SOC burnout is real: 3 preventative steps every CISO must take
Consider this scenario: Morgan, a level 3 security analyst, arrives to a twelve-hour security operations center (SOC) shift and finds a message that a network sensor is offline. Morgan’s first hour is spent troubleshooting the sensor and bringing it back online before even beginning the workday. The next four hours of the shift is spent repeating a task Morgan has done each day for the last three weeks: tuning their new behavioral-based security solution so that it doesn’t generate countless inaccurate alerts.
The next five hours Morgan triages complex security events escalated from Level 1 and 2 security analysts, all of which require the team to perform the difficult collection of data just to prove the events are either false positives or they don’t have the data necessary to confirm or deny the alert. Before being done for the day, Morgan’s last planned task is to work with a vendor on a software update to their solution that will require two hours of downtime.
Worn out, Morgan gets a Slack message from a colleague that they just confirmed a vulnerability announced 4 hours ago may impact the enterprise. The team is scrambling to understand the implications of the event, looking for indicators in the environment, and communicating to the rest of the organization that they may have a problem. Clearly, the software update will have to wait. Morgan and the already taxed team continue to work on the problem, seeking relevant information, and feeling the pressure.
SOC burnout
For those that spend every day as a security professional and for anyone who truly appreciates the demands applied to these essential security team members, burnout is a harsh reality.
The root causes go far beyond the pressures imposed by cyber adversaries. According to the Ponemon Institute, 70% of SOC/IR analysts agree quick burnout is due to the high-pressure environment of their jobs. The leading causes making working in a SOC/IR painful are:
- Increasing workload: 75%
- Being on call 24/7/365: 69%
- Lack of network & IT visibility: 68%
- Too many alerts to chase: 65%
Perhaps the most sobering stat identified by the Ponemon Institute is that 84% of SOC analysts report “minimization of false positives” as the most important SOC activity. While false positives come with the job, the responsibility should not solely reside with the SOC. As security vendors, we must look at our entire offering and focus on addressing the true issues leading to ineffectiveness and burnout.
But what are some steps CISOs can take to shift the balance in their favor? How can CISOs address the root problems to drive efficiency and effectiveness to their SOC while relieving the causes of burnout?
Proactive steps for every CISO
Successful CISOs have a few things in common:
- The CISO makes it clear that the SOC/IR team is empowered to focus on identifying and dismantling adversaries, full stop
- The CISO selects security solutions not only based on technology, but also by how the vendor understands his or her challenges and will partner with them
- The CISO ensures the SOC/IR team has access to experts when it counts
To elaborate, below are some real-world steps each CISO can take:
1. Remove distractions
Investigate the team’s workload and eliminate distractions. A SOC/IR team’s primary focus should be identifying and responding to active adversary threats – everything else is secondary or should be eliminated. One approach for accomplishing this is to institute a SOC philosophy that follows a decision matrix made famous by Dwight Eisenhower:
In the scenario above, as a level 3 analyst Morgan faced three to five hours of distractions bringing technology back online and performing software updates along with more time spent dealing with false positives. If the Eisenhower matrix had been in place, Morgan’s team wouldn’t have been burdened with non-urgent or non-important tasks and been on top of the adversary immediately.
2. When acquiring SOC tools measure twice, cut once
While most technology solutions aim to make the SOC/IR more efficient and effective, all too often organizations take one step forward and two steps back if the solution creates ancillary workloads for the team. The first measurement of a security tool is if it addresses the pain or gap that the organization needs to fill. The second measurement is if the tool is purpose-built by experts who understand the day-to-day responsibilities of the SOC/IR team and consider those as requirements in the design of their solution.
As an example, there is a trend in the network detection and response (NDR) market to hail the benefits of machine learning (ML). Yes, ML helps to identify adversary behavior faster than manual threat hunting, but at what cost? Most anomaly-based ML NDR solutions require staff to perform in-depth “detection training” for four weeks plus tedious ongoing training to attempt to make the number of false positives “manageable.”
Some security vendors are redefining their software as a service (SaaS) offering as Guided-SaaS. Guided-SaaS security allows teams to focus on what matters – adversary detection and response. Using NDR as an example, the Guided-SaaS NDR vendor won’t add tasks to the SOC/IR team’s workload such as “detection training.” Guided-SaaS vendors deliver detection engines that are pre-tuned and perform any ongoing tuning necessary. Further, a Guided-SaaS NDR vendor solution includes expert assistance with deployment, ongoing visibility and health checks, solution configuration, and all software updates. According to the Eisenhower Decision Matrix, tasks that the SOC/IR performs but aren’t “important” and “urgent” are delegated to the Guided-SaaS vendor, decreasing the workload and distractions on the team.
In the scenario above, a Guided-SaaS NDR solution would have given Morgan between five to seven hours back to focus on adversary hunting and response.
3. Demand expertise from vendors
In high-pressure situations with high-risk outcomes, people often turn to experts for guidance (e.g., tax advisor, a doctor, a life coach). The same is true during security incidents. CISOs should make sure their team of security analysts and incident responders have access to expertise that can provide timely guidance.
Guided-SaaS security vendors can also help here. True Guided-SaaS security vendors employ expert security analysts and incident responders on their customer success teams to build a partnership with their customers. It goes without saying, if a vendor staffs its customer success team with security experts there will be a level of understanding and empathy for the SOC/IR staff, facilitating a strong relationship. And during high-pressure events, teams will have someone they trust to turn for guidance.
Guided-SaaS security vendors can provide teams with expert knowledge about a particular threat actor’s intentions, tactics, traits, and procedures as well as best-practice guidance on incident response. Guided-SaaS provides teams with access to this source of knowledge and turns high-pressure situations into manageable scenarios, increasing effectiveness and reducing burnout.
In the scenario above, Morgan would call their Guided-SaaS vendor to understand more about the vulnerability, its indicators, and how best to investigate. The guidance that reduces the scrambling, increases the relevant information, and removes a bit of the pressure knowing they aren’t fighting this alone.
It is no surprise that the recommendations to relieve pressures on SOC/IR teams illustrate that technology alone is not the savior. CISOs that empower their teams and choose vendors who are focused on removing distractions and providing guidance to their customers are at the heart of improving SOC effectiveness and addressing SOC burnout.