Landing a job as an entry-level security operations center (SOC) analyst often provides a foot in the door to the cybersecurity field, but a new survey shows the more seasoned a SOC staffer gets, the more likely he or she will become disillusioned with the position.
New data from the Cyentia Institute's "Voice of the Analyst Study" of security operations center teams shows that while three in four SOC analysts are satisfied with their jobs, some 45% say the reality of the SOC isn't what they had expected. Some 70% of entry-level (one to two years' experience) SOC analysts say their job meets their expectations, while just 43% of more experienced SOC analysts say so, according to the report, commissioned by SOC automation vendor Respond Software.
As one SOC analyst respondent quoted in the report explained, the novelty of a new SOC gig basically wears off after a while: "I was drawn to the SOC by misguided youthful ideals, which have been ground into a fine powder by years of poor management and lack of support from higher-ups."
The report, provided in advance of its publication to Dark Reading, also found that job dissatisfaction ranks 25% higher among experienced SOC staffers, and one in three SOC analysts overall is currently job-hunting for a position elsewhere. Of the 160 respondents, three-quarters are SOC analysts, 20% SOC managers, and 5% engineers or project managers in the SOC.
Wade Baker, co-founder of The Cyentia Institute and an author of the report, says he had expected entry-level SOC analysts to be the most unhappy members of the SOC, not the seasoned ones. "It was counterintuitive to me. I thought the quintessential entry-level analysts feel less respected and maybe more dissatisfied. We found the opposite: the longer you're in the SOC and the more experience you have, dissatisfaction and things like that grow," Baker says.
SOC analysts say they were drawn to their positions for a new challenge, skills, more money, and as a way to make a difference, but those same incentives also are what's drawing them to leave their current jobs, according to the report. "If you want to keep them around, offering those same positives in-house is just as important as eliminating the negatives that drive them out," the report says. "Roughly 3 out of 4 point to a desire for more intellectually challenging work, the chance to learn new skills, and/or a chance to defend and help the business."
Change of SOCs
Entry-level, or Tier 1, SOC analyst positions are notoriously high-burnout gigs. Sitting in front of a monitor and manually clicking through thousands of raw alerts from firewalls, IDS/IPS, SIEM, and endpoint tools, looking for that needle in a haystack, is at the same time both monotonous and stressful. Ignoring an alert tied to a real attack happens: just ask Target, which mistakenly dismissed as false positives the alerts that flagged its massive breach in 2013.
SOC experts say the job of the entry-level SOC analyst gradually will be replaced with automation and orchestration technologies that streamline the traditionally manual, front-line role. The Tier 1 analyst position will evolve into a new, more advanced role akin to the Tier 2 analyst, who triages flagged alerts.
"For me, the SOC of the future is having as much done automatically as possible" on the front lines, says Brett Wahlin, the former CISO at HP. The first level of human contact with the event data, a next-generation SOC Level 2 analyst, brings human analysis to the issue once it triggers a set threshold, for example. "It takes a human touch to see if you actually have got a bad guy or not," he says.
Today's Tier 1 SOC analyst job basically was born out of the mass of logs security tools produce, notes Josh Maberry, director of security operations at Critical Start, an MSSP. "The Tier 1 analyst was never supposed to be a manual-event job in the first place. It became that as a necessity because there weren't any automation and orchestration [tools] there yet," he says. "They [became] eye filters … So analysts began to drown. The whole thing became an events-to-bodies ratio."
It's those factors that have led to the high turnover in the SOC, experts say. The most time-consuming task in the SOC is monitoring, followed by intrusion analysis and shift operations handoff duties, according to the Cyentia SOC analyst survey. "The notion of monitoring taking a lot of time is not surprising," says Mike Armistead, co-founder and CEO of Respond Software, noting that monitoring earns a low value among the tasks SOC analysts want to be doing.
Shift operations are also considered a burden: that's when analysts receive feedback on their incident reports, or transfer information during the handoff of their shifts. "That's the place where tribal knowledge is transferred among people," he says, so if SOC analysts are unhappy with that process, it could be a red flag for the organization.
New data published today from a separate study by Advanced Threat Analytics (ATA) of 50 managed security service providers gives a glimpse at the volume of security alerts MSSPs face: nearly 45% say they see a 50% or higher rate of false positives, and 64% say it takes an average of 10 minutes or more to investigate each alert.
That volume of alerts forces SOC analysts of all levels to spend, in some cases, more than five hours a day investigating even false positives, according to that study. Alin Srivastava, president of ATA, says that distracts the MSSPs' SOC analysts from real threats and incidents.
According to the SOC analysts surveyed in Cyentia's SOC report, monitoring is the task least likely to lead to catching an intruder. "You get the sense [from the survey] that they feel a lot of time is wasted on relatively low-value efforts," Cyentia's Baker says.
Automation can help eliminate the low-level, repetitive monitoring tasks that "require human fingers more than human brains," the report says. Threat hunting and forensics, meanwhile, still require humans to handle that level of analysis.