Moving to the Work From Home SOC

Written by

The current pandemic has forced us all to start working from home; however, the attacks by cyber-criminals have not stopped. If anything, malicious activity has increased as bad actors try to take advantage of workers who have escaped the secure embrace of corporate networks and are now on their home Wi-Fi.

Security operations are not immune to the shelter-in-place orders. Security Operations Centers (SOCs) are still running, but running remotely, while seeking greater automation and less reliance on people. The question is whether this is the new normal and remote security analysts will be a regular occurrence going forward, or will organizations return to centralized offices? Moving forward, it’s likely that businesses will have far more success with a combination of traditional SecOps and the right application of automation.

Remote SecOps – good in a pinch

It’s hard for security operations to operate remotely. It’s OK in a pinch, it’s OK in a time of crisis, but it’s not business-as-usual. Many companies have successfully transitioned to this strategy out of necessity and are functioning sufficiently in the “new normal”.

However, incident response requires collaboration. It requires teams working together to reach agreement on a solution and then executing it. Working remotely, even with the latest collaboration tools isn’t as fast as being able to walk into someone’s office or cubicle.

WFH doesn’t ‘work’ for everyone

One area that’s often underestimated is the amount of guidance new security analysts require. New analysts will have trouble working home alone. They learn and grow typically by working with more senior analysts, in the SOC, side-by-side.

In addition, for an IT organization that suddenly needs to support employees working from home, it can be a challenge to provide the necessary equipment and access needed. Can the SOC console where alerts are processed and viewed be accessed by remote employees? How about incident response ticketing systems, shift turnover logs, investigation notes and more? Troubleshooting is harder when remote. It’s a lot easier when the person you need to help make a change is in the building.

The case for automation

Working from home is at best a distraction for security analysts, but with this pandemic, it also can cause a shortage of available personnel. Automation, which has long been a project for most SOC leaders, is taking a higher precedent.

Even before this crisis, the gap between the number of security alerts (most of which are false positives) flooding into SOCs and the people who can review and address them is getting larger and larger.

The SOC hierarchy is built on the premise that junior analysts escalate alerts to senior analysts. If an untrained worker is escalating too many alerts, your top-tier manpower will be consumed with work that add little value.

Like all forms of truly radical change, adopting technologies that are truly new and different requires that people and processes evolve as well. Analyst roles will change based on appropriate automation, as human security analysts will never get better at monitoring enormous amounts of log data streaming across their consoles.

The benefits are obvious. Automating Level 1 security analysts can reduce manpower and free up time for more in-depth, challenging work. The new SOC configuration will be agile and informal, with processes that are constantly shifting and adapting as attackers alter their tactics. Fewer humans will work on the front lines, but those who do will have more important and interesting roles to play. They’ll work in close collaboration with one another and their colleagues in IT, rather than in isolation or within departmental silos.

Crises tend to accelerate change, and security operations is not immune. Expect more automation, machine learning and self-healing networks, as we get the time to take a breath and build our strategies for the future.

What’s hot on Infosecurity Magazine?