Problems and Solutions for the SOC
by Robert Bond
How to Improve Your Security Operations Center
The Problems with the Security Operations Center
The Security Operations Center or SOC is considered an essential component of business, however, most professionals working in the SOC rate their organization’s security effectiveness as low. Further, 49 percent say it is not aligned with the needs of the business, according to a survey conducted by Devo Technology in partnership with the Ponemon Institute.
Issues such as a lack of visibility into their own organization’s network and IT infrastructure, a lack of confidence in the SOC’s ability to uncover threats, and perhaps most importantly the growing stress on security professionals because of added workload and the now imminent breach are contributing to diminishing SOC effectiveness.
Security team members responding to the survey suggest that working in the SOC is increasingly more difficult; 65% of SOC team members report having considered changing careers or quitting their jobs. Further, 78% of respondents say the mean time to resolution (MTTR) can be weeks to months or even years according to the Devo/Ponemon survey. MTTR has a direct correlation to the damage that results from an attack and is a critical component to SOC and incident response team effectiveness.
“The survey findings clearly highlight that a lack of visibility and having to perform repetitive tasks are major contributors to analyst burnout and overall SOC ineffectiveness,” said Julian Waits, General Manager of Cyber, Devo. “It is critical that businesses make the SOC a priority and evolve its effectiveness by empowering analysts to focus on high-impact threats and improving the speed and accuracy of triage, investigation, and response.”
The problem of SOC analyst pain: IT security personnel say working in the SOC is painful because of an increasing workload and being on call 24x7x365. The factor that truly stands out is the level of analyst burnout due to their heavy workload, and the immense amount of stress and pressure they are facing,” said Larry Ponemon, founder of Ponemon Institute.
The Solution for Improving Your Security Operations Center
Security operations centers (SOCs) have become essential for every healthy and functioning organization. At least 55% of small and medium-sized businesses claim to have experienced some kind of cyber-attack within the last 12 months. Without a team dedicated to network and technology security, companies leave themselves open to attack from any number of cyber threats. The SOC strategy you create, and implement can directly influence your ability to not only prevent threats from causing harm, but it can also greatly improve the speed at which remediation occurs.
Although each organization may have specific needs based on the type of industry and network with which it operates, most SOCs will serve several main functions: prevention of malware attacks, identification of system vulnerabilities, log monitoring, firewall management, incident response, threat intelligence, as well as other malicious activity tracking within the network. As the complexity of the system grows, the need for more experienced staff and tool integration increases.
Identifying Common SOC Weaknesses
As we understand from the Ponemon survey, many cybersecurity analysts rate the overall effectiveness of their current SOCs as low. Specific reasons for this can vary between lack of funding for proper technology or staffing, lack of integration between tools, excessive workload, and lack of support from leadership within the company. Analysts often become burned out when they don’t have the right tools or integration of the tools and technology to handle heavy workloads or repetitive tasks; particularly when they are tasked to monitor and manage logs and other data 24×7.
Comparing logs, monitoring traffic, analyzing patterns and behaviors, conducting penetration testing, and much more, means tasks are not simple and are often very tedious and require time and skill. When the burden is placed on the shoulders of just a few people, it can lead to burnout and high turnover rate.
Lack of funding in the SOC can cause organizations to choose between technology and staffing. Whether the lack is due to insufficient revenue in smaller businesses or a lack of priority within leadership, it can mean the SOC does not have what it needs to fulfill its necessary function. Without technology that leads to quick insights and answers, even the most experienced staff will not have what they need to adequately identify and protect against the wide variety of threats they see their IT environment.
Further, without skilled staff, the best technology one could purchase will not be implemented correctly or utilized to its full potential. There needs to be an understanding in leadership about what is required for an adequate SOC and then a budget should be put in place to ensure availability of staff and technology.
System complexity is another issue some organizations face with their SOCs. As the needs of the company become more diverse, organizations are finding that they need too many experts on staff to handle the processes effectively. This is out of the question for many small and medium-sized businesses. With complexity often comes a decline in productivity. Excessive amounts of work and analysis can often result in distracting the SOC from finding vulnerabilities and responding quickly to real threats. Especially as SOCs invest in more tools to handle new avenues of protection, many of those tools may not integrate, leading to further complexity and greater workloads.
Improving Overall Function of the SOC
Identifying specific weaknesses in your SOC is the first step to improving the overall function and ensuring every need is met. Without understanding the weaknesses, there is no clear starting place for improvement. Identify the areas in which analysts are being overworked or hindered from focusing on priorities. Identify security controls not being implemented, or areas in which they are not being fully utilized. Hiring outside consultants who understand SOC best practices is often critical to help identify and manage system and organizational risks.
We have learned that SIEMs, Firewalls, IPS/IDS and other threat management technology is never a replacement for human skill, understanding, and expertise. Specialists work to understand attacker behavior, pattern, and technique, which is clearly a challenge for technology on its own. Technology provides essential defense tools; however, incidents and breaches require human mediation to properly identify and resolve.
SOC Budgetary Considerations & MSSPs
Risk management is all about how organizations handle the security needs in a cost-effective manner. Often, being both effective and cost effective comes down to whether it’s time to outsource to an experienced managed security services provider (MSSP) or other security resources. As systems increase in complexity, the need arises for more experienced and capable staff. To handle every aspect of email and web browser safety, firewall management, data recovery, application and software security, log monitoring, penetration testing, and tool integration is commonly too much for smaller organizations and often even large Fortune 50 organizations.
Quality MSSPs empower organizations and their SOC analyst’s with highly trained support at cost effective rates. MSSPs also offer 24x7x365 service, meaning they have teams that are always monitoring the customer’s environment and can quickly respond to threats. Leveraging service providers may also mean not having to maintain advanced equipment or software applications.
Many service providers use and maintain their own cyber-defense technology and upgrade as the needs of changing technology arise. In addition, when working with the best-in-class MSSP’s organizations will benefit from; (1) Superior Protection (2) Cost Savings (3) Advanced Technology (4) Security Experts and of course (5) a sharper focus on their business. These 5 benefits of an MSSP have been proven by even the most skeptical CIO’s and heads of IT security.
If you do manage your own team of in-house IT and security specialists, it’s important to remember to keep a balance between the resources being spent on staff and technology. Without trained staff who understand the techniques and habits of attackers, all the technology in the world will not be helpful for protecting your organization.
Experts trained in using specific cyber-defense tools while understanding malicious behaviors and techniques are what will keep your systems safe from attackers. Once you have the right people in place, maximizing the use of their time and empowering them with partners at a reliable MSSP means automation, integrated tools, incident response, and other benefits will improve the effectiveness of your SOC while preventing undue fatigue among your security staff.
June 23, 2020
June 16, 2020