Security operations centers – the units that manage overall cybersecurity within an organization – have been getting a workout during COVID-19. Many organizations moved their SOC staff to remote work within days of coronavirus being declared a pandemic.
This shift to remote work has put a spotlight on three inter-related issues for business and cybersecurity leaders in modernizing SOCs to meet the needs of today’s workplace. These are:
- The need for more extensive automation
- Expanding the use of machine learning and artificial intelligence
- Adapting practices for hiring, training and retaining cybersecurity personnel
Keeping the SOC properly staffed is a challenge in the best of times because of the ongoing cybersecurity skills gap. With the pandemic affecting corporate profits, CISOs are worried about maintaining staffing levels and ensuring that management continues to make the SOC a top priority.
“Bottom line is – this is probably not the time when we can depend on adding new bodies to close that skills gap,” said John Pescatore, director of emerging security trends at SANS Institute, a research and education organization.
For a CISO, the issue is a matter of upskilling the team and getting better productivity without necessarily adding more people, according to Pescatore. The best SOCs get improved results when CISOs spend budgets more efficiently “or at least not keep asking management for more money,” he said.
Embracing Automation and Intelligence
The SOC team receives on average over 11,000 daily alerts, according to a Forrester study, and only half the security professionals polled felt confident they can address all or most of them on a given day.
If your SOC team suffers alert fatigue, it doesn’t necessarily mean you don’t have enough people. Rather, it may mean you are not using automation and intelligence sufficiently to offload work that can be done more effectively by machines than humans. It may also mean you have the wrong people in the wrong spots and/or are not using your personnel resources most efficiently.
Experts recommend using automation to eliminate the manual rinse-and-repeat work of spotting and triaging alerts. This allows the SOC staff to become more of a proactive shield, upgrading the organization’s defenses.
“You need to be very careful with your security resources…finding that automation and those points where you can work smarter and align with the business,” said Bruce Beam, CIO of (ISC)², the association of certified cybersecurity professionals.
The talent shortage is not necessarily caused by a shortage of bodies but by bodies and budgets being poorly allocated, said Josh Zelonis, a chief technology officer at Palo Alto Networks. He compared the situation to an overwhelmed emergency room, where there may be enough personnel but too much time is spent time triaging incoming patients instead of treating them.
The Forrester study found SOC professionals spend more than half their workday investigating and triaging alerts. Less than 15% of their time is spent responding to alerts and mitigating vulnerabilities, and only 10.9% of their time is spent on improving security.
Using AI and machine learning, SOCs can automate a large part of that triage work and free the professionals to do the real work, said Zelonis. Right now, 17% of companies don’t use automation or machine learning in any part of the alert handling. Even companies that have automation are not using it to its full potential. The Forrester report found only 13% were using automation and machine learning for the full lifecycle of an alert—triage, analysis, and response.
“Without changing the allocation of budgets, you can solve that hypothetical challenge of not having enough people,” said Zelonis. Automation, combined with AI and machine learning, can make your organization’s SOC less defensive and more proactive.
Addressing the Skills Gap
The skills gap is two-fold: A shortage of cybersecurity personnel in general, as well as a shortage of personnel with the right skills to deal with emerging technologies and channels, such as the increased use of cloud and mobile devices.
“It’s not just about the manning. The manning is important but what we really need to know is the qualifications,” said Beam. “You need to have a good team of analysts and engineers that are constantly tuning your sensors and your processes.”
It’s been a good news/bad news situation, according to the (ISC)² 2020 Cybersecurity Workforce Study. The annual report found the workforce gap shrank in 2020 because while people are still being hired into the field, there is also reduced demand because of business uncertainty.
“The cybersecurity workforce gap is shrinking, but it persists,” the (ISC)² study concluded. “This demands that organizations be creative about how they fill roles and build their bench strength.”
The pandemic is expected to affect budgets into 2021. The (ISC)² survey found 49% of respondents expect their organizations to hire more cybersecurity professionals within the next year. But at the same time, more than half the cybersecurity practitioners polled expect budgets for both personnel and technology will be tight in the future.
The SOC of the future needs professionals who are problem-solvers and curious about keeping up with the latest technologies. That makes them more capable of spotting the vulnerabilities in emerging channels and devices, and able to spend time preventing attacks, rather than be passive spotters playing a game of digital whack-a-mole with cybercriminals.
But where can you find those people? The (ISC)² survey said the top sources for new hires are new college graduates (32%), consultants and contractors (31%), other departments in the organization (28%) and other companies in the same industry (27%). Beam said his organization has had good results training interns; one was hired as an associate and is now a senior engineer.
A SANS study found respondents said their best sources for “good” SOC employees—staffers their bosses are happy with—was hiring from within, followed closely by recommendations from existing staff. Internships, job fairs and college training programs ranked low in the quality of new hires.
Hiring and training internally also ensures the SOC has people who understand and align with the company’s operations. These internal staff may have a better understanding of how security affects business objectives and the importance of protecting data, not just stopping attacks. For example, someone who works with customer relationship management (CRM) software and has an interest in security could transfer his skills at brand protection and data privacy governance to the SOC.
Value the People You Have
Attrition is the enemy for many SOCs, and burnout is the enemy of SOC personnel. A Ponemon Institute report looking at the effectiveness of SOCs found that 65% of IT security operations staff said the stress of working in the SOC made them think about changing careers or quitting. And 66% of the respondents said it is very likely or likely that experienced security analysts would quit their SOC.
In the Ponemon report, IT security personnel describe working in the SOC as “painful” due to “being on call 24/7/365” and the constant flow of alerts. The report recommended automating the SOC workflow and normalizing the staff schedules to fight burnout. Among the respondents, 60% said automation helps reduce the stress of their organization’s security personnel and 43% added it’s making them more effective.
One tool that has been effective, according to the Forrester survey, is extended detection and response (XDR) capabilities. They aggregate data from various sources such as the company network and application stack, so companies can execute threat detection and response on all data sources and devices, whether they manage them or not. This makes the SOC staff more productive and the organization more secure.
Freeing SOC staff to spend more time improving security can cut back on attrition. Pescatore said interviews with respondents in the SANS survey showed that teams with lowest attrition rates have a mix of technology tools that are being constantly updated and built upon by the staff, so they avoid alert fatigue and remain creative and constantly upgrade their skills.
This requires change management, too, said Beam. SOCs are often set apart from the rest of the organization, disconnected from the rest of the business operations. “There’s not a lot of light or interaction with others,” he said. “It’s kind of its own isolated environment.”
Bringing the SOC in alignment with the rest of the business priorities helps both the SOC and other departments. “It starts with management. And it goes all the way down,” Beam said. “Make sure you’re working together.”
For more expert advisory and insights on the issues shaping cybersecurity today, visit Palo Alto Networks CXO Perspectives.