We are in the middle of a security alerts storm. Based on multiple sources, the information security market will grow at a CAGR of roughly 8% through 2020 to about $170 billion. This is mostly the result of enterprises deploying more security products than ever before, and each of those products has its own alerts, interfaces and workflows.
Not only have enterprises bought more products, they have also tried to hire more security analysts to deal with the alerts.
However, they could not find enough analysts, because the underlying problem is a shortage of security skills. According to the Bureau of Labor Statistics, the outlook through 2024 shows a growth of 18% in the job postings for information security analysts annually.
So now what? Most vendors and experts are proposing “automation” as the solution to both of the above problems. Automation will definitely help, but has anybody asked how much, and how? Automation can certainly reduce the work that analysts have to perform, but “automation” cannot help a junior analyst learn the tricks of the trade. So the “skillset” gap in our industry is not really a “lack of automation” problem.
Let us analyze some parallel industries like IT operations and Sales & Marketing and see what those industries did to alleviate skillset gaps. It is time for security operations to do the same and change!
- Collaboration and knowledge sharing - If you look at sales and marketing tools, they have focused on collaboration over the last five years. Pick up any successful sales operations tool: it gives you complete transparency on the information collected about the customer and their actions, and each user of the system can share with and learn from the others. Every SOC should seek to build learning from peer analysts into the SOC operations workflow. Building collaboration into your SOC workflow makes it possible to detect when two analysts are investigating duplicate incidents, and lets junior analysts learn from senior analysts.
- Guided playbooks and training - Another way to address the skillset gap is to create playbooks that help analysts follow a prescribed process to the extent they can. Sales and marketing tools make the sales person’s work more productive by constantly reminding them what their next step is, when they need to involve others, and so on. This needs to be done in the SOC in a way that does not hamper the expert analyst in their work. The playbook should promote the best practices that have been developed over time. Special attention should be given to the fact that these playbooks are not static documents sitting somewhere in your document repository but live, tracked documents. Trackable and automated playbooks not only improve analyst productivity but also give you the ability to track and improve processes over time.
- Automation - Automation is much needed for tasks that are repeated and do not require human intervention. This happens a lot in the sales process (e.g. sending e-mail reminders). In security operations there are many such tasks that currently take unnecessary time. Today we hear that a large number of events go uninvestigated because the volume of alerts far exceeds the number of personnel in the team available to handle them. If we can automate a task as complicated as driving a car by building self-driving cars, we can absolutely automate checking the reputation of entities, querying endpoint products, searching for information in multiple places and more.
- Historical search and learning - The historical data collected about past security incidents can help the analyst make decisions faster and with better information. This data needs to go beyond the log data that is collected and should include the deeper analysis of the incident at hand. An analogy from the consumer world is “Google Now”: Google alerts you when it is time to leave for a meeting based on traffic conditions and the distance to your destination. For security operations you don’t need sophisticated machine learning techniques; merely making the user proactively aware of duplicate information from other investigations is a huge step forward.
- Closed loop tracking of the incident process - Sales and marketing managers will tell you that life before modern sales tools was chaotic because it was impossible to measure how well sales were doing until it was too late. Security is exactly the same. If you are able to measure the entire incident response process for metrics like types of incidents, analyst workload, skill required to solve the incidents, level of automation, etc., then you can use these metrics to improve the overall security posture of the organization. As an example, if the collected data shows “phishing” incidents to be the most prevalent, then the organization can drive education about phishing, build better controls to protect against it in the future and also respond faster.
If you look at the above security operations best practices, they enhance analyst productivity, foster healthy knowledge sharing and collaboration, and help resolve incidents faster. Over time, there is also value in measuring how well the entire process and its individual steps are working. So consider measuring overall SOC efficiencies such as incidents handled per analyst. It is time we treated security operations with the same rigor as we have treated operations in other industries if we want to win this cat and mouse race.
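To make the playbook-tracking, duplicate-detection and closed-loop-metrics practices above concrete, here is a small incident tracker as an added example; it is not code from the original post or from any product, and the incident records, analyst names, indicators and playbook steps are constructed sample data, not real cases. It shows the next prescribed playbook step for each incident, surfaces open incidents that share an indicator (two analysts unknowingly working the same phishing wave), and computes the kind of metrics the last practice describes: incident mix, workload per analyst and the share of playbook steps handled by automation.

```python
"""Added example (not from the original post): a minimal SOC incident tracker
on constructed data, illustrating live playbook tracking, duplicate-investigation
detection via shared indicators, and closed-loop metrics."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Incident:
    incident_id: str
    category: str           # e.g. "phishing", "malware"
    analyst: str
    status: str             # "open" or "closed"
    indicators: set         # sender addresses, URLs, hashes seen in the case
    automated_steps: int    # playbook steps completed by automation
    manual_steps: int       # playbook steps completed by the analyst


# Guided playbook per category: an ordered, trackable list of steps.
# Constructed for illustration; a real SOC maintains these per incident type.
PLAYBOOKS = {
    "phishing": [
        "Extract sender, URL and attachment indicators",
        "Check indicator reputation (automated)",
        "Search mail store for other recipients",
        "Block sender and URL at the gateway",
        "Notify affected users and close",
    ],
    "malware": [
        "Collect file hash and host",
        "Check hash reputation (automated)",
        "Isolate host via endpoint tooling",
        "Re-image and close",
    ],
}

# Constructed sample incidents: two analysts unknowingly working the same
# phishing wave (shared sender address), plus two unrelated closed cases.
INCIDENTS = [
    Incident("INC-1001", "phishing", "alice", "open",
             {"sender:billing@examp1e.test", "url:http://examp1e.test/login"}, 2, 1),
    Incident("INC-1002", "phishing", "bob", "open",
             {"sender:billing@examp1e.test", "hash:0000deadbeef"}, 2, 0),
    Incident("INC-1003", "malware", "alice", "closed", {"hash:0000cafebabe"}, 1, 3),
    Incident("INC-1004", "phishing", "carol", "closed", {"url:http://other.test/x"}, 4, 1),
]


def next_step(incident, playbooks=PLAYBOOKS):
    """Live playbook tracking: return the next prescribed step for an incident,
    or None once every step of its category's playbook has been completed."""
    steps = playbooks[incident.category]
    done = incident.automated_steps + incident.manual_steps
    return steps[done] if done < len(steps) else None


def find_overlaps(incidents):
    """Duplicate-investigation search: map each pair of open incidents to the
    indicators they share, so overlapping work surfaces proactively."""
    by_ioc = defaultdict(set)
    for inc in incidents:
        if inc.status == "open":
            for ioc in inc.indicators:
                by_ioc[ioc].add(inc.incident_id)
    shared = defaultdict(set)
    for ioc, ids in by_ioc.items():
        for a, b in combinations(sorted(ids), 2):
            shared[(a, b)].add(ioc)
    return dict(shared)


def soc_metrics(incidents):
    """Closed-loop metrics: incident mix, analyst workload and automation share."""
    total_steps = sum(i.automated_steps + i.manual_steps for i in incidents)
    automated = sum(i.automated_steps for i in incidents)
    by_category = Counter(i.category for i in incidents)
    return {
        "incidents_by_category": dict(by_category),
        "most_prevalent": by_category.most_common(1)[0][0] if by_category else None,
        "open_per_analyst": dict(Counter(i.analyst for i in incidents if i.status == "open")),
        "incidents_per_analyst": dict(Counter(i.analyst for i in incidents)),
        "automation_ratio": round(automated / total_steps, 2) if total_steps else 0.0,
    }


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.incident_id, "next step:", next_step(inc))
    for pair, iocs in find_overlaps(INCIDENTS).items():
        print("possible duplicate investigation", pair, "shares", sorted(iocs))
    print(soc_metrics(INCIDENTS))
```

The overlap check is deliberately simple: an exact match on a normalized indicator string is enough to catch the common case of two user reports from the same campaign, and it needs no machine learning, which is exactly the point made under historical search above. The metrics are recomputed from the incident records themselves, so the same data that drives the playbook also feeds the closed-loop measurement.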
Listen to our webinar on 5 May about "Planning for SOC 3.0", where we will examine the challenges of managing security operations in a multinational corporation of over 10,000 employees.