The Human Component in the Security Operations Center

As cybersecurity challenges become more complex, the tendency is for organizations to focus on what piece of security technology they can acquire next. But that usually means the human component of the security operations center (SOC) isn’t getting enough attention. The SOC must have its security tools, but it cannot rely solely on machines to protect the organization. People are a fundamental to the very core of SOC operations. To understand how SOCs can be improved to support the humans who make security possible, it’s important to start with an overview of the status quo.

By Gil Shulman, Vice President of Products, Illusive Networks

Inside today’s SOCs

The SOC is almost like a living organism built out of a symbiotic relationship between the different tiers of engineering and analysis. Most SOCs are saturated with security technologies to help analysts do their jobs. They generate piles of alerts by detecting malware signatures, rule violations and threshold exceptions, or suspicious patterns, sequences and anomalies — signs that something bad may be happening.

These alerts then require an examination or validation process so SOC analysts can know what’s worth escalating. SOC teams must filter alerts, separating millions of benign alerts to find and prioritize meaningful alerts that warrant further investigation. For verified incidents, they then collect data from multiple tools to piece together a picture of what actually happened, which can take weeks or months. In the event of a true attack, the attacker may already have been well entrenched in the network — or may already have exfiltrated data.

The toll on analysts

Though incident responders invest intensive time and effort, they continue to fret over what important alerts they may have missed.  As one survey after another shows, the process suffers from a shortage of skilled security personnel, lack of real-time forensic data and inability to accurately assess business risk.

Without knowing which incident poses the biggest threat to an organization’s crown jewels, teams can spend valuable time on non-critical incidents instead of using scarce expertise where it’s needed most. Consequently, the humans who work in the SOC – the analysts – are burning out. They repeatedly expend a tremendous amount of concentrated brain power and precious time on alerts that are largely false positives.

Burnout is endemic. A stunning 60% of SOC team members are thinking of leaving their jobs or changing careers altogether due to stress, according to the second annual Devo SOC Performance Report, based on a survey conducted by Ponemon Institute. Since SOC analysts are already hard to come by and replacing them is no easy task, this is a problem of significant proportions.

That’s because the human component of security analysis remains critical to success. AI and automation are being used to great effect within the SOC; they absolutely lighten the load in a world of increasing alerts and scarce cybersecurity talent. But algorithms lack a human touch. A survey conducted at RSA Conference 2020 found that the majority of industry professional respondents agreed that human analysts possess qualities that machines cannot match. These qualities include intuition, creativity, previous experience, and frame of reference.

In short, the SOC will always need humans, working in conjunction with helpful tools like automation and AI. Since that’s true, organizations need to find ways to ease the stress burden on their analysts if they hope to maintain the staff required to keep their networks safe.

How to improve the status quo

IDC has observed that “traditional cybersecurity leads with a ‘block and tackle’ strategy.” They note, though, that as the complexity and sophistication of threats increases, SOCs “require a better understanding of how threats beyond the perimeter interact with their network.” Incident response teams waste valuable hours sifting through multiple tools and systems, looking for the contextual data needed to validate escalation. Essentially, SOC analysts need decision-making context and broader correlation to be optimally effective at their job.

This is where automation shines. A wealth of forensic data collected automatically and directly from where the attacker is operating provides knowledge of where in the network the attacker is lurking and how far they are from privileged credentials. SOC teams can reclaim a vast chunk of the expensive time and effort lost to manual activities typical in the processes of triage, ticket enrichment, investigation, and validation — while becoming more proactive and efficient in incident response. Less stress and greater efficiency equate to higher job satisfaction – more benefits of automation.

Upskilling and reskilling are needed, as well. In the SOCs that the Devo report classify as “high-performing,” 67% have skills development and training in place. By implementing a training program, Tier 1 analysts can learn the more sophisticated skills they need to move up to Tier 2, and the same goes for Tier 2 analysts as they advance toward Tier 3. Additionally, as automation, AI and SIEM technologies become increasingly important, staff will need training in these areas.

Change is coming

Technology is democratic in that its evolution is available to all – the good and bad alike. SOC staff are already so overwhelmed that unless something significant changes, it’s only a matter of time before they are overrun by clever new attack types as well as the current deluge of alerts. For the health and retention of SOC teams and for the security of your organization, changes must be made. They include adopting automation and upskilling analysts for what’s ahead. The human component of the SOC must not be overlooked but instead nurtured in order to create a truly secure network environment.

About the author

Gil Shulman is the Vice President of products for Illusive Networks and has over 20 years of experience in the technology industry focusing on cyber defense. Before joining Illusive Networks, Shulman worked with a wide variety of market-leading companies, from Check Point Software, where he led the high-end products team; to Radware and Verint Systems, where he managed the product organization for national cyber defense. In recent years, he has focused on virtualization and cloud technologies, traffic and application management, and network appliances and platforms, creating new product categories and design strategies. Shulman served at the technological unit of the Israel Defence Forces Unit 8200.

Disclaimer

CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.