In our recent blogs, “How to Build a Security Operations Center: Data Tips for MSPs & MSSPs,” and “A Business-Aligned Approach to Managing Cybersecurity and Building an Effective SOC Structure,” we discussed ways organizations can bring to life some of the strategies in MITRE’s new book, 11 Strategies of a World-Class Cybersecurity Operations Center. Let’s now look at the “people problem” highlighted by MITRE Strategy 4.
MITRE Strategy 4: Hire and Grow Quality Staff
CHALLENGE: People are the most important aspect of operating a world-class SOC. Ensuring you have qualified staff — through training and recruitment — is key.
Time is the great equalizer. No one gets more than 24 hours in a day, but many could use more, including SOC analysts. As threats increase in sophistication and the attack surface expands, their jobs are becoming more and more challenging. The question is, what can help?
Hint: It’s not more tools.
Most companies have more than enough tools. The problem is a shortage of qualified experts to run them. More tools provide more data, but they also produce more noise, and every additional alert is one more that someone has to investigate. Plus, each tool must be configured, integrated, and managed in the stack. What a chore, and what a bore.
Talented, well-trained security analysts are in high demand but short supply — and those who understand both the tools and your environments aren’t easy to find. If you give them the tedious, stressful, time-consuming job of investigating every alert — a job that is, ultimately, ineffective — you’re going to lose them.
Humans and Machines — Together in Perfect Harmony
MITRE says hire and grow staff. Due to the skills shortage, you’re better off developing existing talent than trying to hire a lot more staff — which isn’t a sustainable business model anyway.
Another way to think about it is to adopt an approach that automates what is automatable, freeing staff from tedium and upleveling their skillset. Such an approach is not about more tools or more people; it centers on making people more productive by collecting more data and using that data effectively and efficiently.
It may sound counter-intuitive at first. Why give already overwhelmed SOC analysts more to wade through? But more data, when it is correlated rather than dumped on the analyst as raw alerts, provides more context, and more context drives faster, better decision-making. The goal is more signal, not more noise.
The key is in leveraging a platform like Resolution Intelligence Cloud. It applies advanced analytics and machine learning across all security and operations data to enable machines to do what they do best — for example, sift through large volumes of data to find warning signs — and humans to do what they do best — get creative and solve the hard problems.
With Resolution Intelligence Cloud, organizations don’t need to hire more information security experts or train junior staff to perform basic monitoring and triage tasks. Instead, they boost their current team’s effectiveness — and job satisfaction — by using the platform to automate those basic tasks, identify pre-incident situations, and see where to focus, because the platform ranks ActOns by business risk and threat severity and correlates content from many sources for proactive resolution.
ActOns are like built-in experience for everyone. They put all the information a team needs in one place, sparing people the time and effort of piecing together situational awareness and vulnerability context from scratch for every security incident. ActOns distill data from a wide range of sources, much as Google Maps uses real-time data on traffic patterns, construction delays, speed traps, and more to update routes and offer the quickest, most fuel-efficient option.
In short, the platform makes time for teams to uncover and focus on more complex, covert threats. You know, those hard, mission-critical problems. It also frees time for them to learn new skills or to train junior analysts in the skills required to become senior analysts. For hybrid operations, where personnel may be responsible for the full ops gamut — NetOps, CloudOps, SecOps — there’s an opportunity to improve security proficiency across the board. Again, the objective is not to eliminate jobs but to uplevel them.