As Security Operations Centers (SOCs) contemplate the next phase, it is essential to focus on the people, data and technology, and on enabling them to work effectively together. Firas Ghanem, Regional Director – Middle East and Pakistan, ThreatQuotient, tells Intelligent CIO Middle East how SOCs can drive improvements while keeping analysts engaged and giving them more time to develop in key areas such as threat hunting.
The Security Operations Center (SOC) has been on the front lines of the pandemic-induced escalation of cybersecurity threats over the past 18 months. A 2020 study by Forrester found that the average security operations team receives more than 11,000 alerts per day, and that number has likely increased in the meantime. While deeply engaged in the crisis response, SOC teams were simultaneously dealing with the disruption common to all former office workers. They were transitioning to remote work and learning how to continue collaborating successfully with remote colleagues.
As SOCs take stock of the changes and challenges of the past year, it’s time to explore some of the factors that characterize the modern SOC and the common problems encountered in this crucial sector.
The 2021 SANS Survey: Security Operations Center (SOC) does just that in its fifth annual survey. By collecting and analyzing the perspectives of security analysts and team leaders across a wide range of industry sectors, the study provides insight into a range of issues. It is a valuable benchmark for SOC leaders who want to compare their approach and actions with others in the industry.
Several findings stood out to me as priorities as we aim to equip SOCs for the future.
Cybersecurity skills shortage continues to be felt
It’s not new, but it’s a persistent problem: the main obstacle preventing the full use of a SOC’s capabilities is the lack of qualified personnel. With a typical team of between two and 10 full-time equivalent employees, organizations consistently say they want both more staff dedicated to SOC activities and additional skills acquired by existing staff.
Supporting internal skills development should be a key priority for SOC leaders, as it not only improves SOC performance, but also encourages staff to stay with the organization for the long term. The most common tenure for a SOC analyst is between one and three years and the report found that training opportunities and career development are the top factors encouraging employees to stay with an organization.
There are other benefits to developing your own expertise. The report found that the main “missing skill” in teams was threat hunting experience, something that can be expensive to bring in from the outside. It also noted that threat hunting and intelligence monitoring are the activities most commonly outsourced by the SOC. Yet these are two areas where intimate knowledge of internal systems and infrastructure significantly improves efficiency. If analysts have the opportunity to learn these skills and are supported by tools that ease the burden of intelligence assimilation, it will be a double benefit to the business: it will retain key personnel and build internal capabilities in the areas that would benefit the most.
Working from home becomes the norm
The evolution of the work environment is linked to the challenge of retaining staff. Unsurprisingly, 87% of respondents said working from home was allowed in their organization. This may have raised questions about how to collaborate effectively, but the general success of remote working has freed analysts from the SOC. Where before they could look for a job in an easy commute, now they can look further. This means that organizations will have to work harder to attract and retain employees, giving analysts greater influence over wages and working conditions.
This should lead to a greater focus on analyst workload, which is long overdue. Currently, organizations do not have a proper method for calculating analyst workload: the majority of survey respondents said their SOC does not calculate it, and the second most common answer was a method based on time per ticket. With 83% of SOCs operating 24/7 and the majority providing this capability through internal resources, workload management is important to maintaining team wellbeing.
As the workforce embarks on the ‘big quit’, all of the above factors should ring alarm bells to warn employers that they must develop and protect their employees if they are to retain them.
Automation and data context drive efficiency
Automation and orchestration is another effective way to mitigate the impact of increasing workloads on the SOC, and here teams are also struggling. Automation and orchestration was only a close second to skills shortages as the most significant challenge facing SOCs.
When you’re short on people and skills, it’s critical that mundane, repetitive, low-value tasks are automated as much as possible, allowing analysts to focus on higher-value activities that reduce time to detection and response and are more fulfilling individually. It also helps teams meet performance goals and manage the growing volume of alerts.
There are some quick wins that can be implemented here. The study cites one respondent who successfully deployed a portal integrating dozens of data sources allowing for the consolidation of information from across the enterprise. This resulted in a reduction in response times from level 0 to level 2 by 25%.
Several respondents cited the lack of data context as a major barrier to operating an effective SOC. The SOC of the future will be increasingly data-driven, ingesting information from multiple sources inside and outside the enterprise, but data without context or relevance simply overwhelms analysts.
It’s a challenge that ThreatQuotient has taken on in the latest iteration of our ThreatQ platform. It incorporates a DataLinq engine to connect disparate systems and sources to enable XDR, as well as smart collections to drive automation, plus enhanced ThreatQ data exchange for two-way sharing of threat data, context and intelligence. It enables teams to go deeper in their investigation, collaboration, response and reporting – which is especially critical in a remote work environment – and results in more efficient and effective operations. The benefits are measurable in terms of time and FTE savings, improved risk management, and greater confidence when detecting and responding to an event.
Supporting the SOC of the future
As SOCs look to the next phase, it is essential to focus on the people, data and technology, and on enabling them to work effectively together. By balancing automation to enable machine-based support where possible, along with the right tools for human analysts, SOCs can deliver improvements while keeping analysts engaged and giving them more time to develop in key areas such as threat hunting.