Escaping Dante’s SOC Inferno: Gluttony and the SOC Skills Shortage
Gluttony is having a profound effect on our ability to do our jobs, and it’s compounding the problem of the security skills shortage. Gluttony is described as a “habit of eating and drinking too much”, so at first glance you may be forgiven for wondering how this is causing hell in the SOC. But hang in there for a moment, there’s more than a tenuous link, we promise, and has nothing to do with Hannibal Lecter, fava beans, or even a nice chianti (read: no-one’s actually eating SOC analysts, not as far as we know anyway).
Depending on which article or report you read, today we have a global shortage of 3-4 million skilled people in cybersecurity. There’s even a suggestion that the skills shortage has fallen, but this is more likely to be an impact of the current pandemic, and not the slightly positive story the headline suggests. And as we’ll be discussing in this blog, the skills gap isn’t just about unfilled roles — “inexperienced staff” is cited as the biggest pain point for frontline security team members in the 2020 State of the SOC report. And what’s more concerning is that this particular pain isn’t always being seen as such an issue by security management or CISOs.
Let’s take a look at what’s on the Dante’s SOC Inferno menu today:
Appetizer: gluttonous recruitment practices stuffed with 14 certs
If you’ve ever tried to find entry-level work in cybersecurity, chances are you’ve come up against the impossible job description, which requires you to have multiple years of hands-on experience, with knowledge of a host of specific security tools, and a selection of certifications which cost thousands of dollars to obtain, in addition to whatever student debt you’ve racked up getting a degree. Yet often the salary on offer doesn’t align with the impossible requirements either. The same can apply with more senior roles, too — how many people do you know who have 10-15 years of cloud security experience, especially when cloud security hasn’t really even been around that long? Gluttonous recruitment practices are creating a significant and unnecessary barrier to entry, it’s no surprise that so many roles aren’t being filled.
Entree: SIEM as-a-Status-Symbol
Gluttony doesn’t just apply to food and drink, it can also apply to material items, particularly expensive things which may be wielded as status symbols. In security operations, some of us have inadvertently ended up more attached to the SIEM vendor than our original calling of being security professionals, because over the years we’ve turned into glorified DBAs. Without stealing too much thunder from our next post in this series, traditional SIEMs have also created a degree of knowledge gluttony — whereby only the best query/pivot ninjas can eke out any nutritional value from the SIEM, and the more junior folks aren’t able to glean much more than scraps. Plus if a SIEM is so complicated to use that it needs to be a line item on an analyst job spec, it’s not doing much to help solve the skills gap.
Main course: SIEM avec thyme (#notsorry) consumée
Time flies in the SOC, whether you’re having fun or not. Think about how long it takes you to thoroughly investigate an alert and really get to the bottom of what’s going on. And whilst you’re digging around in the SIEM looking for answers, the pile of alerts keeps on growing. Even with the best querying skills, it can take hours to fully ascertain the extent of an attack. Plus threat hunting, mentoring, knowledge sharing, and training are totally off the menu when you’re busy chowing down in your SIEM.
Dessert: after eight (hours…)
Whilst we’re starving for more skilled people in the SOC, we’re full to the brim with work that needs doing. There’s always more coming in than we can easily handle, more alerts to investigate, more data sources to analyze. Our shifts are filled with manual tasks that are eating into our time, and devouring our ability to focus on our mission of securing our organization. We’re work-bloated, and on the verge of exploding. Just one more wafer-thin alert before you go home? It’s only a tiny, little, thin one….BOOM!
“Monty Python” comedy references aside, and on a more serious note — analyst burnout is a very real issue, and our industry is losing skilled people due to high levels of stress and a poor work-life balance. If you’re constantly staying late and feeling like you’re on a never-ending treadmill of work-eat-sleep-repeat it’s easy for things to spiral downwards. It almost goes without saying that this needs to change, but clearly change is needed so we’re saying it.
Changing the menu
Not sure how you’re feeling after all that, but it’s given us a nasty bout of SIEM-digestion (thank you folks, we’re here ‘til Friday — try the veal!). Let’s look at how we can improve our eating habits, feel better inside, improve the skills gap — and escape this circle of SOC hell.
Appetizer: tasty recruitment practices
The skills gap can’t be solved just by changing job specs, it needs a different way of thinking to bring in and support new talent. If you’re a recruiter or a hiring manager reading this post, and you’re struggling to find skilled people, perhaps it’s time to review how you’re presenting your expectations. Certifications can be useful, but they can be gained whilst in a job and supported by mentoring and knowledge sharing. And if your organization is hiring security analysts with a view to turning them into DBAs, then it’s likely to result in shattered career dreams. Referring back to our old friend the 2020 State of the SOC report, lack of a career path was cited as the biggest reason frontline staff would leave an organization. So it’s important to consider not just who you’re trying to hire (and whether they even exist), but how you can provide an environment where they can thrive.
Security information needs to be easily accessible to all the analysts in the SOC, and not hampered by overly complex tooling which can only be used well by one or two people. In our recent webinar, Andy Skrei talked about tasking two analysts with investigating the same alert, and getting two completely different answers. By adding intelligence to your security tools, work can be shared more evenly, junior team members can gain experience, and everyone gets to focus on the mission of the SOC — to protect and defend the business (or in the words of our own Steve Moore “find bad stuff, fix bad stuff, get credit for it”). It also makes it easier to have folks cross train into cybersecurity from other technical disciplines without needing to learn a whole new query language as well as getting to grips with cybersecurity.
Main course: thyme (#stillnotsorry) to decide
Automating a lot of the manual work that occurs during investigations will save you *so* much time. Erik Randall, who was a former SOC analyst, undertook an experiment to see how long it would take to create a fairly simple timeline of an incident using manual queries, and the results were staggering. You can read about it in detail here (grab a coffee first, it’s a long but good read) — but the tl;dr is that it took over 20 hours of querying and analysis to get a decent representation of an incident timeline — that Exabeam Advanced Analytics creates automatically. This means you can move faster at making informed decisions, and not get bogged down in the time-sucking quagmire of gluttonous SIEMs. Threat hunting, mentoring, knowledge sharing, and training are now back on the menu — hoorah!
Dessert: a sweeter life, in (and out of) the SOC
We genuinely believe that improved working conditions across the SOC through automation, accessibility, and better decision support can make a real difference to the day-to-day lives of SOC analysts. Being able to focus on your mission, be more proactive, and help others improve their skills, will mean you can enjoy your work and have time for some of that life stuff too.
We’d like to show you and your colleagues how Exabeam can help your organization achieve this — sign up for a demo today and we’ll be in touch!
If you’ve missed out on the previous posts in our Dante’s SOC Inferno series, here’s where you can binge read the rest: