Best Practices for the SOC Team – Where to Automate, Where to Think

The shortage of skilled cybersecurity professionals has become a serious problem and it’s getting worse. According to ESG, nearly half of organizations claim they have a “problematic shortage” of cybersecurity skills in 2016, compared to 28% in 2015.

Security Operations Centers (SOC) teams in organizations are finding it especially difficult to build teams with the right balance of skills and experience. Organizations are being forced to hire Tier 1 analysts with little or no experience, and spread their Tier 2 analysts too thin. The vast majority of organizations outsource their Tier 3 analysts to consulting firms that charge very large sums just to ensure availability if a breach occurs.

Therefore, it’s more important than ever to employ best practices that maximize the professional capabilities of each member of the SOC team, according to skill level. At every tier, technology can be used to automate routine tasks such as information gathering, presentation and data analysis, so that the results arrive in the right place at the right time. Let’s take a look at some of the ways this can work.

Tier 1 Analysts: Use Their Skills - or Use a Machine

Companies should look for Tier 1 analysts with an IT background, even if they have not worked in security. In many SOCs, Tier 1 analysts spend most of their time gathering information. This is something that automation and orchestration technologies can do just as well as a human, if not better, and is far more scalable. At this point, Tier 1 analysts should have the skills required to implement defined procedures for remediation, or make an informed decision to escalate. In other words, if there is no judgment to be made, you don’t need a human analyst – you need to automate.

Tier 2 Analysts: Reduce Dependence on IT

One way to help skilled Tier 2 analysts be more effective and productive is to reduce their dependence on IT during incident investigation. Analysts should be equipped with tools that can help them automatically investigate incidents on every device in the organization (mobile, server, endpoint), without having to involve the IT organization, which often involves coordination, procedures and delays.

Apart from the organizational issue, endpoints are often inaccessible or off site. Analysts need investigation tools that provide complete visibility and access to all endpoints and servers, along with the ability to investigate them in a way that doesn’t cut off or shut down the endpoint.

Last but not least, the first stages of incident investigation can now be automated. Advanced analytics technology is able to synthesize alerts along with data from endpoints and servers to create a forensic timeline of any incident. This kind of “virtual analyst” dramatically simplifies and shortens the investigation process, and puts it within reach of a wider range of analysts.
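As an added illustration that is not part of the article, the following Python sketch shows the split the Tier 1 and Tier 2 sections describe: context is gathered automatically (a timeline of endpoint events around each alert), a defined procedure is applied where no judgment is needed, and everything else is escalated with the timeline attached. The alert rules, hosts and events are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry and alerts; not real data from the article.
ENDPOINT_EVENTS = [
    ("2016-09-01T09:58:10", "ws-17", "process", "outlook.exe started"),
    ("2016-09-01T10:00:02", "ws-17", "process", "winword.exe opened invoice.docm"),
    ("2016-09-01T10:00:05", "ws-17", "process", "winword.exe spawned powershell.exe"),
    ("2016-09-01T10:00:09", "ws-17", "network", "powershell.exe -> 198.51.100.7:443"),
    ("2016-09-01T10:00:30", "srv-db", "process", "sqlservr.exe started"),
    ("2016-09-01T10:05:00", "ws-17", "process", "chrome.exe started"),
]
ALERTS = [
    {"ts": "2016-09-01T10:00:06", "host": "ws-17", "rule": "office-app-spawns-shell"},
    {"ts": "2016-09-01T11:00:00", "host": "srv-db", "rule": "av-eicar-test-file"},
]

# Hypothetical list of alert rules that have a defined, judgment-free procedure.
AUTO_CLOSE_RULES = {"av-eicar-test-file": "known AV test artifact; close and notify owner"}


def build_timeline(alert, events, window=timedelta(minutes=5)):
    """Gather every event from the alert's host within +/- window, oldest first.

    This is the information-gathering step the article says to automate."""
    t0 = datetime.fromisoformat(alert["ts"])
    hits = [e for e in events
            if e[1] == alert["host"]
            and abs(datetime.fromisoformat(e[0]) - t0) <= window]
    return sorted(hits, key=lambda e: e[0])  # ISO timestamps sort lexically


def triage(alert, events):
    """Return (decision, reason, timeline) for one alert."""
    timeline = build_timeline(alert, events)
    procedure = AUTO_CLOSE_RULES.get(alert["rule"])
    if procedure and not timeline:
        # Defined procedure and nothing else happening around it: no judgment needed.
        return "closed", procedure, timeline
    if procedure:
        return "escalate", "procedure exists but unexpected activity near alert", timeline
    # Anything without a procedure needs a human decision; hand it up with context.
    return "escalate", f"{len(timeline)} related events on {alert['host']}", timeline


if __name__ == "__main__":
    for a in ALERTS:
        decision, reason, tl = triage(a, ENDPOINT_EVENTS)
        print(a["rule"], "->", decision, "|", reason)
        for e in tl:
            print("   ", e[0], e[2], e[3])
```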

Contain Threats, Cut the Red Tape

In most organizations, making the changes required to block and remediate threats is the job of the IT team rather than the security team. Without debating the relative merits of either approach, the ability of the organization to contain a threat immediately, until IT can take further action, is crucial. Here too, technology can be used to automatically freeze a process, for example, or remove a computer from the network, as well as to automatically secure approval from IT.

Don’t Erase the Evidence

When resources are limited, organizations tend to believe that the quickest way to eradicate an infection is simply to re-image the endpoint or server. This approach, however, can actually generate more work, rather than less, in the long run. It is very likely that, in addition to the original infection, other actions took place that signify a broader incident, such as credential theft, lateral movement or data exfiltration; the endpoint should therefore not be erased until a thorough investigation is complete.

Analysts must be able to recreate the history of the incident in order to complete a full forensic investigation. Knowing whether an incident is true or false is only the beginning – the role of the security analysts is to understand what happened and then to perform a full damage assessment.

Tier 3 Analysts: Control Consulting Costs with Proactive Forensics

Tier 3 analysts are both expensive and hard to find, forcing many organizations to outsource complex incident response work. In order to minimize expenditures and, no less important, to reduce dwell time when a breach occurs, organizations can proactively gather the information required for a rapid and accurate investigation and forensic analysis.

By continuously collecting endpoint and server activity data and storing it centrally for at least 90 days, organizations can save precious days and weeks when the experts are called in, and in many cases, a response can be provided remotely.

The real key to a good SOC team is striking the right balance between human skills and having the right security tools in place. Delegating responsibilities and empowering the existing SOC team will make for a stronger defense. Furthermore, utilizing technology to automate data collection and to perform analysis will enable SOC teams to effectively focus on the tasks where humans are essential. These two elements will make for an improved incident response process.

The combination of an increased demand for skilled cybersecurity professionals (and the lack thereof) along with a rise in the frequency of cyber-attacks on organizations will result in an unsustainable situation. While organizations strategize on how to overcome this challenge, CISOs can turn to technology to optimize SOC teams in order to maintain acceptable security standards.
