July 27, 2018 By Jasmine Henry 3 min read

New research reveals the majority of security professionals involved in the management of a security operations center (SOC) want change. Across enterprises, however, there is a divide between the perspectives of executives, directors and individuals involved in day-to-day incident response (IR) activities.

Sixty-two percent of executives, managers and analysts believe their organization needs improvement around technology, talent, processes or another key area of operations, according to Exabeam’s 2018 State of the SOC report. While technology is the biggest pain point across all positions, security operations professionals working in frontline roles are more than twice as likely as executives to identify technology as a barrier.

These trends exacerbate the struggles of security analysts, who report themselves “overworked, understaffed and overwhelmed,” according to recent findings. It’s time for CISOs and SOC directors to understand the real impact of legacy technology and talent shortages on IR staff.

Updating Tech Should Be a Top Priority

Across all job titles, technology is perceived as the greatest opportunity for improvement in the enterprise SOC. However, individual perceptions of the day-to-day impact of IR technologies vary enormously.

Analysts and directors are more than twice as likely as CISOs to deem outdated solutions a barrier. Fifty percent of frontline staff and managers rank legacy technology as a pain point, according to the Exabeam report, compared to just 22 percent of the C-suite. One respondent even expressed a desire to “trash it all and start over instead of milking ancient legacy systems and hardware.”

The details of the negative impact of legacy technology, such as analyst alert fatigue, may not be fully understood by many CISOs. Forty-seven percent of frontline analysts and managers are concerned with how difficult it is to keep up with alerts, compared to just 35 percent of executives.

Frontline Staff Want Emotional Intelligence

Talent and staffing revealed another divide between the perspectives of top leadership and analysts: Sixty-two percent of frontline staff believe inexperienced talent is a major risk, according to the report, while just 21 percent of executives agree. Twenty-eight percent of all SOC professionals believe their team needs to hire as many as 10 analysts.

When it comes to the specifics of the information security skills gap, it’s clear that emotionally intelligent ops analysts are in peak demand. Respondents are seeking hires who exhibit the following soft skills:

  • Teamwork;
  • Communication;
  • Leadership ability; and
  • Personal and social skills.

Interpersonal skills and team chemistry should play a significant role in shaping the staffing trajectory of the enterprise SOC. In times of crisis and change, an analyst’s abilities to adapt and communicate are likely key success factors.

Effective SOCs Invest in Talent and Emerging Technology

Although 81 percent of SOCs believe they are underfunded, the most effective SOCs allocate their budgets differently than their peers, according to the same research. Financial allocation cannot compensate for a dramatically underfunded security program, but investing in the right areas of operations improves outcomes. Less effective operations centers spend more on facilities and management while struggling to fund technology and talent.

In contrast, the majority of effective SOC professionals believe their center is correctly staffed and are significantly more likely to use more categories of security information and event management (SIEM) technology than their peers. Leading organizations are also more likely to have invested in emerging technology categories.

Effective SOCs are set apart by the depth of their investments in:

  • Identity and access management;
  • Advanced network and cloud monitoring;
  • User behavior analytics;
  • Machine learning and cognitive intelligence;
  • Big data security analytics; and
  • Endpoint detection and response.

Mending and Strengthening the SOC in 2018

It’s time for CISOs and SOC directors to lessen the load on analysts before talent pursues other opportunities. Ninety-one percent of CISOs believe the severity of data breaches and cyber incidents will increase over the next 24 months, according to the Ponemon Institute’s recent “The Evolving Role of CISOs and Their Importance to the Business.” There could be talent-based security risks facing the enterprise if leaders fail to improve employee satisfaction.

Unlocking employee engagement requires smarter technologies, intelligent outsourcing and training investments. CISOs and directors should work to understand frontline staff’s perspectives and the impacts of legacy technology. According to IBM research, analysts in the enterprise SOC face 200,000 unique pieces of security event data each day.

When hundreds of thousands of data points are filtered through legacy SIEM solutions, security analysts must manually review alerts to separate false positives from true threats. Analysts need augmented intelligence for context to quickly distinguish meaningless noise from risks.

The best security intelligence sources real-time data from a variety of structured and unstructured sources, including threat intelligence feeds, exchanges, security blogs, vulnerability lists and more, to rank and categorize event data by actual risk. The most highly effective SOCs allocate sufficient technology and staff to their analysts so they can quickly analyze threats and reduce pain points at all levels of operations.
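To make the ranking idea above concrete, here is an added example (not code from the article, Exabeam or IBM) that enriches raw SIEM events with a threat intelligence feed, a vulnerability list and a per-user behavior baseline, then orders them by risk so an analyst reviews the riskiest alerts first. All feeds, hosts, addresses and users are constructed sample data.

```python
from dataclasses import dataclass

# Constructed threat-intelligence feed: indicator -> confidence (0..1); TEST-NET addresses.
THREAT_INTEL = {"203.0.113.7": 0.9, "198.51.100.23": 0.6}
# Constructed vulnerability list: host -> highest open CVSS base score (0..10).
VULN_LIST = {"web-01": 9.8, "db-02": 5.3}
# Constructed user-behavior baseline: user -> countries the user normally logs in from.
BASELINE = {"alice": {"US"}, "bob": {"US", "DE"}}

@dataclass
class Event:
    host: str
    user: str
    src_ip: str
    src_country: str
    signature: str

def risk_score(ev: Event) -> float:
    """Combine the three enrichment sources into a single 0..100 risk score."""
    score = 0.0
    # A threat-intel hit on the source address carries the most weight (up to 50).
    score += 50 * THREAT_INTEL.get(ev.src_ip, 0.0)
    # An exploitable target host scales its CVSS score into 0..30.
    score += 3 * VULN_LIST.get(ev.host, 0.0)
    # A behavioral anomaly: activity from a country never seen for this user.
    if ev.src_country not in BASELINE.get(ev.user, set()):
        score += 20
    return round(min(score, 100.0), 1)

def triage(events: list[Event], top_n: int) -> list[tuple[float, Event]]:
    """Return the top_n events by descending risk; the rest wait in a lower-priority queue."""
    ranked = sorted(((risk_score(e), e) for e in events), key=lambda p: p[0], reverse=True)
    return ranked[:top_n]

SAMPLE_EVENTS = [  # constructed event data, not from any real SIEM
    Event("web-01", "alice", "203.0.113.7", "RU", "ssh-login"),
    Event("db-02", "bob", "192.0.2.10", "DE", "ssh-login"),
    Event("web-01", "bob", "192.0.2.11", "US", "http-404"),
    Event("mail-03", "alice", "198.51.100.23", "US", "smtp-auth-fail"),
]

if __name__ == "__main__":
    for score, ev in triage(SAMPLE_EVENTS, 2):
        print(f"{score:5.1f} {ev.host} {ev.user} {ev.src_ip} {ev.signature}")
```

The weights are illustrative; in practice they would be tuned against the organization's own false-positive history.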
