Improving Analyst-to-Customer Ratio with Next-Generation SOAR

Automate business and industry to increase productivity and improve reliability. Consultant implementing Robotic Process Automation. Concept with hand turning a knob. Management strategy.

It's a story you're bound to have heard before. There aren't enough cybersecurity professionals to fill the open job positions at businesses.

While it continues to be a major growth driver, MSSPs are not immune to the effects of the cybersecurity talent gap, as they must vie for the same talent pool as everyone else. The workflow and resource constraints that cause SOC teams to be understaffed, overworked, and constantly stressed-out affect MSSPs as well. It’s not contentious to say that the skill requirements to work in a SOC at an MSSP are even higher than in enterprises.

SOC analysts at MSSPs must be able to handle the same types of incidents, but for multiple clients and with a larger workload. While some might attribute the talent shortage to market hype, there’s an abundance of research data from reputable sources that paint an accurate picture of the cybersecurity talent crunch.

According to a NIST-sponsored (National Institute of Standards and Technology) project, there are currently over half a million jobs in the US that require cybersecurity-related skills. As of 2021, there was a shortage of 2.72 million cybersecurity professionals globally, compared to 3.1 million in 2020. This is according to (ISC)², the non-profit that’s best known for offering the much sought-after CISSP certification. That figure tells us that the gap is shrinking, but it still has a long way to go.

MSSPs may try to improve their analyst-to-customer ratio by making their analysts work long hours, but this is not a sustainable solution. SOC analysts face a high degree of stress, and adding a crushing workload to it will only increase the rate of burnout and turnover. An average SOC team member lasts just 26.1 months, according to a 2021 study by Ponemon Institute.

MSSPs must also contend with the fact that their staff is more likely to be poached by an enterprise that can offer a higher salary and more perks. There’s a constant need to hire new security analysts, which puts an additional burden on SOC leaders. Screening and interviewing applicants is not an easy task. The process can take days or even weeks or months.

So, what's an MSSP to do? Automation is one way to help mitigate the impact of the talent shortage. SOAR (security orchestration, automation and response) is a category of tools that help analysts automate incident response workflows. These tools help to take some of the manual, repetitive work off analysts' plates so that they can focus on more high-level tasks.

SOAR tools can automate many of the tasks that are part of an incident response workflow, such as gathering and analyzing data from multiple sources, alert enrichment, running malware analysis, containment and remediation, and generating reports. SOAR tools can also help with threat intelligence and hunting, as they can automate tasks such as searching through log files and analyzing network traffic.

While SOAR tools can't completely replace the need for human analysts, they can help to make SOC teams happier and more effective. If you're an MSSP looking to stay ahead of the curve, here are some reasons why investing in the new generation of SOAR technology is an excellent place to start.

Boost SOC Efficiency

MSSPs have high productivity expectations from their clients and need to quickly resolve incidents with little margin for error. The stakes are high and the pressure is on for MSSPs to perform. Dealing with a high alert volume is a fact of life for any MSSP and one of the biggest challenges for its SOC team.

Next Generation SOAR automates the triaging and alert enrichment process by filtering out, auto-closing, and consolidating the vast majority of alerts. This ensures that the most relevant break-glass alerts are escalated for analysis first. By automating traditional Tier 1 work, your analysts can spend more time on more challenging and rewarding tasks, like threat hunting and investigations.

High alert volume can also cause SOC teams to miss out on important threats. Next Generation SOAR uses a blend of ATT&CK TTPs, threat intelligence data, and IOC data to prioritize incidents and alerts by severity. This reduces the alert load and increases analyst focus, which increases the effectiveness of SOC teams.

Upskill Resources With SOAR Playbooks

SOAR playbooks help operationalize incident response SOPs so analysts can confidently respond to more sophisticated threats. They provide clear and consistent steps an analyst should take when responding to an incident or alert, so they can respond in the best way for their business unit. SOAR playbooks ensure the operationalization of institutional knowledge. They also reduce stress, because analysts don't have to worry about making mistakes, and they increase training effectiveness by ensuring policy violations rarely occur.

Support Collaboration Between Distributed SOC Teams

The global cybersecurity talent pool is vast, but it's not easy for SOCs to access it. With Next Generation SOAR, cybersecurity practitioners from around the world can be virtually present in a single unified incident response platform. It offers the flexibility to support diverse SOC models, including a managed SOC and a globally distributed incident response team.

Analysts can work in tandem on investigations, submit notes, interviews, and other time-stamped artifacts to document and manage a case as its scope grows and evolves. Each artifact is tracked every step of the way in a chain-of-custody component.

Next Generation SOAR also provides a secure and flexible instant messaging and email interface so that SOC resources don’t have switch tabs and windows, and instead work on a single pane of glass. It offers built-in integrations with leading messaging and IT service platforms. All of this ensures that you can work together, whether they’re at work, at home, or on a beach resort, the SOC is always running at peak efficiency

Track and Report SOC Performance

With SOAR, security analysts and managers can automatically generate reports with customized metric groupings, making it easy to analyze and compare different factors across various layers of the SOC. Reports can be customized to provide a clear picture of security operations by comparing data against predetermined metrics like MTTR, MTTD, and the number of incidents by type. Report generation can be completely automated, freeing up your analysts from tedious, repetitive data entry.

SOAR That’s Purpose Built for MSSPs

D3 Security has helped MSSPs in every corner of the globe optimize SOC productivity and happiness. We help you work smarter by managing multiple customers in a single multitenant platform. Data segregation and configurable access controls allow you to easily manage and report across all customers. We're vendor-neutral, so no matter what tools your clients use, we'll always have an integration to help them achieve success. Gain more capacity and up to 10x ROI with D3 Chronos, our new offering for MSSPs.

Blog courtesy of D3 Security. Read more D3 Security guest blogs hereRegularly contributed guest blogs are part of MSSP Alert’s sponsorship program.