Organizations build a SOC—a dedicated, centralized team of security experts—to effectively detect and respond to advanced threats. However, as SOCs deal with evolving threats and an expanding attack surface, advancements in the stack have not kept pace, causing analysts to feel the pain. According to a Ponemon Institute report sponsored by Devo, Improving the Effectiveness of the Security Operations Center, security analysts consider it painful to work in the SOC due to an increasing workload and long hours. Analysts are stretched thin trying to close the gaps of existing technologies and processes, much like that one friend who holds the whole group together.
What’s really causing burnout?
Analysts are exasperated by a long list of factors, including inadequate support to complete daily tasks, too many alerts to manage, and overly rigorous procedures that result in too much mundane work. In an anthropological study of the SOC published by the USENIX Association, A Human Capital Model for Mitigating Security Analyst Burnout, researchers concluded that a lack of growth, creativity, empowerment, and skill development is causing analyst frustration. Let’s dig a bit deeper into these challenges.
Impacts of burnout on the SOC
Analysts’ frustration with the SOC is manifest in multiple ways, from operational inefficiencies to lack of communication. In the same Ponemon report, only 42 percent of respondents consider their SOC effective, and analyst burnout is prevalent. Sixty-six percent of respondents agreed that the pain factors of the SOC would cause experienced analysts to quit. When analysts reach the burnout stage they become reluctant to complete their daily tasks, much less improve processes or procedures, and start to just go through the motions. I’ve seen tier-one analysts click the “clear” button all day long because they don’t want to deal with the complexity and frustration of handling an incident. This leaves organizations at high risk for a breach.
This reminds me of the behavioral economics concept of “choice architecture,” whereby the environment—design, components, timing—impacts a decision. The decisions made in the SOC are far reaching for an organization, but the burnout rampant in the SOC unquestionably has a negative impact on this decision-making process. Enterprises must actively consider the analysts’ working environment in order to enable decision making that is better aligned with the organization’s goals. So, how do you ensure your analysts have what they need to succeed?
How to tackle burnout head on
I can’t tell you how many times I’ve seen—or still see—the swivel-chair approach in the SOC, where analysts copy data from one interface to another in order to conduct triage and investigation. Security orchestration and automation are critical for actually managing the growing security technology stack and reducing analyst burnout. Other key areas for automation include using filtering to surface the alerts that matter, and using risk scoring and automatic alert enrichment for greater context.
The manual steps of investigating unknown threats are also extremely burdensome. Devo takes automation to the next level with our next-gen cloud SIEM, which we previewed in August. Our SIEM solution automatically enriches investigations with all the context required to make a decision, including threat intelligence and machine learning for behavioral analytics. Ultimately, automation should be used to optimize and significantly reduce analysts’ workloads.
By Jason Mical