Welcome to the latest installment in our blog series detailing the case for change and best practices for creating and maintaining Security Operations Centers (SOCs). Catch up by reading last week’s post on the right questions to ask when assessing whether to create a SOC in-house or outsource it to a managed security services provider.
According to a recent study from the ISACA, cybersecurity professionals are in dreadfully low supply. With cyberthreats increasing in size and scope every day, time is of the essence when safeguarding your company from hackers.
Threat hunting analysts are a prime example. All security technologies, including those in a SOC, generate huge logs. Those logs contain the subtle indications of system compromise, but at times it requires analysts to look for a needle in a haystack of false positives. The ISACA study found that the majority of companies surveyed want experienced cybersecurity professionals to handle these delicate issues.
Unfortunately, many of these analysts enter the marketplace without practical experience. Employers are simply demanding the impossible: anybody already possessing both qualifications and experience gained it though being employed in a threat analyst role. It becomes a question of poaching rather than recruiting, with the inevitable result that skills move upwards toward large, well-financed enterprises – leaving small and midsized companies in the lurch.
So what can you do with your SOC staff to mitigate this issue? Define repeatable incident triage and investigation processes that standardizes the actions a SOC analyst takes, ensuring no important alerts fall through the cracks.
By creating repeatable incident management workflow, you can clearly define team members’ responsibilities and actions from the creation of an alert through to initial evaluation and escalation.
Based on the workflow you create, resources can be effectively allocated. We recommend you employ either the DOE/CIAC model or the NIST SP800-61 Revision 2 Computer Security Incident Handling Guide, which consists of four stages:
- Preparation: Attempt to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
- Detection & Analysis: Alert the organization whenever incidents occur.
- Containment, Eradication & Recovery: Mitigate the impact of the incident by containing it and ultimately recovering from it.
- Post-Incident Activity: Issue a report that details the cause and cost of the incident, as well as steps the organization can take to prevent future incidents.
To achieve efficient incident handling, the SOC must avoid bottlenecks moving incidents through Tier 1 into Tier 2 and Tier 3 resources. Bottlenecks can occur due to information overload, including false positives and alerts that do not pose a significant threat to the business. Information overload often leads to analyst fatigue. Fatigue causes analysts to lose focus, potentially allowing larger issues to go unnoticed amidst all the white noise of false positives.
This alert fatigue phenomenon is a common experience among responders. When choosing an enterprise security monitoring tool, look for such features as alert threshold customization and the ability to combine many alerts into a single incident. Incidents should also come with additional context, so that analysts can handle them faster and reduce layers of evaluation that generally take place before issues are confirmed and mitigated.
Come back next week as we dig deeper into the right technology tools to implement in your SOC. Can’t wait until then? Visit our website to learn how US Cyber Vault’s managed security services deliver security operations center, analyst, intelligence and incident response capabilities rapidly, enabling companies to save up to 90 percent on traditional cybersecurity costs.