Rik Ferguson, VP of Security Intelligence at Forescout, asks: the Security Operations Center (SOC) analyst is often considered the last line of defense in the detection and mitigation of security incidents, but is this really their primary purpose, or indeed the best use of their time?
SOC analysts are too often constrained to the repetitive and stressful mechanics involved in simple triaging of alerts; alerts that are often false positives, incorrectly classified, duplicates or worse. The similarity of the content and presentation of alerts, the repetitive nature of the task, and the constant pivoting between platforms and interfaces are all significant contributors to burnout in the SOC. The sheer volume of events to triage means that Tier I SOC analysts have no time for anything else. Even when they do find something worthy of further investigation, they are forced immediately to escalate it, so they can return to the insistent call of their monotonous primary duties. It doesn’t have to be this way; we don’t expect the master carpenter to be chopping firewood.
Most tools in use in SOCs today are designed as either “best of breed” or “good enough for now,” conceived, created, and deployed in splendid ivory towers that rely on the UI as an API and the SOC analyst as the point of integration. Or, like SIEM, they attempt to be all things to all people and fulfil their initial promise of “the only SOC tool you will ever need,” and end up shipping as an entirely unconfigured, one-size-fits-all template. These tools, almost by definition, require a significant initial investment of time and training for initial configuration and then constant tuning. In fact, some SOCs maintain a team solely responsible for this ongoing tuning effort of dialing down the volume of useless and time-consuming alerts.
Like SIEM, SOAR tooling has been developed as an answer to some of the constant stress of working in a SOC, as has XDR. Rather than addressing the entirety of the analyst experience, they fix only parts of the problem: symptoms rather than root cause. This piecemeal approach to empowering the SOC has left analysts in a constant state of context switching: from SIEM console to AV console to IPS console to DLP console to SIEM to SOAR…
Networks continue to evolve and diversify, and threat actors continue to explore new attack vectors and targets; cloud, operational technology, and medical devices are all now equally “in play” in an enterprise attack surface. Higher levels of visibility have traditionally meant an ever-increasing multiplicity of user interfaces (sometimes even within a single vendor’s “solution”), an endless tsunami of data, and the corresponding alert fatigue. This deluge of information, coupled with a focus on small, repetitive, and often manual tasks, is a critical contributor to fatigue, boredom, and a feeling of powerlessness in the workplace, and the consequent staff turnover acts as a force multiplier.
The correct application of technology within the SOC relies on enterprises prioritizing the Analyst Experience (AX) as proposed by Forrester. The SOC in any enterprise is primarily a service organization, whether internal or outsourced, and as such should be focused on a process-driven approach. The design and application of process will necessarily focus on the points where analyst meets technology, and too many points of intersection mean a greater process overhead. In addition to enhancing the analysts’ day-to-day experience, much greater attention must be paid to the human factors that can limit attrition and retain valuable, experienced analysts.
Cutting down on the donkey work that is Tier I triage today means that SOC analysts have the time to take proactive steps towards enterprise security, such as threat hunting exercises or the creation and delivery of security training for the wider employee base. It creates the space for SOC analysts to add value and a sense of wider purpose by leveraging their knowledge and experience to pursue and integrate their own research and threat intelligence, to develop or enhance existing process through application of lived experience, or simply to undertake training that allows them to further career goals within your organization.
After all, there will always be another WannaCry or another NotPetya. Wouldn’t it be great to have your experienced and motivated SOC ready to find it during a hunt rather than working backwards from the devastation it would otherwise leave in its wake?