We often talk about security operations centers (SOCs) as if they have been around for years. In fact, having a dedicated team that spends all its time watching and managing security events, and that follows consistent processes for remediation, is a relatively new concept. Yet however short their history, security organizations must examine how to make their SOCs more effective, especially given aggressive adversaries such as nation-state hackers, cyber gangs, and ransomware cartels.
The clearest indicator that something is wrong in SOCs is the unacceptably high burnout rate among analysts. A recent Ponemon Institute survey of more than 500 IT and security practitioners bears this out: two-thirds of respondents said it is very likely or likely that their experienced SOC analysts would quit because of job stress. As security leaders, we have a responsibility to reduce the stress and pain of working in a SOC, both to improve analysts' job satisfaction, health, and retention and to improve SOC effectiveness.
The SOC Must Align with the Business
A well-managed SOC is the heart of an organization's security program. Other disciplines, vulnerability management and threat intelligence for example, feed into the nerve center that is the SOC. With this in mind, deciding which events SOC analysts should focus on is simple: the threats that matter most to the business, meaning the events, alerts, and indicators of compromise (IOCs) that require action. Analysts should not spend their time chasing everything that enters the environment. Getting there requires a higher level of SOC maturity: prioritization, and an understanding of which alerts involve high-value assets.
CISOs need to ask themselves, "What key benefits does the SOC contribute to my overall security and risk management program?" Once those benefits are defined, the other pieces, visibility, automation, and even the way you apply machine learning, should be built around enabling the SOC to deliver what the business needs most.
Analysts are People Too
Fostering a SOC culture starts and ends with people: the analysts. You must invest in their ongoing education and professional growth and empower them to do their jobs. Tools are not valuable until people learn to use them effectively. That starts with establishing performance metrics, understanding the business's needs from a risk perspective, and using your SIEM properly. In other words, tune out everything that is unimportant while ensuring that analysts have the right technology for a mature SOC environment.
Do these things and tier-one analysts won't burn out from chasing everything that crosses their screens. They'll be able to work 9 to 5, without regularly being called in late at night to continue an investigation. They'll also be able to work remotely quite effectively. Reducing burnout will also help you scale your SOC as your business grows and reward deserving analysts with promotions and greater responsibilities.
Process is Critical
If people are the most important asset of a mature SOC, then process is the foundation that makes those people successful. Process turns your objectives into daily practice, and it is how you measure success. It is also how you evaluate how well people interact with technology to achieve those metrics. You can deploy the most advanced SIEM or other technologies, but unless you have the right processes in place to use them effectively, and the right people with the right skills operating them, you will not realize their full value.
Every SOC analyst worth their salt wants to work on what is interesting rather than whatever happens to be scrolling past at the moment. The goal for CISOs is to build an environment where analysts can focus on the interesting things, which usually means the hard things, and not on the routine work that technology should handle.
Automation: An Ally not an Enemy
When automation comes up in the context of SOC teams, people often jump to the conclusion that it means automating analysts out of jobs. That's not how I see it. Automation can be a huge asset in helping SOCs deal with alerts and IOCs quickly and effectively.
When I think about the right type of automation for SOCs, it is about automating the incident workflow to give analysts more context and to cut the time from detection to response. Do that, and the SOC team can significantly reduce or eliminate the damage from an attack. That is the ultimate goal for any SOC team and the organization it supports.
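As an added example, not code from the original article or from Devo: a small Python triage step of the kind the paragraph above, and the earlier point about prioritizing alerts that involve high-value assets, describe. It enriches each alert with asset-inventory context and a threat-intel lookup, scores it, and assigns a disposition so that expected noise is closed automatically and the highest-impact alerts reach an analyst first. The inventory, IOC list, weights, thresholds and sample alerts are all constructed placeholders, not data from any real SIEM.

```python
from dataclasses import dataclass, field

# Constructed sample data: a stand-in for a CMDB export and a threat-intel feed.
# Field names, weights and thresholds are assumptions made for this example.
ASSET_INVENTORY = {
    "10.0.1.5":  {"name": "pay-db-01",     "criticality": "high",   "owner": "payments"},
    "10.0.1.9":  {"name": "hr-app-01",     "criticality": "medium", "owner": "hr"},
    "10.0.2.17": {"name": "dev-laptop-42", "criticality": "low",    "owner": "eng"},
}
KNOWN_BAD_IPS = {"203.0.113.7"}      # constructed IOC (a TEST-NET-3 address)
AUTHORIZED_SCANNERS = {"10.0.9.1"}   # the vulnerability scanner the SOC already knows about

SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 15, "low": 5}
CRITICALITY_WEIGHT = {"high": 50, "medium": 25, "low": 5}
UNKNOWN_ASSET = {"name": "unknown", "criticality": "medium", "owner": "unknown"}


@dataclass
class Alert:
    alert_id: str
    rule: str
    severity: str
    host_ip: str          # the internal asset the alert concerns
    peer_ip: str          # the other end of the connection, if any
    context: dict = field(default_factory=dict)
    priority: int = 0
    disposition: str = "untriaged"


def enrich(alert: Alert) -> Alert:
    """Attach the context an analyst would otherwise look up by hand."""
    # An unknown host gets medium criticality on purpose: a gap in the
    # inventory is not a reason to treat the alert as unimportant.
    alert.context["asset"] = ASSET_INVENTORY.get(alert.host_ip, UNKNOWN_ASSET)
    alert.context["peer_is_ioc"] = alert.peer_ip in KNOWN_BAD_IPS
    alert.context["peer_is_authorized_scanner"] = alert.peer_ip in AUTHORIZED_SCANNERS
    return alert


def prioritize(alert: Alert) -> Alert:
    """Score the enriched alert and decide where it goes."""
    asset = alert.context["asset"]
    score = SEVERITY_WEIGHT.get(alert.severity, 15) + CRITICALITY_WEIGHT[asset["criticality"]]
    if alert.context["peer_is_ioc"]:
        score += 30
    if alert.context["peer_is_authorized_scanner"]:
        score = 0   # expected noise, but the record is kept for audit
    alert.priority = score
    if score == 0:
        alert.disposition = "auto-closed: authorized scanner"
    elif score >= 80:
        alert.disposition = "page on-call"
    elif score >= 40:
        alert.disposition = "queue: tier-1"
    else:
        alert.disposition = "queue: low"
    return alert


def triage(alerts):
    """Enrich, score and order a batch so analysts see the worst first."""
    return sorted((prioritize(enrich(a)) for a in alerts), key=lambda a: a.priority, reverse=True)


# Constructed alerts, shaped roughly as a SIEM would emit them.
SAMPLE_ALERTS = [
    Alert("A-1001", "Outbound connection to threat-intel IP", "medium", "10.0.1.5", "203.0.113.7"),
    Alert("A-1002", "Port scan detected", "high", "10.0.1.9", "10.0.9.1"),
    Alert("A-1003", "Burst of failed logins", "low", "10.0.2.17", "198.51.100.20"),
    Alert("A-1004", "New local administrator created", "high", "10.0.1.9", ""),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        asset = a.context["asset"]
        print(f"{a.alert_id} p={a.priority:>3} {a.disposition:<32} "
              f"{asset['name']} ({asset['owner']}) {a.rule}")
```

Running the block prints the ordered queue: the medium-severity alert on the payments database with a known-bad peer comes out on top because asset criticality and the IOC match outweigh the raw rule severity, while the high-severity port scan from the authorized scanner is closed without an analyst touching it. The closed alert is retained rather than dropped so the automated decision can be audited later.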
People, process, and technology working together to keep the organization secure are the keys to an effective, sustainable SOC team that can meet today's and tomorrow's security challenges.
About the Author: Julian Waits, General Manager, Cyber Business Unit, Devo
Julian has 30+ years in senior leadership roles at technology companies, specializing in security, risk and threat detection. He serves on several industry boards, including ICMCP and NICE, promoting development of the next generation of cybersecurity professionals.