The coronavirus pandemic is reshuffling our priorities and changing life as we know it, and with the climax of the disruption – never mind its conclusion – still unclear, the uncertainty of when our routines will “return to normal” is only adding to the discomfort many are feeling.
Yet as workers from across the world hunker down in their homes, many preparing for lengthy confinement as they await answers as to when society will reopen, essential services must persist, including those in cybersecurity operations.
Malicious hackers are not slowing down, with widespread reports of coronavirus-themed phishing and malware campaigns drawing headlines, although dark web observers report that not all of the criminally minded are without empathy.
Of course, for those who have no qualms about exploiting the global crisis, the opportunity is wide open. The massive migration to remote setups is enabling a boon in work-from-home weaknesses and exposure points (many of which are well documented in this article).
Security operations teams are being challenged, not just to address the emerging risks of a phenomenon created virtually overnight, but to also ensure they are a cohesive and ready unit as many security operations centers move to remote work as well. (For those still maintaining a partial or fully physical SOC presence, this blog post offers several important tips for keeping staff healthy).
Already burdened by an industry-wide talent shortage, SOCs transitioning to remote work will find a path littered with mines, but there are mitigating steps and recommendations to implement. If you are to find success outside of the physical walls of a SOC, this is snapshot of the top concerns and suggestions to consider in the coming weeks and months (or even longer if a permanent paradigm shift toward remote work unfolds).
1) Adequately Assess Risk
Like any effort to secure your infrastructure in time of crisis, the first step to a remote SOC migration is to evaluate risk. Chief among your SOC continuity/disaster recovery planning should have been crafting a contingency for coping with extended downtime at a physical location, and now looks like the time to implement it.
Risk assessment also involves ensuring you are able to maintain full SOC coverage during an emergency such as this, and if you are a managed security services provider (MSSP), you must assure you can maintain proactive and reactive touches with customers, continue to execute service-level agreements, and achieve key performance indicators.
If your team is transferring operations to remote, you will also need to verify that connectivity and physical/digital security are covered in these at-home environments. More on the latter later.
2) Address WFH Motivation and Concentration
Anyone knows that life in the SOC can be full of grunt work requiring the “eyes on glass” tedium of monitoring, triaging and potentially escalating alerts, with much of analyst time spent sifting through the digital equivalent of a monster haystack in search of a needle or two. While technologies like security orchestration, automation and response (SOAR) can help to alleviate alert deluge – and the harsh consequences of alert fatigue and analyst burnout – some degree of front-line coverage is needed.
But not everyone will thrive away from their cubicle, especially during periods of quarantine when homes will include others (and possibly children) under guidance to also stay put. This is not to mention that Tier 1 work is often performed by entry-level analysts whose homes may not be conducive for multi-monitor telecommuting, who may be uncomfortable with the autonomy work-from-home life requires or who simply may be distracted by the temptation of their PlayStation sitting a few yards away from their workstation. To overcome this potentially damaging dynamic, your SOC will require strong mentorship and support from more experienced colleagues.
3) Harden Home SOC Environments
Aside from having to address all the alerts that result from a newly remote workforce, at-home SOC analysts must also deal with the potential vulnerabilities that can result from their team’s newfound decentralized configuration. It is unlikely the home of an analyst can easily meet your corporate and compliance policies, but as Voltaire wrote, perfect is the enemy of good. While every organization will approach remote SOC security differently, here are some tools to consider to safeguard your remote access topology:
- Virtual desktops
- Secure access controls, including multi-factor authentication
- Endpoint security
In addition, you must ensure that analysts are working with (fully patched) computers that are performance capable of handling the CPU-consuming workload required for rapid detection, investigation and resolution of alerts and cases.
4) Properly Communicate and Knowledge Share
Collaboration is a key pillar by which organizations can reduce arguably their most important security metric: detection and response time. But teamwork and camaraderie can be eroded when security personnel move out of a central physical setting and into remote locales.
We mentioned SOAR earlier for its functionality of assigning, automating and prioritizing analyst tasks (and even grouping alerts by related threat, saving analysts valuable time), but it really is a powerful tool in times of crises because of it can unify an entire SOC team – or even an entire organization if a crisis communication feature exists – within a single interface.
Situational awareness will also be important when a team is dispersed, especially with a dangerous disease like coronavirus in which staff has a realistically greater chance of getting ill. Because of this possibility, if you are already stretched thin, you may be in for a greater talent shortage ahead, so try to get ahead of that predicament now.
5) Keep Morale High
The unique circumstances of many SOC duties already make analysts highly susceptible to discontent and burnout, even without adding in the potential complications of remote work, which can lead to only further feelings of detachment and disconnection.
One tried-and-true remedy for keeping staff motivated and engaged – tasking personnel with more cognitively demanding and proactive assignments like incident response and malware analysis – must carry over to the remote SOC as well. Breaking up duties will prevent at-home analysts from falling into a rut from the redundant humdrum of alert handling. Extra kudos if you can maintain ongoing training and teaching efforts without disruption, which is another way to keep the brain stimulated during forced quarantine.
Another way to keep spirits up is through regular check-ins, which will not only help to ensure the physical and mental well-being of SOC staff, but also help account for other team responsibilities, such as performance, reporting and documentation, which can easily fall through the cracks during a time like this.
Dan Kaplan is director of content at Siemplify.