How security operations centers can beat 'alert overload' and reach maturity [Q&A]
Security operations centers are on the front-line of any organization's battle to protect itself from threats. But many of the teams in these vital facilities are working without the time, staff and resources they need to operate at peak capacity. One of the major problems facing SOCs is 'alert overload', a phrase which describes the difficulty in dealing with the avalanche of alerts generated every day of the week.
To find out how SOCs can beat this problem and achieve operational maturity, we spoke to Faiz Shuja, co-founder and CEO atrisk-based security specialist SIRP.
BN: How does alert overload affect the productivity of Security Operation Centres?
FS: Alert overload is a human problem which directly impacts SOC analysts as well as the systems they use. Our research suggests that an average SOC team receives 840 alerts each day, ranging from simple password guessing attempts to notifications of major breaches or cyberattacks. Many of these will be missed by teams who are working manually, who can become overloaded by the sheer number of alerts. This is a major worry for CISOs, our survey also suggested, with roughly one in three telling us that missing alerts is a substantial problem.
If this problem is not addressed, organizations risk losing security professionals, who may become fed up with constantly fighting fires rather than engaging in challenging, high-level work. More than half of analysts told us that dealing with mundane tasks such as alerts is the biggest frustration they deal with at work. This problem has only become worse during the pandemic, which has caused a drop in staff levels and therefore forced teams to spend more time dealing with routine tasks. The day-to-day job satisfaction of security professionals should be a major concern for organizations, because losing an experienced analyst is a major blow and the cyber skills shortage means they can be extremely difficult to replace.
BN: What are the other operational problems facing SOCs?
FS: One major challenge facing security staff is a lack of tool integration. The average SOC uses roughly 18 different security solutions to keep organization safe from attacks. This can prevent analysts from having a unified view of the threat landscape. They also waste time pivoting from one UI to the next without having a simple way of comparing data generated by the various solutions. If analysts can't quickly compare data, they face an increased risk of failing to notice vulnerabilities and security issues.
One of the other problems that hampers the performance of SOCs is a lack of documentation governing how they should properly respond to risk. Documents called playbooks can be fundamentally important in running an effective SOC, offering teams the ability to mount consistent responses. Let's take a simple, everyday problem: the end of shifts. If an analyst hands over an issue to a colleague and then clocks off, the analyst who's just logged on will have to waste time working out what’s happened and what needs to be done before taking action. With a playbook, there is less need for a lengthy handover. And this lesson can be applied to many situations. If there is a process to follow, problems can be solved more effectively.
Playbooks are built on the knowledge and experience of analysts. There should be playbooks in place to govern responses to each threat an organization might face, such as phishing, breaches or ransomware infections. Ideally, these should contain enough detail to eventually drive the automation of threat responses, a process which further liberates SOC staff from mundane, routine work and leaves them free to focus on high level tasks.
BN: How do you build a mature SOC?
FS: The first challenge in building a mature SOC lies in making sure teams can respond quickly and effectively to any threats that arise. Part of this problem can be solved by implementing dashboards which collect the data and alerts produced by different security solutions used by an organization, allowing situational assessment to be carried out quickly and effectively. This capability allows a SOC to immediately see which solutions have detected vulnerabilities or threats and then correlate this information with data collected by other tools in order to provide a holistic view of the organization's security status.
Security information and event management (SIEM) platforms can also help a SOC reach maturity, allowing them to collect, aggregate, categorize and analyze events to reveal patterns that could indicate a security breach or cyberattack. In fact, I'd say it is difficult if not impossible for a SOC to reach maturity without a SIEM platform.
But once SIEM is in place, the job is not over. It still requires regular tuning and maintenance in order to ensure accuracy, so analysts need to engage in manual work to maintain the system. They may also have to check each alert to work out if it’s a genuine threat or a false positive. SOCs also need to deploy Security Orchestration, Automation and Response (SOAR) platform which takes the alerts produced by the SIEM and then triage, respond, and remediate security threats where necessary, drawing on the processes set out in playbooks.
But to achieve true SOC maturity, organizations should use automation in conjunction with processes integration and continuous innovation as well as people, process and technology. This will liberate analysts from mundane work and keep them happy at work. Few companies can afford to lose experienced security analysts, so their job satisfaction should be seriously considered by every boss. It's a huge blow to lose the knowledge and experience possessed by humans who work in SOCs, but technology can help to ensure they don’t feel swamped by alert overload. When it reaches maturity, a SOC can become a center of strategic value to an organization that is focused on reducing risk and tackling serious threats, rather than a department dedicated to tackling mundane issues.