
How the Human Still Plays the Biggest Role in Security Operations

Of all the cybersecurity disciplines, one is uniquely and intrinsically connected to the human being: security operations.

The success of the modern security operations center, despite the infusion of automation, machine learning, and artificial intelligence, remains heavily dependent on people. This is largely due to the vast amounts of data a SOC must ingest – a product of an attack surface ceaselessly expanding in the age of professionalized cybercrime and the borderless enterprise. All those alerts coming in mean proactive and reactive human decision making remains critical.


Perhaps, then, it should come as no surprise that the security analyst now ranks as No. 1 in U.S. News’ 100 Best Jobs Rankings, “determined by identifying careers with the largest projected number and percentage of openings through 2030, according to the U.S. Bureau of Labor Statistics.” Security, namely detection and response, is not only a business imperative – it is arguably the top worry on the minds of CEOs.

In a somewhat cruel twist of irony, however, the security analyst is also one of the most likely professions to want to leave their jobs, according to a newly released “Voice of the SOC Analyst” study conducted by Tines. 

What gives?

Turnover woes are attributable to several key SecOps challenges that never seem to budge.

1) Alert Fatigue: Have you ever received so much spam and junk mail that you end up ignoring new messages entirely, and then miss an important one? The same happens with alerts. Too much noise is unsustainable and leads to real threats being missed, especially as perimeters expand and cloud adoption increases.

2) Disparate Tools: Already juggling too many point detection tools, security operations professionals are saying hello to a few more in the era of remote work and increased cloud demand. By the latest count, the average enterprise has north of 75 security tools to manage.

3) Manual Processes: Use-case procedures that are carried out inconsistently and cannot be repeated bottleneck response times and frustrate SecOps teams. Not everything in the SOC needs to be (or should be) automated, but a lot can be, which frees analysts and engineers to concentrate on higher-order tasks and makes it far easier to transfer knowledge to new employees.

4) Talent Shortage: Death, taxes and the cybersecurity skills shortage. As sure as the sun will rise tomorrow, so will the need for proficient individuals to wage the cybersecurity fight. But what happens when not enough talent is filling the seats? Teams must compensate to fill the gap.

5) Lack of Visibility: Security operations metrics are critical for improving productivity and attracting buy-in, but SecOps success can be difficult to track, as reports can require a significant amount of work to pull together.

The caveat, of course, is that it would be rare to find a SecOps team that is not wrestling with at least some of the above challenges. So what are some of the immediate steps you can take to push back against these stifling constraints? As you could probably deduce, it comes down to processes and technology, powered by people, to remedy the issues.

Detect Threats More Efficiently

Efficiencies within the SOC can be realized from a SIEM solution that automatically detects threats in real time and at scale. The right platform will support massive data ingestion and storage, relieve traditional cost and scaling limitations, and broaden the lens for anomaly-based and machine learning/AI-based detection. With data stored and analyzed in one place, security teams can detect and investigate threats more effectively.

Respond to Threats Automatically

Security orchestration, automation and response (SOAR) can be a game-changer in terms of caseload reduction and faster (and smarter, especially when integrated with threat intelligence) response times. But before rushing headfirst into automation, you should map your current processes, decide which outcomes you are trying to achieve (such as reduced MTTD or MTTR), and only then decide exactly what you want to automate (which can be a lot with SOAR). Start with the mechanical steps such as enrichment, deduplication and ticket creation. Later, you can add decision automation where simple cognitive steps, first performed by humans, have proven to be correct over time, while keeping high-severity cases in front of an analyst regardless of a rule's track record.
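The following is an added example, not code from the original post or from Siemplify, showing one way to put the preceding advice into practice: repeated alerts for the same rule and host are collapsed into a single case (alert fatigue), and a playbook decision is executed automatically only when analysts have agreed with that decision often enough on earlier cases, with a minimum sample size and a severity ceiling as guard rails. The alerts, the playbook, the analyst history and the thresholds are all constructed sample data for illustration.

```python
"""SOAR-style triage gate (added example; all data below is constructed)."""
from dataclasses import dataclass, field

MIN_SAMPLES = 20            # assumed: ignore a rule's track record below this many reviewed cases
MIN_AGREEMENT = 0.95        # assumed: auto-apply only if analysts agreed with the action >= 95 %
SEVERITY_ALWAYS_HUMAN = 8   # assumed: cases at or above this severity always go to a person


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    severity: int


@dataclass
class Case:
    rule: str
    host: str
    count: int = 0
    max_severity: int = 0
    users: set = field(default_factory=set)


def dedupe(alerts):
    """Collapse alerts sharing (rule, host) into one case so an analyst sees one item, not fifty."""
    cases = {}
    for a in alerts:
        key = (a.rule, a.host)
        c = cases.get(key)
        if c is None:
            c = cases[key] = Case(rule=a.rule, host=a.host)
        c.count += 1
        c.max_severity = max(c.max_severity, a.severity)
        c.users.add(a.user)
    return list(cases.values())


# Playbook: the action a human would normally take for each rule (constructed).
PLAYBOOK = {
    "vuln_scanner_noise": "close_benign",
    "impossible_travel": "disable_user",
}

# Reviewed history per rule: (action proposed, analyst agreed?) (constructed).
HISTORY = {
    "vuln_scanner_noise": [("close_benign", True)] * 48 + [("close_benign", False)] * 2,
    "impossible_travel": [("disable_user", True)] * 9 + [("disable_user", False)] * 3,
}


def agreement(rule):
    """Fraction of reviewed cases where the analyst agreed with the playbook, or None if too few."""
    rows = HISTORY.get(rule, [])
    if len(rows) < MIN_SAMPLES:
        return None
    return sum(1 for _, agreed in rows if agreed) / len(rows)


def triage(case):
    """Decide whether the playbook action runs automatically or is only suggested to a human."""
    action = PLAYBOOK.get(case.rule)
    if action is None:
        return {"mode": "human", "action": None, "reason": "no playbook for rule"}
    if case.max_severity >= SEVERITY_ALWAYS_HUMAN:
        return {"mode": "human", "action": action, "reason": "severity above auto ceiling"}
    rate = agreement(case.rule)
    if rate is None:
        return {"mode": "human", "action": action, "reason": "insufficient review history"}
    if rate < MIN_AGREEMENT:
        return {"mode": "human", "action": action, "reason": f"agreement {rate:.2f} below threshold"}
    return {"mode": "auto", "action": action, "reason": f"agreement {rate:.2f} over {len(HISTORY[case.rule])} cases"}


def run(alerts):
    """Dedupe raw alerts, then triage each case; returns {(rule, host): decision}."""
    return {(c.rule, c.host): triage(c) for c in dedupe(alerts)}


# Constructed sample alert feed: five repeats of scanner noise, one identity alert, one rule with no playbook.
SAMPLE_ALERTS = (
    [Alert("vuln_scanner_noise", "web-01", "svc-scan", 3)] * 5
    + [Alert("impossible_travel", "vpn-gw", "alice", 6)]
    + [Alert("new_detection", "db-02", "bob", 9)]
)

if __name__ == "__main__":
    for key, decision in run(SAMPLE_ALERTS).items():
        print(key, decision)
```

The scanner-noise rule has 48 of 50 analyst-confirmed closures, so its case is closed automatically; the impossible-travel rule has only 12 reviewed cases, so the playbook action is shown to the analyst but not executed; the rule with no playbook goes straight to a person. Raising MIN_SAMPLES or MIN_AGREEMENT, or lowering SEVERITY_ALWAYS_HUMAN, is how you keep humans in the loop while the automation earns trust.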

Prioritize Logs

Many teams lack a strategy for collecting, analyzing and prioritizing logs, despite the fact that these sources of insight often hold the clues of an ongoing attack. To help, we have prepared two cheat sheets featuring essential logs to monitor.

Outsource What You Can’t Do Yourself

Process improvements may help you compensate for perceived personnel shortages (for example, fixing a misconfigured monitoring tool may reduce alert noise enough to free an analyst). Even so, most organizations need additional human hands for tasks like round-the-clock monitoring and for more specialized functions like threat hunting. This is where a managed security services provider or a managed detection and response provider can help. Be realistic about your budget, however, and weigh which of these functions you can reasonably build in-house before outsourcing them.

Institute Career Models

Lack of management support was cited as the fourth-biggest obstacle to a full SOC model, according to a recent SANS Security Operations Center Survey. To overcome this, leaders must work to improve workflow processes, keep teams working on inspiring tasks, be flexible with employees and endorse training and career development. Because at the end of the day, the SOC is still distinctly human.

Dan Kaplan is a content marketer at Google Cloud Security.


The post How the Human Still Plays the Biggest Role in Security Operations appeared first on Siemplify.

*** This is a Security Bloggers Network syndicated blog from Siemplify authored by Dan Kaplan. Read the original post at: https://www.siemplify.co/blog/how-the-human-still-plays-the-biggest-role-in-security-operations/