Cyentia Institute’s new global study on security operations centers (SOC) is a one-off: Instead of digging into the mechanics of fortifying defenses, its Voice of the Analyst research peers into the “human side” of the SOC to better understand what staffing analysts do and how and why they do it.
The research’s premise is simple: Most security breaches can be traced to inefficient operations and failures, rather than “simply a dice roll pitting attacker strength against technical defenses.” It is “SOCs and the analysts who staff them the cornerstone upon which effective cybersecurity defenses are built,” Cyentia contends.
Underlying the study is the debilitating (and well-documented) shortage of skilled cyber security personnel. Fittingly, the work’s sponsor is startup Respond Software, whose Respond Analyst platform is designed to emulate the decision-making ability and judgment of an expert security analyst to help extend a short-staffed SOC’s reach.
Key Findings: Inside the Mind of A SOC Analyst
The key findings -- gleaned from 160 SOC analysts averaging five years of experience, 20 percent of whom are managers or directors -- are telling in what they reveal about job satisfaction and actual duties. Right off the top, one in three SOC analysts are looking for a new job even though 75 percent are satisfied with their current role. It’s important to note that nearly half of all respondents work for an MSSP, which makes sense considering that SOC analysts largely work for MSSPs.
Here are more top-level results:
- Expectations: 45 percent said the SOC doesn’t meet them.
- Satisfaction: 75 percent are satisfied with their job. However, higher up the analyst ladder, dissatisfaction hits 50 percent.
- Respect: 30 percent, mostly engineers and product managers, do not feel respected by peers outside the SOC.
- Intrusion: 28 percent have never stopped an intrusion or don’t remember doing so.
- Monitoring: Analysts who spend the most time on event monitoring are least likely to catch intruders.
- Detection: Generalists are twice as likely to claim recent detections.
- Hunting, forensics, intel, intrusion analysis: All rate favorably among analysts.
- Training, collaboration: Offer the biggest bang for the buck.
- Event monitoring: Ranks high among activities that could benefit from automation.
On the job hunting, Cyentia has an interesting take on retaining talent:
“Negative factors are not the only reason analysts explore the job market. The same positive reasons that lead them to the SOC in the first place (e.g. new challenges, broadening/sharpening skills, better compensation, a chance to make a difference) are the ones that will lead them to another role in another SOC. If you want to keep them around, offering those same positives in-house is just as important as eliminating the negatives that drive them out.”
SOC Analysts: What They Do
There are also some revealing data on how SOC analysts spend their day: The most common tasks are reporting (84%), intrusion (76%) and monitoring (74%). Interestingly, hunting, proactive and forensics are the last three tasks at the end of the list of 12 activities. As to which jobs take the most time, monitoring (25%), intrusion (18%) and shift ops (17%) top the list.
What does Cyentia recommend?
- "Free your analysts from burdensome tasks (like monitoring, shift ops, and reporting) so they can spend more time on those that drive greater enjoyment and productivity (like hunting and
forensics)." - "Invest in your people (especially in training and collaboration)."
- "Equip analysts with the information and tools they need to perform complex tasks (like hunting, intrusion detection and forensics) better, smarter, and faster."
- "Leverage the automation and orchestration boom to your advantage, but don’t view algorithms as a replacement for intuition."
And some advice: "There’s a lot of snake oil going around, but solid solutions exist that can help your SOC run like a well-oiled machine (made of humans)."
A word about Respond: In August, the company landed $12 million in Series A funding, and made available its flagship Respond Analyst platform. Mike Armistead, one of Respond’s three founders, co-founded Fortify in 2003, later bought by Hewlett-Packard, and Pure Software, which went public in 1995.
