
Operations

4/27/2020
09:00 AM
By Julian Waits, General Manager, Cyber Business Unit, Devo
Sponsored Article

Reshaping the SOC: How to Foster a Culture of Growth

People, process, and technology working together to keep the organization secure are the keys to an effective, sustainable SOC team.

We often talk about security operations centers (SOCs) as if they’ve been around for years, but having a defined team that spends all its time looking at and managing security events, using consistent processes for remediation, is a relatively new concept. While SOCs may not have a long history, it’s imperative for security organizations to examine how to make them more effective, especially given aggressive adversaries in the form of nation-state hackers, cyber gangs, and ransomware cartels.

The biggest indicator that problems exist in SOCs is the unacceptably high burnout rate among analysts. This is supported by a recent Ponemon Institute survey of more than 500 IT and security practitioners. Two-thirds of respondents said it is very likely or likely that their experienced SOC analysts would quit because of job stress. As security leaders, we have a responsibility to reduce the stress and pain that come with working in a SOC so we can improve employee job satisfaction, health, and retention, as well as SOC effectiveness.

The SOC Must Align with the Business
A well-managed SOC is the heart of an organization’s security program. Other disciplines, such as vulnerability management and threat intelligence, feed into the nerve center that is the SOC. With this in mind, deciding which events SOC analysts should focus on is simple. Analysts must focus on the threats that are most important to the business: the events, alerts, and indicators of compromise (IOCs) that require action. Analysts should not spend their time chasing everything that enters the environment. A higher level of SOC maturity, with prioritization of and insight into the alerts that target high-value assets, is essential.

CISOs need to ask themselves “What key benefits does the SOC contribute to my overall risk management security program?” Once those benefits are defined, the other pieces — visibility, automation, and even the way you design machine learning — should be built around enabling the SOC to deliver what the business needs most.

Analysts are People Too
Fostering a SOC culture starts and ends with people — the analysts. You must invest in their ongoing education and professional growth and empower them to do their jobs. Tools aren’t valuable until people learn to use them effectively. This starts with establishing performance metrics, understanding the needs of the business from a risk perspective, and using your SIEM technology properly. In other words, weed out everything that’s unimportant while ensuring that analysts have the right technology for a mature SOC environment.

Do these things and tier-one analysts won’t burn out from chasing everything that crosses their screens. They’ll be able to work 9 to 5, without regularly being called in late at night to continue working on an investigation. They’ll also be able to work remotely quite effectively. Reducing burnout will also help you scale your SOC as your business grows, and reward deserving analysts with promotions and greater responsibilities.

Process is Critical
If people are the most important asset of a mature SOC, then process is the foundation needed to make the people successful. Process brings to life the objectives you want to put in place and it’s how you measure success. It’s also the way to evaluate how well people interact with technology to achieve those metrics. You can deploy the most advanced SIEM or other technologies but unless you have the right processes in place to use them effectively, and the right people with the right skills operating them, you won’t realize the full value.

Every SOC analyst worth their salt wants to work on what’s interesting rather than whatever happens to be arriving at the moment. The goal for CISOs is to build an environment where analysts can focus on the things that are interesting — which usually means the things that are hard — and not the routine work that should be handled by technology.

Automation: An Ally not an Enemy
When automation is discussed in terms of SOC teams, people often jump to the conclusion that it means automating analysts out of jobs. That’s not how I see it. Automation can be a huge asset in helping SOCs deal with alerts and IOCs quickly and effectively.

When I think about the right type of automation for SOCs, it’s about automating the incident workflow to provide analysts with more context and slashing the time from detection to response. Do that, and the SOC team can significantly reduce or eliminate damage from an attack. And that’s the ultimate goal for any SOC team and the organization it supports.

People, process, and technology working together to keep the organization secure are the keys to an effective, sustainable SOC team that can meet today’s—and tomorrow’s—security challenges.

About the Author: Julian Waits, General Manager, Cyber Business Unit, Devo
Julian has 30+ years in senior leadership roles at technology companies, specializing in security, risk and threat detection. He serves on several industry boards, including ICMCP and NICE, promoting development of the next generation of cybersecurity professionals.
