The COVID-19 Crisis’s Impact on Security Operations: Automation Comes to the Fore
We’re living through historic times. The current crisis will almost certainly serve as a catalyst for numerous long-term changes in our communities, altering the ways we work, play, socialize, use technology, and benefit from automation.
The global pandemic exposes how many of the things that make us human—our need to be in close proximity with others, our susceptibility to illness, our tendencies towards bias and inconsistent behavior—make our organizations profoundly vulnerable, a weakness that readily extends to the concept of the security operations center (SOC). With so many organizations forced to adapt to remote work—regardless of whether they’re well- or ill-prepared, and whether or not it suits their business model—the advantages of employing automation to accomplish tasks for which people aren’t well-suited are being revealed anew.
In the SOC’s case, turning to automation to perform the most tedious, difficult, and unrewarding portions of the security operations workflow has long carried the benefits of improving analyst job satisfaction and effectiveness, but today it may also be able to reduce the health risks that security analysts face on the job.
The nature of the SOC: a high-risk environment
Recent research on COVID-19 transmission indicates that in the majority of cases, the virus spreads from host to host via respiratory droplets—tiny amounts of fluid from inside the nose or mouth of an infected person that are released into the environment when they breathe, talk, yell, sing, sneeze or cough. The respiratory droplets that carry the largest number of viral particles are those that are biggest and heaviest, and thus are likely to fall to the ground within a narrow radius of the infected person. This is where the magical “social distance” of six feet originated—the idea is that the heaviest of these droplets seldom make it more than six feet.
As epidemiologists remind us, however, it’s not simply the case that contact with a minute amount of the virus is enough to trigger infection. Instead, you need to encounter an adequate number of viral particles. Scientists aren’t yet sure exactly what constitutes an infectious dose of COVID-19, but they do know that the longer you spend in the presence of someone who has the virus, the more likely you are to become infected. They also know that certain activities—like singing—seem to make transmission more likely, as do certain environments—particularly confined indoor spaces with poor airflow.
When considered from this perspective, the SOC is a nightmare. Most security operations centers were designed for physical security, which means limiting accessibility, not improving airflow. Most are interior spaces without windows, with ceilings made of solid material (no drop ceilings), and limited ventilation. ‘Showcase SOCs’ with large-panel visual displays taking up entire walls of the facility and multiple desks amply stocked with monitors are rare outside of the world’s very largest (and most security-focused) enterprises. Instead, most real-world SOCs are in tiny, tightly enclosed spaces.
What’s more, the work performed in the SOC demands close collaboration. Analysts frequently consult their colleagues when performing research, evaluating risks, or assessing the best means of dealing with a threat. A security analyst’s job involves creativity, critical thinking, and decision-making—things that can be improved when they’re discussed with peers or more senior coworkers. Shifts are long, so ordinary SOC operations involve bringing people into close proximity with one another for extended periods of time.
In ordinary circumstances, SOC operations are not readily amenable to the remote work model. In SecOps, speed is vital to success, and collaboration takes place much faster when people converse face-to-face than when they’re using video conferencing software or other collaboration tools to share their ideas.
SecOps is especially vulnerable
Although security operations in general requires extensive collaboration between analysts, in no role is this more critical than that of the Tier 1 Analyst. As the most junior members of the security operations team, Tier 1 Analysts must engage in a great deal of on-the-job training, including numerous whiteboarding sessions. They’re also encouraged to consult with more senior co-workers regularly while they learn more about the nuances of the role.
For all security analysts, there are benefits to in-person interactions; for Tier 1 Analysts, it’s difficult to do the job without them. More senior analysts are able to make more decisions independently and need less face-to-face contact for education and training.
When an intelligent automated decision engine like that of the Respond Analyst is called in to perform cybersecurity monitoring, security operations programs are able to shift the composition of their teams, employing more Tier 2 and Tier 3 security analysts, and relying on software to perform the bulk of Tier 1 Analysts’ functions. No matter the circumstances, this has the potential to make the security analyst role more fulfilling and rewarding, increasing job satisfaction and reducing turnover. It will also increase teams’ effectiveness and efficiency, enabling them to review far more events than would ever be possible manually.
But today, in the face of a global pandemic that’s far from over, introducing automation into the security operations workflow comes with one additional benefit: by reducing the number of personnel needed to staff the SOC, and particularly the number of Tier 1 Analysts, it can lessen the health risks of working in security operations—and thus save lives.
A golden opportunity to increase automation’s usefulness
There’s no way around it: SOCs cannot easily be remade so that they’re amenable to social distancing. And the activities performed within them remain critical for mitigating organizational risks—risks that may only be amplified as many companies navigate a rapid transition to remote work. Even senior security analysts are able to work more quickly and effectively in person than they can when telecommuting.
Implementing intelligent automated solutions like the Respond Analyst doesn’t solve all the problems in security operations. Nor does it remove all the risks that come with working in a SOC during a global pandemic. But it does point the way forward to a new paradigm. In the future, SecOps automation can be called upon to perform many of the repetitive and mundane tasks that are done by humans today. This will not only save time, money, and frustration for workers, but it will also remove significant vulnerabilities from our operational processes and supply chains.