Should a WFH SOC Be a New Reality?
In my last article, I laid out a path for how organizations could quickly get up to speed in deploying a work-from-home (WFH) security operations center (SOC) amidst the current pandemic. Since then, there has been a lot of discussion as to whether most organizations may operate remotely long-term. Here are some of the challenges to doing that—and why a WFH SOC should only be used during an emergency.
WFH SOC Challenges
Team Well-Being and Productivity
For the average team member, the shift from working in the office to working from home can be a difficult transition. Research shows that productivity usually drops by about 15% at first. Employees suddenly feel isolated, disconnected and possibly stressed. This can lead to distraction and lower productivity. Studies have also shown that when a group of employees is given the choice to work either from home or the office after an initial work-from-home transition, more than half choose to come back to the office.
Why is that? WFH doesn’t “work” for everyone. Some people do not like it, mostly due to isolation, but it also lacks the structure that a 9-to-5 office day provides. People have trouble focusing at home and separating work from home life. When they go to the office, they can mentally put themselves in work mode.
IT Support for the Home Worker
Suddenly having to support employees working from home can be a challenge for an IT organization.
- Equipment: Obtaining and setting up equipment, including laptops and cellphones, can be challenging to do at scale. Many distributors are having a hard time keeping laptops in inventory during this crisis.
- Network Bandwidth: While most employees have cellular and internet, sometimes the available bandwidth may not be enough for an endless stream of teleconferences and network-intensive applications.
- Secure Connectivity: IT organizations will need to ramp up VPN access from home to ensure a secure connection from home to corporate resources—and do it at scale. And, is there room in the budget?
- Collaboration Tools: Employers may need to buy and implement employee collaboration tools, such as video conferencing, messaging tools and virtual whiteboards. Again, is there enough IT bandwidth and incremental budget to support this?
New Analyst Training and Management
New analysts will have trouble working from home alone. They typically learn and grow by working side by side with more senior analysts in the SOC. This ongoing collaboration, mentoring and tutoring is almost impossible to achieve remotely. Web conferencing tools (if left on full-time) can help here. The more junior or new your analysts are, the more they (and, therefore, you) will struggle to remain productive.
Access to SOC Tools
Access to security tools through a remote connection is imperative. Can the SOC console where alerts are processed and viewed be accessed by remote employees? How about incident response ticketing systems, shift turnover logs, investigation notes and more? These tools and associated reporting need to be shared across analysts and with other teams, including other SOC analysts, incident responders, CISO, HR, Legal, PR, business owners, the CEO and so on.
Analysis and Investigation Collaboration
Troubleshooting is more difficult when remote. It’s a lot easier when the person you need to help make a change is in the building. I remember trying to deploy security software for a customer a few years back. It was a midsized bank in Los Angeles. We hit a snag in our deployment and the security guy literally called over the cube-wall to the IT guy: “Hey, I can’t connect to XYZ. Can you check?” The IT guy responded, “Ah, the firewall is blocking you, let me update the firewall. … Try now. Good?” “Yep!”
I’ve never seen anything like that. Normally, it takes hours or days to complete that kind of change, i.e., open a ticket, get it in the queue, answer a call from IT for clarification of what was really needed, get approval and so on.
Sometimes two heads (or more) are better than one. Analyzing complex security incidents often requires insights from multiple people. SOC teams work best when they can collaborate when analyzing new and interesting attacks. Sometimes, it takes a village. It’s about reasoning through the problem; you draw on the collective experience of the team. You whiteboard, in real-time. It’s hard to do from home, and at best, it’s going to take you a lot longer. And in security operations, time is not on your side. You need to respond quickly when you have a critical incident.
Bottom Line
Moving to a remote WFH SOC is necessary for business continuity planning and under the current conditions. However, for a normal, healthy security operations practice, I’d recommend using it only in case of an emergency. Hopefully, we’ll all be bugging each other in the office sooner rather than later.