For the last two decades, our industry has tried many different solutions to resolve the SOC analyst scarcity problem, including letting the Network Operations Center (NOC) handle security monitoring, which was a complete failure.
Many of us decided the best option was to grow and nurture our own SOC analyst teams. From my own professional standpoint, this is why I conduct a 12-week training program at every SOC I’ve built. Unfortunately, the academic path for the SOC analyst doesn’t exist. An aspiring SOC analyst can’t study security analysis except at new security boot camps like SecureSet. And there are two major challenges with the ‘grow your own’ approach:
- Significant resources required for training (time, costs, people)
- Risk of short retention due to the dramatic increase in marketability of a trained SOC analyst
To further illustrate the problem, 12 weeks of formal training is required, in addition to 6+ months of on-the-job training, to gain a basic SOC analyst skill set. After that, retention risk becomes a real issue: the average tenure runs out about a year later and you have to train a new replacement. This means we are faced with a never-ending cycle of recruiting, training and retraining analysts, and it’s a hugely expensive way to solve the problem. More importantly, we are losing our front-line experienced analysts on a regular basis, and losing the tribal knowledge that goes with them.
Another solution many have tried is engaging with outsourced service providers or off-shore monitoring services. While this passes the buck (pun intended), the responsibility for detecting a breach cannot be delegated. These providers often have an even harder time finding deep security analysis expertise, and they are incentivized to cut their costs as far as possible to maintain a decent profit margin. Given the rising criticality and strategic nature of information security to the modern company, this is a discipline that really should be handled in-house by analysts who understand their parent company’s business model and priorities.
One of the most common techniques to deal with the shortage of SOC analysts is to create an “event funnel” to pare the volume of events back to the capacity of the people in the SOC. Even the most mature SOCs will look at less than 1% of their total security alarms. SOC teams that are understaffed and highly rotational may only look at 0.001%. Is it realistic to expect that an organization whose purpose is to put “eyes on” security logs can be effective with such limited visibility?
Finding effective solutions to the scarcity of skilled, capable analysts has become one of the foremost challenges facing enterprise security.
Chris has over 30 years of experience in defensive information security: 14 years in the defense and intelligence community and 17 years in commercial industry. He has designed, built and managed global security operations centers and incident response teams for eight of the global Fortune 50. As he often says, if you have complaints about today’s security operations model, you can partially blame him. It’s from his first-hand experience in learning the limitations of the man vs. data SecOps model that Chris leads product design and strategy for Respond Software.