Security Operations / By Jason Mical Organizations build a SOC—a dedicated, centralized team of security experts—to effectively detect and respond to advanced threats. However, as SOCs deal with evolving threats and an expanding attack surface, advancements in the stack have not kept pace, causing analysts to feel the pain. According to a Ponemon Institute report sponsored by Devo, Improving the Effectiveness of the Security Operations Center, security analysts consider it painful to work in the SOC due to an increasing workload and long hours. Analysts are stretched thin trying to close the gaps of existing technologies and processes, much like that one friend who holds the whole group together. What’s really causing burnout? Analysts are exasperated by a long list of factors, including inadequate support to complete daily tasks, too many alerts to manage, and overly rigorous procedures that result in too much mundane work. In an anthropological study of the SOC published by the USENIX Association, A Human Capital Model for Mitigating Security Analyst Burnout, researchers concluded that a lack of growth, creativity, empowerment, and skill development are causing analyst frustration. Let’s dig a bit deeper into these challenges. Growth: Security analysts must regularly undergo training to keep pace with dynamic threats, but lack the time to do so because of the significant hours they spend on repetitive work. Creativity: The mundane nature of SOC analyst work leaves little room for out-of-the-box thinking. Empowerment: Many analysts thrive on their ability to impact SOC technologies and processes, from creating detection content, to implementing automation tricks. Cross-functional cooperation empowers analysts to investigate and respond to threats, but a lack of support or liability concerns create barriers to empowerment. Skills: Early stage analysts are still learning the domain, and can quickly grow frustrated with the number of tasks and demands of the job, if they are not properly trained. Impacts of burnout on the SOC Analysts’ frustration with the SOC is manifest in multiple ways, from operational inefficiencies to lack of communication. In the same Ponemon report, only 42 percent of respondents consider their SOC effective, and analyst burnout is prevalent. Sixty-six percent of respondents agreed that the pain factors of the SOC would cause experienced analysts to quit. When analysts reach the burnout stage they become reluctant to complete their daily tasks, much less improve processes or procedures, and start to just go through the motions. I’ve seen tier-one analysts click the “clear” button all day long because they don’t want to deal with the complexity and frustration of handling an incident. This leaves organizations at high risk for a breach. This reminds me of the behavioral economics concept of “choice architecture,” whereby the environment—design, components, timing—impacts a decision. The decisions made in the SOC are far reaching for an organization, but the burnout rampant in the SOC unquestionably has a negative impact on this decision-making process. Enterprises must actively consider the analysts’ working environment in order to enable decision making that is better aligned with the organization’s goals. So, how do you ensure your analysts have what they need to succeed? How to tackle burnout head on I can’t tell you how many times I’ve seen—or still see—the swivel-chair approach in the SOC, where analysts copy data from one interface to another in order to conduct triage and investigation. Security orchestration and automation are critical for actually managing the growing security technology stack and reducing analyst burnout. Other key areas for automation include using filtering to surface the alerts that matter, and using risk scoring and automatic alert enrichment for greater context. The manual steps of investigating unknown threats are also extremely burdensome. Devo takes automation to the next level with our next-gen cloud SIEM, which we previewed in August. Our SIEM solution automatically enriches investigations with all the context required to make a decision, including threat intelligence and machine learning for behavioral analytics. Ultimately, automation should be used to optimize and significantly reduce analysts’ workloads.