The evolving role of the SOC analyst

  • As the cyber threat landscape evolves, so does the role of the Security Operations Center (SOC) analyst.
  • Cybersecurity industry veteran and OneTrust VP of Security Colin Henderson says organizations should avoid hiring armies of specialists for repetitive tasks.
  • Modern SOC teams force analysts to adopt new approaches even when the core of their work stays the same. Despite rising threat levels, automation is the key to improving efficiency and job satisfaction for security analysts.

I met with a cybersecurity industry veteran and OneTrust’s VP of Security, Colin Henderson, to talk about the evolution of the SOC analyst role within cybersecurity. Colin’s career began at the National Security Agency (NSA) before applying his security skills to manufacturing, financial services and SaaS companies.

Colin is no stranger to change, and he knows one thing is true: as the threat landscape continues to evolve, so does the role of the Security Operations Center (SOC) analyst.

These security specialist roles don’t get any easier. In recent years, he has seen a persistent increase in threat levels, false positives and alert fatigue. Analyst burnout can occur in as little as 18-24 months. It’s tempting to simply hire more specialists to deal with the ever-increasing number of repetitive tasks, in what amounts to a “churn and burn” strategy. But Colin argues that effective noise management is the key to dealing with the problem intelligently.

Changing SOC requirements create pressure on security teams to adapt quickly in this extremely challenging environment, but they need the right tools. Automation is the answer to reduce the noise of near-constant alerts. It plays a vital role in improving the efficiency, effectiveness and job satisfaction of security analysts.


An evolution in detection and response

Colin entered the workforce just after the dot-com bubble burst in the early 2000s. His best options were to work for the government or the military, so he joined the NSA. He later moved to the private sector, where he worked with manufacturing, financial services and SaaS companies.

This work formed the backbone of his expertise in building SOCs for organizations around the world. Security has always been more interesting to Colin than writing code. Currently, he is responsible for the overall security program at Bakkt, a crypto wallet startup. His background gives him insight into exactly how threat detection and response has evolved over the past twenty years.

It’s a brave new world for cybersecurity

Just a few years ago, the world of security was very different from what it is today.

Rapid changes and the growing volume of data and threats require organizations to do more with less, whether it’s people or other resources. That won’t change anytime soon.

Twenty years ago, SOC analysts had very different roles. Cloud infrastructure sounded like science fiction; Infrastructure as Code (IaC), DevSecOps and Continuous Integration and Continuous Delivery (CI/CD) pipelines did not exist. Now, these are all crucial parts of any tech-focused business (hint: all businesses are).

Another factor that security analysts need to consider is the pace of change. Once upon a time, understanding networks, systems and infrastructure was simple from an administrative perspective: it was about establishing what was “normal” and “bad”.

But even over the past decade, the basic knowledge expected of analysts has grown exponentially. Analysts have always had to know a lot about a little (rather than a little about a lot). But detection and response experts cover many more areas than ever before.

The noise keeps growing

In this rapidly changing environment, every organization works with a number of resource constraints. We need smarter strategies to deal with growing noise, and just as important, we need tools that effectively separate signal from noise.

The problem is that there has been little real progress in the tooling since the advent of the SIEM.

Businesses always need as much visibility into their systems as possible, but staff are not an infinite resource. Hiring the right people is a top concern for businesses of all kinds, and trained security specialists are even harder to find.

Manage the team – and let the team handle it

To build an effective SOC team that can handle threats appropriately, ask:

  • How do we find the right talent?
  • How do we train talent (focusing on both the operating environment and the industry in general)?
  • How do we retain and engage talent?


OneTrust sized its security team with these questions in mind. A year ago it had a small footprint, but not every organization can build and grow indefinitely. Our approach to these issues must change.

Fifteen years ago, SOC analysts tended to burn out after just 18-24 months. Fast forward to the present and nothing has changed. Yet as the security landscape evolves, the work naturally lends itself to engagement. The problem is not that the work is uninteresting. The problem is that SOC analyst roles are entry-level positions with no clear path to advancement.

Your answers to these questions will likely change, as this is a dynamic process, but clearly we need help from many sources. The most effective and accurate approach to security requires a truce: people and machines must shake hands, each taking ownership of the parts of the process they do best.


Doing SIEM differently

Data volumes are growing with no signs of slowing down, and SIEMs continue to collect data. But does it make sense to collect this data in such a primitive, or rather unsophisticated, way? Enterprise SIEMs notoriously lack detections for 80% of all MITRE ATT&CK techniques. Ouch!

Many companies have already moved from on-premises infrastructure models to hybrid infrastructure models in search of more distributed and decentralized ways of working. Some are even completely cloud-based. While it is possible and desirable to centralize data, it is a goal that most organizations are unlikely to achieve in the near future.


But that doesn’t mean today’s analysts should suffer and do without quick access to the right capabilities.

Analysts need to have tools at their fingertips to detect, analyze, and respond to alerts. These tools don’t have to be all in one place, but they should be readily available.

What you need to know: dealing with alerts and thwarting threats

The mission of security teams is now to reduce the noise in order to find the critical threats. Often this means not only sifting through alerts, but also finding the relevant context around them.

Being well informed and trained is a prerequisite for adequately assessing and understanding alerts and cases. Context, however, is just as critical.

Many organizations fail when analysts look at alerts but don’t understand how infrastructure and systems interact. Leaders must educate analysts about the environments of their organizations. The human touch – understanding and identifying whether something is benign or malicious – should always be at the heart of security.
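The noise reduction and environmental context discussed above can be made concrete in a few lines. The following is an added example written for this page; it is not code from the original post, from Colin, or from LogicHub’s product. It runs a constructed set of SIEM-style alerts through three steps an analyst would otherwise do by hand: suppress behaviour the environment already explains (a patching service account using PsExec), collapse repeats of the same alert into one record, and rank what is left by the value of the asset involved. Every host name, rule name, user, threshold and score in it is an assumption made up for the example, and note that the suppression step deliberately does not apply to crown-jewel hosts, so “expected” behaviour on the most sensitive systems still reaches the queue.

```python
"""Added example, not from the original post or any vendor: context-aware
alert triage over constructed sample alerts. All names and values are
assumptions chosen to illustrate the idea."""
from datetime import datetime, timedelta

# Constructed sample alerts in a flat, SIEM-like record shape (assumption).
SAMPLE_ALERTS = [
    {"ts": "2023-05-02T09:00:05", "rule": "psexec_lateral_movement", "host": "ws-042", "user": "svc_patch", "severity": "high"},
    {"ts": "2023-05-02T09:00:07", "rule": "psexec_lateral_movement", "host": "ws-043", "user": "svc_patch", "severity": "high"},
    {"ts": "2023-05-02T09:00:09", "rule": "psexec_lateral_movement", "host": "ws-044", "user": "svc_patch", "severity": "high"},
    {"ts": "2023-05-02T09:01:00", "rule": "psexec_lateral_movement", "host": "fin-db-01", "user": "svc_patch", "severity": "high"},
    {"ts": "2023-05-02T09:05:00", "rule": "failed_login_burst", "host": "vpn-gw-01", "user": "jdoe", "severity": "medium"},
    {"ts": "2023-05-02T09:05:30", "rule": "failed_login_burst", "host": "vpn-gw-01", "user": "jdoe", "severity": "medium"},
    {"ts": "2023-05-02T09:06:10", "rule": "failed_login_burst", "host": "vpn-gw-01", "user": "jdoe", "severity": "medium"},
    {"ts": "2023-05-02T09:30:00", "rule": "failed_login_burst", "host": "vpn-gw-01", "user": "jdoe", "severity": "medium"},
    {"ts": "2023-05-02T09:40:00", "rule": "new_local_admin", "host": "fin-db-01", "user": "jdoe", "severity": "high"},
]

# Constructed environmental context: what the analyst knows about the estate.
ASSET_TIER = {
    "fin-db-01": "crown_jewel", "vpn-gw-01": "perimeter",
    "ws-042": "workstation", "ws-043": "workstation", "ws-044": "workstation",
}

# (rule, user) pairs the environment explains, with the documented reason.
EXPECTED_BEHAVIOUR = {
    ("psexec_lateral_movement", "svc_patch"): "patch-management account deploys via PsExec on Tuesday mornings",
}

SEVERITY_SCORE = {"low": 1, "medium": 3, "high": 6}   # assumed weights
TIER_BONUS = {"crown_jewel": 5, "perimeter": 2, "workstation": 0}


def parse_ts(s):
    return datetime.fromisoformat(s)


def suppress_expected(alerts, expected=EXPECTED_BEHAVIOUR, tiers=ASSET_TIER):
    """Drop alerts explained by known-good behaviour, except on crown-jewel
    hosts, where the analyst still wants to see them. Returns (kept, suppressed)."""
    kept, suppressed = [], []
    for a in alerts:
        reason = expected.get((a["rule"], a["user"]))
        if reason and tiers.get(a["host"]) != "crown_jewel":
            suppressed.append({**a, "suppressed_reason": reason})
        else:
            kept.append(a)
    return kept, suppressed


def aggregate(alerts, window=timedelta(minutes=10)):
    """Collapse repeats of the same (rule, host, user) that fire within
    `window` of the first occurrence into one record carrying a count."""
    merged, open_group = [], {}        # open_group: key -> index into merged
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        key = (a["rule"], a["host"], a["user"])
        idx = open_group.get(key)
        if idx is not None and parse_ts(a["ts"]) - parse_ts(merged[idx]["first_ts"]) <= window:
            merged[idx]["count"] += 1
            merged[idx]["last_ts"] = a["ts"]
        else:                          # first hit, or the window has expired
            merged.append({**a, "first_ts": a["ts"], "last_ts": a["ts"], "count": 1})
            open_group[key] = len(merged) - 1
    return merged


def prioritize(records, tiers=ASSET_TIER):
    """Score by severity plus asset value; repeats add a little (capped at 3)
    so a chatty rule cannot outrank a single hit on a crown-jewel host."""
    for r in records:
        r["score"] = (SEVERITY_SCORE[r["severity"]]
                      + TIER_BONUS.get(tiers.get(r["host"]), 0)
                      + min(r["count"] - 1, 3))
    return sorted(records, key=lambda r: r["score"], reverse=True)


def triage(alerts=SAMPLE_ALERTS):
    """Full pass: suppress, aggregate, rank. Returns counts and the queue."""
    kept, suppressed = suppress_expected(alerts)
    queue = prioritize(aggregate(kept))
    return {"raw": len(alerts), "suppressed": len(suppressed), "queue": queue}


if __name__ == "__main__":
    result = triage()
    print(f"{result['raw']} raw alerts, {result['suppressed']} suppressed as expected behaviour")
    for r in result["queue"]:
        print(f"score={r['score']:2d} x{r['count']} {r['rule']} on {r['host']} by {r['user']}")
```

On the constructed input, nine raw alerts become a queue of four: the three service-account PsExec hits on workstations are suppressed with their reason attached, the same account touching the crown-jewel database is kept, three failed-login alerts inside ten minutes collapse into one record, and the two high-severity events on fin-db-01 rank above the perimeter noise. The suppression table is the part that encodes the “human touch” the article calls for: it only works if someone who understands the environment wrote and maintains it.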


LogicHub harnesses the power of AI and automation for superior detection and response at a fraction of the cost. From small teams with security challenges to large teams automating SOCs, LogicHub makes advanced detection and response simple and effective for everyone.

*** This is a syndicated blog from the Security Bloggers Network of Blog | LogicHub® written by Willy Leichter. Read the original post at:
