SOC team members battle with burnout, overload and chaos

While some organizations have increased security operations center (SOC) funding, the overall gains have been meager, and the most significant issues have not only persisted, but worsened, according to Devo Technology.

SOC team overload and burnout

The report, based on a survey conducted by Ponemon Institute, examines many of the same issues as last year, and found 60% of SOC team members are still considering changing careers or leaving their jobs due to burnout. The survey, conducted in March and April 2020, queried IT and IT security practitioners in organizations that have a SOC.

On the positive side, the importance of investing in a SOC remains high, with 72% of respondents categorizing the SOC as “essential” or “very important” to their organization’s overall cybersecurity strategy, up 5% year-over-year.

Additionally, the average annual cybersecurity budget for organizations rose $6 million to $31 million, with the SOC representing more than one-third of that total.

For respondents whose organizations have invested in people, process, and technology, the performance differences are stark. Strong business alignment (73%) and extensive training (67%) help high-performing SOCs more than double the effectiveness of their lower-performing brethren.

SOC team members continue to face barriers

However, the pain and barriers facing SOC teams are universal and worsening, with higher performers citing 10% more pain at an extreme level (9-10 on a 10-point scale), and virtually no difference in the level below that (7-8).

The major areas of pain and resistance include:

  • 70% suffer a lack of visibility into the IT infrastructure (up from 65%)
  • 64% combat turf or silo issues between IT and the SOC (up from 57%)
  • 71% need greater automation (up from 67%), especially as they continue to spend substantial manual cycles on tasks such as alert management (47%), evidence gathering (50%), and malware protection and defense (50%)
  • Environmental factors are driving substantially higher pain, including information overload (67%, up from 62%), burnout from increased workloads (75%, up from 73%) and “complexity and chaos” in the SOC (53%, up from 49%)

The perennial issue of a skills shortage

Not surprisingly, the perennial issue of a skills shortage (seen by more than 50% of respondents) is close to the heart of the issue. But digging deeper, it’s quickly apparent that across the board people, process, and technology are misaligned and inefficient:

  • Organizations have too many tools (nearly 40%), and more than half don’t have all the data necessary, nor the ability to capture actionable intelligence
  • While 76% say training/retention is highly important, more than 50% have no formal programs in place, and more than 50% cite the lack of skilled personnel as a major factor in SOC inefficiency
  • Mean time to resolution (MTTR) remains unacceptably high, with 39% saying their average time to resolve an incident is “months or even years”

“At first blush, the data from the survey made it appear that SOCs are advancing, but it turns out the budget growth and successes hide substantial pain—and to achieve even these modest successes consumes considerable resources,” said Julian Waits, general manager, cybersecurity at Devo.

“While the focus and efforts of high-performing SOCs are driving them to be successful in spite of increasing barriers, that success comes at an unacceptable human cost. Seventy-eight percent of respondents say working in the SOC is very painful.

“Even more troubling, 69% say that experienced analysts would quit the SOC because of stress. It’s clear that significant reforms must be made to achieve greater SOC efficiency and engagement—with less analyst stress—especially in the face of a new economic normal that will likely constrain investments for some time to come.”

Alleviating SOC team pain

For all the friction and pain, high-performing teams are continuing to advance the benefits SOCs provide organizations and should be commended for their efforts. Most importantly, high-performing teams have driven strong business consensus: 73% report that SOC objectives are aligned with business objectives, whereas 63% of low performers report no alignment at all.

Among the lessons that can be learned from the findings, the top three actions cited to demonstrably alleviate SOC analyst pain are greater workflow automation (71%), implementing advanced analytics/machine learning (63%), and access to more out-of-the-box content (55%).

New infosec products of the week: February 14, 2020

RSA Archer SaaS: An integrated approach to managing risk

RSA Archer SaaS can help reduce the time and resources dedicated to on-premises platform upgrades, patches, and maintenance activities, as well as enable customers to focus on maturing and expanding their integrated risk management programs.

Farsight Security enhances its Security Information Exchange data-sharing platform

Farsight Security announced enhancements to its Security Information Exchange data-sharing platform to help security professionals measurably improve the prevention, detection and response of the latest cyberattacks.

Tufin SecureCloud: Providing unified security policy management for the hybrid cloud

Tufin SecureCloud is a security policy automation service for enterprises needing to gain visibility and control of the security posture of their cloud-native and hybrid cloud environments.

ZeroFOX launches AI-powered Advanced Email Protection for Google and Microsoft platforms

The ZeroFOX Advanced Email Protection suite includes Business Email Compromise Protection for Google’s G Suite and Microsoft’s Office 365 platforms, which identifies impersonation-based attacks targeting employees.

Devo Security Operations: Transforming the SOC and scaling security analyst effectiveness

Devo Security Operations is the first security operations solution to combine critical security capabilities together with auto enrichment, threat intelligence community collaboration, a central evidence locker, and a streamlined analyst workflow.

esCLOUD extends managed detection and response to cloud platforms

esCLOUD constantly monitors customer cloud environments to detect improper configurations and vulnerabilities that could lead to data loss and compromise. Automated policy enforcement, combined with response and remediation from eSentire’s expert security analysts, ensures that customers can operate in the cloud with confidence.

Devo Security Operations: Transforming the SOC and scaling security analyst effectiveness

Devo Technology announced Devo Security Operations, the first security operations solution to combine critical security capabilities together with auto enrichment, threat intelligence community collaboration, a central evidence locker, and a streamlined analyst workflow.

This combination is intended to transform the security operations center (SOC) and scale security analyst effectiveness. Analysts no longer have to rely on multiple tools to manually assemble the data, context, and intelligence required to identify and investigate the threats that matter most to their business.

Devo Security Operations puts this information at analysts’ fingertips across the entire threat lifecycle.

With a rapidly expanding attack surface and increasingly sophisticated adversaries who can progress from initial access to lateral movement in minutes, legacy SIEMs are failing to meet the needs of analysts and SOCs.

According to recent Ponemon Institute research, 53 percent of IT security practitioners believe their SOC is unable to gather evidence, investigate, and find the source of threats. Analysts must attempt to manually close the gap between detection and response, fueling the growing epidemic of analyst burnout and putting enterprises at risk.

Delivered on the powerful Devo Data Analytics Platform, Devo Security Operations reduces analysts’ workflow from hours to minutes, keeping SOCs ahead of even the most sophisticated adversaries.

“With traditional SIEM solutions, SOC teams struggle with too many false-positive alerts, and broken workflows, as well as speed, scale and performance issues that hinder analysts’ effectiveness,” said Julian Waits, general manager, cyber, Devo.

“We’re reinventing the category by leveraging powerful data analytics, automating incident workflow, and designing technology with a security practitioner’s mindset. Devo Security Operations arms analysts with new weapons and tactics for context-rich investigations, slashing the time from detection to response and significantly reducing or eliminating damage from an attack.”

An analyst’s perspective

“There is a need for a solution that incorporates new technologies to extend the capabilities of often-overtaxed security teams. Too often, these technologies are fragmented and poorly integrated,” said Scott Crawford, research vice president, information security, 451 Research.

“Devo Security Operations fills this need by combining key functionalities—including entity analytics, automation and hunting—into a single integrated platform.”

Devo Security Operations empowers SOC analysts to:

  • Reduce noise, amplify signal with entity analytics – More reliably identify and investigate high-impact threats by shifting focus to entities. Classify, model and associate entities as the foundation for detection and investigation to deeply understand the organization’s environment and the behaviors of the business.
  • Accelerate investigations and simplify workflow with auto enrichment – Gain a context-rich picture of entities, alerts and investigations without having to manually collect or query data, speeding the investigation process. Bring enrichment in earlier by automatically populating events with actionable, real-time data and context, including indicators from the Devo Threat Data Service, the community, and partners.
  • Hunt more easily across all data and context – Run queries across any volume of data, any number of sources, and any time horizon to proactively identify threats. Powered by the Devo Data Analytics Platform, Devo Security Operations aggregates an organization’s diverse data for complete visibility at unprecedented speed, scale and performance.
  • Operationalize the knowledge of the global security community – The Devo Threat Data Service enriches alerts with attributes and indicators ranging from IP addresses, emails, and files to hashes and domains. Organizations can consume indicators from, and collaborate with, the global MISP community and other internal or third-party sources, significantly expanding their scope and use of threat knowledge.
  • Triage centralized evidence and analyze it for DFIR – The Devo Security Operations Evidence Toolkit for digital forensics and incident response (DFIR) provides an end-to-end workflow for centralizing and analyzing forensic evidence—PCAPs, memory dumps, PDFs, images and context—even enabling analysts to submit files to multiple sandboxes, all from a single location. Speed investigations and improve response time by providing analysts with access to the right evidence at the right time.
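As an added illustration of the two ideas the list above leans on, indicator-based auto enrichment and an entity-centric view of the results, here is a small standalone example. It is example code written for this page, not Devo's product code and not the MISP project's; the indicator feed, the sample alerts and the field names (dst_ip, dst_domain, file_sha256, host) are constructed assumptions rather than any vendor schema.

```python
"""Indicator-based alert enrichment plus an entity-centric rollup.

Added example, not vendor code. The feed and alerts are constructed for the
example; indicator values use documentation IP ranges, a reserved example
domain and an arbitrary hash, so nothing here is a real IOC.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator "feed" in a MISP-like shape: type, value, tags, source.
INDICATORS = [
    {"type": "ip-dst", "value": "203.0.113.7", "tags": ["c2"], "source": "example-feed"},
    {"type": "domain", "value": "bad.example", "tags": ["phishing"], "source": "example-feed"},
    {"type": "sha256", "value": "a" * 64, "tags": ["malware"], "source": "example-feed"},
]

# Which alert fields each indicator type is matched against (assumed field names).
FIELD_MAP = {
    "ip-dst": ("dst_ip",),
    "domain": ("dst_domain",),
    "sha256": ("file_sha256",),
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalize(ind_type, value):
    """Canonicalise values so a lookup does not miss on case, whitespace or a trailing dot."""
    if ind_type == "ip-dst":
        return str(ipaddress.ip_address(value.strip()))  # raises ValueError on junk
    if ind_type == "domain":
        return value.strip().lower().rstrip(".")
    if ind_type == "sha256":
        v = value.strip().lower()
        if not SHA256_RE.match(v):
            raise ValueError(f"not a sha256: {value!r}")
        return v
    raise ValueError(f"unsupported indicator type: {ind_type}")


def build_index(indicators):
    """Index the feed by (type, normalized value) for one dictionary lookup per alert field."""
    index = {}
    for ind in indicators:
        key = (ind["type"], normalize(ind["type"], ind["value"]))
        index.setdefault(key, []).append(ind)
    return index


def enrich_alert(alert, index):
    """Return a copy of the alert with a 'threat_matches' list of matched indicators attached."""
    matches = []
    for ind_type, fields in FIELD_MAP.items():
        for field in fields:
            raw = alert.get(field)
            if not raw:
                continue
            try:
                key = (ind_type, normalize(ind_type, raw))
            except ValueError:
                continue  # malformed field value: skip it rather than stall the pipeline
            for ind in index.get(key, []):
                matches.append({"field": field, "indicator": ind["value"],
                                "tags": list(ind["tags"]), "source": ind["source"]})
    enriched = dict(alert)
    enriched["threat_matches"] = matches
    return enriched


def group_by_entity(enriched_alerts, entity_field="host"):
    """Entity view: the set of matched tags per host, so triage starts from the asset, not the alert."""
    by_entity = defaultdict(set)
    for a in enriched_alerts:
        for m in a["threat_matches"]:
            by_entity[a.get(entity_field, "unknown")].update(m["tags"])
    return {k: sorted(v) for k, v in by_entity.items()}


# Constructed sample alerts, not real telemetry. Alert 3 carries a malformed IP on purpose.
SAMPLE_ALERTS = [
    {"id": 1, "host": "ws-01", "dst_ip": "203.0.113.7", "dst_domain": "BAD.example."},
    {"id": 2, "host": "ws-02", "dst_ip": "198.51.100.9", "file_sha256": "A" * 64},
    {"id": 3, "host": "ws-03", "dst_ip": "not-an-ip"},
]


def run(alerts=SAMPLE_ALERTS, indicators=INDICATORS):
    """Enrich every alert against the feed and return the enriched copies."""
    index = build_index(indicators)
    return [enrich_alert(a, index) for a in alerts]


if __name__ == "__main__":
    enriched = run()
    for a in enriched:
        print(a["id"], [m["tags"] for m in a["threat_matches"]])
    print(group_by_entity(enriched))
```

The normalization step is where most real enrichment pipelines quietly fail: a feed entry of `bad.example` never matches a log field of `BAD.example.` unless both sides are canonicalised, and a single malformed field should be skipped, not allowed to raise and stop the batch.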

Devo Security Operations combines these capabilities in an integrated workflow, accelerating detection and response with auto enrichment. This enables analysts to operate more quickly and efficiently, drastically cutting response time.

Devo transforms the SOC to effectively address key security use cases, including threat hunting, threat detection, triage and investigation, and digital forensics. Devo Security Operations is available now worldwide.