Security operations center (SOC) analysts are grappling with a flood of alerts, and the current world situation is creating a perfect storm of cybersecurity risk. The rise of remote work has expanded an already porous attack surface; nation-states and criminal gangs have grown more aggressive; and insider threats are on an unfortunate upswing. Further complicating the situation is the failure of existing security controls, which were built to detect anomalies in a world where suddenly nothing is normal.
According to a recent survey by CriticalStart, 50% or more of the current alert volume consists of false positives, and separating those from real problems becomes ever more difficult as the volume grows.
The SOC Is Overloaded and Overworked
Today’s SOCs are overloaded to the point of unsustainability. Lacking any automated coordination and response, analysts burn out trying to find the real threats in the morass of alerts. Meanwhile, research indicates upwards of 39% of real threats slip past them undetected.
SOC operators are under enormous pressure, from data overload to the sheer volume of disparate technologies they maintain. SOC teams must examine and prioritize meaningful alerts that are worthy of further investigation. Piecing together a picture of what actually happened can take months. That’s more precious time wasted.
As today’s networks push massive amounts of data throughout their ecosystems, valuable time is spent in search of the missing context needed to find and prioritize real threats.
The SOC Team Is Burning Out
Sixty percent of SOC team members are considering changing careers or leaving their jobs due to stress, as reported in the second annual “Devo SOC Performance Report,” based on a survey conducted by Ponemon Institute.
A skills shortage further compounds the problem. Even if an organization wants to expand its SOC and hire the best and brightest people to improve efficiency and accuracy, there’s a good chance it won’t be able to. In fact, (ISC)2 estimates that more than 4 million additional trained professionals are currently needed to close the existing cybersecurity skills gap.
Addressing the Noise Problem
Organization leaders must recognize that a combination of human experts, technology and strategic alignment is needed to combat the noise problem. The current SOC situation is difficult but not intractable. In short, organizations need to get back to the basics. Before they deploy the next shiny new security solution, they have to ensure that they have an infrastructure and processes that support their ongoing needs properly.
Executives and leaders need to focus on transitioning the SOC to a place where it isn’t just ingesting a lot of data but is actually making use of it. This is where recent improvements in access to forensic data can play a key role, allowing analysts to work more effectively and spend less time eliminating noise. Armed with the contextual data they need to make decisions quickly, analysts process real threats to the environment more efficiently, including the entry point of an attack, the infection vector, and misconfigurations or other vulnerabilities. This information can then be fed back into best practices that make future alert response faster and more efficient.
Transforming the SOC
Gartner predicts that by 2022, 50% of all SOCs will transform into modern centers with integrated incident response, threat intelligence and threat-hunting capabilities, up from less than 10% in 2015.
It’s important to ensure senior leadership alignment on the organization’s cybersecurity posture and funding and staffing needs. And that includes ensuring SOC teams have rapid access to forensic data that can speed response and shift the odds in favor of defenders. With the right data available at the right stage of the incident response process, false or low-priority incidents can be culled earlier, and more time can be spent on rooting out higher priority threats.
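As an added example, not drawn from the article or from any vendor it cites, the Python below sketches the context-driven culling described above: each alert is enriched with asset criticality, known misconfigurations and an allowlist of authorized internal scanners before it is scored, so false and low-priority alerts drop out before an analyst ever sees them. All hosts, IP addresses, scores and the threshold are constructed sample values.

```python
"""Context-driven alert triage: enrich raw alerts with asset, vulnerability
and allowlist context, then cull low-priority ones before an analyst sees them.
Every value below is constructed sample data, not a real indicator."""
from dataclasses import dataclass, field

# Constructed context sources an enrichment step might consult.
ASSETS = {  # host -> (criticality 1-5, known misconfigurations)
    "db-prod-01": (5, ["smb-signing-disabled"]),
    "dev-laptop-17": (2, []),
    "vuln-scanner-01": (1, []),
}
KNOWN_SCANNERS = {"10.0.9.5"}  # authorized internal scanner source IPs


@dataclass
class Alert:
    host: str
    src_ip: str
    rule: str
    severity: int  # vendor severity 1-5, before any context is applied
    context: dict = field(default_factory=dict)


def enrich(alert):
    """Attach asset criticality, misconfigurations and allowlist hits."""
    crit, misconfigs = ASSETS.get(alert.host, (3, []))  # unknown host: assume medium
    alert.context = {
        "criticality": crit,
        "misconfigs": misconfigs,
        "known_scanner": alert.src_ip in KNOWN_SCANNERS,
    }
    return alert


def score(alert):
    """Priority = vendor severity weighted by asset criticality, boosted when
    the host carries a known misconfiguration, zeroed for allowlisted sources."""
    if alert.context["known_scanner"]:
        return 0
    s = alert.severity * alert.context["criticality"]
    if alert.context["misconfigs"]:
        s += 5
    return s


def triage(alerts, threshold=6):
    """Return (queue for analysts, culled alerts) using the enriched context."""
    queue, culled = [], []
    for a in map(enrich, alerts):
        (queue if score(a) >= threshold else culled).append(a)
    queue.sort(key=score, reverse=True)
    return queue, culled


SAMPLE_ALERTS = [  # constructed sample alerts
    Alert("db-prod-01", "203.0.113.7", "smb-lateral-movement", 3),
    Alert("dev-laptop-17", "10.0.9.5", "port-scan", 4),
    Alert("vuln-scanner-01", "198.51.100.2", "failed-login", 2),
    Alert("unknown-host", "192.0.2.9", "malware-beacon", 4),
]
```

The port scan from the authorized scanner and the low-severity event on a low-criticality host are culled, while the production database alert is promoted above its vendor severity because the host is both critical and misconfigured.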