How Information Overload, Talent Retention, and Burnout Impact SOC Performance
Security operations centre leaders and staff report numerous pain points impacting SOC performance.
While most security teams believe that security operations centres (SOCs) play a pivotal role in cyber security programmes, several challenges are impacting SOC performance within businesses, according to a new report. Among these are information overload, worker burnout, and talent retention. The data comes from cyber security firm Devo following an independent survey of global SOC leaders (553) and staff members (547), and it adds evidence to reports of security operations becoming harder for teams to perform.
SOC teams face numerous pain points, leaders and staff consider quitting
An autonomic SOC is not one single thing; it consists of several key elements relating to scale, visibility and automation. As a starting point, an autonomic SOC requires the collection of as much data/telemetry as possible, as fast as possible, from all IT & OT environments, including the network, cloud and endpoints. Many businesses struggle with this kind of scale today and often have blind spots somewhere. Or, if they do collect all this data, they suffer from alert fatigue.
Automation is also essential because businesses cannot hope to scale up their security teams to match the modern telemetry needs outlined above. Therefore, they must embrace machine learning and the creation of human-made detection rules so that 99.99% of alerts are dealt with by software before analysts ever see them. Only then can businesses quickly determine if something is a known threat and automate response actions. Again, this is a radical departure from most current SOCs. Many SOC professionals prefer to handle most alerts themselves.
SOC pros call for stress support, automation, vacation time
Along with detailing their chief pain points, respondents were also asked what steps organisations should take to alleviate the challenges SOC teams face. Stress management programs and psychological counselling (41%), help in prioritising incidents and tasks (37%), and automation of workflow (37%) were among the top suggestions made by SOC staffers. As for leaders, advanced analytics/machine learning (39%), better support and recognition from senior leadership (38%), and more paid time off/vacation time (35%) were among the top answers.
Security operations “more difficult” than two years ago
The issues highlighted in Devo’s report echo findings from recent research from ESG that details five reasons why security operations are becoming more difficult for SOC teams to perform. The findings revealed that 52% of security professionals believe security operations are more difficult today than they were two years ago. The five reasons cited for this were:
- A rapidly evolving and changing threat landscape
- A growing attack surface
- The volume and complexity of security alerts
- Public cloud usage
- Keeping up with the care and feeding of security technologies
ESG’s findings serve as a key reminder to CISOs that, as threats, IT, alerts and tools expand, SOC modernisation must be designed to make the SOC team more productive so they can scale the amount of work they can do, which means more intelligent technology, better training and structured, repeatable processes.
SOC challenges ring true with SOC pros
Many of the issues highlighted in both Devo’s and ESG’s research echo thoughts shared with CSO by SOC professionals when asked about the biggest challenges and frictions impacting SOC performance. John Lodge, SOC Manager at Socura, says alert fatigue is a particular problem. “As well as causing fatigue for the analysts, repeating false positives also draws attention from and potentially delays responses to real active threats,” he tells CSO. The main solution to this is with effective tuning, he adds. “Key challenges to overcoming this are getting investment from analysts to ensure tuning opportunities are exploited as soon as possible. In cases where tuning is not possible, automation should be used so as much manual work is taken off the analyst as possible. Again, the challenge here is making sure the initial effort is put in to automate these actions before the false positives build up.”
First-time fix challenges are also significant, Lodge says. “When escalating an incident, we ideally want to be able to have resolved the incident with the tools and information at our disposal. In some cases, this is not possible as further context is required.” The challenge is to ensure that, in all cases, we have carried out as much investigation and response as possible. “The solution to this revolves around analyst training and effective playbooks. The combination of both these things ensures the analyst has already carried out exhaustive investigation before presenting the issue, and it also helps to standardise the responses.”
Lastly, there is the issue of shift patterns and finding time for one-to-one training with analysts, since they rotate between nights and weekends, Lodge adds. “Day shift hours are also typically the busiest. One approach we are using to overcome this challenge is to book time out in advance to review previous incidents. This time will act both as a quality control measure but also as a training opportunity. Booking this time out weeks ahead of the time means the schedule remains clear and the team are aware this time has been set aside.”
For ThreatX SOC Manager Neil Weitzel, the challenge the SOC team faces isn’t necessarily inundation or an inability to come up for air, but rather monotony. “The challenge with a monotonous workload – especially regarding the similar attacks and issues clients face and ask the SOC for assistance with – is that it can feel like a game of whack-a-mole, squashing the same issue in several areas. When team members’ job duties lack variety, they often don’t see career growth for themselves as they are not learning new skill sets or better understanding their interests,” he tells CSO. He adds that his team has therefore implemented a rotation system that allows team members to rotate across different roles: analysis, monitoring and dedicated project time. “Some days you might spend your time on the queue, but other days you’ll focus on threat intelligence or application security, or even working on training and research. I think it’s important to give your team the time to find their passion and give them the opportunity to home in on it so they can branch out into other roles or departments.”
This article originally appeared on CSO Online.