Of all the cybersecurity disciplines, one is uniquely and intrinsically connected to the human being: security operations.
The success of the modern security operations center, despite the infusion of automation, machine learning, and artificial intelligence, remains heavily dependent on people. This is largely due to the vast amounts of data a SOC must ingest – a product of an attack surface ceaselessly expanding in the age of professionalized cybercrime and the borderless enterprise. All those alerts coming in mean proactive and reactive human decision making remains critical.
Perhaps, then, it should come as no surprise that the security analyst now ranks as No. 1 in U.S. News’ 100 Best Jobs Rankings, “determined by identifying careers with the largest projected number and percentage of openings through 2030, according to the U.S. Bureau of Labor Statistics.” Security, namely detection and response, is not only a business imperative – it is arguably the top worry on the minds of CEOs.
In a somewhat cruel twist of irony, however, the security analyst is also among the professionals most likely to want to leave their jobs, according to a newly released “Voice of the SOC Analyst” study conducted by Tines.
Turnover woes are attributable to several key SecOps challenges that never seem to budge.
1) Alert Fatigue: Have you ever received so much spam and junk mail that you end up ignoring new messages entirely and miss an important one? The same happens with alerts. Too much noise is unsustainable and can lead to real threats being missed, especially as perimeters expand and cloud adoption increases.
2) Disparate Tools: Already saddled with too many point detection tools, security operations professionals are saying hello to a few more in the era of remote work and increased cloud demands. By the latest count, the average enterprise has more than 75 security tools to manage.
3) Manual Processes: Use-case procedures that produce inconsistent, unrepeatable work bottleneck response times and frustrate SecOps teams. Not everything in the SOC needs to be – or should be – automated, but much of it can be, which frees analysts and engineers to concentrate on higher-order tasks and makes it easier to transfer knowledge to new employees.
4) Talent Shortage: Death, taxes and the cybersecurity skills shortage. As sure as the sun will rise tomorrow, so will the need for proficient individuals to wage the cybersecurity fight. But what happens when not enough talent is filling the seats? Teams must compensate to fill the gap.
5) Lack of Visibility: Security operations metrics are critical for improving productivity and attracting buy-in, but SecOps success can be difficult to track, as reports can require a significant amount of work to pull together.
The caveat, of course, is that it would be rare to find a SecOps team free of the above challenges. So what immediate steps can you take to push back against these stifling constraints? As you can probably deduce, it comes down to processes and technology, powered by people, to remedy the issues.
Humans are – and will be – needed both to perform final triage on the most ambiguous security signals (similar to conventional SOC Level 3+) and to conduct threat hunting (looking for what didn’t trigger an alert).
Machines will be needed to deliver better data to humans, both in a more organized form (stories made of alerts) and as higher-quality detections built from rules and algorithms – all while covering more of the emerging IT environments.
Both humans and machines will need to work together on mixed manual and automated workflows, such as those enabled by SOAR tools today.
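To make “stories made of alerts” concrete, here is an added example (not code from Google Cloud Security or any SIEM product) that takes a constructed batch of raw alerts, collapses repeats of the same detection on the same host inside a ten-minute window, chains what remains per entity into a story, and ranks each story by peak severity plus the number of distinct techniques it contains. The alert fields, rule names, hostnames and scoring weights are assumptions for illustration.

```python
"""Fold raw alerts into deduplicated, entity-centric stories for analyst triage.

Added example with constructed data; the record layout and rule names are
assumptions, not a real product's schema.
"""
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Each names the entity it
# concerns, the detection that fired, and a 1..5 severity.
SAMPLE_ALERTS = [
    {"ts": "2024-03-01T09:00:05", "entity": "ws-0142", "rule": "suspicious_powershell", "severity": 3},
    {"ts": "2024-03-01T09:00:06", "entity": "ws-0142", "rule": "suspicious_powershell", "severity": 3},
    {"ts": "2024-03-01T09:00:07", "entity": "ws-0142", "rule": "suspicious_powershell", "severity": 3},
    {"ts": "2024-03-01T09:02:40", "entity": "ws-0142", "rule": "lsass_access", "severity": 5},
    {"ts": "2024-03-01T09:03:10", "entity": "ws-0142", "rule": "outbound_to_new_domain", "severity": 2},
    {"ts": "2024-03-01T09:20:00", "entity": "ws-0077", "rule": "av_signature_update_failed", "severity": 1},
    {"ts": "2024-03-01T14:30:00", "entity": "ws-0142", "rule": "outbound_to_new_domain", "severity": 2},
]


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def dedupe(alerts, window=timedelta(minutes=10)):
    """Collapse repeats of the same (entity, rule) that fire within `window` of the
    first occurrence into a single alert carrying a count."""
    folded = []
    last_index = {}  # (entity, rule) -> position in `folded` of the alert repeats fold into
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        key = (alert["entity"], alert["rule"])
        idx = last_index.get(key)
        if idx is not None and parse_ts(alert["ts"]) - parse_ts(folded[idx]["ts"]) <= window:
            folded[idx]["count"] += 1
            continue
        folded.append({**alert, "count": 1})
        last_index[key] = len(folded) - 1
    return folded


def build_stories(alerts, gap=timedelta(minutes=30)):
    """Chain an entity's deduplicated alerts into one story; silence longer than
    `gap` on that entity starts a new story. Returns stories highest score first."""
    stories = []
    open_story = {}  # entity -> the story currently being extended
    for alert in dedupe(alerts):
        story = open_story.get(alert["entity"])
        if story is None or parse_ts(alert["ts"]) - parse_ts(story["alerts"][-1]["ts"]) > gap:
            story = {"entity": alert["entity"], "alerts": [], "rules": set(), "max_severity": 0}
            stories.append(story)
            open_story[alert["entity"]] = story
        story["alerts"].append(alert)
        story["rules"].add(alert["rule"])
        story["max_severity"] = max(story["max_severity"], alert["severity"])
    # Ranking heuristic (an assumption): peak severity plus two points per extra
    # distinct technique, so a chain of weak signals outranks one loud, lonely alert.
    for story in stories:
        story["score"] = story["max_severity"] + 2 * (len(story["rules"]) - 1)
    return sorted(stories, key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    ranked = build_stories(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(ranked)} stories")
    for story in ranked:
        print(story["entity"], story["score"], sorted(story["rules"]),
              [(a["rule"], a["count"]) for a in story["alerts"]])
```

Seven raw alerts become three stories. The workstation that chained suspicious PowerShell, LSASS access and outbound traffic to a new domain lands at the top of the queue, with the three identical PowerShell alerts carried as one entry with a count of three; the failed signature update on the other host sits at the bottom, where an analyst can deprioritize it without it crowding out the real chain.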
So, what does this ultimately mean you must do to improve your security operations? Here are five practical suggestions:
Efficiencies within the SOC can be realized from a SIEM solution that automatically detects threats in real time and at scale. The right platform will support massive data ingestion and storage, relieve traditional cost and scaling limitations, and broaden the lens for anomaly and machine learning/AI-based detection. With data stored and analyzed in one place, security teams can investigate and detect threats more effectively.
Security orchestration, automation and response (SOAR) can be a game-changer for caseload reduction and faster (and smarter, especially when integrated with threat intelligence) response times. But before rushing headlong into automation, consider your processes, review the outcomes you are trying to achieve (such as reduced mean time to detect, MTTD) – and then decide exactly what you want to automate (which can be a lot with SOAR). Once clear processes are identified where automation can contribute, humans are freed up to be more creative in the
Many teams lack a strategy for collecting, analyzing and prioritizing logs, despite the fact that these sources of insight often hold the clues of an ongoing attack. To help, we have prepared two cheat sheets featuring essential logs to monitor.
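As an added example of the kind of detection that turns raw log lines into a prioritized finding (this is not one of the cheat sheets and not a Google Cloud rule), the code below parses constructed OpenSSH authentication lines in syslog format and flags a source address that fails three or more logins inside five minutes, escalating the finding to critical if a login from that address later succeeds. The hostnames, addresses, thresholds and priority labels are assumptions for illustration.

```python
"""Brute-force-then-success detection over OpenSSH auth log lines.

Added example. The log lines are constructed to look like syslog-recorded
sshd messages; the thresholds and priority labels are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real host). Three sources: one brute
# force that ends in a success, one benign typo followed by a key login,
# and one brute force that never gets in.
SAMPLE_LOG = """\
Mar  1 09:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 50112 ssh2
Mar  1 09:00:03 bastion sshd[2103]: Failed password for root from 203.0.113.9 port 50113 ssh2
Mar  1 09:00:04 bastion sshd[2105]: Failed password for root from 203.0.113.9 port 50114 ssh2
Mar  1 09:00:06 bastion sshd[2107]: Failed password for deploy from 203.0.113.9 port 50115 ssh2
Mar  1 09:00:09 bastion sshd[2109]: Accepted password for deploy from 203.0.113.9 port 50116 ssh2
Mar  1 09:05:00 bastion sshd[2201]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  1 09:05:30 bastion sshd[2202]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Mar  1 11:00:00 bastion sshd[2301]: Failed password for bob from 192.0.2.77 port 41000 ssh2
Mar  1 11:00:01 bastion sshd[2302]: Failed password for bob from 192.0.2.77 port 41001 ssh2
Mar  1 11:00:02 bastion sshd[2303]: Failed password for bob from 192.0.2.77 port 41002 ssh2
Mar  1 11:00:03 bastion sshd[2304]: Failed password for bob from 192.0.2.77 port 41003 ssh2
Mar  1 11:00:04 bastion sshd[2305]: Failed password for bob from 192.0.2.77 port 41004 ssh2
"""

# Matches the sshd "Accepted"/"Failed" authentication lines; other sshd
# chatter (disconnects, key fingerprints) is ignored by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Turn matching log lines into event dicts; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Per source address: `threshold` failures inside `window` raise one medium
    finding; a later success from the same address escalates it to critical.
    Returns findings with critical ones first."""
    findings = []
    recent_failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    flagged = {}                         # src -> the finding already raised for it
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        if e["outcome"] == "Failed":
            recent_failures[src] = [t for t in recent_failures[src] if e["ts"] - t <= window] + [e["ts"]]
            if src in flagged:
                flagged[src]["failures"] += 1  # keep counting, but do not raise a second finding
            elif len(recent_failures[src]) >= threshold:
                flagged[src] = {"src": src, "host": e["host"], "first_seen": recent_failures[src][0],
                                "failures": len(recent_failures[src]), "succeeded_as": None,
                                "priority": "medium"}
                findings.append(flagged[src])
        elif src in flagged and flagged[src]["succeeded_as"] is None:
            # A success after a burst of failures is the case that must reach a human first.
            flagged[src]["succeeded_as"] = e["user"]
            flagged[src]["priority"] = "critical"
    return sorted(findings, key=lambda f: f["priority"] != "critical")


if __name__ == "__main__":
    for finding in detect_bruteforce(parse(SAMPLE_LOG)):
        print(finding["priority"], finding["src"], finding["failures"], finding["succeeded_as"])
```

The single mistyped password from 198.51.100.4 never reaches the threshold and produces nothing, which is the point: the rule surfaces two findings out of twelve lines, and the one where the attacker got in as “deploy” is ordered ahead of the one that only hammered the host.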
Process improvements may help you compensate for perceived personnel shortages (for example, fixing a misconfigured monitoring tool may reduce alert noise). Of course, most organizations need additional human hands for tasks like round-the-clock monitoring and more specialized functions like threat hunting. This is where a managed security services provider or a managed detection and response provider can help. Be realistic about your budget, however, as you may be able to introduce something in-house.
Lack of management support was cited as the fourth-biggest obstacle to a full SOC model, according to a recent SANS Security Operations Center Survey. To overcome this, leaders must work to improve workflow processes, protect innovation, keep teams working on inspiring tasks, be flexible with employees and endorse training and career development. Because at the end of the day, the SOC is still distinctly human.
Dan Kaplan is a content marketer at Google Cloud Security.