Should a WFH SOC Be a New Reality?

In my last article, I laid out a path for how organizations could quickly get up to speed in deploying a work-from-home (WFH) security operations center (SOC) amidst the current pandemic. Since then, there has been a lot of discussion as to whether most organizations may operate remotely long-term. Here are some of the challenges to doing that—and why a WFH SOC should only be used during an emergency.

WFH SOC Challenges

Team Well-Being and Productivity

For the average team member, the shift from being in the office to working from home can be a difficult transition. Research shows that productivity usually drops by about 15% at first. Employees suddenly feel isolated, disconnected and possibly stressed, which can lead to distraction and lower productivity. Studies have also shown that when a group of employees is given the choice to work either from home or from the office after an initial work-from-home transition, more than half choose to come back to the office.

Why is that? WFH doesn’t “work” for everyone. Some people simply do not like it, mostly because of the isolation, but it also lacks the structure that a 9-to-5 office day provides. People have trouble focusing at home and separating work from home life. When they go to the office, they can mentally put themselves in work mode.

IT Support for the Home Worker

Suddenly having to support employees working from home can be a challenge for an IT organization.

  • Equipment: Obtaining and setting up equipment, including laptops and cellphones, can be challenging to do at scale. Many distributors are having a hard time keeping laptops in inventory during this crisis.
  • Network Bandwidth: While most employees have cellular and internet access at home, the available bandwidth may not be enough for an endless stream of teleconferences and network-intensive applications.
  • Secure Connectivity: IT organizations will need to ramp up VPN access from home to ensure secure connection from home to corporate resources—and do it at scale. And, is there room in the budget?
  • Collaboration Tools: Employers may need to buy and implement employee collaboration tools, such as video conferencing, messaging tools and virtual whiteboards. Again, is there enough IT bandwidth and incremental budget to support this?

New Analyst Training and Management

New analysts will have trouble working from home alone. They typically learn and grow by working side by side with more senior analysts in the SOC. This ongoing collaboration, mentoring and tutoring is almost impossible to achieve remotely. Web conferencing tools (if left on full-time) can help here. The more junior or new your analysts are, the more they (and, therefore, you) will struggle to remain productive.

Access to SOC Tools

Access to security tools through a remote connection is imperative. Can the SOC console where alerts are processed and viewed be accessed by remote employees? How about incident response ticketing systems, shift turnover logs, investigation notes and more? These tools and their associated reporting need to be shared across analysts and with other teams, including other SOC analysts, incident responders, the CISO, HR, Legal, PR, business owners, the CEO and so on.

Analysis and Investigation Collaboration

Troubleshooting is more difficult when remote. It’s a lot easier when the person you need to help make a change is in the building. I remember trying to deploy security software for a customer a few years back. It was a midsized bank in Los Angeles. We hit a snag in our deployment and the security guy literally called over the cube-wall to the IT guy: “Hey, I can’t connect to XYZ. Can you check?” The IT guy responded, “Ah, the firewall is blocking you, let me update the firewall. … Try now. Good?” “Yep!”

I’ve never seen anything like that. Normally, it takes hours or days to complete that kind of change, i.e., open a ticket, get it in the queue, answer a call from IT for clarification of what was really needed, get approval and so on.

Sometimes two heads (or more) are better than one. Analyzing complex security incidents often requires insights from multiple people. SOC teams work best when they can collaborate when analyzing new and interesting attacks. Sometimes, it takes a village. It’s about reasoning through the problem; you draw on the collective experience of the team. You whiteboard, in real-time. It’s hard to do from home, and at best, it’s going to take you a lot longer. And in security operations, time is not on your side. You need to respond quickly when you have a critical incident.

Bottom Line

Moving to a remote WFH SOC is necessary for your business continuity planning and under the current conditions. However, for a normal, healthy security operations practice, I’d recommend using it only in case of an emergency. Hopefully, we’ll all be bugging each other in the office sooner rather than later.

Chris Triolo
Chris Triolo is the vice president of customer success at Respond Software. His security expertise includes building world-class professional services organizations as vice president of professional services at ForeScout and global vice president of professional services and support for HP Software Enterprise Security Products (ESP). Chris’ depth in security operations and leadership includes a long tenure at Northrop Grumman TASC supporting various Department of Defense and government customers including Air Force Space Command (AFSPC) Space Warfare Center, United States Space Command (USSPACECOM) Computer Network Attack and Defense, Air Force Information Warfare Center (AFIWC), and others.