Improving the Efficiency and Effectiveness of SOC Teams

I think it is safe to say that we are all struggling to hire and retain qualified cybersecurity analysts and operators to keep pace with ever-increasing cyber threats and the growing complexity of our enterprise environments. As cyber threats grow in number and become more stealthy and sophisticated, what can we as CISOs and security practitioners do to make the most of the cyber resources we have?  In this blog, I’ll explore some strategies for increasing the efficiency and effectiveness of your security analysts and operators to allow the limited resources that you have to be refocused from chasing false positives to the things that have the greatest potential to impact your enterprise.

Dealing with stealthy and sophisticated threats demands specialized knowledge and skillsets. Unfortunately, these resources are spread thin across many sectors. This has had a pressing impact on cyber workforce shortages across many enterprises and agencies, with a wide variety of key cybersecurity positions remaining unfilled and vacant. Additionally, areas that continue to plague an already limited team include information overload, alert fatigue, and limited resources from both a personnel and expertise standpoint.

Risk Determination for SOC Teams

This cyber skills gap means Security Operations Center (SOC) teams have to rely on skeleton crews to defend the entirety of the enterprise or agency cyber terrain. This has a negative ripple effect on the enterprise risk posture, as SOC teams do not have enough resources to mitigate risk in a cyber relevant timeframe. Similar issues pertain on the federal side. For example, in the latest iteration of its biennial High Risk List, the Government Accountability Office noted, “mission-critical skills gaps are a contributing factor in making other areas across the government high risk. Of the 34 other high-risk areas, skill gaps played a significant role in 16 areas.” This is especially true for the cybersecurity field, where many agencies are still modernizing.

The State of Security Stacks Eliminates Efficiency

One of the biggest contributing factors to heightened risk postures is the state of enterprise and agency security stacks. Over the years, security stacks have often been shaped to address specific, past cyber incidents. Disparate point solutions have been procured to address a specific incident and then bolted onto the security stack without sufficient consideration for how well those solutions play with the existing (sometimes legacy) architecture. This approach inevitably leads to inefficiencies and bloat within the security stack. Too often, point solutions are added without evaluating what capabilities are already present in the stack, leading to unnecessary duplication. Additionally, many of these solutions operate in a vacuum, isolated from other capabilities in the stack that could provide needed context or visibility.

This security stack “bloat” has led to analyst overload. Already understaffed SOC teams are left to react to a barrage of alerts (many redundant or lacking actionable context), and piece together in their heads what is going on across multiple tools. This means most of the average SOC team’s time is spent manually documenting and evaluating the urgency of incident alerts instead of actually responding to or preventing incidents. This, in combination with the fractured and bloated state of the security stack, creates visibility gaps in the enterprise or agency’s cyber defense, opening up additional avenues of attack for cyber adversaries and exponentially increasing risk levels. 

Operationalizing Threat Frameworks to Maximize Efficiency for SOC Teams

The key to getting out of this trap is to improve the integration and automation of tools – performing internal assessments of their security stacks, looking for ways to reduce the footprint of their stacks and better integrate the capabilities they have.

We recommend that our customers begin their assessments by mapping their current capabilities against the MITRE ATT&CK framework and use the framework to highlight where they have redundancies and/or gaps in their stack. Once you’ve settled on an appropriate mix of tools and an appropriate level of coverage across the ATT&CK framework, the focus can shift to better integrating the remaining tools. Here is where redundancy is to your favor as you can trade off multiple redundant tools to select tools that better integrate and help to alleviate the analyst workload.

Addressing the Cyber Skills Gap

After the risk assessment, agencies should have a good idea of what capabilities they are lacking, and how they can streamline their security stack by reducing bloat and introducing automation. The beauty of automating is that if done properly, it has the power to elevate tier 1 or junior analysts to the level of tier 2 analysts, as it can provide a deeper level of insight, so that they can quickly draw accurate conclusions and complete investigations at a faster pace. In this way, automation acts as a workforce multiplier, helping to mitigate some of the risk consequences of the cyber workforce shortage.

Being able to effectively implement automation ultimately comes down to how well enterprises and agencies understand all of the assets on their network – both managed and unmanaged – and the risk each asset poses to the enterprise.

On the federal side, legacy security stacks and threat detection systems tend to be very noisy, generating a flood of alerts and notification that require manual validation. They also tend to react poorly to tracking different stages of the attack lifecycle, generating new alerts as the same artifact or behavior moves to the next TTP in the kill chain. Similar issues are seen on the enterprise side.

For CISOs that do not have budget to staff a full SOC team for continuous monitoring, they can partner with a Managed Security Services Provider (MSSP) or Managed Detection and Response (MDR) provider to deliver the full-time coverage of people and technology necessary to ensure the proper risk education to the organization and coverage to quickly identify and respond to active threats.

Automating Detection and Response for Greater Efficiency

There are key ways alert fatigue can be reduced through automation and in turn help security teams stay on task and focused.

1. Prioritized Alerts – Alert prioritization should be automated to ensure the team focuses on alerts associated with the highest level of risk. A robust automated detection capability will use analytics and machine learning to produce high confidence alerts and then prioritize those alerts based on risk to the enterprise and past actions taken by analysts. At Fidelis, we prioritize alerts based on the severity of an alert, the level of coverage for the asset, and the importance of the asset.
2. Grouped Alerts – Grouping or collecting relevant alerts together into analytical conclusions helps analysts to quickly “connect the dots”, determine interrelated alerts, and identify what assets are being impacted. Intelligent grouping allows security teams to focus on those alerts and assets that matter so that they can quickly respond and contain the attack before significant damage is done.
3. Actionable Alerts – In order to provide this deep context, the solution should include key information such as the full sandbox execution report, a link to the entire network path and all endpoint activity before and after the violating activity – as well as any relevant asset information – all in one screen at your fingertips

Having higher confidence in your alerts allows you to focus your limited resources on the most critical and most actionable alerts. And as a side benefit, if you have higher confidence in your alerts, you will feel more comfortable enabling automated responses. Prevention workflows can be automated in various ways to reduce the impact on a busy security operations team, and ultimately speed up prevention of new and previously unknown threats. This ultimately helps security teams to react to threats in cyber relevant time, and provides analysts with the time, visibility, and context they need to do what they’re best at.

A great place to start with gaining efficiency includes implementing automated playbooks for detection, triage, and response actions. With a more consolidated and integrated set of security tools, automation for detection and response actions allows for alert dashboards to be more quickly attended, analysts can gain valuable time to perform more in-depth threat hunting, and the entirety of the security program can see an uplift in positive metrics, such as a decrease in false positives, a decrease in time from detection to mitigation, and decreased analyst burnout and turnover.

Federal teams that would like to learn more about how you can use automation and increased visibility to alleviate some of the burden on their security teams, should check out our on-demand Federal Cyber Skills Gap webinar.