The security operations centre (SOC) has been on the front line facing the pandemic-induced escalation of cybersecurity threats in the past eighteen months. A 2020 study by Forrester found that the average security operations team receives more than 11,000 alerts per day. That figure is likely to have grown in the intervening period.
SOC teams were deeply engaged in responding to the crisis. Simultaneously, they were facing the disruption common to all formerly office-based workers. They were switching to remote working and learning how to continue collaborating successfully with colleagues at a distance.
SOCs are now taking stock of the changes and challenges of the past year. It is an opportune moment to explore some of the factors that characterise the modern SOC and the common issues experienced in this crucial sector.
The SANS 2021 Survey: Security Operations Center (SOC) does just that in its fifth annual survey. By collecting and analysing the views of security analysts and team managers across a broad spectrum of industry sectors, the study draws insight across a range of issues. It is a valuable benchmark for SOCs who wish to compare their approach and actions with others in the industry.
Several findings stood out for me as priorities as we aim to equip SOCs for the future.
The cybersecurity skills shortage continues to bite
It’s not new, but it is a continuing issue. The number one barrier preventing full utilisation of a SOC’s capabilities is a lack of skilled staff. A typical team numbers between two and ten full-time equivalent employees. Within this mix, organisations would still like more human resources devoted to SOC activities and the acquisition of additional skills by existing staff.
Supporting in-house skills development should be a key priority for SOC leaders. It improves SOC performance and encourages staff to remain with the organisation for the long term. The most common tenure for a SOC analyst is between one and three years. The report found that training opportunities and career development are the key factors encouraging employees to remain with an organisation.
There are further benefits to growing your expertise. The report found that the top “missing skill” in teams was threat hunting experience. It is something that can be costly to bring in from the outside.
It also noted that threat hunting and intelligence monitoring are the activities most commonly outsourced by the SOC. Yet these are two areas where intimate knowledge of internal systems and infrastructure considerably improves effectiveness.
If analysts are allowed to acquire these skills and supported with tools that lift the burden of intelligence assimilation, it will amount to a double benefit for the business. They retain key staff and build stronger internal capability in the most beneficial areas.
Work from home becomes the norm
Linked to the challenge of staff retention are changes to the work environment. Unsurprisingly, 87% of those surveyed said that working from home was permitted in their organisation. It may have raised some issues around how to collaborate effectively, but the general success of remote working has liberated SOC analysts.
Previously, they may have looked for employment within an easy commute. Now, they can search further afield. It means organisations will have to work harder to attract and retain employees and gives analysts greater leverage over pay and working conditions.
This should lead to a greater focus on analyst workload, which is long overdue. Currently, organisations lack an appropriate method of calculating analyst workload. The majority of survey respondents say their SOC doesn’t calculate it. The next most common answer is that they use a basic time-per-ticket method. With 83% of SOCs operating 24/7 and the majority of these delivering this capability through in-house resources, managing workload is important to maintain team wellbeing.
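The survey notes that most SOCs either do not calculate analyst workload at all or use a basic time-per-ticket figure. The following is an added example (not from the survey or from ThreatQ) of how a SOC lead might go one step further: it totals hands-on minutes per analyst from a ticket log, optionally weights them by severity, and flags anyone over a utilisation threshold. The ticket log, the 8-hour shift length and the severity weights are all constructed assumptions for illustration.

```python
"""Per-analyst workload from a ticket log: time-per-ticket, plus a severity-weighted variant."""
from collections import defaultdict

# Constructed 24-hour ticket log (not real data):
# (ticket id, analyst, severity, minutes of hands-on analyst time logged against the ticket)
TICKETS = [
    ("T-1001", "alice", "high", 90),
    ("T-1002", "alice", "medium", 60),
    ("T-1003", "alice", "low", 20),
    ("T-1004", "bob", "low", 30),
    ("T-1005", "bob", "low", 25),
    ("T-1006", "bob", "medium", 45),
    ("T-1007", "bob", "high", 120),
    ("T-1008", "carol", "low", 15),
    ("T-1009", "carol", "low", 10),
]

SHIFT_MINUTES = 8 * 60  # assumption: each analyst works one 8-hour shift in the window

# Assumed weights: a high-severity ticket costs more in context switching and
# escalation than the minutes logged against it suggest. Tune to your own SOC.
SEVERITY_WEIGHT = {"low": 1.0, "medium": 1.5, "high": 2.0}


def load_minutes(tickets, weighted=False):
    """Total minutes per analyst; with weighted=True, minutes are scaled by severity."""
    load = defaultdict(float)
    for _, analyst, severity, minutes in tickets:
        weight = SEVERITY_WEIGHT[severity] if weighted else 1.0
        load[analyst] += minutes * weight
    return dict(load)


def utilisation(tickets, weighted=False, shift_minutes=SHIFT_MINUTES):
    """Fraction of the shift consumed by ticket work, rounded to two decimals."""
    return {
        analyst: round(minutes / shift_minutes, 2)
        for analyst, minutes in load_minutes(tickets, weighted).items()
    }


def over_threshold(tickets, threshold=0.7, weighted=False):
    """Analysts whose utilisation exceeds the threshold, sorted by name."""
    return sorted(
        analyst for analyst, util in utilisation(tickets, weighted).items()
        if util > threshold
    )


if __name__ == "__main__":
    for weighted in (False, True):
        label = "severity-weighted" if weighted else "time-per-ticket"
        print(label, utilisation(TICKETS, weighted), "over 70%:", over_threshold(TICKETS, weighted=weighted))
```

On the constructed log, plain time-per-ticket puts every analyst under 50% utilisation, while the severity-weighted view pushes one analyst past 70%. The point is not the particular weights but that an unweighted count hides the uneven distribution of demanding work.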
As the workforce embarks on the “great resignation”, all the above factors should sound warning bells alerting employers that they need to develop and protect their employees if they want to retain them.
Automation and data context drive efficiency and security improvements
Automation and orchestration are another effective way to mitigate the impact of escalating workloads on the SOC, yet teams are struggling with them. Respondents ranked automation and orchestration as the second most significant challenge facing SOCs, only just behind the skills shortage.
When you are short of staff and skills, it is critical that mundane, repetitive and low-value tasks are automated as far as possible. It frees analysts to focus on higher-value activities that reduce time to detection and response and are more individually fulfilling. It also supports teams to meet performance objectives and handle the escalating volume of alerts.
Some quick wins can be implemented here. The study cites one respondent who has successfully deployed a portal integrating dozens of data sources, consolidating information from across the business. This reduced Level 0 to Level 2 response times by 25%.
Several respondents cited the lack of context-related data as a major barrier to operating an efficient SOC. The SOC of the future will be increasingly data-driven. It will ingest information from multiple sources within and outside the enterprise. However, data without context or relevance simply overwhelms analysts.
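The two preceding points, automating low-value triage work and giving alerts context, are easiest to see together. The following is an added example (not ThreatQ code, not from the survey) of the kind of automation a small SOC can script itself: raw sensor alerts are deduplicated, enriched with asset inventory and threat-intelligence context, scored, and assigned an action so that analysts see a prioritised queue rather than a flat stream. The asset inventory, indicator list, alerts, scores and thresholds are constructed assumptions for illustration only.

```python
"""Deduplicate, enrich and prioritise raw alerts using asset and threat-intel context."""

# Constructed asset inventory (context the business already holds, not real data).
ASSETS = {
    "10.0.1.5": {"name": "dc01", "tier": "critical", "owner": "infra"},
    "10.0.2.17": {"name": "ws-0142", "tier": "standard", "owner": "sales"},
    "10.0.3.9": {"name": "lab-vm-03", "tier": "lab", "owner": "research"},
}

# Constructed threat-intelligence indicators with confidence scores (not real data).
INTEL = {
    "198.51.100.23": {"confidence": 90, "tags": ["c2"]},
    "203.0.113.77": {"confidence": 40, "tags": ["scanner"]},
}

# Constructed alerts as a sensor might emit them: no asset or intel context attached.
ALERTS = [
    {"rule": "outbound-beacon", "src": "10.0.1.5", "dst": "198.51.100.23", "severity": "medium"},
    {"rule": "outbound-beacon", "src": "10.0.1.5", "dst": "198.51.100.23", "severity": "medium"},
    {"rule": "port-scan", "src": "203.0.113.77", "dst": "10.0.2.17", "severity": "low"},
    {"rule": "suspicious-powershell", "src": "10.0.3.9", "dst": None, "severity": "high"},
]

# Assumed scoring model: severity gives a base, asset tier scales it, intel adds confidence.
SEVERITY_BASE = {"low": 10, "medium": 30, "high": 60}
TIER_MULT = {"critical": 2.0, "standard": 1.0, "lab": 0.25}
TIER_RANK = {"critical": 3, "standard": 2, "lab": 1}


def enrich(alert):
    """Return a copy of the alert with asset and intel context attached."""
    enriched = dict(alert)
    endpoints = (enriched["src"], enriched["dst"])
    # If both ends are internal assets, keep the one with the highest tier.
    assets = [ASSETS[ip] for ip in endpoints if ip in ASSETS]
    asset = max(assets, key=lambda a: TIER_RANK[a["tier"]], default=None)
    enriched["asset"] = asset["name"] if asset else None
    enriched["tier"] = asset["tier"] if asset else "unknown"
    hits = [INTEL[ip] for ip in endpoints if ip in INTEL]
    enriched["intel_confidence"] = max((h["confidence"] for h in hits), default=0)
    enriched["intel_tags"] = sorted({tag for h in hits for tag in h["tags"]})
    return enriched


def score(enriched):
    """Priority = severity base * asset-tier multiplier + intel confidence."""
    base = SEVERITY_BASE[enriched["severity"]]
    mult = TIER_MULT.get(enriched["tier"], 1.0)  # unknown assets are not down-weighted
    return int(base * mult + enriched["intel_confidence"])


def action_for(priority):
    """Map a priority score to a queue action (thresholds are assumptions)."""
    if priority >= 100:
        return "escalate"
    if priority >= 40:
        return "investigate"
    return "close-auto"


def triage(alerts):
    """Collapse duplicates, enrich, score and return alerts sorted by priority."""
    grouped = {}
    for alert in alerts:
        key = (alert["rule"], alert["src"], alert["dst"])
        if key in grouped:
            grouped[key]["count"] += 1
        else:
            grouped[key] = dict(alert, count=1)
    queue = []
    for alert in grouped.values():
        enriched = enrich(alert)
        enriched["priority"] = score(enriched)
        enriched["action"] = action_for(enriched["priority"])
        queue.append(enriched)
    queue.sort(key=lambda e: e["priority"], reverse=True)
    return queue


if __name__ == "__main__":
    for item in triage(ALERTS):
        print(item["priority"], item["action"], item["rule"], item["asset"], item["intel_tags"], "x%d" % item["count"])
```

On the constructed input, the same beacon alert fired twice against a domain controller towards a known C2 indicator collapses into one escalated item, a scan of a standard workstation lands in the investigate queue, and a high-severity rule on a lab VM is auto-closed. The analyst sees three contextualised items instead of four bare alerts, and the most important one is on top.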
This is a challenge ThreatQuotient has addressed in the latest iteration of our ThreatQ platform. It incorporates a DataLinq Engine for connecting disparate systems and sources to enable XDR, along with Smart Collections for driving automation, plus an enhanced ThreatQ Data Exchange for bi-directional sharing of data, context and threat intelligence.
It allows teams to be more thorough in their investigations, collaboration, response and reporting – which is particularly critical in a remote working environment – and results in more efficient, effective operations. The benefits are measurable in terms of time savings and FTEs gained, improved risk management and greater confidence when detecting and responding to an event.
Supporting the SOC of the future
SOCs are now looking to the next phase. Focusing on people, data, and the technology that enables the two to work effectively together is key. By balancing automation, so that machines take on support tasks where possible, with the right tooling for human analysts, SOCs can drive improvements while keeping analysts engaged and giving them more time to upskill into key areas such as threat hunting.
For more insight from the SANS 2021 Survey: Security Operations Center, visit: https://www.threatq.com/sans-soc-survey/
ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organization’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritization and visualization, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.