The past 18–24 months have been difficult for most people, personally and professionally, and it’s no different for security operations center (SOC) analysts. The worlds of home and work have collided, resulting in more people than ever before working remotely. This has meant greater demands on remote access across various devices, geographies and security challenges.
This acceleration of digital transformation driven by the pandemic has led to a global increase in cyber risk. More than two-thirds (68%) of organizations in the UK and Ireland say cybersecurity is now a top priority for them. While prioritizing security is good news, for those working in the SOC, it raises further issues. Since everyone’s working faster, we expect more from our SOCs, including faster response times and quick resolution. However, keeping pace with enhanced digital transformation and new remote working needs presents various challenges, such as a lack of visibility, increased workload and more time spent on manual, repetitive tasks. These challenges have led to an ‘always on’ mentality amongst SOC analysts, often resulting in burnout. So how do we prevent this from happening?
SOC Transformation: Automation and AI
At NTT, we have also been through our own SOC transformation project to keep pace with digital transformation and exponential business risk. Part of our aim was to create global consistency in service delivery for our SOC as a Service (SOCaaS) offering and to create a common understanding across teams. While we want to deliver the best possible service to our clients, it’s also important we give space to our SOC teams to grow and develop their skills and knowledge rather than be always on. To achieve this, we shifted towards a security orchestration, automation and response (SOAR) approach to reduce the time spent on manual, repetitive tasks. By automating these activities through implementation of artificial intelligence (AI) and machine learning, we can ensure data and analytics are constantly reported, with a common process and language enabling analysts to be proactive rather than reactive.
For an analyst, visibility is key. It’s crucial to be able to see across your IT infrastructure, and this is exactly what moving our analytics into a single SOAR environment has allowed us to do. This consistency has meant our analysts can work from a common interface, with a collective language and playbooks. Even without a specialized understanding of the underlying technologies, they can work across multiple incident types and provide key insights to clients. From a client perspective, automation also presents many benefits, especially when it comes to response time and cost. By putting this automation in place, we can establish a single alerting stream, allowing us to respond to alerts more efficiently and consistently, which means our clients can react quicker to attacks and minimize the impact.
Developing Skills
It’s well known that the cybersecurity industry as a whole has a gap in skills and resources, and the SOC is no different. Greater investment in cybersecurity, with technologies like automation and AI, isn’t a way to replace people. But by automating the time-consuming, repetitive tasks often performed by analysts, the SOC team has more time to focus on honing and developing the team’s skills and knowledge. In addition, they have the opportunity to spend more time on interesting and exciting tasks, which often benefit from human intervention.
Advancing the skills of SOC analysts not only assists their own personal development but also that of the SOC itself and the business as a whole. Creating a more engaging work environment for your employees will improve the employee experience and increase retention rates — protecting your staff from burning out or looking elsewhere. As a result of implementing SOAR, at NTT, we were able to integrate teams and cross-train people with specific capabilities, broadening the skills base. For the business, that was a huge benefit, as team members could be upskilled quickly and were empowered to work in a new space and learn new skills, as they were given the capacity to do so by taking away some of the basic tasks through automation. Everyone was able to learn at a quicker rate and choose whether or not they wanted to specialize in a particular discipline, go into deeper problem solving, work in the response space or develop their threat hunting skills to a whole new level. The need to perform repetitive tasks was taken away, and the team could focus on providing the best possible service to clients.
SOC: Why, How and Who?
With the attack surface constantly growing, SOCs are more important than ever. If you can’t see something, you can’t respond to it — a SOC provides clear visibility of what’s happening inside your organization. If you’re consuming threat intelligence from other sources, it can also help you see what’s happening across peer organizations so you can plan ahead. The risk to the business is so broad and varied that an IT infrastructure without a SOC puts your business at far greater risk and leaves you accountable to your shareholders without the necessary data.
Establishing a secure, successful and compliant SOC does take time and expert resources to ensure that it’s run correctly. A lot of organizations don’t have this in-house and instead need to look at outsourcing options, such as NTT, to run their security operations for them. An outsourced SOC comes with its own benefits, such as:
- Immediate access to cybersecurity and threat detection skills
- Ease of implementation and scalability
- Cost savings
- Greater customization to support specific business needs
However, when outsourcing your SOC, paramount to success is partnering with a trusted organization. You’ll be working closely, so you need to have a partnership where trust and knowledge are shared — they’ll need to have a solid grasp on your organization, and you’ll need to understand what the SOC is doing for you. There needs to be a genuine partnership with the SOC provider because at the end of the day, they’ll be responsible for keeping you secure.
Regardless of whether you outsource your security operations or manage them in-house, developing your SOC from a people, process and technology perspective is paramount. Not only will nurturing talent and the right skills improve the capability of your SOC, but it will also protect your business as a whole. Having visibility across your IT estate and building a smart, sustainable, technology-enabled workforce should give you some comfort that you have the tools in place to manage the inevitable: risk.