The depressingly depleted talent pool in the information security profession is what typically draws most of the attention when personnel and skills challenges are raised, but less talked about is the length of time it takes to backfill a position.
Industry group ISACA has found that the average cybersecurity position lies vacant for up to six months, with security analyst among the hardest roles to find suitable candidates for (partly because of issues like burnout).
As the old phrase goes, time is money. So when organizations are fortunate enough to fill a position with the appropriate talent, they want to be able to make up for lost time as quickly as possible. This is especially true for roles in the security operations center (SOC), a setting notorious for staff needing to field never-ending alerts generated by a disparate collection of security tools.
Training new analysts can be a daunting task. They need time to get acquainted with the SOC’s technology stack and processes. In the absence of documentation, they often ask senior analysts for guidance. This can create distractions and consume time.
And, oftentimes, three senior analysts, for example, will give three different answers to the same question. This reliance on “tribal knowledge” creates inconsistency within the SOC that contributes to longer ramp-up times for new analysts. Undocumented processes, combined with security tools that don’t talk to each other, typically mean a SOC will need to spend nearly 100 hours – the equivalent of 2 1/2 weeks – getting a single new analyst up to speed.
Enter automation. Throughout an analyst's career in the SOC, a security orchestration, automation and response (SOAR) solution can be their best friend, expediting routine tasks and freeing them up to do more interesting work. But the technology can also give even the most junior analyst a strong start: hitting the ground running on day one, acclimated to the new environment and confident about what comes next.
Here are five ways a SOAR solution can aid in analyst onboarding.
1) The SOAR solution deploys automated playbooks.
The average SOC receives at least 10,000 alerts per day, and the large majority of them are nothing but noise, aka false positives. That amounts to a lot of dead ends for analysts to chase and leaves little time to investigate genuinely anomalous network activity. The sheer volume has even prompted some analysts to disable high-volume alerting features on detection tools, potentially causing teams to miss something important. SOAR helps analysts clear these hurdles by letting teams build custom, automated playbooks: workflows that codify the SOC's knowledge so every analyst follows the same steps, spreading resources and expertise across the team and keeping responses consistent through new hires and staff turnover. And if analysts need to create or edit any of the steps in these playbooks, the optimal SOAR solution will let them do so without knowledge of specific coding or query languages, acumen that a novice analyst may lack.
2) The SOAR solution groups related alerts.
As alerts arrive from different security tools, some SOAR solutions can automatically consolidate and group them into one cohesive interface. This is known as taking a threat-centric approach to investigations: the SOAR looks for contextual relationships between alerts (a shared host, user or IP address, for example) and, where it finds them, groups those alerts into a single case. Being handed manageable, focused cases right off the bat, instead of a queue of disconnected alerts, makes for a smoother transition for new analysts.
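To make points 1 and 2 concrete, here is an added example (not code from the original post or from Siemplify's product) of how a SOAR-style pipeline normalizes alerts from several tools, groups them into cases by shared entities, and then runs one simple playbook per case. The three tool schemas, the alert records and the threat-intel watchlist are all constructed for illustration, and the playbook rules are hypothetical; a real deployment would tune them to its own environment.

```python
from collections import defaultdict

# Constructed sample alerts from three hypothetical tools, each in its own schema.
# These are made-up records for illustration, not real detections.
RAW_ALERTS = [
    {"tool": "edr",  "id": "edr-1",  "hostname": "ws-042",  "user": "jdoe",
     "rule": "Suspicious PowerShell", "sev": 7},
    {"tool": "ngfw", "id": "fw-9",   "src_ip": "10.0.5.42", "dst_ip": "203.0.113.7",
     "sig": "Outbound beacon", "severity": "high"},
    {"tool": "siem", "id": "siem-3", "host": "ws-042", "src": "10.0.5.42",
     "name": "Multiple failed logons", "priority": 3},
    {"tool": "ngfw", "id": "fw-10",  "src_ip": "10.0.9.8", "dst_ip": "198.51.100.20",
     "sig": "Port scan", "severity": "low"},
    {"tool": "edr",  "id": "edr-2",  "hostname": "srv-db1", "user": "svc_backup",
     "rule": "Scheduled task created", "sev": 2},
]

# Hypothetical threat-intel watchlist consulted by the playbook (assumed, not real intel).
BAD_IPS = {"203.0.113.7"}

# Firewall severities arrive as words; map them onto the 0-10 scale used by the EDR.
WORD_SEVERITY = {"low": 2, "medium": 5, "high": 8, "critical": 10}


def normalize(raw):
    """Map each tool's schema onto one alert shape: id, title, 0-10 severity, tagged entities."""
    tool = raw["tool"]
    if tool == "edr":
        return {"id": raw["id"], "tool": tool, "title": raw["rule"], "severity": raw["sev"],
                "entities": {f"host:{raw['hostname']}", f"user:{raw['user']}"}}
    if tool == "ngfw":
        return {"id": raw["id"], "tool": tool, "title": raw["sig"],
                "severity": WORD_SEVERITY[raw["severity"].lower()],
                "entities": {f"ip:{raw['src_ip']}", f"ip:{raw['dst_ip']}"}}
    if tool == "siem":
        # SIEM priority runs 1-5; scale it to 0-10 so cases compare like with like.
        return {"id": raw["id"], "tool": tool, "title": raw["name"],
                "severity": raw["priority"] * 2,
                "entities": {f"host:{raw['host']}", f"ip:{raw['src']}"}}
    raise ValueError(f"unknown tool {tool}")


def group_into_cases(alerts):
    """Union alerts that share an entity (host, ip, user) into cases, transitively."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the forest shallow
            x = parent[x]
        return x

    first_seen = {}  # entity tag -> id of the first alert that mentioned it
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_seen:
                parent[find(a["id"])] = find(first_seen[ent])
            else:
                first_seen[ent] = a["id"]
    cases = defaultdict(list)
    for a in alerts:
        cases[find(a["id"])].append(a)
    return list(cases.values())


def run_playbook(case):
    """A minimal automated playbook: decide once per case, not once per alert."""
    entities = set().union(*(a["entities"] for a in case))
    max_sev = max(a["severity"] for a in case)
    ips = {e[len("ip:"):] for e in entities if e.startswith("ip:")}
    hosts = sorted(e[len("host:"):] for e in entities if e.startswith("host:"))
    actions = [f"block_ip {ip}" for ip in sorted(ips & BAD_IPS)]
    # Contain hosts only when the case is severe or touches known-bad infrastructure.
    if max_sev >= 7 or actions:
        actions += [f"isolate_host {h}" for h in hosts]
    if actions:
        verdict = "escalate"
    elif max_sev < 3:
        verdict = "close_noise"  # low-severity, unrelated alerts never reach a human
    else:
        verdict = "review"
    return {"alerts": sorted(a["id"] for a in case), "max_severity": max_sev,
            "verdict": verdict, "actions": actions}


def triage(raw_alerts):
    """Normalize, group and run the playbook; returns one decision per case."""
    alerts = [normalize(r) for r in raw_alerts]
    results = [run_playbook(c) for c in group_into_cases(alerts)]
    return sorted(results, key=lambda r: r["alerts"])


if __name__ == "__main__":
    for decision in triage(RAW_ALERTS):
        print(decision)
```

Running it, the EDR, firewall and SIEM alerts that all touch ws-042 / 10.0.5.42 collapse into one escalated case with a block and an isolate action, while the two unrelated low-severity alerts are closed as noise without an analyst touching them. The union-find step is what makes the grouping transitive: the EDR alert and the firewall alert share no entity directly, but the SIEM alert bridges them.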
3) The SOAR solution pieces together the security stack.
From next-generation firewalls to SIEM to endpoint detection and response, the security stack in any given organization can be vast and complex. No incoming analyst can reasonably be expected to master every tool in the stack, or to manually query each of them for the context needed to make sense of an alert. A SOAR solution alleviates this by delivering context-rich data into one central platform, eliminating the need to juggle multiple consoles for alert triage, investigation and remediation. Nor does the SOC need to directly touch a detection tool that another group manages: SOAR lets actions such as blocking an IP or isolating an endpoint be taken from a single place through an API call to the tool in question. That convenience also means the SOAR platform holds credentials that can act on those tools, so its service accounts and integration permissions deserve the same least-privilege scrutiny as any other administrative path.
4) The SOAR solution streamlines collaboration to enable easy escalation and information sharing.
Oftentimes the SOC cannot respond to every threat on its own, meaning other departments, such as networking, critical ops or change management, need to be involved. In addition, executives are likely interested in the security trends within the organization. Because not every group communicates, or consumes information, in the same way, breakdowns can occur and frustrations can mount, especially for a new analyst. A SOAR solution can level the playing field by automatically generating instructions, updates or reports from the SOC to other teams, and vice versa. SOAR is equally useful for collaboration within the SOC team itself, especially in the age of remote work amid COVID-19.
5) The SOAR solution helps keep analysts from burning out quickly.
There is a reason the SOC has earned the dubious backronym "sleeping on chair." Life in this environment can be a tedious mental grind, prompting some inhabitants to literally fall asleep from boredom. SOAR solutions counter this tedium in two ways. First, they spare analysts from spending long shifts staring at a multitude of monitors. Second, and ultimately most important for ensuring a new entrant to the SOC doesn't lose steam immediately, the automation (and, in some products, machine learning) in a SOAR solution frees analysts to work on more strategic and thought-provoking assignments that improve the company's overall security posture.
Dan Kaplan is director of content at Siemplify. Siemplify Senior Security Solutions Architect Oleg Siminel contributed to this post.