As someone who began working in security operations centers (SOC) more than 30 years ago, back when we were known as computer incident response teams (CIRT), I am acutely aware of just how challenging it is to make a living as a SOC analyst. That’s why I’m so enthusiastic about the new Devo Security Operations Platform we launched recently.
I’m not going to reiterate all of the cutting-edge capabilities of the platform, which you can read about elsewhere on our website. Instead, I want to dig a little deeper into the aspect of this new solution that resonates most for me: how Devo Security Operations helps SOC analysts work more efficiently and productively so they can use their expertise to focus on the threats that matter most to their business.
Let’s begin by stating the obvious—SOC analysts have a tough job. They must quickly validate threats, gather evidence, understand adversarial behaviors, and determine an appropriate response. That can be overwhelming in today’s complex, multi-tool SOC. Tier 1 analysts, those at the more junior end of the spectrum, have it especially tough. They spend most of their time sorting through alerts—a lot of alerts—all day, every day, to identify which ones are real from the many, many false positives they see. That’s why they call it alert fatigue, and why analyst burnout is a big problem for SOC analysts.
Devo collaborated with the Ponemon Institute on a survey that found 53 percent of IT security practitioners believe their SOC is unable to gather evidence, investigate, and find the source of threats. That’s because, until now, analysts had to manually try to close the gap between detection and response. This has been a huge contributor to analyst burnout, and also has put enterprises and their data at risk.
As the Devo product development and cyber teams worked to bring Security Operations to market, we focused on delivering a platform that would make life easier for SOC analysts. I’m proud to say we accomplished that goal. A key differentiator of the Devo platform is how it reduces the time analysts spend triaging false positives so they can focus on the alerts that matter. This reduces alert fatigue, and, ultimately, mean time to resolution (MTTR). We use multiple methods to trigger high-signal alerts, including:
- Analytics based on practitioner experience
- Models derived from machine learning
- Observations from entity-behavior analytics
- Detections leveraging known threat activity
The words “practitioner experience” are really important. Most of the SOC analysts I’ve worked with, managed, and now engage with as Devo customers, are really good at what they do. They work hard and are rightfully proud of the skills they have developed. One of the things I really like about the Devo approach is the way we empower analysts to use their expertise to identify, investigate and hunt the threats that matter. Devo arms analysts with the weapons they need so they can use their forensics skills to quickly analyze data and gain a deep understanding of threats. This not only improves the security posture of businesses, it also makes analysts less likely to want to find other jobs.
Devo puts the information analysts need right at their fingertips, across the entire threat lifecycle. The thought of having a powerful tool like Devo Security Operations almost makes me want to go back to work as a SOC analyst… almost. But I do take a lot of satisfaction in knowing that thanks to Devo, analysts no longer have to perform all of that tedious, manual work to do their jobs well.