Tips for Running a Tight Security Operations Center

No one ever said running a security operations center (SOC) would be easy. The industry’s facing a talent shortage that makes hiring risky (or almost impossible in some regions). With these jobs placed faster than we can fill them, MSSPs (and in-house security teams, for that matter) can have a hard time retaining that top talent.

Beyond that, cyberthreats shift and change. Keeping ahead of the bad guys requires constant vigilance. To top it off, you still need to keep an eye on both efficiency and quality to keep your business successful. Today, we want to discuss some major hurdles facing SOC teams —and what you can do to address these challenges.

1. Dealing with the talent shortage

As mentioned before, we face a severe talent drought. Cybersecurity Ventures has forecasted that we’ll see 3.5 million vacant cybersecurity positions in 2021. One reason for this certainly comes from the relative newness of the field. However, some of this could come from expectations that are set too high. Think creatively about who you hire. While ten years of experience and extensive certifications may be prerequisites for leadership positions or security architects, there’s no reason to apply similar rigor to those applying for an entry-level SOC analyst role. They certainly need some IT knowledge and some basic security know-how, but the main asset to look for is someone with an analytical mind. If they have this and show an aptitude for learning, you can fill the position and train them up while they develop their security sea legs.

2. Helping your team avoid burnout

Most SOC analysts turnover frequently (with roughly one-third looking at any given time, according to Dark Reading). It makes sense—it’s a stressful, challenging position. They often do the same things day in and out and often follow predefined rules to respond to incidents.

If you want to keep analysts past the two-year mark, you must break up the monotony. Whether it’s offering educational opportunities like a conference or a course, giving them additional oversight responsibilities, or working on a special project that lets them think creatively, taking analysts off the queue every so often can make a world of different in their mindset. People aren’t machines—neither are your analysts.

3. Getting a strong SIEM

Your team’s morale and effectiveness depend on having the right technology in place. In particular, the choice you make on your security information and event management (SIEM) tool could make or break your team.

First, look for a SIEM tool that lets you modify correlation rules as needed. Over time, you may prefer to set the system to be more sensitive and sound more alarms (false positives), which will lead to more false positives but you’ll catch more incidents. Or, due to resource constraints, you may prefer to lower the sensitivity and risk missing some security events. The point is it should be reasonably easy for you to modify the rules in your correlation engine as needed.

Also, your SIEM tool should include built-in threat intelligence to provide context to security incidents. Some SIEM tools like SolarWinds® Threat Monitor use threat intelligence from multiple sources in combination with event log data to help you make better security decisions.

4. Measure progress and quality

In any business, metrics help you manage. They help you improve over time. However, for SOCs, metrics take on special importance as these numbers often drive security investments. You should, of course, track the number of incidents discovered, the number of incidents closed, and the average resolution times.

As a service provider, you also have to make sure your team’s work quality is high. You can test work quality and response times by placing a certain percentage of false test cases into the SIEM tool. From there, you can check whether the analysts took the correct steps, and if they did so within the expected time frame. This lets you take the temperature of your team in general and, if it’s a trend across your team, help you course correct by either hiring more help or offering more training.

How SolarWinds Threat Monitor Can Help

Security operations centers live and die by their SIEM solutions. Without the right tools in place, SOC analysts could miss important details around events or get bogged down in minutia when locating and interpreting logs.

SolarWinds Threat Monitor is built to streamline the process of running and operating a SOC without sacrificing power or accuracy. Threat Monitor is a cloud-based SIEM designed to help MSSPs easily collect, correlate, and analyze logs from across their customer base. With built-in threat intelligence, out-of-the-box reporting, and a customizable alarm engine, Threat Monitor can play an integral role in keeping your operations efficient and effective. You can try it yourself with a free 14-day trial.

Guest blog courtesy of SolarWinds MSP. Read more SolarWinds MSP blogs here.