2/12/2018
03:55 PM
One in Three SOC Analysts Now Job-Hunting

The more experienced a SOC analyst gets, the more his or her job satisfaction declines, a new survey of security operations center staffers shows.

Landing a job as an entry-level security operations center (SOC) analyst often provides a foot in the door to the cybersecurity field, but a new survey shows the more seasoned a SOC staffer gets, the more likely he or she will become disillusioned with the position.

New data from the Cyentia Institute's "Voice of the Analyst Study" of security operations center teams shows that while three in four SOC analysts are satisfied with their jobs, some 45% say the reality of the SOC isn't what they had expected. Some 70% of entry-level (one to two years' experience) SOC analysts say their job meets their expectations, while just 43% of more experienced SOC analysts say so, according to the report, commissioned by SOC automation vendor Respond Software.

As one SOC analyst respondent quoted in the report explained, the novelty of a new SOC gig basically wears off after a while: "I was drawn to the SOC by misguided youthful ideals, which have been ground into a fine powder by years of poor management and lack of support from higher-ups."

The report, provided in advance of its publication to Dark Reading, also found that job dissatisfaction ranks 25% higher among experienced SOC staffers, and one in three SOC analysts overall is currently job-hunting for a position elsewhere. Of the 160 respondents, three-quarters are SOC analysts, 20% SOC managers, and 5%, engineers or project managers in the SOC.

Wade Baker, co-founder of The Cyentia Institute and an author of the report, says he had expected entry-level SOC analysts to be the most unhappy members of the SOC, not the seasoned ones. "It was counterintuitive to me. I thought the quintessential entry-level analysts feel less respected and maybe more dissatisfied. We found the opposite: the longer you're in the SOC and the more experience you have, dissatisfaction and things like that grow," Baker says.

SOC analysts say they were drawn to their positions for a new challenge, skills, more money, and as a way to make a difference, but those same incentives also are what's drawing them to leave their current jobs, according to the report. "If you want to keep them around, offering those same positives in-house is just as important as eliminating the negatives that drive them out," the report says. "Roughly 3 out of 4 point to a desire for more intellectually challenging work, the chance to learn new skills, and/or a chance to defend and help the business."

Change of SOCs

Entry-level, or Tier 1, SOC analyst positions are notoriously high-burnout gigs. Sitting in front of a monitor and manually clicking through thousands of raw alerts from firewalls, IDS/IPS, SIEM, and endpoint tools, looking for that needle in a haystack, is at the same time both monotonous and stressful. Ignoring an alert tied to a real attack does happen: just ask Target, which in 2013 dismissed as false positives the alerts that flagged its massive breach.

SOC experts say the job of the entry-level SOC analyst gradually will be replaced with automation and orchestration technologies that streamline the traditionally manual, front-line role. The Tier 1 analyst position will evolve into a new, more advanced role akin to the Tier 2 analyst, who triages flagged alerts.

"For me, the SOC of the future is having as much done automatically as possible" on the front lines, says Brett Wahlin, the former CISO at HP. The first level of human contact with the event data would be a next-generation SOC Level 2 analyst, who applies human analysis once an issue crosses a set threshold, for example. "It takes a human touch to see if you actually have got a bad guy or not," he says.

Today's Tier 1 SOC analyst job basically was born out of the mass of logs security tools produce, notes Josh Maberry, director of security operations at Critical Start, an MSSP. "The Tier 1 analyst was never supposed to be a manual-event job in the first place. It became that as a necessity because there weren't any automation and orchestration [tools] there yet," he says. "They [became] eye filters … So analysts began to drown. The whole thing became an events-to-bodies ratio."

It's those factors that have led to the high turnover in the SOC, experts say. The most time-consuming task in the SOC is monitoring, followed by intrusion analysis and shift operations handoff duties, according to the Cyentia SOC analyst survey. "The notion of monitoring taking a lot of time is not surprising," says Mike Armistead, co-founder and CEO of Respond Software, noting that monitoring ranks low among the tasks SOC analysts want to be doing.

Shift operations is also considered a burden: that's when analysts receive feedback on their incident reports, or transfer information during the handoff of their shifts. "That's the place where tribal knowledge is transferred among people," he says, so if SOC analysts are unhappy with that process, it could be a red flag for the organization.

New data published today from a separate study by Advanced Threat Analytics (ATA) of 50 managed security services providers (MSSPs) offers a glimpse at the volume of security alerts MSSPs face: nearly 45% say they see a 50% or higher rate of false positives, and 64% say it takes an average of 10 minutes or more to investigate each alert.

That volume of alerts forces SOC analysts of all levels to spend in some cases more than five hours a day investigating even false positives, according to that study. Alin Srivastava, president of ATA, says that distracts the MSSPs' SOC analysts from real threats and incidents.

Monitoring is the task least likely to be tied to catching an intruder, according to the SOC analysts surveyed for Cyentia's SOC report. "You get the sense [from the survey] that they feel a lot of time is wasted on relatively low-value efforts," Cyentia's Baker says.

Automation can help eliminate the low-level, repetitive monitoring tasks that "require human fingers more than human brains," the report says. Threat hunting and forensics, meanwhile, still require humans to handle that level of analysis.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Araedon,
User Rank: Apprentice
2/13/2018 | 1:15:40 PM
Cybersecurity is a constant battle.
Of course, SOC Analysis is a high burnout job. After 17 years in the cybersecurity field, directly and indirectly, the refusal to see security as a critical business process will burn out the most idealistic and enthusiastic practitioner. If the employee has to face dismissive administration on a daily basis, how do you think they'll react? I'm surprised that more insider threats don't come from the cybersecurity professionals after being treated like a leper for most of their careers. Our jobs aren't to make life harder for the users, but for the cybercriminals that take advantage of them. Somehow, through cultural pressure, the cybersecurity professional has become almost a derogatory term thanks to the lack of understanding from management perspectives. We have to lead up the chain of authority but we've become Sisyphus pushing the cybersecurity boulder up the hill for all eternity because it's not the easiest solution. We need support from our co-workers and especially our leadership to take security more seriously.