Between networks, endpoints, cloud technologies and critical infrastructure, digital footprints are growing for virtually every organization. This means greater efficiency and opportunity for business, but also greater pathways for attackers.
Inside many companies (or at providers that help manage their security for them), security operations center (SOC) analysts spend their days monitoring data streams and network logs for anomalous activity, and most enterprise SOCs receive thousands of alerts per day.
And therein lies the problem. Whether you’re weeding through an onslaught of alerts, searching for indicators of compromise or rooting through logs or running queries to compile asset information relevant to the case you’re working, time becomes your most precious commodity. Spending so many minutes and hours of your day on data gathering, enrichment and escalation decision-making can take time away from deeper investigations, analysis and remediation.
Meanwhile, plenty of false positives are rearing their ugly heads. Recent numbers from the Ponemon Institute found that organizations typically get about 17,000 alerts per week, with 80% of them being bogus. The consequences are twofold: 1) The important stuff that should be investigated further is sometimes missed amid all of the noise and 2) Overtaxed SOCs adopt a “see no evil” attitude to certain alerts by tuning down thresholds or outright ignoring certain categories.
Security operations teams have never had more data points available to them – according to Enterprise Strategy Group, organizations are averaging up to 50 security tools from 10 different vendors – to identify, investigate and analyze threats. That’s a good thing, considering relying largely on prevention technologies and methodologies doesn’t cut it in today’s threat landscape. But it also means a lot of unorganized, out-of-context and unactionable data for you and the team to ingest.
Another side effect of this “alert fatigue” is that triage can involve performing similar manual tasks over and over again. This is how the SOC earned the dubious distinction of being short for “sitting on chair.” (Sorry.)
More importantly, this redundant work can have consequences for the business, because repetitive tasks invite mistakes, and it takes an emotional toll on analysts in the form of boredom, which studies have found can be directly linked to burnout.
You also may not be getting the proper support. Within the SOC, communication among analysts and managers is essential. Both need to have a way with words: analysts to cogently and authoritatively discuss data security incidents, and managers to share technical guidance and build appropriate processes. Yet, lack of management support was cited as the fourth-biggest obstacle to a full SOC model, according to the 2019 SANS Security Operations Center Survey. To overcome this, leaders must work to improve workflow processes, introduce technology solutions and endorse training and career development.
Support can also simply mean showing appreciation. According to Paul White, a workplace relationship psychologist who recently polled 130,000 workers, nearly two-thirds hadn’t received positive feedback in the past 12 months. Employees tend to thrive on affirmation, and underappreciation is a common reason for vacating their positions.
And then there’s your schedule being off. If you follow professional football in the United States, you’ll know the public narrative generally gives East Coast teams playing at home the advantage over a squad traveling from the West Coast. The idea is that the change in time zones disrupts players’ normal biological cycles, known as the circadian rhythm, giving the home team an edge.
The theory is not off base, and it has long been posited that shift workers who work irregular hours can experience sleep loss, among other physical and mental health problems. Organizations running 24x7x365 security operations centers stand to suffer the most.
Next time, we’ll discuss some of the cultural and environmental factors that expose SOC personnel to high risk of burnout.
This is an excerpt from our new e-book on burnout in the SOC. To read it, visit here.
Dan Kaplan is director of content at Siemplify.