How automation can help create the 'super SOC'
A panel discusses analyst fatigue, false positives and how SOAR playbooks can relieve the stress on security professionals
Good SOC analysts are hard to find, and with the advent of remote working, even harder to retain. Amid ever rising data volumes and a proliferation of sensors, platforms and sources, all of which should ideally be monitored, automation is a must: there is simply no way that analysts - be they on site or working for a managed service provider - can keep up.
But what kind of automation should IT leaders be looking at, how do they make sure the security operations centre (SOC) is not overwhelmed by false positives, and how do they avoid dumbing down their operation, losing vital domain knowledge and experience in the rush to standardise?
These topics were discussed by a select group of IT leaders from sectors including finance, energy, healthcare, technology and distribution at a roundtable event hosted by Sumo Logic. The event was conducted under the Chatham House Rule.
A number of delegates were wary about putting too much faith in automation.
"It's those false positives," said an information security manager at a technology company, explaining that every system update is inevitably accompanied by a deluge of alerts simply because things have changed. The company uses a managed SOC service but retains expertise on the ground too, using the same alerting system.
"The MSP looks at the generics, but doesn't necessarily understand what's going on. Whereas someone internally might see an unusual login at an unusual time and go, ‘Oh, I know who that is. No need to worry about that one.’"
A CISO at a technology firm said that while external services can be helpful, building a quality in-house team is the most important element.
"I'm more interested in creating a team that understands the internal environment intimately, and therefore has a better chance of responding to things, which we then question," the CISO said. "To have that on site, internal knowledge, I think, is a critical first step to be able to respond effectively. And that's why I'm driving for an internal team as well."
The task of building a SOC team has been made more difficult by the rise in home working. While in many ways SOC operations are ideally suited to remote work, at the same time that makes the casual passing of knowledge more difficult, and it also means that skilled professionals are more likely to be poached, since they can work from anywhere.
Working from home may also exacerbate ‘analyst fatigue' or burnout. Security is a high-pressure job, after all. This is where support is vital, said an IT leader at a large service provider, noting there is often pressure, internal or otherwise, for security professionals to be superheroes.
"If we're thinking of the SOC analyst as a superhero, first of all we have to make sure that those people have got the right support around them, that organisations are supporting their SOC workers from a mental point of view."
This is where automation can come into its own, this IT leader continued, because it can augment human capabilities.
"If you think about the augmentation of automation with the human, that is one way where we can then start to create the super analyst or the super SOC. So actually, they're not doing it all by themselves, they are learning and the bots or the AI working alongside them is learning too."
Claudia Pollio, regional sales manager for SOAR at Sumo Logic, described security orchestration, automation and response (SOAR) tools as a "force multiplier" for the SOC team, which can use a SOAR's playbooks and standardised responses to deal with incidents. These playbooks can also help onboard new analysts, and hopefully reduce the number of overstressed professionals seeking work elsewhere.
"We say we want to look at everything, but that's not a human-resolvable problem any more. At the end of the day, it's looking for a needle in a haystack," she said.
"I think automation also means that as you learn, you teach [the tools] how your organisation works. So when you have new analysts coming on board you can leverage those workflow playbooks that the SOAR can provide, or other tools in other parts of the incident phase, and as part of detection, you can guide them into learning how your organisation works, and that helps with retention, as it gives you clear process in place to keep the analysts that you have."
It also has a key part to play in reducing the drudgery that may have analysts eyeing the exit door, said Andrea Fumagalli, senior director, customer engineering - orchestration and automation at Sumo Logic.
"Often you have analysts, clever people, doing monkey jobs: reading the logs, checking the source IP, checking the destination IP, geolocating, and so on. These are boring tasks. That's why we're always looking to innovate technology that helps to automate these concepts."
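To make the two threads of the discussion concrete, here is a small Python triage routine of the kind a SOAR playbook would run: it does the log-reading, source/destination IP checking and geolocation that Fumagalli calls monkey work, and it encodes the "I know who that is" judgement from the earlier technology-company example as analyst-curated playbook data so that the expected-but-unusual login is suppressed instead of raised as a false positive. This is example code written for this page, not Sumo Logic's product and not anything a panellist showed; the log lines, the internal address ranges, the CIDR-to-country table, the per-user allowlist and the hour windows are all constructed for the example, and a real playbook would fetch geolocation and identity data from live services instead.

```python
"""Toy SOAR-style enrichment and triage playbook (added example, not vendor code)."""
import ipaddress
import re
from datetime import datetime

# Constructed syslog-like sample lines; none come from a real system.
SAMPLE_LOGS = [
    "2024-03-04T02:13:07Z sshd login user=backup_svc src=10.0.4.20 dst=10.0.1.5 result=success",
    "2024-03-04T02:15:41Z sshd login user=jsmith src=203.0.113.9 dst=10.0.1.5 result=success",
    "2024-03-04T22:30:10Z sshd login user=akumar src=198.51.100.7 dst=10.0.1.8 result=success",
    "2024-03-04T10:30:00Z sshd login user=lchen src=10.0.7.3 dst=10.0.1.8 result=success",
    "2024-03-04T03:40:00Z sshd login user=unknown src=192.0.2.77 dst=10.0.1.5 result=failure",
]

LOG_RE = re.compile(
    r"(?P<ts>\S+) \S+ login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)"
)

# Assumed asset inventory: which ranges count as "internal" for this organisation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for a GeoIP lookup (assumption; real playbooks query a service).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "IN",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
}

# The internal knowledge an MSP lacks, written down as playbook data: for each
# user, where they are expected to log in from and during which UTC hours
# (half-open [start, end)). Constructed for the example.
KNOWN_PATTERNS = {
    "backup_svc": {"countries": {"internal"}, "hours": (0, 24)},
    "jsmith": {"countries": {"GB"}, "hours": (0, 24)},  # night-shift engineer
    "akumar": {"countries": {"IN"}, "hours": (6, 18)},
}

BUSINESS_HOURS = (7, 19)  # UTC, assumed


def parse(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def geolocate(ip_str):
    """Return 'internal', a country code from the table, or 'unknown'."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return "unknown"


def in_hours(ts, window):
    start, end = window
    return start <= ts.hour < end


def triage(event):
    """Return (verdict, reason); verdicts are suppress, auto_close or escalate."""
    country = geolocate(event["src"])
    event["src_country"] = country
    pattern = KNOWN_PATTERNS.get(event["user"])
    # The "Oh, I know who that is" rule: unusual time or place, but documented.
    if (event["result"] == "success" and pattern
            and country in pattern["countries"] and in_hours(event["ts"], pattern["hours"])):
        return "suppress", "matches analyst-documented pattern for %s" % event["user"]
    if event["result"] == "success" and country == "internal" and in_hours(event["ts"], BUSINESS_HOURS):
        return "auto_close", "internal login during business hours"
    return "escalate", "%s login for %s from %s at %02d:00 UTC" % (
        event["result"], event["user"], country, event["ts"].hour)


def run_playbook(lines):
    """Enrich and triage every parseable line; returns one summary dict per event."""
    results = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue  # a real playbook would route unparsed lines to a parsing-failure queue
        verdict, reason = triage(event)
        results.append({"user": event["user"], "src": event["src"], "dst": event["dst"],
                        "src_country": event["src_country"], "verdict": verdict, "reason": reason})
    return results


if __name__ == "__main__":
    for r in run_playbook(SAMPLE_LOGS):
        print("%-10s %-14s %-8s %-10s %s" % (r["user"], r["src"], r["src_country"], r["verdict"], r["reason"]))
```

The point of the layout is that the tedious part (parsing, range checks, geolocation) is fully automatic, while the part that needs domain knowledge lives in `KNOWN_PATTERNS`, a table an experienced analyst can maintain and a new starter can read to learn how the organisation behaves. Note that the allowlist only ever suppresses successful logins that match both the expected location and the expected hours; anything else, including the night-time success from India and the failed login from an unknown account, still reaches a human.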