Reinventing the Role of the Tier 1 SOC Analyst

The role of the Tier 1 Security Operations Center (SOC) Analyst varies across organizations, but it almost always includes monitoring security dashboards and logs to triage events and alerts for potential threats, intrusions and indicators of compromise. The Tier 1 analyst also typically performs the initial analysis and investigation of potentially malicious activity.

It is also a tedious job. As a Demisto survey reveals, “Alerts are on the rise leaving today’s security teams bombarded with an average of 174,000 per week” and “45% of respondents stated that their security tools generated too many alerts.” This sense of being overwhelmed by the sheer volume of alerts contributes to alert fatigue, loss of morale, and ultimately turnover.

In a CRITICALSTART survey of more than 50 SOC professionals across enterprises, more than a third had lost a quarter or more of their SOC analysts in less than 12 months.

The “Voice of the Analyst” study attributes part of this attrition to Managed Security Services Providers and Managed Detection and Response providers: more than a third of SOC professionals had lost a quarter or more of their SOC analysts in less than 12 months.

This turnover is happening amid a global gap of nearly four million cybersecurity positions, according to (ISC)2. Given the enormous security talent shortage, constantly replacing SOC analysts isn’t sustainable and is bound to force change. Instead, organizations are leaning on technology that improves the productivity of the analysts they have, whether they outsource some of the work or manage it all in-house.

For example, Network Detection and Response (NDR) is an emerging technology that can automate many of the time-consuming aspects of the Tier 1 SOC Analyst’s work. Some NDR solutions make it possible to stop the avalanche of false positives that overwhelms and demoralizes the Tier 1 analyst. These solutions use unsupervised machine learning to learn what is normal on the network and flag what is anomalous.

Identifying something as anomalous does not, by itself, mean it is malicious. NDR can also learn what malicious behavior looks like, using supervised ML to distinguish benign anomalies from malicious ones. This dramatically reduces false positives and improves the detection of high-risk activity.

Going one step further, some NDR solutions use a correlation engine to identify events that are connected as part of a single intrusion. By pulling security events together, NDR can provide a complete picture of the threat instead of isolated alerts.

For example, the NDR solution would recognize that a file was downloaded, that the download led to an infection, and that the infected host then opened a connection to a botnet for command and control. After correlation, the analyst sees only intrusions that are highly likely to be real threats.
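The correlation step above can be made concrete with a small example. The following Python is an added illustration written for this article, not code from any NDR vendor or product: it takes a handful of constructed alerts (the hostnames, timestamps, `example.invalid` domains and `203.0.113.x` address are all made-up sample data), groups them per host into intrusions using a time window, orders the events by the download → infection → C2 chain the text describes, and rates each intrusion by how much of that chain was observed. A lone anomaly on one host stays "low" confidence and never reaches the analyst queue, which is the "anomalous is not the same as malicious" point from the previous paragraph; the full chain on one host is surfaced once, as a single intrusion rather than three alerts.

```python
"""Toy alert-correlation engine illustrating the NDR behaviour described in the article.

Added example with constructed data; not a vendor's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

# Kill-chain stages in the order the article describes: a download leads to an
# infection, and the infected host then calls out to command and control.
STAGE_ORDER: Dict[str, int] = {"download": 0, "infection": 1, "c2": 2}

# Constructed sample alerts (not real telemetry). Format: timestamp|host|stage|detail
CONSTRUCTED_ALERTS: List[str] = [
    "2024-03-04T09:00:12|ws-17|download|proxy: GET http://files.example.invalid/invoice.exe (unknown object)",
    "2024-03-04T09:01:40|ws-17|infection|edr: invoice.exe wrote a run-key persistence entry",
    "2024-03-04T09:03:05|ws-17|c2|ndr: periodic beacon to 203.0.113.45:8443, TLS fingerprint never seen before",
    "2024-03-04T09:05:00|ws-22|download|proxy: GET http://cdn.example.invalid/update.msi (unknown object)",
    "2024-03-04T14:30:00|ws-17|c2|ndr: periodic beacon to 203.0.113.45:8443",
]


@dataclass
class Event:
    ts: datetime
    host: str
    stage: str
    detail: str


@dataclass
class Intrusion:
    host: str
    events: List[Event] = field(default_factory=list)

    def stages(self) -> List[str]:
        # Distinct stages seen on this host, in kill-chain order regardless of arrival order.
        return sorted({e.stage for e in self.events}, key=STAGE_ORDER.__getitem__)

    def confidence(self) -> str:
        # The more of the chain observed on one host, the less likely it is a lone false positive.
        n = len(self.stages())
        return "high" if n == len(STAGE_ORDER) else "medium" if n == 2 else "low"


def parse_alert(line: str) -> Event:
    """Parse one pipe-delimited alert line into an Event; rejects unknown stages."""
    ts, host, stage, detail = line.split("|", 3)
    if stage not in STAGE_ORDER:
        raise ValueError(f"unknown stage {stage!r}")
    return Event(datetime.fromisoformat(ts), host, stage, detail)


def correlate(events: List[Event], window: timedelta = timedelta(minutes=30)) -> List[Intrusion]:
    """Group events per host in time order; a gap longer than `window` starts a new intrusion."""
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    intrusions: List[Intrusion] = []
    for host, evs in by_host.items():
        current = Intrusion(host, [evs[0]])
        for prev, e in zip(evs, evs[1:]):
            if e.ts - prev.ts > window:
                intrusions.append(current)
                current = Intrusion(host, [])
            current.events.append(e)
        intrusions.append(current)
    return intrusions


def triage(lines: List[str], minimum: str = "high") -> List[Intrusion]:
    """What reaches the analyst queue: only intrusions at or above `minimum` confidence."""
    rank = {"low": 0, "medium": 1, "high": 2}
    intrusions = correlate([parse_alert(line) for line in lines])
    return [i for i in intrusions if rank[i.confidence()] >= rank[minimum]]


if __name__ == "__main__":
    all_intrusions = correlate([parse_alert(line) for line in CONSTRUCTED_ALERTS])
    print(f"{len(CONSTRUCTED_ALERTS)} raw alerts -> {len(all_intrusions)} intrusions")
    for i in all_intrusions:
        print(f"  {i.host}: stages={i.stages()} confidence={i.confidence()}")
    for i in triage(CONSTRUCTED_ALERTS):
        print(f"queued for analyst: {i.host} ({len(i.events)} correlated events)")
```

Run as a script, the five constructed alerts collapse to three intrusions, of which only the ws-17 download/infection/C2 chain is rated high and queued; the single unknown download on ws-22 and the isolated later beacon are retained as low-confidence context rather than shown as separate alerts. The 30-minute window and the three-stage confidence scale are deliberately simple stand-ins for the learned models the article describes.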

Beyond detection, organizations can use NDR directly, or take advantage of its integration with firewalls, security orchestration, automation and response (SOAR) platforms and other in-line security controls, to execute automated response. NDR feeds these tools accurate threat detections and relevant context, making them more effective.

With NDR, analysts can start to function more like Tier 2 analysts, focusing their time on solving incidents and protecting their organization. They can rely on NDR’s high-fidelity insights to eliminate time-consuming manual investigations of unknown objects and anomalous activity and to automate response.
