The new Devo eBook, Building the Modern SOC, presents four evolutionary steps for creating a highly automated and efficient security operations center (SOC) that empowers analysts. This is the third in a series of posts highlighting the most important elements of the four steps. Previous posts covered Step 1, establishing a foundation of centralized, scalable visibility, and Step 2, extracting intelligent insights from your data. This post excerpts Step 3, supercharging your analysts with the power of automation.
The Four Steps, which Devo recommends you implement in order, are:
- Establish a foundation of centralized, scalable visibility.
- Extract intelligent insights from your data.
- Supercharge your analysts with the power of automation.
- Streamline processes and achieve higher SOC productivity.
With the first two steps completed, you now have full visibility into your data and can garner valuable insights from it.
But how do you ensure your analysts can use this rich context without spending an excessive amount of time on manual searches as part of their investigations? By automatically feeding those insights into your investigations, so they are right at analysts’ fingertips.
Skilled, talented SOC analysts are a finite commodity. You need to maximize the depth and breadth of your analyst team as much as possible. One way to improve the effectiveness of your analysts is by reducing their investigation workload.
Being a SOC analyst is a tough job, especially for Tier-1 analysts, your first line of defense, who have an unacceptably high burnout rate due to the stress caused in part by alert overload and time- consuming, manual information gathering. But stress and burnout are not limited to Tier-1 analysts. In the 2020 Devo SOC Performance Report, 69% of respondents say it is “very likely” or “likely” that experienced security analysts would quit the SOC because of stress. That was up three percentage points from the prior year. By deploying automation to reduce the number of alerts that cross their screens, analysts can work faster and more efficiently because they can focus on the threats that pose the greatest risks to your organization.
Now, when SOC analysts and managers hear the word “automation,” they might jump to the conclusion that it’s code for eliminating jobs. However, the SANS 2020 Automation and Integration Survey doesn’t support that thinking: “[M]any respondents advised that they expected staffing to increase [after deploying automation]. For them, the objective is to apply the added staff to more specialized tasks.”
Automating elements of the SOC workflow significantly reduces the noise created by too many alerts and frees analysts to apply their skills and experience to actively investigate and hunt threats. It also helps reduce burnout by relieving analysts of tedious, repetitive work. Auto enrichment of events, as described in Step Two, provides analysts with real-time, actionable data and rich context, enabling them to investigate and threat hunt more effectively and efficiently.
Going from a reactive to an active posture—such as enabling threat intelligence to automatically trigger searches across data sets—generates investigations that include the necessary detail and context analysts require. The days of waiting to act against a threat until all the evidence had been gathered manually should be history.
Providing analysts with a next-gen SIEM that enables them to quickly test investigation hypotheses delivers key benefits. For example, if an alert fires and an analyst sees that a bad domain was accessed, with a single click the analyst immediately becomes a threat hunter and can search for that IOC across all of your data sources. The analyst then can automatically integrate their findings into the investigation. This streamlined workflow boosts analyst productivity, makes their work experience more fulfilling, and dramatically reduces mean time to resolution (MTTR).
Finally, you can leverage the capabilities of a security orchestration, automation, and response (SOAR) solution to further automate management of and response to threats. To ensure you get the maximum benefit from your SOAR, it’s important to select a next-gen SIEM solution that fully integrates with the range of tools on which your analyst team relies.
The 2020 Devo SOC Performance Report found that 69% of respondents still feel there are “too many alerts to chase.” The best way to change this in your organization is to deploy a next-generation SIEM that provides the foundation of a scalable data platform and includes the analytics and automation capabilities critical for success. This will make your security analytics and triage efforts faster and more productive while helping to reduce analyst burnout. The bottom line is to use automation to sift out the noise so your analysts can focus on the threats that matter most to your business, while also helping to alleviate analyst burnout.
The final post in this series will cover Step 4, which examines streamlining processes to achieve higher SOC productivity. But if you can’t wait, go ahead and download the full eBook Building the Modern SOC.