The state of SOCs in a post-COVID world [Q&A]
The past year and the rapid changes it has brought have placed a good deal of pressure on security analysts and made their work vitally important.
We spoke to Chris Triolo, vice president at Respond Software, to find out more about the company's latest research report on SOC working conditions and to get his views on how organizations can make the most of their SOCs.
BN: What effect has COVID-19 had on SOC workloads?
CT: Prior to COVID-19, we were seeing very high SOC workloads with overworked, overloaded and burned-out analysts. From our latest research report, it's evident that this trend has continued in the midst of the pandemic at an even larger scale. In fact, 85 percent of the survey respondents rate working in their organization's SOC as painful or very painful, and 80 percent of these respondents cite burnout from an increasing workload as the primary reason for the pain. Typically, this burnout stems from the high volume of security events that need to be investigated and waded through daily.

When the pandemic hit, everybody had to scramble to figure out how to work from home in an effective way. In our report, we have seen that an average of 34 percent of organizations' SOCs have been transitioned to virtual/remote work conditions. This was a completely new experience for most, if not all, because these analysts do not typically work remotely; SOCs are most effective as in-person entities due to the heavy reliance on collaboration and the sensitive nature of investigating security incidents. With the pandemic, collaboration has moved from in-person, where situations can be discussed live and ideas whiteboarded, to individuals in their homes trying to share these same ideas and collaborate via video conferencing, phone calls and chat, where communication can have its barriers. That leads to a slowdown in operations, which in turn creates a backlog.
Additionally, it is important to discuss the value of a sensor grid to the SOC. Security teams deploy sensors to look for security alerts that require further investigation. These sensor grids are not always designed to monitor remote employees, VPN logs, remote connections and endpoints outside of your organization. This has a two-fold impact. Ironically, it may reduce the workload on the SOC initially, because the traditional sensors are quieter now that employees are not in the office and these sensors aren't set up to monitor remote employees. Security teams are then forced to rush to get visibility by deploying new sensors and updating monitoring and investigation procedures for remote workers, which can dramatically increase the workload.
BN: How has this impacted staff morale and turnover?
CT: Morale and turnover were both big issues in the SOC pre-COVID-19 and, to be honest, not much has changed there. In our experience, there hasn't been a lot of turnover right now, since we are in such uncertain times and people are staying with their current employers as a result. The pandemic is helping to keep things more stable in terms of turnover right now, but we believe there may be a change in this as the world begins to get back to 'normal' and people feel more comfortable leaving their jobs if they are not satisfied.

From our experience and research, most analysts do not typically hold tenure at their job for very long. According to our report, an average of five analysts are expected to be hired in 2021, yet three analysts will be fired or resign within a year. We have seen that the usual length of stay at their organizations is short, a little more than two years.
BN: Remote working is likely here to stay even after the pandemic. What challenges does this pose for SOCs?
CT: We believe the SOC is most successful in-person. As I mentioned earlier, collaboration, on-the-job training, mentoring and many other factors are compelling reasons to have the SOC back in-person in the office setting. These analysts are dealing with sensitive security issues and confidential information, and they need one place where they can safely congregate to discuss and resolve these matters. The current work-from-home model does not allow for that. The in-person SOC is the status quo and has been for years -- it just works better and more efficiently.
We have found that more than one-third of SOCs in our research study have changed to a remote work environment, and 51 percent of these respondents have stated their work performance has been impacted as a result. With so many new distractions at home including family members, roommates, pets, daily home chores, etc., it can be hard for some to work past those after working in such a confined and focused environment for so long.
BN: Do enterprises need to change their perception of what SOCs can deliver and how they operate?
CT: As I've mentioned, most industry professionals will agree that the SOC needs to be an in-person entity. However, it's also safe to say that nobody was planning for a pandemic and needing to go remote. Now, this is a situation that is going to be top of mind as organizations create their emergency preparation plans for their SOCs. It's not just planning for a fire or flood, but planning for a situation where your security analysts can't be in the same room together at any location, as in the current pandemic, and still have effective and efficient security processes.
For example, the shift turnover process in a SOC is a very important and critical process that occurs once or twice a day. But now, how do we do this process effectively and remotely?
If you're willing to retool processes, it may be possible to have these processes occur remotely, and I believe organizations will be able to do this in some way with more in-depth business continuity and disaster recovery plans for the SOC. In light of the pandemic, this will likely now be part of the standard planning procedures, as is already done for natural disasters, which are usually short in duration and include things like a backup site. However, it is different in a pandemic, when you literally can't put people together in the same room safely.
BN: What can businesses do to make the most of their investment in SOCs?
CT: It is imperative that SOCs retool and automate. Analyst teams are overwhelmed with alerts and, as such, are not able to find the bad actors as speedily and efficiently as needed. Currently, we are burning out our analysts and spending too much time on false positives. In fact, our report findings show that SOC stress is increasing and is one of the main reasons for a high turnover rate. Approximately 75 percent of respondents agreed that SOC analysts burn out quickly because of the high-pressure environment and workload.
To help combat this burnout, SOC analysts need tools to help them improve and make their lives easier -- tools to help them automate level one monitoring and triage to take a first look at alerts that come in and prioritize. As SOCs become resource challenged, this becomes even more important.
The role of humans in doing security monitoring across all industries is changing -- you cannot scale your organization with humans alone anymore. You need to start utilizing machines and automation to help reduce workloads for SOCs.
The irony of it all is that machines don't get sick and are not subject to biological viruses. Humans are unable to work when they need to be at home due to situations like the current pandemic or other personal issues, while machines can continue coming to work.

It's becoming more important than ever for organizations to have less reliance on humans to do this job. Still, humans are extremely important and necessary. We should be applying humans to things that machines can't do, which involve higher creativity and coordination to manage security incidents. But if humans are bogged down with alerts, they can't manage these incidents.
The full report is available on the Respond Software site.