You Don’t Have SOC Analysts, You Have SOC Synthesists

For all of my nearly 20 years in the Security Operations field, being a “SOC Analyst”, building and helping with SOC design, evolving SOCs and everything in between, I’ve been calling my team members by the wrong title. Worse yet, none of my colleagues ever corrected me, mostly because they didn’t know. Hard to believe, but I suspect it’s because none of us ever really thought much about what the “SOC Analyst” really does for a living.

The word “analyst” means a person who conducts an analysis. “Analysis” has its roots in the Greek word “analyein”, which translates as “to break up”. This implies breaking the problem into pieces.

It begins…

“SOC Analysts” typically come into work at the start of their long shifts and sit down in front of a console to look at alerts of some kind. These alerts carry data points from a single security product’s telemetry, such as an IDS sensor. On their own, these alerts do not usually contain enough information to decide whether they represent a security incident or threat.

Now what?

The “SOC Analyst” would then want more information, so they go and collect data points from other sources and piece them together (combining corroborating pieces of evidence) to form as complete a picture as possible of what is going on in their environment, and how likely it is to be malicious.

Then what?

Now it’s decision time. Does the picture paint a portrait of something nefarious going on, so that Security Incident Responders need to be engaged? Or is it just a misconfigured company application running amok, so that a server admin needs to be notified?

Finally.

The decision is made and it’s on to the next alert. Wash, rinse, repeat for the next 11+ hours.

What we just walked through was an individual taking one piece of evidence and trying to add more evidence to create a whole picture. So let’s look at the definition of “analysis” below, from dictionary.com:

Analysis

noun, plural a·nal·y·ses [uh-nal-uh-seez].

1. The separating of any material or abstract entity into its constituent elements (as opposed to synthesis).

2. This process as a method of studying the nature of something or of determining its essential features and their relations.

“The separating”? Wait, what now? We just walked through how a Security Analyst combines things rather than breaking them apart!

Now let’s look at the definition of the word Synthesis, again from dictionary.com:

Synthesis

noun, plural syn·the·ses [sin-thuh-seez].

1. The combining of the constituent elements of separate material or abstract entities into a single or unified entity (opposed to analysis).

2. A complex whole formed by combining.

This definition fits what our “SOC Analysts” do every day much better than analysis, doesn’t it?

Wouldn’t it be great if your “SOC Analysts” had the time to synthesize all the contextual evidence they could collect around an initial alert to formulate a hypothesis? THEN had even more time to turn around and break down all the possible permutations of the evidence to test the hypothesis and reaffirm or change their mind on each decision they made? Yes, it would be awesome to have the time to do both!
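To make the two steps concrete, here is an added illustration (not code from the original post) of a triage routine that first synthesizes a lone IDS alert with corroborating context and then breaks the resulting picture into individual tests to reach the escalate-or-notify-the-admin decision described above. Every alert, host, change ticket, log line and reputation entry is constructed sample data.

```python
# Constructed sample evidence: every alert, host, ticket and log line here is made up.
IDS_ALERT = {"signature": "Outbound connection to rare external host",
             "src": "10.0.5.21", "dst": "203.0.113.40", "dport": 8443}
ASSET_INVENTORY = {"10.0.5.21": {"role": "app-server", "owner": "payments-team"}}
CHANGE_TICKETS = {"10.0.5.21": ["CHG-0042: new vendor API endpoint 203.0.113.40:8443"]}
PROXY_LOG = [  # (src, dst, dport) tuples seen over the previous 7 days
    ("10.0.5.21", "203.0.113.40", 8443), ("10.0.5.21", "203.0.113.40", 8443),
    ("10.0.5.21", "192.0.2.10", 443), ("10.0.7.9", "198.51.100.5", 443),
]
BAD_REPUTATION = {"198.51.100.5"}  # destinations flagged by threat intel


def synthesize(alert, inventory, tickets, proxy_log, bad_rep):
    """Synthesis: combine the single IDS data point with corroborating evidence."""
    src, dst, dport = alert["src"], alert["dst"], alert["dport"]
    prior = sum(1 for s, d, p in proxy_log if (s, d, p) == (src, dst, dport))
    return {
        "alert": alert,
        "asset": inventory.get(src),                               # who owns the host?
        "changes": [t for t in tickets.get(src, []) if dst in t],  # explained by a change?
        "prior_connections": prior,                                # seen before, or brand new?
        "dst_bad_reputation": dst in bad_rep,                      # intel on the destination
    }


def analyze(picture):
    """Analysis: break the picture into separate tests, then decide."""
    tests = {
        "destination_is_known_bad": picture["dst_bad_reputation"],
        "asset_is_unknown": picture["asset"] is None,
        "explained_by_change_ticket": bool(picture["changes"]),
        "never_seen_before": picture["prior_connections"] == 0,
    }
    if tests["destination_is_known_bad"]:
        decision = "escalate_to_incident_response"
    elif tests["explained_by_change_ticket"]:
        decision = "notify_server_admin"   # sanctioned application making noisy traffic
    elif tests["asset_is_unknown"] or tests["never_seen_before"]:
        decision = "escalate_to_incident_response"
    else:
        decision = "close_with_notes"      # known host, known pattern, nothing corroborates
    return decision, tests


def triage(alert):
    """Run synthesis first, analysis second, on one alert."""
    return analyze(synthesize(alert, ASSET_INVENTORY, CHANGE_TICKETS, PROXY_LOG, BAD_REPUTATION))
```

The returned `tests` dictionary is the written-down breakdown the post asks for: each hypothesis check is recorded separately, so a reviewer can see which piece of evidence drove the decision.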

Wouldn’t you rather synthesize AND analyze before making a decision to alert your incident responders, or just let them sleep another hour...


What Would Ali Say About Being #124 on the Cybersecurity 500 List?

Respond Software is #124 on the Cybersecurity Ventures annual ranking of the hottest and most innovative cybersecurity companies, aka Cybersecurity 500 2018: The Official List. So here goes: “wow”, barely nine months after shipping our first product!?! What would Muhammad Ali say? “It’s not bragging if you can back it up.”

It’s so refreshing to have a product that works and that actually gets to the core of a real security challenge, and does it in an innovative way. It’s humbling, in fact. Much of the time, and often in the early days of a tech company, marketing is charged with putting lipstick on a pig.

But I’ve come to learn, in my short time here, that Respond Software solves a real-world problem, analyzing the ever-growing pile of security data, with a whole product solution, The Respond Analyst. And customers are loving that we solve a giant headache for them, all without creating more headaches in managing the solution. Cybersecurity analysts have plenty of headaches already.

Plus, the coolest thing for me is watching the engineering team, from young 20-somethings to older-than-50-somethings, working side by side, making a great product and making my marketing job easy. Hats off to the product team... I’ll take #124.
