Security operations centers (SOCs) are in a state of flux: the need for fast threat remediation is constantly challenged by the sheer volume of threats. According to a Ponemon Institute study, the SOC and the cybersecurity analysts who keep it running face many challenges. Here are some interesting takeaways from the report:
- The visibility problem: Lack of visibility into the IT security infrastructure is the top barrier to SOC success (65 percent of respondents), and lack of visibility into network traffic is the top reason for SOC ineffectiveness (69 percent of respondents).
- The threat hunting problem: Threat hunting teams have a difficult time identifying threats because they have too many Indicators of Compromise (IOCs) to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise, and too many false positives.
- The interoperability problem: SOCs do not have high interoperability with the organization’s security intelligence tools. A related challenge is the inability to deploy incident response services quickly, with attack mitigation and forensic investigation included.
- The alignment problem: SOCs are not aligned or only partially aligned with business needs, which makes it difficult to gain senior leadership’s support and commitment to providing adequate funding for investments in technologies and staffing.
- The problem of SOC analyst pain: IT security personnel say working in the SOC is painful because of an increasing workload and being on call 24/7/365. The lack of visibility into the network and IT infrastructure and current threat hunting processes also contribute to the stress of working in the SOC.
- As a result of these problems, the mean time to resolution (MTTR) can be months. Only 22 percent of respondents say resolution can occur within hours or days, while 42 percent say the average time to resolve is months or years; every month of that delay is time during which an attacker keeps whatever foothold was gained.
The Ponemon study is not the only one citing these disturbing trends. Dark Reading recently highlighted an Exabeam report that showed SOC analyst time-drain is caused mainly by reporting and documentation (33%), alert fatigue (27%), and false positives (24%). It’s no wonder that nearly 65 percent of SOC analysts have considered changing careers or quitting their jobs, and why many experts are calling for automation of the security workflow process.
There are a number of ways that SlashNext solutions can assist SOC teams with the challenges they face.
SlashNext Real-Time Phishing Threat Intelligence addresses the interoperability, alert fatigue, workload, and turnover problems. It integrates with leading TIPs, SIEMs, SOARs, and NGFWs to automate detection of and protection against zero-hour threats, and by analyzing threats in real time it speeds remediation and improves MTTR. Unlike many other anti-phishing solutions, it delivers definitive threat verdicts, malicious or benign, rather than threat ratings that an analyst must research before acting, with exceptional accuracy and near-zero false positives. A binary verdict can drive an automated playbook directly (malicious is blocked and escalated, benign is closed), so SOC team members spend less time on the pressure-packed task of investigating and closing a high volume of alerts and more time on the work that actually protects employees: remediating real threats.
In addition, Targeted Phishing Defense can assist by performing preemptive, global, and proactive threat hunting on an enterprise network, giving SOCs advance visibility into IOCs, specifically callbacks from compromised hosts to command-and-control (C2) servers. It also helps with the visibility problem by providing detailed forensics, phishing site screen captures, and IR information. Finally, it may even help with the alignment problem. Once executives are shown how many previously unknown phishing attacks were detected targeting them and their organization specifically (think social engineering and spear phishing), senior leadership’s awareness that the C-level suite is a growing target may hit home and open them up to providing adequate funding for investments in new technologies and staffing.
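To make the two preceding points concrete, the following is an added example (not SlashNext code, and not its API) of how a SOAR-style playbook can consume definitive verdicts and hunt for C2 callbacks in the same pass. It parses constructed proxy log lines, looks each destination host up in a constructed in-memory verdict feed (the hostnames, users and addresses are hypothetical placeholders), auto-closes benign traffic, escalates malicious traffic, queues anything the feed has no verdict for, and flags source hosts that call the same malicious host repeatedly, which is the beaconing pattern a hunter looks for.

```python
"""Verdict-driven triage of outbound web traffic plus C2 callback hunting.

Added example, not SlashNext's code or API. The verdict feed and the proxy
log lines are constructed for illustration; a real deployment would pull
verdicts from the vendor or a TIP and read events from the SIEM.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed verdict feed: definitive verdicts, no scores to interpret.
# Hypothetical hostnames, not real indicators.
VERDICT_FEED = {
    "login-update.example-phish.test": "malicious",  # credential phishing page
    "beacon.c2-example.test": "malicious",           # C2 callback host
    "cdn.example.com": "benign",
    "update.vendor.example": "benign",
}

# Constructed proxy log lines: "timestamp src user url status bytes".
PROXY_LOG = """\
2024-05-01T09:12:03Z 10.1.4.22 jsmith http://login-update.example-phish.test/owa/ 200 5120
2024-05-01T09:12:10Z 10.1.4.22 jsmith https://cdn.example.com/app.js 200 88012
2024-05-01T09:13:41Z 10.1.7.90 ahall https://beacon.c2-example.test/gate.php?id=7 200 312
2024-05-01T09:14:02Z 10.1.7.90 ahall https://beacon.c2-example.test/gate.php?id=8 200 310
2024-05-01T09:15:55Z 10.1.2.15 rlee https://unknown-host.example.net/ 200 2048
2024-05-01T09:16:00Z 10.1.4.22 jsmith https://update.vendor.example/check 304 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_proxy_log(text):
    """Parse log lines into dicts with a normalized host; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        host = urlsplit(ev["url"]).hostname
        if host is None:  # URL without a parsable host: nothing to look up
            continue
        ev["host"] = host.lower()
        events.append(ev)
    return events


def triage(events, feed):
    """Route each event by verdict.

    malicious -> escalate (and count it as a callback for the src/host pair)
    benign    -> auto_close
    no verdict -> analyst_queue (the only bucket a human has to look at)
    Returns (dispositions, callback_counter).
    """
    dispositions = {"escalate": [], "auto_close": [], "analyst_queue": []}
    callbacks = Counter()
    for ev in events:
        verdict = feed.get(ev["host"], "unknown")
        if verdict == "malicious":
            dispositions["escalate"].append(ev)
            callbacks[(ev["src"], ev["host"])] += 1
        elif verdict == "benign":
            dispositions["auto_close"].append(ev)
        else:
            dispositions["analyst_queue"].append(ev)
    return dispositions, callbacks


def beaconing_hosts(callbacks, min_hits=2):
    """Source/host pairs that contacted a malicious host at least min_hits times."""
    return {pair: n for pair, n in callbacks.items() if n >= min_hits}


if __name__ == "__main__":
    evs = parse_proxy_log(PROXY_LOG)
    disp, cb = triage(evs, VERDICT_FEED)
    for bucket, items in disp.items():
        print(f"{bucket}: {len(items)} event(s)")
    for (src, host), n in beaconing_hosts(cb).items():
        print(f"beaconing: {src} -> {host} ({n} callbacks)")
```

On the sample input, four of six events are dispositioned without an analyst touching them and one source host is flagged for two callbacks to the same malicious host. Before wiring the auto_close path to a production SOAR, measure the feed's false-positive and false-negative rates against your own traffic for a trial period; auto-closing is only safe once you have confirmed the verdicts hold in your environment.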