The Evolving Role of the SOC Analyst
Originally published by LogicHub here.
Written by Willy Leichter, Chief Marketing Officer, LogicHub.
- As the cyber threat landscape evolves, so does the role of the security operations center (SOC) analyst.
- Cybersecurity industry veteran and OneTrust VP of Security, Colin Henderson, says organizations must avoid hiring armies of specialists for repetitive tasks.
- Modern SOC teams are changing, and analysts must embrace new approaches even if their job titles remain the same. Despite increasing threat levels, automation is the key to efficiency improvements and security analyst job satisfaction.
I sat down with Cybersecurity industry veteran and OneTrust VP of Security, Colin Henderson, to talk about how the SOC analyst role has evolved within cybersecurity. Colin’s career began at the National Security Agency (NSA) before he put his security skills to work for manufacturing, financial services, and SaaS companies.
Colin is no stranger to change, and he knows one thing to be true: As the threat landscape continues to evolve, so does the role of the security operations center (SOC) analyst.
These security specialist roles aren’t getting easier. In recent years, he has seen a persistent increase in threat levels, false positives, and alert fatigue. Burnout for analysts can happen within just 18 to 24 months. There’s a temptation to simply hire more specialists to deal with the ever-growing number of repetitive tasks in what amounts to a “churn-and-burn” strategy. But Colin posits that managing the noise effectively is key to dealing with the problem in a smart way.
Changing SOC requirements create pressure on security teams to adapt quickly in this intensely challenging environment — but they need the right tools. Automation is the answer to cutting through the noise of near-constant alerts. It plays a critical role in improving the efficiency, effectiveness, and job satisfaction of security analysts.
An Evolution in Detection and Response
Colin entered the workforce immediately after the dot-com bubble burst in the late ‘90s. His best options were either working for the government or the military, so he joined the NSA. This springboarded him into the private sector, where he worked with manufacturing, financial services, and SaaS companies.
This work formed the backbone of his expertise building SOCs for organizations around the globe. Security has always been more interesting to Colin than writing code. Right now, he’s responsible for the entire security program at Bakkt, a crypto wallet startup. His journey gives him insight into how exactly threat detection and response have evolved over the last twenty years or so.
It’s a Brave New World for Cybersecurity
Just a few years ago, the world of security looked very different than it does now.
Rapid change and the increasing volume of data and threats demands that organizations do more with less, whether that means staff or other resources. That will not change anytime soon.
Twenty years ago, SOC analysts had very different roles. Cloud infrastructure seemed like sci-fi: Infrastructure as Code (IaC), DevSecOps, and Continuous Integration and Continuous Delivery (CI/CD) pipelines didn’t exist. Now they’re all crucial elements of any technology-driven company (hint: all companies are).
Another factor security analysts must consider is the pace of change. Once upon a time, understanding networks, systems, and infrastructure was simple from an administrative perspective: It was a case of establishing what “normal” and “bad” were.
But even within the last decade, the baseline knowledge expected of analysts increased exponentially. Analysts have always had to know a lot about a little (rather than a little about a lot). But detection and response experts cover many more areas than they did in the past.
The Noise Keeps Growing
Against this rapidly evolving backdrop, every organization works within a number of resource-based constraints. We need smarter strategies to deal with the growing noise, and just as importantly, we need tools that effectively separate the signal from the noise.
The problem is that there’s been no real progress since the advent of the SIEM.
Companies still need as much visibility into their systems as possible, but staff are not an infinite resource. Hiring the right people is a major concern for companies of all kinds, and trained security specialists are even tougher to find.
Manage the Team — and Let the Team Handle It
To build an effective SOC team that can deal with threats appropriately, ask:
- How do we find the right talent?
- How do we train talent (focusing on both the operational environment and the industry in general)?
- How do we retain and engage talent?
OneTrust scaled its security team with these questions in mind. Just a year ago, they had a small footprint, but not every organization can build and grow infinitely. Our approach to these problems needs to shift.
Fifteen years ago, building a SOC was tough on analysts, who tended to burn out after just 18 to 24 months. Fast-forward to the present and nothing has changed. But as the security landscape evolves, it naturally lends itself to engagement. The problem is not that the work is uninteresting. The problem is that SOC analyst roles are early-career positions with no clear path for advancement.
Your answers to these questions will likely shift, as this is a dynamic process, but it is clear we need help from multiple sources. The most efficient and accurate approach to data security necessitates a truce. Man and machine must shake hands and own the parts of the process they each do best.
Things SIEM Different
Data volumes grow with no signs of a slowdown and SIEMs go on collecting data. But does it make sense to collect this data in such a primitive, or to put it more nicely, unsophisticated way? Enterprise SIEMs are notoriously missing detections for 80% of all MITRE ATT&CK techniques. Yikes!
Many companies have already moved from on-prem to hybrid infrastructure models seeking more distributed, decentralized ways of doing business. Some are even fully cloud-based. Even if centralizing data is possible and desirable, it’s a goal most organizations won’t likely achieve in the near future.
But this doesn’t mean today’s analysts should suffer and go without rapid access to the right capabilities.
Analysts should have tools at their fingertips to detect, analyze, and respond to alerts. These tools don’t have to be all in the same place, but they should be readily available.
Need-to-Knows: Addressing Alerts and Thwarting Threats
The mission for security teams now is to cut through the noise to find critical threats. Often, that means not just sifting through alerts, but also investigating and locating relevant information.
Being well-informed and educated is a given to adequately assess and understand alerts and cases. However, context is just as critical.
Many organizations falter when analysts look at alerts, but don’t understand how infrastructure and systems interact. Leaders need to educate analysts about their organizations’ environments. The human touch — understanding and identifying whether something is benign or malicious — should always be at the heart of security.
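To make the "cut through the noise, then add context" idea concrete, here is an added Python example; it is not code from the article, from LogicHub, or from OneTrust. It collapses repeated SIEM alerts on the same rule, host and source into a single case, enriches each case with asset context (environment, criticality, exposure), and ranks the resulting queue so the analyst sees the most consequential case first. The alert records, the asset inventory, the rule severities and the scoring weights are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts, shaped like raw SIEM output (not real data).
ALERTS = [
    {"ts": "2024-05-01T10:00:00", "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.5"},
    {"ts": "2024-05-01T10:00:20", "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.5"},
    {"ts": "2024-05-01T10:01:05", "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.5"},
    {"ts": "2024-05-01T10:03:00", "rule": "new_admin_user", "host": "db-01", "src": "10.0.0.12"},
    {"ts": "2024-05-01T10:04:00", "rule": "brute_force_ssh", "host": "dev-sandbox", "src": "203.0.113.5"},
    {"ts": "2024-05-01T11:30:00", "rule": "brute_force_ssh", "host": "web-01", "src": "203.0.113.5"},
]

# Constructed asset inventory: the environmental context an analyst would
# otherwise look up by hand for every alert.
ASSETS = {
    "web-01": {"env": "prod", "criticality": 3, "internet_facing": True},
    "db-01": {"env": "prod", "criticality": 5, "internet_facing": False},
    "dev-sandbox": {"env": "dev", "criticality": 1, "internet_facing": True},
}

# Assumed per-rule base severity (1 = low, 5 = high).
RULE_SEVERITY = {"brute_force_ssh": 2, "new_admin_user": 4}

# Repeats of the same rule/host/source within this window collapse into one case.
WINDOW = timedelta(minutes=10)


def aggregate(alerts, window=WINDOW):
    """Collapse alerts with the same (rule, host, src) that fall within
    `window` of the case's first occurrence into a single case record."""
    cases = []
    open_cases = {}  # (rule, host, src) -> most recent case for that key
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"], a["src"])
        ts = datetime.fromisoformat(a["ts"])
        case = open_cases.get(key)
        if case is not None and ts - case["first_seen"] <= window:
            case["count"] += 1
            case["last_seen"] = ts
        else:
            # Either a brand-new key or a repeat outside the window: open a new case.
            case = {"rule": a["rule"], "host": a["host"], "src": a["src"],
                    "first_seen": ts, "last_seen": ts, "count": 1}
            cases.append(case)
            open_cases[key] = case
    return cases


def enrich(case, assets=ASSETS):
    """Attach asset context; an unknown host gets a neutral default and is flagged."""
    ctx = assets.get(case["host"])
    case["known_asset"] = ctx is not None
    case["context"] = ctx if ctx else {"env": "unknown", "criticality": 3, "internet_facing": False}
    return case


def score(case):
    """Rank by rule severity weighted by asset criticality; discount dev
    systems, and bump anything on a host missing from the inventory."""
    value = RULE_SEVERITY.get(case["rule"], 3) * case["context"]["criticality"]
    if case["context"]["env"] == "dev":
        value //= 2
    if not case["known_asset"]:
        value += 5  # unknown asset means missing visibility, not low risk
    return value


def triage(alerts, assets=ASSETS, window=WINDOW):
    """Full pipeline: aggregate -> enrich -> score, highest score first."""
    cases = [enrich(c, assets) for c in aggregate(alerts, window)]
    for c in cases:
        c["score"] = score(c)
    return sorted(cases, key=lambda c: c["score"], reverse=True)


if __name__ == "__main__":
    for c in triage(ALERTS):
        print(f"{c['score']:>3}  {c['rule']:<16} {c['host']:<12} x{c['count']}  env={c['context']['env']}")
```

With the constructed input, six raw alerts become four cases: the three SSH alerts against web-01 inside the window merge, the one 90 minutes later opens a fresh case, and the single new-admin-user event on the production database outranks all of them because severity is weighted by asset criticality rather than by alert volume. The dev sandbox alert sinks to the bottom, and a host absent from the inventory is pushed up rather than down, since missing context is itself something an analyst should look at.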
About the Author
Willy Leichter is LogicHub’s Chief Marketing Officer. Willy has extensive experience in application security, network security, global data privacy laws, data loss prevention, access control, email security and cloud applications. He has held marketing leadership positions at Virsec, CipherCloud, Axway, Websense, Tumbleweed Communications, and Secure Computing (now McAfee).