There are many things that can reduce the effectiveness of your SOC operations. We are going to look at what we think are the top 7 challenges that have the most impact on the efficient running of your SOC operations.
1. Volume and validity
The flood of daily alerts, many of which are false positives, can mean that analysts spend too much of their time hunting down information on alerts instead of identifying risk, responding to incidents, assessing incident impact and reducing breach detection time. A common complaint is also that many SOC tools do not automate enough tasks (such as identifying and prioritizing alerts) away from analysts to free up their time for more valuable work.
2. Defences not keeping up with cyber threats
The threat landscape changes daily, and cybersecurity defences inevitably lag behind. The speed of attacks is increasing, and attacks are getting more sophisticated and complex, with the average time from breach to exfiltration decreasing. SOC operations must be constantly updated to detect and defend against attacks at a faster rate to keep pace with cybercriminals. Threat Intelligence is a great addition to the SOC toolkit to enrich the data and assess the full scope and source of any breach.
Identifying the attack is not the final stage. To make sure your defences are as comprehensive as they can be, it is crucial to use the data gleaned about the attack to make the necessary changes to firewalls to prevent it from happening again.
3. Is it documented?
Keeping up to date and reconfiguring after an attack is not just about the technology. Security processes and protocols need to be updated as well. Portable, adaptable, integrated process and procedure management systems are vital. It might even require the retraining of staff. Don’t become reliant on department ‘superstars’, no matter how good they are. Sharing and documenting information should be a fundamental part of the job description, especially in an industry where staff turnover is high.
4. SOC operations and choice of technology
There are many options for how to run your SOC: in-house, outsourced, or a combination of the two. What technology should you use? Do you need MDR (managed detection and response) or EDR (endpoint detection and response)? Which SIEM (security information and event management) should you choose? Should you be looking at SOAR (security orchestration, automation and response)? Whichever route you take, you need to ensure that you are getting a return on your investment. Do the tools offer the visibility and contextualisation you need? Automation and integration are essential for a smooth roll-out, improved performance and freeing up staff time for other tasks.
5. Budget
Obviously, it is not just in your SOC that you need to control costs, but the changing nature of today’s security threat landscape creates specific difficulties when budgeting for it. Many IT organizations base budgeting on a percentage of IT spend or some other peer benchmark, when it should be based on risk. Figures for budget requests should be calculated by weighing probability against potential damage, so that spend is justified by the risk that attacks pose.
And it’s not just about technology: major skill shortages in cybersecurity mean that knowledgeable candidates are in short supply and possibly beyond your budget (or likely to be enticed away by a competitor). Ongoing training of the staff you have is also vital. The choice of both staff and technology is important, and it needs to be worth the investment you make.
6. Staff challenges
As already mentioned, there is a shortage of experienced, knowledgeable staff, and that deficit looks set to increase. The result is that staff have to juggle the duties and specialities of many different roles, whilst still ensuring they get all the ongoing training they need to keep up with constant change. Add to this the high turnover of SOC staff and the time taken to get new staff up to speed, and staffing is a major challenge for any SOC.
7. Keeping compliant
SOC teams must be aware of all relevant regulations and need to be able to accommodate the best practices and technologies necessary to meet compliance. Often these requirements make operations even more complex, especially for multinational organizations.
Add to this the need for cloud security, as regulations place the burden of security on the cloud customers rather than the cloud providers. All of this adds to the SOC’s administrative burden.
So how can your SOC deal with the number of alerts received every day, coupled with the lack of context for those alerts? How do you ensure your valuable SOC resources are spent resolving problems rather than wasting time? Advanced analytics that provide alert analysis and context hold the key to delivering ROI on your SOC team investments.
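As an added illustration (not code from the original article or any particular product) of the automation described in challenges 1 and 2 and in this conclusion, the script below collapses repeated alerts, enriches them with asset criticality and a threat-intelligence lookup, and orders them by priority. The alerts, the CMDB-style criticality table and the threat-intel set are all constructed sample data; the weighting in `score` is one plausible scheme, not a standard.

```python
from collections import defaultdict

# Constructed sample alerts: one noisy rule firing three times on the same
# host and source, plus two single alerts on other hosts.
ALERTS = [
    {"rule": "Brute force login", "host": "web-01", "src": "203.0.113.5", "severity": 2},
    {"rule": "Brute force login", "host": "web-01", "src": "203.0.113.5", "severity": 2},
    {"rule": "Brute force login", "host": "web-01", "src": "203.0.113.5", "severity": 2},
    {"rule": "Outbound connection to rare domain", "host": "fin-db-02", "src": "10.0.5.20", "severity": 3},
    {"rule": "Scheduled task created", "host": "kiosk-07", "src": "10.0.9.3", "severity": 1},
]

# Constructed enrichment sources (hypothetical): asset criticality as a CMDB
# would hold it (1 = low, 5 = crown jewels) and a set of source addresses
# reported by a threat-intelligence feed.
ASSET_CRITICALITY = {"web-01": 2, "fin-db-02": 5, "kiosk-07": 1}
THREAT_INTEL_HITS = {"203.0.113.5"}

def dedupe(alerts):
    """Collapse repeated firings of one rule on one host/source into a single
    alert carrying a hit count, so analysts see one case instead of N copies."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[(a["rule"], a["host"], a["src"])].append(a)
    return [dict(hits[0], count=len(hits)) for hits in grouped.values()]

def enrich(alert):
    """Attach the context an analyst would otherwise look up by hand."""
    alert = dict(alert)
    alert["asset_criticality"] = ASSET_CRITICALITY.get(alert["host"], 3)  # unknown host: medium
    alert["ti_hit"] = alert["src"] in THREAT_INTEL_HITS
    return alert

def score(alert):
    """Priority = rule severity weighted by asset value, plus a fixed bonus when
    the source is known-bad; repeat count adds a little but never dominates."""
    s = alert["severity"] * alert["asset_criticality"]
    if alert["ti_hit"]:
        s += 5
    s += min(alert["count"] - 1, 3)
    return s

def triage(alerts):
    """Return deduplicated, enriched alerts ordered by descending priority."""
    enriched = [enrich(a) for a in dedupe(alerts)]
    for a in enriched:
        a["priority"] = score(a)
    return sorted(enriched, key=lambda a: a["priority"], reverse=True)

if __name__ == "__main__":
    for a in triage(ALERTS):
        print(f'{a["priority"]:>3}  {a["rule"]} on {a["host"]} (x{a["count"]}, TI hit: {a["ti_hit"]})')
```

Five raw alerts become three cases, and the single low-severity alert on the finance database outranks the repeated brute-force noise because of the asset it touches.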