SOC Automation | More Threat Hunting, Less Screen Time
The average human spends 26 years sleeping, 4 ½ years eating and almost 11 ½ years looking at a screen.1 If you consider the average security analyst, how does that screen time skew? I don’t know the answer to that specific question, but I do know they are not staying in their position for very long, perhaps because of screen time fatigue. According to Respond Software’s recent Ponemon Survey – “The Economics of Security Operations Centers,” the average security analyst stays in their role for 1.3 years.2 Why are we seeing this? What is causing this attrition and more importantly, how do we change this dynamic?
Inefficiency and burnout can go hand-in-hand
The aforementioned Ponemon Survey examined the attitudes of security leaders including their satisfaction with the SOC and whether they’ve chosen to build from within or outsource to a vendor. The sad truth is that 70% of respondents agreed that their SOC analysts burn out quickly because of the high-pressure environment and workload. This workload equates to looking at a screen for a majority of the day, watching an endless stream of alerts filter through, all while trying to make heads or tails of the data to understand if a real threat needs to be investigated or if it’s simply a false positive.
Eliminating mundane tasks
The consequences of looking at a screen all day can be far worse than just an individual’s level of boredom. Spending time on mundane tracking is actually preventing organizations from experiencing an improved security posture or simply keeping their environment and data secure. Unfortunately, the volume and complexity of alerts have outstripped the traditional approach’s ability to analyze them all. Perhaps that means we need to change the approach to security operations altogether.
The vast majority of security operations address this problem manually, throwing people at the alert tidal wave and hoping they are skilled enough to do a good job. This puts many security organizations behind the eight ball because people, while good at cognitive tasks, are expensive (whether insourced or outsourced) and not good at repetitive, high-volume activities.
Using automation to help address this
Machines, on the other hand, are great at repetitive, high-volume tasks. And humans are better at hunting for real attacks and chasing down the attackers. So, it makes sense to put each type of “employee” to work at what they do best. With our Respond Analyst, for instance, the analysis and triage of security data is automated with a level of depth and consistency unmatched by human analysis. Its intelligent decision engine provides built-in reasoning and judgement to make better decisions, more rapidly.
By implementing this kind of automation, SOC analysts are freed up to work on more interesting and engaging work, which can go a long way towards reducing time spent looking at screens and the level of burnout mentioned above. The fact is, pure alert triage can be boring and tedious work, and if your SOC analysts feel like they’re stuck in a monotonous cycle not only are they more apt to leave the company, but it also increases the chance of errors.
Fortunately, it doesn’t have to be this way. New and emerging technologies make it possible to shift resources so that your valuable human employees can do their best and most fulfilling work – and perhaps, longer terms of employment.
Want to learn more?
1Huffington Post, "We've Broken Down Your Entire Life into Years Spent Doing Tasks," Leigh Campbell, October, 2017
2Ponemon, "The Economics of Security Operations Centers," January 2020