By Arie Fred, VP of Product, SecBI

In the fight against cyber threats, the SOC (security operations center) is the battlefield and security analysts are its soldiers. This was recently demonstrated by an order issued by the state of California that exempted cybersecurity practitioners from the coronavirus stay-at-home order.

But even in times of relative tranquility, being in a SOC can feel like war. An average enterprise SOC encounters anywhere between 10,000 and a million alerts per day, and SOCs are usually understaffed and have very little margin for error. Security analysts, like soldiers, need to stay alert and prepared for battle. As the military saying goes, “know your enemy”, and that enemy may not be the hacker but the barrage of alerts and false positives. Another useful lesson from military practice is that in times of stress people can’t handle much, so there’s no point in teaching complicated concepts. While “under fire”, people (and security analysts are humans, not machines) return to basics. With this in mind, we would like to highlight the top five challenges that every SOC analyst encounters when dealing with cyber threat detection and response.

1. Alert floods make it hard to evaluate the incident alerts for their urgency and relevancy.

The number one challenge of the SOC today is the high volume of alerts, which often leads to “alert fatigue”. Another phrase taken from military jargon, alert fatigue describes the degradation in performance of those who have to respond to a multitude of alerts (the term was originally used to describe the degraded performance of radar operators in WWII). In a modern SOC context, the main challenge is to prioritize the alerts by evaluating their urgency and relevance to the incident.

2. The “cry wolf effect” or understanding the incident before triage and escalation

It’s not only the multitude of alerts, but the fact that many of these alerts are false positives, that creates stress and reduces the effectiveness of analysts’ response. One survey found that more than half of the respondents reported a false positive rate of 50% or higher, leading to analysts spending the majority of their time trying to manage the high volume of alerts. So instead of chasing wild geese, analysts should acknowledge this tendency and quickly determine whether an alert is true or false, and whether it is severe enough to handle immediately (triage and escalate) or can wait for a later stage.

3. Using threat intelligence (TI) to identify infected/affected systems and the scope of the attack

Once an alert has been deemed important enough to investigate further, analysts must use threat intelligence (TI) to enrich the associated data and assess the full scope of the breach, including all infected systems. This is done by applying relevant and timely TI that can help identify which other systems have been impacted by the breach and what the source of the breach or attack could be.
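The triage steps described in challenges 1 to 3 (collapsing duplicate alerts into incidents, setting aside a known false-positive source, enriching each incident with TI and using the set of affected hosts as its scope) as one added Python example; this is not SecBI's or the author's code, and the alert records, TI feed and known-benign list below are constructed for illustration.

```python
# Constructed sample alerts (not from the article): the host an alert fired on,
# the external indicator it saw, the detection rule and a raw severity (1-3).
SAMPLE_ALERTS = [
    {"host": "ws-101", "indicator": "beacon.example", "rule": "dns_rare_domain", "severity": 2},
    {"host": "ws-101", "indicator": "beacon.example", "rule": "dns_rare_domain", "severity": 2},
    {"host": "ws-117", "indicator": "beacon.example", "rule": "proxy_uncategorized", "severity": 1},
    {"host": "srv-db-2", "indicator": "10.0.0.5", "rule": "port_scan", "severity": 3},
    {"host": "ws-140", "indicator": "cdn.example", "rule": "proxy_uncategorized", "severity": 1},
]

# Constructed TI feed: indicator -> (tag, confidence in the range 0..1).
TI_FEED = {"beacon.example": ("c2_domain", 0.9)}

# Assumed list of sources whose alerts are routinely false positives, e.g. the
# authorized internal vulnerability scanner ("cry wolf" alerts).
KNOWN_BENIGN = {"10.0.0.5"}


def build_incidents(alerts, ti_feed=TI_FEED, known_benign=KNOWN_BENIGN):
    """Collapse alerts into one incident per indicator, skip known-benign
    sources, attach TI, and record every host that touched the indicator."""
    incidents = {}
    for alert in alerts:
        ind = alert["indicator"]
        if ind in known_benign:
            continue
        inc = incidents.setdefault(
            ind, {"indicator": ind, "hosts": set(), "alerts": 0, "max_severity": 0})
        inc["hosts"].add(alert["host"])
        inc["alerts"] += 1
        inc["max_severity"] = max(inc["max_severity"], alert["severity"])
        inc["ti"] = ti_feed.get(ind)  # None when the feed has no entry
    return incidents


def score(inc):
    """Urgency from raw severity; relevance from TI confidence and scope, so a
    TI-confirmed indicator seen on two hosts outranks a lone severe alert."""
    ti_weight = inc["ti"][1] * 5 if inc["ti"] else 0
    return inc["max_severity"] + ti_weight + len(inc["hosts"])


def prioritize(alerts):
    """Return the incident list ordered most urgent first."""
    return sorted(build_incidents(alerts).values(), key=score, reverse=True)


if __name__ == "__main__":
    for inc in prioritize(SAMPLE_ALERTS):
        print(f"{score(inc):5.1f}  {inc['indicator']:16} hosts={sorted(inc['hosts'])} ti={inc['ti']}")
```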

4. Collecting data for further investigation

Before moving further with the investigation, analysts must collect all the relevant information, such as network log files, endpoint logs, etc. This should be done quickly, because some cyber threat actors are masters at disguising their trails and could delete or erase some of their “digital footprints”, which would make the investigation impossible to complete.

5. Making the correct modifications and configuring security tools

Once the “battle” is over and the security investigation has ended, it is only natural that the weary “soldiers” (analysts) need to rest. But unlike the physical battleground, the cyber battleground offers no rest. One breach attempt could be detected and remediated perfectly, only to be followed by another, and another, until the attacker succeeds. Therefore, it is crucial to end the investigation by determining not only the source and the impact, but also the changes required to prevent this breach from happening again. Firewall rules should be updated, security policies modified as needed, and the next shift of analysts briefed so they can identify the next wave of cyber attackers quickly.

Conclusion

SOC analysts are not putting their lives at risk on the battlefield, but they are your organization’s first line of defense. With proper training, methodology and tools, they will be able to secure the organization, and when they experience the inevitable breach, security analysts will respond promptly and effectively so that the organization can continue to operate with few or no losses, just as soldiers on the battlefield would.