The Current State of SOCs
Security Operations Centers (SOCs) can be a revolving door: a constant battle of exit interviews, offer letters, onboarding, call-offs, and stressed-out analysts. How is someone in a leadership position supposed to deal with this challenge? You may be asking yourself, “How can we, as security leadership, lower our SOC turnover rate?” While every SOC has a different maturity, culture, and business to protect, this issue can be tackled from people, process, and technology perspectives.
Support Your People
1. Career Pathing and Training
Training and career development are key needs for both SOC analysts and the organization they are defending. The cyber threat landscape is ever changing, which requires constant learning. An organization should not rely on laurels earned in previous years but invest in their defense personnel for the future.
Additionally, SOC workers might not want to stay analysts for their entire careers. Many of them might already have a roadmap planned for their career, and enabling them to reach their goals will garner trust and loyalty. What better way to hire an aspiring security engineer, forensic expert, malware analyst, or penetration tester than internally?
2. Cybersecurity Community Involvement
Getting involved with the local cybersecurity community will expose analysts to new tools and techniques, new threats, emerging research, and social and physical networking. Many SOCs operate in a vacuum, in which new data only comes from various security blogs and news sources. There must be an intention to come up with new ideas and perspectives, which are often hard to come by. Community involvement can have a direct, positive impact on a SOC.
While these benefits sound great, not many analysts are going to use their vacation days to attend these events. The easiest solution is to consider these events a responsibility of the SOC analyst role. Local conferences and groups like BSides and InfraGard are great places to get started and won’t consume a lot of time or resources.
3. Creating an Open Dialog
For many reasons, SOC work can often be a stressful job. It is important to make sure analysts feel they have a voice. A good SOC analyst will be quick to identify inefficient processes and procedures, false positive identifications, and suggestions for improvement. No one wants to work at a job where they feel their feedback doesn’t matter. All feedback should be personally discussed and never outright dismissed.
This can be accomplished in a variety of ways. As an example, weekly or monthly “one on one” meetings with a supervisor and an “all hands” meeting with the entire SOC would help immensely. This meeting structure would allow not only for individual issues and concerns to be raised but also for team collaboration to grow.
1. Onboarding: Setting analysts up for success
A proper onboarding process should accomplish two goals:
- Spin up a new analyst as efficiently as possible and
- Give the new analyst confidence to navigate the environment.
Onboarding should not simply be a process of acquiring access to the security tooling, showing new hires a file share filled with documentation (that may or may not be up to date), and pointing them to the Security Information and Event Management (SIEM) system to start working alerts.
An onboarding process should be purposeful and help the new analysts to feel comfortable. While the steps above should be part of onboarding, here are some ideas to help improve the process:
- Create weekly meetings with senior analysts or the supervisor.
- 30/60/90-day milestone meetings to discuss any challenges.
- Create training material to help get new hires up to speed.
- Encourage ad-hoc questions.
- Review analysis of completed alerts.
- For the first couple of days or the first week, let new hires shadow senior analysts and other members of the SOC (preferably a different analyst in each session).
- If needed, provide entry-level certification opportunities to get knowledge up to speed. Examples include the CompTIA Security+, CySA+, or SANS GSEC credentials.
2. Reevaluate Existing Processes and Procedures
When SOC workers are inundated with alerts to respond to, updating documentation can fall by the wayside. New skills and experience from within the SOC might also highlight inefficiencies within current processes and procedures. Repetitive tasks and incorrect documentation can contribute to the SOC analysts' burnout.
SOC supervisors and senior analysts could meet periodically (quarterly, twice a year, etc.) to decide what needs to be updated. Certain questions can be asked to facilitate the conversation, such as:
- Has there been any feedback from the SOC?
- When were these last updated?
- Are there any repetitive tasks that can be automated?
- Are these clear for new hires coming into the SOC?
- Has any technology changed that would require an update?
3. Reevaluate Schedules
Any SOC operating 24/7, on weekends, or at any other hours outside the normal 9-to-5 setup should revisit its shift schedules. Not many SOC analysts prefer to work second shift, night shift, or weekends. Working night shifts, especially for an extended period, can quickly lead to a burned-out analyst. Some organizations will always have to meet this requirement, but there are steps that can be taken to lower the rate of burnout.
- One solution is to hire specifically for the shift role. While few, there are analysts who prefer second shift, nights, or weekends. Look for analysts who have previous experience in roles outside of normal hours and prefer it.
- Create a periodic rotation for the various shifts. As an example, day and night shifts could swap every two months, quarterly, or semi-annually.
- Create incentives. If remote work is an option, give analysts a day or two to work from home or let weekend work be done from home. Quite often, work outside of normal business hours does not require a physical presence in the office, especially since most other departments might not be 24/7.
1. Periodically Evaluate Your Security Stack
Security departments are often evolutionary. A SOC may start off small but quickly grow in maturity. More advanced capabilities, increased analyst expertise, and better understanding of the environment are all hallmarks of a maturing SOC. This increased maturity will highlight key gaps in security tooling.
Much like the rest of the security field, new products and technology are released regularly and existing products are greatly improved upon. Over time, SOC analysts may identify needs within the security stack. Working with outdated, inefficient, or inadequate tooling will contribute to SOC turnover and burnout. Security architecture should be continually reevaluated for SOC enablement, closing security gaps, and facilitating more efficient processes.
2. Automate the Mundane
By nature, SOC work is often composed of repetitive tasks with occasional deep-dive investigations sprinkled throughout the work week. Some of these repeat tasks are necessary, such as reviewing alerts generated by the various security systems. However, SOC analysts will grow to resent tasks viewed as unnecessary repetition. Ensure that any feedback given by SOC workers is addressed. If a certain repetitive task is necessary and cannot be automated, explain the technical limitations behind what the SOC analyst is asking for. A clear explanation may help change their perspective or even facilitate a solution, such as an automation script.
Taking this concept a step further, skilled SOC analysts are not fully utilized working rudimentary alerts. They may grow tired of performing the same “by the numbers” playbooks day after day, which further adds to the burnout rate. When properly implemented, a Security Orchestration, Automation, and Response (SOAR) platform can be an efficient solution. These systems can perform many of the initial tasks a SOC analyst would take and can fully handle lower effort security alerts. This frees up SOC analysts to spend their time performing more advanced analysis and triaging.
3. Combating Alert Fatigue – Proper Tuning
Alert fatigue is a main contributor to SOC burnout, and one that is relatively easy to manage. While the nature of the work is reviewing alerts, the main point here is volume. Each security alert should be as relevant and actionable as possible. Given a count of the alerts per shift and the number of analysts on shift, an average time-to-closure estimate can be calculated. If this value is anything less than 15 minutes, volume is most likely a problem. Analysts should be able to take their time on alerts that need it and not feel pressured to close them for the sake of meeting a demanding turnaround time.
Proper alert metrics are key to tuning out high-volume false positives and unnecessary alerts while also highlighting needed changes to alert logic. Once metrics have been gathered and a trending report has been made, the obvious tuning needs will stand out. If no significant tuning opportunities arise, you might simply need to hire more analysts.
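As an added example (not code from the original article), the Python below turns the two ideas above into a small metrics check: the per-shift time-per-alert estimate against the 15-minute threshold, and a per-rule false-positive roll-up that surfaces tuning candidates. It assumes the estimate is analyst-minutes available on the shift divided by the alert count, and that closed alerts carry an analyst-assigned disposition; the alert sample and rule names are constructed.

```python
from collections import defaultdict

SHIFT_HOURS = 8  # assumed shift length

# Constructed sample of alerts closed during one shift: (rule name, disposition).
SHIFT_ALERTS = (
    [("failed_logins_burst", "false_positive")] * 9
    + [("failed_logins_burst", "true_positive")]
    + [("dns_tunneling_heuristic", "false_positive")] * 6
    + [("suspicious_powershell", "true_positive")] * 2
    + [("suspicious_powershell", "false_positive")]
    + [("new_admin_account", "true_positive")]
)


def minutes_per_alert(alert_count, analysts_on_shift, shift_hours=SHIFT_HOURS):
    """Average time available per alert: analyst-minutes on shift / alerts.
    This formula is an assumption; the article only names the two inputs."""
    if alert_count == 0:
        return float("inf")
    return analysts_on_shift * shift_hours * 60 / alert_count


def volume_is_a_problem(alert_count, analysts_on_shift, threshold_min=15):
    """Apply the article's 15-minute rule of thumb."""
    return minutes_per_alert(alert_count, analysts_on_shift) < threshold_min


def tuning_candidates(alerts, min_volume=5, min_fp_rate=0.8):
    """Roll up alerts by rule and flag rules that are both high volume and
    mostly false positives. Returns (rule, total, fp_rate, flagged) tuples,
    highest volume first."""
    per_rule = defaultdict(lambda: {"total": 0, "fp": 0})
    for rule, disposition in alerts:
        per_rule[rule]["total"] += 1
        if disposition == "false_positive":
            per_rule[rule]["fp"] += 1
    report = []
    for rule, c in sorted(per_rule.items(), key=lambda kv: -kv[1]["total"]):
        fp_rate = c["fp"] / c["total"]
        flagged = c["total"] >= min_volume and fp_rate >= min_fp_rate
        report.append((rule, c["total"], round(fp_rate, 2), flagged))
    return report


if __name__ == "__main__":
    n = len(SHIFT_ALERTS)
    print(f"{n} alerts, 2 analysts: {minutes_per_alert(n, 2):.0f} min/alert,"
          f" volume problem={volume_is_a_problem(n, 2)}")
    for rule, total, fp_rate, flagged in tuning_candidates(SHIFT_ALERTS):
        print(f"{'TUNE ' if flagged else '     '}{rule:<24}{total:>4}  fp_rate={fp_rate}")
```

Run against a real SIEM export, the per-rule table is the trending report the text describes; rules marked TUNE are where logic changes pay off first.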