes across a set of integrated tools and systems."
—Julian Waits
SANS' survey found that organizations that have integrated their network operations and SOC generally tended to have higher levels of visibility and quicker threat detection, even on infrastructure-as-a-service platforms.
A call to action
Enterprise SOCs are in a state of flux. Evolving business requirements and an increasingly sophisticated threat environment have significantly expanded the scope of responsibilities for SOCs even as challenges posed by staff shortages and other issues have continued to mount.
To better align their SOC for success in coming years, organizations need to augment existing staff through automation and tactical outsourcing where possible, and focus on retaining staff through cross training and opportunities for career-growth.
