COMMENTARY: The industry standard structure for Security Operations Centres is to split an analyst team into three tiers based on seniority. Level 1 analysts, typically younger and less experienced staff, fill their days with security admin. They triage alerts and pass events that they believe warrant further investigation to more experienced Level 2 analysts. Level 2 analysts are responsible for further investigation, mitigation, and response. If they can’t resolve an incident, they send it up the ladder again to Level 3.

A tiered structure has some potential efficiency gains at scale, but the industry is far too wedded to it. It’s not a good fit for every SOC. In fact, it’s a pretty bad fit for most SOCs. But tier not! There is another way to structure the SOC without tiers, which can improve analyst retention and service quality while offering benefits beyond those of a tiered SOC. A tierless SOC involves every analyst, including junior ones, managing incidents from beginning to end, with the support of more senior analysts as and when required. Naturally, this requires significantly more hands-on training and support when an analyst first joins. However, the long-term results quickly outweigh the extra upfront investment, leading to better security outcomes, including faster response times.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff. Do you have a unique perspective you want to share? Check out our guidelines here and send a pitch to [email protected].
Employee satisfaction and retention
Being a Level 1 analyst in a tiered SOC is a great starting point to gain experience. However, these analysts only see the low-level details of a cyber incident, not the full picture. They are not involved in the rest of the investigation process, including the determination and resolution of an alert. There is limited scope for learning and development if incidents are passed over at the point when they are determined to be genuine. This pass-the-ticket-style approach also hinders opportunities for promotion and self-improvement.

A flat SOC structure ensures that junior SOC analysts broaden their skills more widely, develop new skills faster, and test them out more regularly in real-world scenarios. It also gives analysts greater emotional and professional investment in their work. It is far more rewarding to carry out the full investigation, response, and containment cycle than to hand it off to a more senior analyst. It’s why people pursue a career in cybersecurity to begin with. They imagine stopping the bad guys to keep organisations safe, not working on a glorified helpdesk.

Happy junior analysts are more likely to stay and become senior analysts. This prevents the inevitable problem in traditional SOCs of Level 1 analyst churn. A happy SOC also segues neatly to my main reason why a tierless SOC is so effective: improved outcomes.

Improved outcomes
In my experience of working in tiered, tierless, in-house, and outsourced SOCs, I think there is a strong correlation between employee fulfillment and quality of work. Quite simply, a happy SOC is a high-performing SOC. Picture a dynamic SOC environment where every analyst is professionally fulfilled, suitably challenged by their work, and the team is growing together. It is an ideal environment for detecting and mitigating cyberattacks. As a SOC improves the happiness of its team, it simultaneously improves the quality of its work.

There are tangible business benefits to a tierless SOC. Most notably, improved incident response times. In a traditional SOC, incidents are passed between analysts, and each new analyst needs time to get up to speed with the situation. In a tierless SOC, incidents are not passed around. The assigned analyst can respond in real time and does not waste time waiting for a specific senior analyst to be available. It also means that the responding analyst has seen the entire incident from beginning to end and is not reliant on a handover. This ensures details aren’t missed with each subsequent handover.

In a flatter, tierless structure, a SOC team should have improved collaboration. All analysts have direct communication and collaboration, leading to better sharing of knowledge and faster problem-solving. This helps prevent silos and promotes teamwork. Most importantly, it improves security outcomes.

Operational benefits
There are several internal operational benefits of running a tierless SOC, too. Coverage, for example. If a business can suitably improve its retention, it will soon have a SOC full of Level 2/3 capable analysts. By having more analysts capable of carrying out the full investigation and containment cycle, individuals can be swapped in and out virtually interchangeably. This reduces the need to have many analysts of each type (Level 1, Level 2, Level 3).

Imagine a small traditional SOC managing alerts for multiple clients. It will always need a Level 1, a Level 2, and a Level 3 analyst on duty. This team works in shifts. There is a day shift team, a night shift team, and a third team to give the business extra cover to account for weekends, holidays, and sick leave. That’s 12 people. A tierless SOC with Level 2/3 capable analysts can offer the same or better cover with eight to 10 more experienced workers. This structure is also more resilient to unplanned or unforeseen circumstances. In a tiered SOC, it only takes a couple of holidays or a sickness bug to leave the entire SOC exposed.

A tierless SOC should also offer greater accountability. In a flat structure, being responsible for the end-to-end process encourages a stronger sense of ownership and accountability in handling incidents. It is easier to review incidents and make sure nothing slips through the cracks.

Going tierless, fearlessly
Going tierless is not a change that can be made overnight. There will be nervousness from Level 1 analysts not ready for the extra responsibility, as well as from Level 2 and 3 analysts who are used to working in a certain way. Senior employees may also be hesitant at the prospect of allowing junior analysts the kind of scope and responsibility that was previously theirs alone. It’s a move that requires time, planning, and, most importantly, a team that will embrace this new way of working.

Don’t focus on the short-term pain; think instead of the long-term gains. A flat-structured team full of experienced Level 2/3 capable analysts will operate at an extremely high level of performance. Your team will feel empowered and fulfilled, and this structure offers considerable benefits to security operations.