Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operational Security

4/23/2018
09:35 AM
Alan
 Zeichick
Alan Zeichick
Alan Zeichick
50%
50%

It's the People: 5 Reasons Why SOC Can't Scale

There are always more security alerts and threats to respond, but the answer isn't to simply throw more money at the SOC to hire additional Tier 1 and Tier 2 security analysts.

SAN FRANCISCO -- Blame people for the SOC scalability challenge. On the other hand, don't blame your people. It's not their fault.

The security operations center (SOC) team is frequently overwhelmed, particularly the Tier 1 security analysts tasked with triage. As companies grow and add more technology -- including the Internet of Things (IoT) -- that means more alerts.

As the enterprise adds more sophisticated security tools, such as Endpoint Detection and Response (EDR), that means more alerts. And more complex alerts. You're not going to see a blinking red light that says: "You're being hacked." Or if you do see such an alert, it's not very helpful.

What's the problem? It's the people, say experts at the RSA Conference, which wrapped up last week. The SOC team -- or teams -- simply can't scale fast enough to keep up with the ever-increasing demand. Let's talk about the biggest problems challenging SOC scalability.

Reason #1: You can't afford to hire enough Tier 1 analysts
You certainly can't afford the Tier 2 analysts who respond to real -- or almost certainly real -- incidents. According to a quick glance at sites like Glassdoor and Indeed, be prepared to pay over $100,000 per month, per person. Reason #2: You can't find the analysts; there's not a huge talent pool
"We've created a growing demand for labor, and thus, we've created this labor shortage," said Malcolm Harkins, chief security and trust officer of Cylance.

There are huge numbers of open positions at all levels of information security, and that includes in-enterprise SOC team members. Sure, you could pay more, or do competitive recruiting, but go back to the previous point: You can't afford that. Perhaps a managed security service provider can afford to keep raising salaries, because an MSSP can monetize that expense. An ordinary enterprise can't, because security is an expense.

Reason #3: Team training is a never-ending journey without a happy ending
Even with the best security tools, being an analyst requires constant training on threats and techniques -- which is expensive to offer, especially for a smaller organization. And wouldn't you know it, as soon as you get a group of triage specialists or incident responders trained up nicely, off they go for a better job. Reason 4: Collaboration is tough for incident handoffs to the next analyst
Rishi Bhargava, co-founder of Demisto, pointed out that around-the-clock, follow-the-sun security, with investigations and incident response, brings its own challenges, particularly during shift changes.

"Collaboration, along with all the skill set problems, is a real problem," Bhargava said. "How do you do the handoff? How does the collaboration happen? How do you ensure that everyone has the right context to advance the investigation?"


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth annual Big Communications Event. There's still time to register and communications service providers get in free!

You can't send the next shift team an email explaining the status of today's incidents, he added, and hope an analyst can pick up it up at the start of his or her shift.

Reason #5: Security management can't scale either
There's alert fatigue for the Tier 1 and Tier 2 analysts, but the problems go all the way up the food chain.

"There's decision-maker dementia for the executives, who are pulled in too many different directions with competition priorities -- and they can't figure out how to scale either," said Cylance's Harkins. There are too many risks that senior analysts and management must address, contain or stop, for the good of the company.

It's not their fault
Go ahead, blame the analysts, and security managers, for not handling an ever-increasing workload, while fighting alert fatigue, knowing the next incident might be a Target-sized, or Equifax-sized, data breach. The real challenge is to find more resources, including better tools, practices and procedures, for scaling the SOC.

Because you can't simply throw more people at the problem.

Related posts:

— Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I can't find the back door.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21275
PUBLISHED: 2021-01-25
The MediaWiki "Report" extension has a Cross-Site Request Forgery (CSRF) vulnerability. Before fixed version, there was no protection against CSRF checks on Special:Report, so requests to report a revision could be forged. The problem has been fixed in commit f828dc6 by making use of Medi...
CVE-2021-21272
PUBLISHED: 2021-01-25
ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the ...
CVE-2021-23901
PUBLISHED: 2021-01-25
An XML external entity (XXE) injection vulnerability was discovered in the Nutch DmozParser and is known to affect Nutch versions < 1.18. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML ...
CVE-2020-17532
PUBLISHED: 2021-01-25
When handler-router component is enabled in servicecomb-java-chassis, authenticated user may inject some data and cause arbitrary code execution. The problem happens in versions between 2.0.0 ~ 2.1.3 and fixed in Apache ServiceComb-Java-Chassis 2.1.5
CVE-2020-12512
PUBLISHED: 2021-01-22
Pepperl+Fuchs Comtrol IO-Link Master in Version 1.5.48 and below is prone to an authenticated reflected POST Cross-Site Scripting