Escaping Dante’s SOC Inferno: Don’t Leave Me in Limbo
Prepare to rejoice, followers of this blog series! We’re very close to making our escape from the nine circles of SOC hell – just one more to go: Limbo. We hope you’ll agree that it’s been an interesting journey so far, and like us you’re looking forward to feeling the sun on your face when we complete the final ascent. So let’s clip on those carabiners and get started!
As well as being a very cool dance originating from Trinidad which is making our backs ache just thinking about it, Limbo is the final circle of Dante’s SOC Inferno. But as rhythmically dancing under a pole doesn’t tend to be so common in most of the SOCs we know about, we’re going to talk about a different sort of limbo (please, PLEASE tell us if it’s a part of your shift though).
Limbo can be described in a number of ways, some more miserable than others, but if we step away from any religious connotations, it’s often described as a place of uncertainty. When we’re doing investigations in the SOC, uncertainty can crop up, especially when you’re lacking a clear line of sight into what’s really happening.
For example, determining whether something purporting to be malicious is actually a false positive can be daunting. Deciding to end the investigation brings a degree of doubt — what if this is really something I need to worry about? What if I mark it as a false positive and it later transpires that was a mistake? What if I’m right, but I’ve now second-guessed myself into spending another four hours chasing a ghost? “What ifs” can literally send us in circles, especially if we don’t have easy access to enough information to make accurate decisions, or we’ve been bitten in the past by choosing the wrong path. So it’s not really surprising that in our recent SIEM productivity report, we found that analysts in U.S. SOCs were spending an average of 25% of their time working on false positives. And we’d hazard a fairly comfortable guess that no one reading this has “Professional FP Investigator” on their business card.
Uncertainty is very applicable to the future too, particularly when it comes to the topic of change. Those of you reading this who have been around the cybersecurity block for a few years will have seen much change in the landscapes we are charged with protecting and defending. Life seemed so much simpler when we only really had desktops and servers to worry about. And without wishing to bang the drum of exponentialism too hard, the threat landscape is in many cases a very different beast, too. Yes, some types of attacks seem to be on a veritable merry-go-round of resurgence and regression, but I think we can all agree that one of the most exciting things about working in cybersecurity is that no two days are the same.
But why, when it comes to working practices in the SOC, does change not always come so quickly?
Stuck at Limbo Station?
Readers of the series are probably wondering how we got this far into a post without some sort of pop culture reference. Red pills at the ready, we’re off to The Matrix… Specifically, Mobil Ave (yeah, at least one of us watched the sequels, judge ye not), where the main protagonist, Neo, finds himself stuck at a station that he seemingly can’t leave. Mobil is thought to be an anagram of Limbo. Neo does eventually escape Mobil Ave, as you’d hope, right? Otherwise that’d be a weird end to a movie even by the Wachowski sisters’ standards.
To draw a pertinent parallel, in the SOC we can often feel like we are stuck in Mobil Ave, despite the day-to-day threat nuances, as manual processes and legacy tooling prevent us from escaping the query/pivot treadmill. Many of us see the benefits of the new ways, the next-gen tools (Neo-gen? Us: OMG we’re making that a thing. Marketing: no, we’re not.), the automation and orchestration that can help us transcend the limbo from which we’re so desperate to escape.
This exact sentiment showed up in our Cybersecurity Professionals Salary, Skills, and Stress Survey — 88% of security pros agreed that automation would make their jobs easier. What was more concerning, though perhaps understandable (more on that in a minute), was that over half of the respondents under the age of 45 thought that automation was a threat to their job.
To quote Neo: Woah!
Knowing that something could make your job easier, but worrying it would make you surplus to requirements is possibly the ultimate in limbo situations.
A number of factors are likely contributing to this paradox — lack of a career path in the SOC, lack of time or employer willingness for training, cost-cutting measures driven by the current pandemic, plus the issue we’ve talked about many times in this series: security pros spending too much time as glorified DBAs because traditional SIEMs aren’t designed to help security analysts succeed.
I’m in SOC Limbo… Get me out of here!
Automation, done right, will help you succeed and mean that you can demonstrate your value as a security professional. You’ll have vital information at your fingertips, not buried in the bowels of a disparate set of logs needing a doctorate in matrix-ese (ok, data science) to unearth the answers to your questions. You’ll make decisions with confidence, supported by data that is automatically provided through powerful analytics. And you’ll respond faster, using playbooks that gather information you’d usually collect from a plethora of third-party tools.
Time will be back on your side — giving you more freedom to hunt, to learn, and to mentor. To focus on strategic initiatives and drive improvements in security operations. To find bad stuff, fix bad stuff, and get credit for it ((c) Steve Moore). To be the badass analyst you always were.
To blaze the trail out of Dante’s SOC Inferno.
Let’s DO this!
The host of Exabeam folks and our dear friend Duncan McAlynn who’ve put together this blog series have all experienced these pains first hand. We’re here to help you make a stand and get back to doing what you love most about the career you picked, and we want you to succeed.
Come and see for yourself how we can help you and your team revolutionize life in the SOC, with a technical demo of our security management platform with one of our security engineers. Head on over here to get started!
In case you missed them, here are the rest of the articles in the series. Happy binge reading.