It’s no secret that the Level-1 SOC analyst has been continually vilified by the security industry as being ineffective against the modern threat. It’s really not the analysts’ fault because we are, in fact, expecting way too much from them. To understand this dynamic better, let’s examine the following six reasons why the job of monitoring a console for incidents in a SOC is so difficult to get right.
1. The demand for SOC analysts far surpasses the available talent. And, as early career security professionals, the retention rate is very low — typically 18-24 months — because their market value continues to rise very rapidly. That puts most companies in a disadvantageous position of constantly hiring and retraining their front-line defenders, which costs in valuable time, money and resources.
2. Today’s event volume levels boggle the imagination from even a few years ago. Using the traditional SIEM funnel, event volume is reduced to much less than 1% of the total to match the SOC analyst scarcity, or those available to look at the data. So, it’s no surprise incidents are missed due to looking at much smaller sample sizes than should be to ensure modern threats are identified.
3. The SIEM funnel is usually just a list of heuristics (correlation rules) that describe common attack scenarios. Some are even as bad as “multiple failed logins.” These static rules are an engineering headache to maintain and can only capture well understood or commodity attack patterns, leaving the real bad guys free to roam our networks.
4. Level-1 SOC analysts also bring a host of management challenges. I’ve witnessed episodes of incredibly poor judgment displayed especially on a less than fully supervised night shift. This includes various types of non-professional behavior, to carrying guns to work to show their friends. Experienced management is needed to help train and shape junior analysts into seasoned security pros. But that level of management talent is hard to staff on shift.
5. Lack of knowledge when it comes to critical business context is also another factor to consider. There are many complex business models in this modern economy. That means security analysts need to have an understanding of fundamental business operations across a wide array of enterprise disciplines. Understanding what a critical attack might look like across ecommerce, integrated supply chain logistics, finance, regulations, and more becomes a necessary skill.
6. Finally, the attacker ecosystem has fully professionalized into a “dark market.” The dark market is capable of a stunning variety of advanced attacks that leverage “living off the land” tools, making them very difficult to detect by traditional security practices. We are pitting our youngest new hires against their criminal best and losing, which is no surprise.
From our point of view at Respond Software, the industry is overdue for a different, more effective approach. And, we shouldn’t blame the Level-1 SOC analyst for failing in the face of an almost impossible task. Analysts monitoring consoles to identify attackers is not the way we are going to get ahead of the bad guys in the future.