Tool Overload & Attack Surface Expansion Plague SOCs

Security professionals are burning out from handling too many tools and facing a growing number of threats, and more than 40% see lack of leadership as the main problem.

[Chart: Security leaders and staff are not on the same page, especially in their estimates of critical capabilities. Source: "2021 Devo SOC Performance Report"]

Security analysts and other professionals continue to suffer from burnout due to a lack of staff and too many tools, among other issues, new data shows. Nearly three-quarters (72%) of security analysts have rated the pain of doing their jobs as a 7 or higher on a 10-point scale, with a score of 10 indicating that performing their jobs is a horribly painful experience.

The report, published Dec. 14 by security management firm Devo, is based on a survey of more than 1,000 security professionals. Responses indicate the top issues they face include an increasing workload that continues to burn out security analysts, and more than two-thirds of respondents also blame information overload and a lack of visibility into the attack surface. Six in 10 security professionals have considered changing their jobs in the last year to move away from the security operations center (SOC), the survey found.

Unfortunately, the analyst staff and the security leadership do not see the same problems or all the same solutions, says Gunter Ollmann, chief security officer for Devo.

"There is still a fundamental gap between the executives and the SOC teams, and that is worrisome," he says. "The staff is saying, 'I have too much work to do, so, help me, because my bosses still require me to close my cases.' Where from the leader's perspective, there are more cases, so they are looking to solve that as a productivity problem."

SOCs are a complex endeavor, and the move to remote work for both employees and SOC analysts has made the issue worse in many ways. While 73% of respondents see the SOC as very important or essential to their organization's overall cybersecurity strategy, the lack of visibility into the organization's IT infrastructure, silos between IT and security, and ongoing demand for more staff have made about a quarter of SOCs less effective than average, according to the Devo report.

The expansion of the attack surface, driven by an increase in remote employees and devices, and a jump in the number of tools that security professionals need to work with have increased the complexity of operating a SOC.

"Having sat in SOCs myself, on one hand, you want tools to make your job more efficient, but in the security community now, there are so many different tools and so much overlapping," Ollmann says. "There is a move from the best of technologies to, now, moving from trying to integrate the best-of-breed tools and technologies, to look for a suite that is well integrated and I can be more secure by using that."

Staff shortages will not be solved quickly, and companies may have to consider outsourcing some security functions or working with consultants to design and implement specific security capabilities.

"The attack surface keeps on expanding across the enterprise, and with that expanding attack surface, you need deep expertise in outlying technologies," Ollmann says. "I think we need to look at the gig economy approach to security, ... tapping the wider community of experts in that particular vector to help mitigate these issues."

Two of the most important approaches to minimize the pain of security staff are to normalize the work schedule and provide stress management programs and counseling, with 52% and 49% of respondents requesting those steps, respectively, according to the report.

On the bright side, in companies that have transitioned to a virtual or hybrid SOC, the move to remote work has improved working conditions overall, allowing SOC analysts to spend more time with their families.

"Operating a SOC has never been a 9-to-5 job, so being remote in your own home allows you to better manage your hours and allow you to be with your family, which is having a positive effect for those more advanced SOC operators," Ollmann says. "There are still a lot of companies that feel that they need to have people in a room, but that is slowly changing."

With respect to SOC effectiveness, the different viewpoints between leaders and staff highlight that communication needs to improve. Half of executives surveyed consider the SOC to be effective, while only 39% of staff feel likewise. The gap widens for the most critical capabilities, such as gathering evidence and investigating and finding the source of threats. For those capabilities, 55% of executives consider the SOC to be effective, while only a third (33%) of staff think the same.

"The gap between the leadership and the trenches is not closing," Ollmann says. "Those leaders and the security staff need to have the same view, because if the views are different, it is impossible to manage effectively."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
