For security leaders, a mature Security Operations Centre (SOC) is about robust processes that bring teams and technology together for success. Yet, on a daily basis, many SOC teams are fighting fires without the time, staff, resources or visibility they need to operate effectively. SOC maturity aims to bring efficiencies and allow analysts to focus on higher-value work. With careful planning and the right combination of automation and standardised processes, a mature, effective and world-class SOC can be established.
Too few staff dealing with too many alerts
There are a number of tell-tale signs that a SOC is not as efficient and effective as it could be. The first is that analysts struggle to respond to the vast number of alerts they receive from the different security solutions deployed. Our research shows that, on average, a SOC receives 840 alerts each day, many of which will be missed by teams working through them manually. This is a significant worry for CISOs: nearly a third believe that alerts missed because of high volumes are a substantial problem.
Alert overload is also severely affecting the well-being and retention of skilled SOC analysts, who on average spend around 18 percent of their day managing alerts. More than half of analysts say that dealing with mundane tasks, such as alert triage, is their biggest point of frustration. This has been exacerbated during the pandemic, which has seen a drop in staff levels and a corresponding jump in the time teams have to spend on routine tasks.
These frustrations combined mean that just under half of analysts are considering leaving their role. This should be of grave concern to organisations with disaffected SOC staff, because not only could they lose analysts with a wealth of experience, but the cyber skills shortage means those analysts will be very difficult to replace.
A lack of integration
The average SOC operates around 18 different security solutions in an attempt to keep its corporate network safe from attack. However, without a unified view of these disparate tools, SOC analysts can waste large amounts of time pivoting from one UI to another. Further, being unable to correlate data across tools means that vulnerabilities and potential security issues can be missed: a phishing email flagged by the mail gateway and a suspicious process flagged by the endpoint agent on the same host look like two unrelated alerts until someone joins them.
Another area hampering SOCs is a lack of documented processes for how to respond to a given type of alert or incident. These processes, known as playbooks, are important firstly because they ensure consistency across the SOC team. For instance, if an analyst must pass an issue to a colleague because their shift has ended, that colleague can see what has already been done and what needs to happen next. Without such documentation there either needs to be a lengthy handover process or the issue is not dealt with effectively.
Playbooks are built on the knowledge and experience of analysts, and there should be one in place for each type of threat an organisation is likely to face, such as phishing or ransomware. Each should be detailed enough, with explicit inputs, ordered steps and unambiguous decision criteria, that the process of dealing with that threat can be automated rather than re-interpreted by each analyst.
Improving SOC maturity
Creating a mature SOC is about ensuring teams can respond quickly and effectively to any threat that may arise. Being able to see, on one dashboard, all the data and alerts produced by the different security solutions an organisation has is an essential element. This capability enables a SOC to see immediately which solutions are detecting a potential vulnerability or threat, and then correlate that with data from other tools to discover how widespread it is.
Security information and event management (SIEM) can collect, aggregate, categorise and analyse events to reveal patterns that could indicate a cyber attack. Most SOC maturity models will say that to achieve even a mid-level of maturity a SIEM system is required.
However, while SIEM is a significant boost to any SOC, it can only go so far. It needs regular tuning and optimisation from analysts to remain accurate, so much of the work is still manual: analysts still have to investigate each alert to decide whether it is a false positive or a true positive.
To achieve true automation, and a higher level of maturity, SOCs need to deploy Security Orchestration, Automation and Response (SOAR) solutions. SOAR takes the alerts produced by the SIEM and other tools and can triage, respond to and, where appropriate, remediate them, following the steps defined in playbooks.
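The following is an added illustration of the playbook-driven triage described above; it is not code from this article, from SIRP's product or from any real SOAR platform. The alert fields, the two tools, the good/bad domain lists, the 15-minute correlation window and the three verdicts are all assumptions chosen for the example. Each playbook step writes what it did and found into the case, so the audit trail that makes a shift handover possible is produced as a side effect of running the playbook.

```python
"""Minimal playbook-driven alert triage (added example, not a real SOAR engine).

Two constructed alerts from an email gateway and an EDR agent land on the same
host a few minutes apart; the phishing playbook enriches, correlates across
tools, and decides, recording every step for handover.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts. Field names are assumptions; a real feed would
# come from the SIEM in whatever schema it normalises to.
SAMPLE_ALERTS = [
    {"id": "a1", "tool": "email_gw", "type": "phishing", "host": "ws-17",
     "sender": "billing@paypa1-secure.example",
     "url": "http://paypa1-secure.example/login",
     "ts": datetime(2021, 3, 1, 9, 0)},
    {"id": "a2", "tool": "edr", "type": "suspicious_process", "host": "ws-17",
     "process": "powershell.exe -enc ...",
     "ts": datetime(2021, 3, 1, 9, 4)},
    {"id": "a3", "tool": "email_gw", "type": "phishing", "host": "ws-42",
     "sender": "newsletter@vendor.example",
     "url": "https://vendor.example/news",
     "ts": datetime(2021, 3, 1, 9, 10)},
]

# Assumed threat-intel lists; a real playbook would query a TI platform.
KNOWN_BAD_DOMAINS = {"paypa1-secure.example"}
KNOWN_GOOD_DOMAINS = {"vendor.example"}


@dataclass
class Case:
    alert: dict
    steps: list = field(default_factory=list)  # (step name, result) audit trail
    verdict: str = "open"

    def record(self, step, result):
        """Every step writes its outcome so the next analyst sees the state."""
        self.steps.append((step, result))


def domain_of(sender: str) -> str:
    return sender.rsplit("@", 1)[-1].lower()


def step_enrich(case, all_alerts):
    """Look the sender domain up in the (assumed) allow/block lists."""
    d = domain_of(case.alert["sender"])
    case.record("enrich", {"domain": d,
                           "bad": d in KNOWN_BAD_DOMAINS,
                           "good": d in KNOWN_GOOD_DOMAINS})


def step_correlate(case, all_alerts, window=timedelta(minutes=15)):
    """Cross-tool correlation: any other alert on the same host within the window."""
    a = case.alert
    related = [o["id"] for o in all_alerts
               if o["id"] != a["id"] and o["host"] == a["host"]
               and a["ts"] <= o["ts"] <= a["ts"] + window]
    case.record("correlate", {"related": related})


def step_decide(case, all_alerts):
    """Decision criteria are explicit so the outcome does not depend on who runs it."""
    results = dict(case.steps)
    enrich, related = results["enrich"], results["correlate"]["related"]
    if enrich["good"] and not related:
        case.verdict = "closed_false_positive"
    elif enrich["bad"] and related:
        case.verdict = "contain_host_and_escalate"  # automated containment, then a human
    else:
        case.verdict = "escalate_to_analyst"
    case.record("decide", case.verdict)


# One ordered list of steps per threat type the organisation expects.
PLAYBOOKS = {
    "phishing": [step_enrich, step_correlate, step_decide],
}


def run_playbooks(alerts):
    """Route each alert that has a playbook through its steps; others stay manual."""
    cases = []
    for alert in alerts:
        steps = PLAYBOOKS.get(alert["type"])
        if steps is None:
            continue  # no playbook yet: exactly the gap the text warns about
        case = Case(alert)
        for step in steps:
            step(case, alerts)
        cases.append(case)
    return cases


def verdicts(alerts=SAMPLE_ALERTS):
    return {c.alert["id"]: c.verdict for c in run_playbooks(alerts)}


if __name__ == "__main__":
    for c in run_playbooks(SAMPLE_ALERTS):
        print(c.alert["id"], c.verdict, c.steps)
```

Run as a script, the known-bad phishing email on ws-17 is joined to the EDR alert on the same host and is contained and escalated, while the newsletter on ws-42 with no corroborating activity is closed as a false positive. The EDR alert itself has no playbook in this example and is left for manual triage, which is the state the article argues most SOCs are stuck in for every alert.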
While achieving a high level of maturity is a key objective for any SOC it should be a by-product of achieving efficiencies through automation, integration and continuous innovation. Deploying SOAR will increase a SOC’s maturity level but, more importantly, it will deliver a range of other benefits including helping to retain knowledgeable and experienced analysts, ensuring all alerts are handled effectively and improving an organisation’s security standing. In this way the SOC can become a centre of strategic value to the organisation focussed on reducing risk, rather than inundated with alerts which it simply cannot manage.
By Faiz Shuja, Co-Founder & CEO at SIRP