It’s no secret that companies across the world face serious challenges when it comes to designing and maintaining their Security Operations Centers (SOC).
With the depth and scope of threats rising each day, the share of IT budgets directed to security rises with them. Historically, companies have thrown whatever analysts and tools they could at the problem in hopes of staying one step ahead of their attackers. But despite the increase in people and resources, corporations still fall prey to an ever-expanding litany of attacks.
It’s clear that the formula isn’t working.
Not enough people, too many tools
According to an RSA and ISACA study, 35% of companies were unable to fill needed security positions. According to Forbes, there are currently 1 million open security positions in the US alone and that number is expected to grow exponentially.
In an environment where the security of digital assets is paramount, the lack of people qualified to protect those assets is disturbing and can lead to some serious problems, namely:
- Overburdened analysts: Meritalk found that 68% of security teams are overwhelmed by the amount of data to be processed, and 78% feel that, as a result, they had no opportunity to proactively address threats. Teams reactively run from fire to fire, and burnout levels are high because so much responsibility is placed on the shoulders of very few people. This unnecessary noise creates additional layers of complexity which further obscure the true picture of what’s taking place.
- Unresolved alerts: With tens of thousands of alerts, many of which are false positives, coming in each month from a slew of disparate tools, it’s no wonder that events slip through the cracks. In fact, the high-profile Target breach of 2013 was in part due to an alert that went uninvestigated.
- The work has become overly complex: It takes a person of a certain skill set to be capable of dealing with the high volume of alerts and numerous individual tools and platforms intricately involved with keeping a SOC moving. It’s a nuanced process that poses a challenge to even the most qualified security personnel. And the confusion created by these different point “solutions” causes additional frustration among analysts.
There has to be a better way
Security Operations Centers have long been criticized as the weakest link in the cyber threat ecosystem. And viewed under the microscope, it’s easy to see why – with unending streams of data and alerts, disconnected point solutions (each proclaiming to be the holy grail), manual processes, and the sheer limits of human horsepower, analysts are being held hostage by their own systems.
But if adding more people and more point solutions isn’t the answer, then what is?
There has to be a better way to solve this challenge, making the most out of the analyst team already on board. It’s time for leaders to rethink their approach to maintaining their SOC.
One thing we know for certain is that there will never be enough qualified people for the job. The skills are too nuanced and the gap is too wide. The real focus should be on helping existing teams be more efficient, and effective, with the people they already have, rather than adding more analysts and complexity into the mix.
Putting the SOC into a framework
There is a problem within the SOC, but it’s not one that more people or more point solutions will fix. To properly address the issue, organizations need to target the source: the lack of an underlying, unifying fabric—one that places all events, tools, and people into a single framework across the security landscape. Giving analysts this singular view will drastically cut the noise, complexity and stress that have become commonplace in the SOC. Looking at all aspects of the SOC as a whole will:
– Consolidate alerts, eliminating redundancies
– Streamline manual processes
– Enable analysts to ask the right questions in a fraction of the time
– Connect disparate tools within the SOC, so that analysts won’t need to rely on multiple systems to perform basic investigations
– Allow tier one analysts to perform with the same level of accuracy and understanding as tier two and three analysts.
Simply put, teams can do more with less when they can see the entire SOC ecosystem laid out in front of them. With that underlying framework in place, analysts will have all the tools and manpower needed to successfully meet the security challenges of today.
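To make the first and fourth points above concrete (consolidating redundant alerts, and connecting disparate tools so one investigation does not require several consoles), here is an added example that is not part of the original post. It takes two constructed feeds, a syslog-style firewall log and an EDR-style JSON feed, normalizes them to one schema, folds repeated alerts within a time window into a single record with a count, and groups what remains into per-asset cases. Tool names, field names, hosts, addresses and rule names are all invented for illustration.

```python
"""Consolidating alerts from disparate tools into one analyst view.

Added example, not code from the original post. All feeds, tool names,
fields and sample values below are constructed for illustration.
"""
from __future__ import annotations

import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: a syslog-style firewall feed (not real data).
FIREWALL_LINES = [
    "2023-04-01T10:00:02Z fw01 DENY src=10.0.0.7 dst=203.0.113.5 rule=C2_BEACON",
    "2023-04-01T10:00:32Z fw01 DENY src=10.0.0.7 dst=203.0.113.5 rule=C2_BEACON",
    "2023-04-01T10:01:02Z fw01 DENY src=10.0.0.7 dst=203.0.113.5 rule=C2_BEACON",
    "2023-04-01T10:05:00Z fw01 DENY src=10.0.0.9 dst=198.51.100.2 rule=PORT_SCAN",
]

# Constructed sample input: an EDR-style JSON feed (not real data).
EDR_EVENTS = [
    '{"ts": "2023-04-01T10:00:10Z", "hostname": "ws-007", "ip": "10.0.0.7", '
    '"detection": "Suspicious PowerShell", "severity": "high"}',
    '{"ts": "2023-04-01T10:00:11Z", "hostname": "ws-007", "ip": "10.0.0.7", '
    '"detection": "Suspicious PowerShell", "severity": "high"}',
]


@dataclass
class Alert:
    """One normalized alert; the common schema every tool is mapped onto."""
    ts: datetime
    source_tool: str
    host: str        # asset the alert concerns; the IP is the shared join key
    rule: str
    detail: str
    count: int = 1   # how many raw alerts this record stands for after folding

    def fingerprint(self) -> tuple[str, str, str]:
        # Two alerts are "the same" if one tool fired the same rule on the same asset.
        return (self.source_tool, self.host, self.rule)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(line: str) -> Alert:
    ts, _device, action, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return Alert(parse_ts(ts), "firewall", f["src"], f["rule"],
                 f"{action} {f['src']}->{f['dst']}")


def parse_edr(raw: str) -> Alert:
    e = json.loads(raw)
    return Alert(parse_ts(e["ts"]), "edr", e["ip"], e["detection"],
                 f"{e['hostname']} severity={e['severity']}")


def dedupe(alerts: list[Alert], window: timedelta = timedelta(minutes=5)) -> list[Alert]:
    """Fold alerts sharing a fingerprint that arrive within `window` of the
    first one into that first record, bumping its count. Nothing is dropped,
    only collapsed, so the analyst still sees how noisy a signal was."""
    folded: list[Alert] = []
    open_by_fp: dict[tuple[str, str, str], Alert] = {}
    for a in sorted(alerts, key=lambda x: x.ts):
        head = open_by_fp.get(a.fingerprint())
        if head is not None and a.ts - head.ts <= window:
            head.count += 1
        else:
            open_by_fp[a.fingerprint()] = a
            folded.append(a)
    return folded


def build_cases(alerts: list[Alert]) -> dict[str, list[Alert]]:
    """Group folded alerts by asset so firewall and EDR signals about the
    same host land in one case instead of two separate queues."""
    cases: dict[str, list[Alert]] = defaultdict(list)
    for a in alerts:
        cases[a.host].append(a)
    return dict(cases)


def consolidate(fw_lines=FIREWALL_LINES, edr_events=EDR_EVENTS):
    raw = [parse_firewall(l) for l in fw_lines] + [parse_edr(e) for e in edr_events]
    folded = dedupe(raw)
    return raw, folded, build_cases(folded)


if __name__ == "__main__":
    raw, folded, cases = consolidate()
    print(f"{len(raw)} raw alerts -> {len(folded)} unique -> {len(cases)} cases")
    for host, items in cases.items():
        print(host)
        for a in items:
            print(f"  [{a.source_tool}] {a.rule} x{a.count}: {a.detail}")
```

On the constructed input, six raw alerts from two tools collapse to three unique records and two cases, and the case for the first host carries both the firewall and the EDR signal side by side. The fingerprint and the window are the two knobs a team would tune per tool: too coarse a fingerprint hides distinct incidents, too narrow a window lets repeats leak back into the queue.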