The SOC Gets a Makeover

Today's security operations center is all about reducing the number of alerts with emerging technologies - and enhancing old-school human collaboration. Here's how some real-world SOCs are evolving.

Blame it on the success of the SIEM. For many security operations center (SOC) managers, the security information and event management system was both a blessing and a curse: It was a way to consolidate and correlate security alerts from firewalls, routers, IDS/IPS, antivirus software, and servers, for example, into a centralized console. But with the recent wave of new security tools, threat intelligence feeds, and constantly mutating threats, SOCs are drowning in anywhere from thousands to a million security alerts daily. 

"A lot of companies have tool fatigue right now. There are a lot of tools that are partially implemented and not getting the care and feeding they need," says DJ Goldsworthy, director of security operations and threat management at Aflac.

The flood of alerts and out-of-tune tools, compounded by the industry's persistent talent gap and high turnover rate for junior-level SOC analysts, have forced some organizations to rethink and retool how they organize and run their SOCs.

In many cases, the evolution is being spurred by another tool: The new generation of security orchestration and automation tools that streamline and automate some tasks with automated playbooks is replacing some of the more manual tasks of clicking through each and every alert, looking for that deadly needle in the haystack.

SOC operators are reorganizing their people power, too, collapsing the virtual hierarchical walls between Tier 1, 2, and 3 SOC analysts and fostering a more cooperative and collaborative team operation where analysts work together to analyze and troubleshoot an event – and don't simply pass the baton up the chain after completing their task.

Josh Maberry, director of security operations for managed security services provider Critical Start, says once security alerts from multiple tools started flowing into the SIEM too fast and furiously, the floodgates opened, and SOC analysts became overwhelmed. "There's only so much you can manually get to in one day, only so much you can see," says Maberry, whose firm built its own event orchestration platform, Advanced Threat Analytics. "So [SOC] analysts began to drown ... The whole thing became an events-to-bodies ratio, and that's no way to win."

Organizations struggle to staff their SOC operation today, both because of that losing events-to-bodies ratio and because there simply aren't enough candidates to fill the jobs. Some 80% of organizations don't have enough analysts to run their SOC, according to a new report from security event orchestration vendor Demisto. It takes eight months, on average, to train SOC analysts for readiness; meanwhile, one-quarter of all SOC analysts turn over within two years, the study shows. The fallout: It takes organizations an average of 4.35 days to resolve a security incident.

More than half either don't have incident response process playbooks in place, or they do but don't bother updating them, the study found. "One relatively overlooked side effect of the alert fatigue and day-to-day firefighting that security teams face is the stagnancy of security processes. When analysts are strapped for time, they find it difficult to capture the gaps in current processes and update them on an ongoing basis," the report states.

Taking Back the SOC
One of the larger SOC operations is that of security vendor Symantec, with six SOC locations worldwide. Symantec's Herndon, Va., site houses both the company's internal SOC and a SOC that manages security event and response services for its customers. A team of more than 500 security professionals makes up Symantec's global SOC operation, which handles more than 150 billion security logs per day.

Symantec's internal SOC analysts are designated by level of experience and seniority (think: tiers), but they often work as a team when a security event occurs. Tony Martinez, cybersecurity operations lead for the Joint Security Operations Center (JSOC) in Herndon, says all SOC analysts – even Tier 1 analysts – are encouraged to handle an incident "end to end," meaning from detection to resolution/response. "They don't have to just throw the ticket over the fence" to a senior analyst, he says. "They ask a senior analyst to assist them."

Symantec's JSOC recently added Splunk's Phantom security orchestration and automation platform to consolidate security tools and alerts. On the managed security services side of the house, SOC analysts sit in close proximity to foster more collaboration during their shifts, and Tier 1/entry-level SOC analysts undergo three months of intense training plus a timed "queue" test that simulates incoming incidents in the SOC. Not only do they have to solve each issue correctly in the queue test, but they also must explain why they chose a specific answer, says Steve Meckl, director of managed security services at the Symantec SOC.

Junior SOC analysts ultimately get to take on more regular calls with customers and attend on-site customer visits for face-to-face meetings.

"We don't work in silos at all," Meckl says. All SOC analysts get to work on a problem from start to finish, with the junior analysts getting input from a senior one.

This more advanced and hands-on role for entry-level SOC analysts is becoming a trend: The Tier 1 SOC analyst role is expected to evolve into more of a Tier 2 role, where the analyst can investigate a flagged alert directly rather than passing it over to a Tier 2 SOC analyst.

In most SOCs, Tier 3 analysts are the more skilled analysts who can investigate a threat or malware more deeply and do forensics. As more of the Tier 1 analysts' work gets picked up by automation (think: security orchestration and automation tools), Tier 3 gains the bandwidth to conduct more proactive operations like threat hunting, while Tier 1 and 2 take on more of the investigative duties.

Brian Genz, a senior engineer at Northwestern Mutual and an expert in security orchestration and automation, response, and threat hunting, says the insurance company decided to fashion its SOC as slimmer and more collaborative to better thwart rapidly evolving threats.

Northwestern Mutual's implementation of a new security orchestration and automation tool has helped shape that transformation with automated playbooks for handling events as they come in. "Our junior SOC analysts are becoming more engaged in the what and why now – not just 'close these tickets to hit your metrics,'" Genz says.

Genz says the insurer, which uses an MSSP for around-the-clock security ops, actually considers its SOC an IR analyst operation. "So we don't typically use the term 'SOC,'" he says. "We try to put people in the shoes of an incident response analyst."

Sometimes it takes a little homegrown technology to streamline SOC operations. Take Aflac, which in its SOC runs a centralized SIEM with a behavioral analytics platform that handles a terabyte of security log data each day. The system is streamlined with a proprietary risk algorithm created by Aflac that aggregates and filters alerts. Aflac has reduced its alert count by about 70% with this combination of automation, analytics, and risk scoring.

It has also changed the role of Aflac's entry-level SOC analysts. They're not manually clicking through raw alerts and either ignoring or escalating them like traditional Tier 1 analysts. "This has automated Tier 1 to an extent," Aflac's Goldsworthy says.

The junior analysts at Aflac examine the insurer's pre-vetted alerts: "They analyze them, do a smell test, and if they think it's worthy of investigation, they send it to a Tier 2 analyst," he says.
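As an added illustration, not Aflac's proprietary algorithm (which the article does not describe), this Python sketch shows the two steps the passage names: collapsing repeated SIEM alerts into cases and filtering those cases by a risk score that weights severity, asset criticality and repetition, so that only pre-vetted cases reach the junior analyst queue. The rule names, hosts and asset weights are constructed sample data.

```python
from collections import defaultdict

# Constructed sample alerts in the shape a SIEM might emit (not real data).
RAW_ALERTS = [
    {"rule": "brute_force_ssh", "src": "10.0.0.5", "dst": "db01", "severity": 3},
    {"rule": "brute_force_ssh", "src": "10.0.0.5", "dst": "db01", "severity": 3},
    {"rule": "brute_force_ssh", "src": "10.0.0.5", "dst": "db01", "severity": 3},
    {"rule": "port_scan", "src": "10.0.0.9", "dst": "printer02", "severity": 1},
    {"rule": "port_scan", "src": "10.0.0.9", "dst": "printer02", "severity": 1},
    {"rule": "malware_callback", "src": "ws17", "dst": "198.51.100.7", "severity": 5},
    {"rule": "av_heuristic", "src": "ws22", "dst": "ws22", "severity": 2},
    {"rule": "av_heuristic", "src": "ws23", "dst": "ws23", "severity": 2},
    {"rule": "port_scan", "src": "10.0.0.9", "dst": "db01", "severity": 1},
    {"rule": "failed_login", "src": "ws05", "dst": "fileshare", "severity": 1},
]

# Hypothetical asset-criticality weights; a real SOC would pull these from a CMDB.
ASSET_WEIGHT = {"db01": 3.0, "fileshare": 2.0}
DEFAULT_WEIGHT = 1.0

def aggregate(alerts):
    """Collapse alerts sharing (rule, src, dst) into one case with a hit count."""
    cases = defaultdict(lambda: {"count": 0, "severity": 0})
    for a in alerts:
        key = (a["rule"], a["src"], a["dst"])
        cases[key]["count"] += 1
        cases[key]["severity"] = max(cases[key]["severity"], a["severity"])
    return cases

def risk_score(key, case):
    """Severity x asset weight x a repetition factor that saturates after 5 hits."""
    _rule, _src, dst = key
    weight = ASSET_WEIGHT.get(dst, DEFAULT_WEIGHT)
    repeat = 1 + min(case["count"] - 1, 4) * 0.5
    return case["severity"] * weight * repeat

def triage(alerts, threshold):
    """Return the pre-vetted queue: cases at or above threshold, highest risk first."""
    queue = []
    for key, case in aggregate(alerts).items():
        score = risk_score(key, case)
        if score >= threshold:
            queue.append({"rule": key[0], "src": key[1], "dst": key[2],
                          "count": case["count"], "score": score})
    queue.sort(key=lambda c: c["score"], reverse=True)
    return queue

def reduction(alerts, queue):
    """Fraction of raw alerts the analyst no longer has to click through."""
    return 1 - len(queue) / len(alerts)
```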

Even so, the SOC still operates in a traditional tiered manner, but each level has more advanced duties than in the old days. Tier 2 analysts handle preliminary incident investigation and then hand off confirmed events to the incident response team. Tier 3 analysts provide forensics investigations and typically have deep endpoint and network analysis skills, Goldsworthy says.

Another tool that's changing Aflac's SOC operation is deception technology – a sort of next-generation honeypot – to further minimize its false-positive alerts. Goldsworthy calls its Attivo Networks deception tool "an insurance policy for the unknown."

Goldsworthy says deception decoys give SOC analysts a "unique perspective" about attackers and their methods, which they then can share with other members of the team and, in turn, respond accordingly with proper defenses. "Deception also allows our security team to collaborate with and enable the business by allowing for more rapid adoption of new technologies because deception can be deployed wherever the business needs IT to go," he says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
