6 Security Operations Center Best Practices for 2024
Is your organisation’s security operations centre (SOC) a high-performance shop for stopping threats, or is it a machine for burning out staff?
It could be both. But for most organisations, it tends to be the latter. Case in point: although most SOC teams love their work, they also find their jobs “painful.”
In a recent report on key SOC challenges by Devo, nearly three-quarters of respondents rated the on-the-job “pain” felt by SOC staffers at between 6 and 9 out of 10. The same survey found that 71% of SOC staff are “very likely” or “likely” to quit their jobs if their organisations don’t take meaningful steps to improve their SOCs’ effectiveness.
Because it’s obviously important for every SOC to be staffed by skilled professionals who aren’t planning on leaving their jobs due to stress, security managers need to take action to improve their employees' work life and retain talent.
Here are six security operations centre best practices worth noting to boost staff morale and increase impact.
Use Consolidated Tool Stacks
For a SOC to effectively detect and respond to security threats, it needs to be able to see what's happening across a network.
Yet visibility is what SOCs seem to lack the most. In the above-mentioned report on key SOC challenges, “lack of visibility” was cited as the number one reason respondents’ SOCs were ineffective (along with a lack of skilled personnel).
The problem is that most modern SOCs rely on several siloed security tools like endpoint detection and response (EDR) and network detection and response (NDR) to identify potential security events. Platforms like security information and event management (SIEM) are then used to collect and aggregate this data.
This is not a good setup for ensuring visibility. SIEMs are known for their visibility gaps and endless streams of alerts. About 15% of respondents to a 2021 Panther Labs State of SIEM survey said their SIEM doesn’t provide adequate visibility.
One solution is to invest in a consolidated security tool stack, i.e., a single platform from one vendor that can do several things instead of multiple solutions from many vendors.
In a 2021 Gartner survey, 41% of respondents said their organisational risk posture improved after they consolidated their tool stacks. And in 2022, Gartner predicted that consolidated tool stacks are “the future.”
Reconsider 12-Hour Shifts
A SOC is a high-pressure environment, and 79% of analysts say they experience some form of burnout. The type of shift pattern you implement can make matters somewhat better—or worse.
For example, studies from other industries show that working 12-hour shifts leads to lower job satisfaction and a higher turnover rate. Similarly, the Health and Safety Authority recommends that 12-hour shifts be avoided for demanding (mentally or physically), monotonous, or safety-critical work.
Alternative shift patterns such as the three-shift rotation (three 8-hour shifts: Day, Swing and Night) avoid some of these problems, but they impose unsociable hours that disrupt sleep and travel. A shift starting at midnight and ending at 08:00 is particularly hard on staff who rely on public transport, for example.
A "follow the sun" model, in which staff are recruited across several continents so that each region covers its own daytime, removes most night work and with it much of the health impact, churn and job dissatisfaction. It does, however, require a mature hiring process and an HR function able to deal with employment legislation in multiple countries.
Whatever kind of shift pattern you choose, consider asking what everyone wants and see if you can fit their preferences into the schedule. Some SOCs also give a preference list of shifts to employees every quarter.
When planning shifts, keep them fair and balanced. A common rule is that core public holidays such as Christmas and New Year's are never worked by the same employee in consecutive years.
Automate Routine Work
Although working in a SOC can be exciting, many SOC professionals are frustrated about having to waste their time on tedious tasks. A 2021 report found that manual work is analysts’ main pain point and that 64% of them spend more than half of their time on this kind of work.
The recent rise of security automation means that things don’t have to be this way. And security professionals are becoming increasingly aware of this.
About two-thirds of analysts believe that half of their tasks could be automated. Doing so would give them time to work on more important and challenging initiatives, like developing advanced detections and integrating more systems and logs.
SOC professionals often have the skills and the understanding needed to automate their own work, but alert volume and noise leave them no time to do it. A managed SOC can take on part of that workload as a partial solution and free up the time.
Measure the Quality of Your Detections
SOC analysts are drowning in alerts.
According to a new ESG study by Kaspersky, around two-thirds of companies are struggling to deal with the number of alerts their security controls generate—many of which end up being false positives.
To improve “signal-to-noise” in your SOC, it’s critical that you measure the quality of your detections.
You can do this by asking the following questions:
What is the breakdown of your alerts? If every alert is high severity, then chances are, none of them really are.
What is the false positive rate (FPR), per detection rule? The FPR is the share of closed alerts that turned out to be benign. Measure it per rule rather than in aggregate: a high overall FPR is a symptom, while a single rule with a high FPR is something you can fix by tightening its logic, adding exclusions for known-benign sources, or retiring it.
In addition to reviewing the effectiveness of existing detections, put a detection quality assessment process in place, with a formal sign-off from your detection engineers before a rule goes live for the SOC team. Without this, every new rule adds noise and workload to the SOC that a QA process would have caught before release.
Understand Your Response Capability
You can have the best detections in the world, but if you’re not seeing alerts or responding to them in a timely manner because your team is busy doing something else, then threats will slip past your controls and potentially cause untold damage.
The only way to figure out how quickly you can identify and respond to alerts is to use response efficacy metrics like the ones below:
Mean Time to Acknowledge (MTTA). The average time between a system raising an alert and an analyst picking it up. This tracks your team's responsiveness: the lower it is, the faster alerts are being looked at.
Mean Time to Detect (MTTD). The average time between the start of the malicious activity and the alert that detected it. Unlike the other metrics, this cannot be read off alert timestamps alone; the start of the activity is usually established during the investigation.
Mean Time to Respond. The average time from the alert to containment of the identified threat, i.e. the point at which it can no longer do damage.
Mean Time to Resolve. The average time from the alert to full resolution of the incident, including the action taken to prevent it recurring. Both of the last two are commonly abbreviated MTTR, so agree on which one you report and define it in writing.
Although useful, response metrics like the ones above are not the be-all and end-all.
Don’t assume that just because something doesn’t align with specific metrics, there’s something inherently wrong with what you’re doing. There might be some wider context that’s missing.
As a result, there needs to be leeway. For example, rather than demanding that every incident is resolved strictly within two hours, give the team a 10% leeway (132 minutes). If resolution takes longer than that, review what went wrong and how to improve your time to resolve.
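As an added worked example (not code from this article or from SenseOn's product), the following Python computes the numbers the two sections above ask for over a small constructed alert log: the severity breakdown, the per-rule false positive rate with a tuning threshold, the four mean-time metrics, and the 10% leeway check against a target. The record layout, rule names, timestamps, thresholds and SLA targets are all assumptions made for the example.

```python
"""Detection-quality and response-time metrics over a constructed alert log.

Added example, not code from the article or from any vendor product. The record
layout, rule names, timestamps, thresholds and SLA targets are assumptions.
"""
from collections import Counter
from datetime import datetime
from statistics import mean

CLOSED = {"true_positive", "false_positive"}   # dispositions that count as triaged
DAY = "2024-03-04"                              # all constructed sample times fall on this day


def rec(rule, severity, disposition, activity_start, triggered, acknowledged, contained, resolved):
    """Build one alert record. Times are HH:MM on DAY; None means not reached or not applicable.
    activity_start is when the investigation found the malicious activity began (true positives only)."""
    def ts(hhmm):
        return None if hhmm is None else datetime.fromisoformat(f"{DAY}T{hhmm}:00")
    return {"rule": rule, "severity": severity, "disposition": disposition,
            "activity_start": ts(activity_start), "triggered": ts(triggered),
            "acknowledged": ts(acknowledged), "contained": ts(contained), "resolved": ts(resolved)}


# Constructed sample data: four rules, one day of alerts, one alert still open.
ALERTS = [
    rec("psexec-lateral-movement", "high",   "true_positive",  "08:30", "09:00", "09:05", "09:40", "12:00"),
    rec("psexec-lateral-movement", "high",   "true_positive",  "13:50", "14:10", "14:13", "14:45", "17:10"),
    rec("failed-logon-burst",      "high",   "false_positive", None,    "02:00", "02:30", None,    "02:45"),
    rec("failed-logon-burst",      "high",   "false_positive", None,    "02:20", "02:35", None,    "02:50"),
    rec("failed-logon-burst",      "high",   "false_positive", None,    "08:00", "08:20", None,    "08:30"),
    rec("failed-logon-burst",      "high",   "true_positive",  "10:45", "11:00", "11:07", "11:30", "13:00"),
    rec("dns-long-txt-query",      "medium", "false_positive", None,    "10:00", "10:12", None,    "10:20"),
    rec("dns-long-txt-query",      "medium", "true_positive",  "14:00", "15:00", "15:10", "15:50", "18:00"),
    rec("new-scheduled-task",      "low",    "open",           None,    "16:00", None,    None,    None),
]


def severity_breakdown(alerts):
    """Share of alerts at each severity. If nearly everything is 'high', severity carries no signal."""
    counts = Counter(a["severity"] for a in alerts)
    total = sum(counts.values())
    return {sev: round(n / total, 3) for sev, n in counts.items()}


def false_positive_rate_by_rule(alerts):
    """False positive rate per rule over closed alerts only; open alerts are not evidence either way."""
    fp, total = Counter(), Counter()
    for a in alerts:
        if a["disposition"] in CLOSED:
            total[a["rule"]] += 1
            if a["disposition"] == "false_positive":
                fp[a["rule"]] += 1
    return {rule: fp[rule] / n for rule, n in total.items()}


def rules_needing_tuning(alerts, max_fpr=0.5, min_alerts=2):
    """Rules whose FP rate exceeds max_fpr, ignoring rules with too few closed alerts to judge."""
    closed = Counter(a["rule"] for a in alerts if a["disposition"] in CLOSED)
    return sorted(rule for rule, fpr in false_positive_rate_by_rule(alerts).items()
                  if fpr > max_fpr and closed[rule] >= min_alerts)


def mean_minutes(alerts, start, end):
    """Mean minutes from start to end over the records that have both timestamps."""
    spans = [(a[end] - a[start]).total_seconds() / 60 for a in alerts if a[start] and a[end]]
    return mean(spans) if spans else None


def response_metrics(alerts):
    """MTTA over every alert (each one must be picked up); MTTD and both MTTRs over true positives only,
    because only those are incidents. MTTD needs activity_start, which comes from the investigation."""
    incidents = [a for a in alerts if a["disposition"] == "true_positive"]
    return {
        "mtta": mean_minutes(alerts, "triggered", "acknowledged"),
        "mttd": mean_minutes(incidents, "activity_start", "triggered"),
        "mtt_respond": mean_minutes(incidents, "triggered", "contained"),
        "mtt_resolve": mean_minutes(incidents, "triggered", "resolved"),
    }


def within_target(actual_minutes, target_minutes, leeway=0.10):
    """SLA check with tolerance: a two-hour target with 10% leeway passes at up to 132 minutes."""
    return actual_minutes is not None and actual_minutes <= target_minutes * (1 + leeway)


if __name__ == "__main__":
    print("severity:", severity_breakdown(ALERTS))
    print("fpr by rule:", false_positive_rate_by_rule(ALERTS))
    print("rules to tune:", rules_needing_tuning(ALERTS))
    metrics = response_metrics(ALERTS)
    print("metrics (minutes):", metrics)
    for name, target in (("mtta", 15), ("mtt_respond", 30), ("mtt_resolve", 120)):  # assumed targets
        print(name, "within target" if within_target(metrics[name], target) else "missed, review")
```

On this constructed data two-thirds of alerts are high severity, the `failed-logon-burst` rule is wrong three times out of four and is the only one flagged for tuning, and the resolve time of 165 minutes misses a two-hour target even with the 10% leeway, which is exactly the case the article says should trigger a review rather than an automatic verdict.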
Provide Continuous Training
The threat landscape keeps evolving, and your in-house security team members need to evolve with it. From emerging threats to new technologies, continuous security training can help security professionals understand how they can do their jobs more effectively.
Unfortunately, few organisations seem to prioritise employee development. In a recent survey, just 39% of security practitioners said they received enough training.
This is a lost opportunity. Studies show that employees that get frequent training feel more empowered and are less likely to quit. In the current cybersecurity labour market, where the cyber skills gap is said to be contributing to as many as 80% of security breaches and where organisations are struggling to hold onto the security staff they have, providing employees with training is more important than ever.
However, it’s not enough to give employees access to training.
Most SOC staff already feel burned out. As a result, they may not feel like they have the time to do training during work hours. At the same time, since training is being provided to them, they may feel pressured to do it in their downtime.
The end result is the opposite of what anyone wants. For employees, it’s increased workload and stress. For organisations providing the training, it’s security employees that are even more exhausted—and more likely to miss threat indicators.
A good SOC manager will incorporate training time into their team’s workday. Not only will this ensure that security pros actually have the time and space to train, but it will also make it easier for SOC managers to track and review their team’s progress.
Improve Your SOC with SenseOn
A consolidated security platform, SenseOn can help improve the efficiency of your SOC in several ways:
Improved visibility into your organisation's entire digital estate. SenseOn’s low-impact software, known as “Universal Sensor,” captures data from users, devices, processes and network telemetry, all the way down to deep packet inspection. This gives IT security analysts unparalleled visibility, collating all relevant alerts into a single incident and removing data silos.
Advanced threat detection. SenseOn performs continuous monitoring of your estate and uses various intrusion detection and deception techniques to identify and mitigate malware and threats. Our Resilience service allows us to react to malicious activity and contain threats quickly, reducing the exposure time to attackers and associated risks.
Constantly learning. We have a unique method for modelling user and device behaviour to establish a “baseline.” We know that organisations are continually evolving, which is why SenseOn uses machine learning to constantly adapt to your environment in real time, saving human analyst time and automating high-effort manual tasks.
Automated investigation, response, and prioritising. SenseOn’s artificial intelligence technology, known as AI Triangulation, mimics how human analysts think. Rather than immediately flagging a security event as suspicious, SenseOn looks at it from all angles and with data from other parts of your estate to establish if it’s genuinely malicious or a false positive. Only malicious alerts are brought to human analysts’ attention for review. Instead of responding to thousands of separate alerts, you are able to identify and prioritise the important, clearly suspicious incidents.
Live incident response. In the case of time-critical cyberattacks like ransomware, SenseOn can take immediate remediation action on behalf of your incident response team using our Resilience service, mitigating threats in a timely manner and preventing lateral movement and data exfiltration.
Want to learn more about where SenseOn’s threat intelligence platform could fit into your SOC operations? Schedule a demo today.