In the last blog entry I gave my view of why major corporations keep getting hacked. I argued that the focus of security within organisations is all wrong and, due to lazy evolution, corporate security teams fail to provide business owners with the information needed to make informed decisions on how to defend against cyber-attacks.
Whilst I stand by this view, things are never quite as clear cut, and in fact there are many consequences of this position that only serve to reinforce the problem of achieving effective cyber defence.
One of the issues facing the IT security industry at the moment is the lack of skilled security analysts. We constantly hear of the IT skills gap and of the massive shortfall that seems to grow and grow with each passing year.
For the last decade it seemed to be that developers were the most in demand group of IT personnel, especially those in esoteric but widely used technologies such as SAP, Oracle, and the like. However, for the last 3 years the focus has begun to shift. Today the demand for security analysts is insatiable. You want a job in IT? Well just say you’re willing to be a SOC analyst and you’re in.
Why is this? Well there is a problem at the heart of all SOCs. SOC analysts arrive, stay for a while, and then the good ones leave. Why should they do this? I see three primary reasons for such a high turnover of staff:
- The salary of SOC analysts is appalling for the IT sector
- The roles are tedious for 90% of the time – limited technologies and limited tasks breed boredom
- The working hours often include night shifts
All these things conspire to put good analysts off.
A good SOC analyst needs to have a range of technical skills and knowledge, an enquiring mindset, and be willing to put the hours in.
These are just the same skills a good IT architect needs and a good analyst can quickly jump ship and become an architect… and earn double their salary. Who wouldn’t want to do this and live a more normal lifestyle to boot?
So how do the big companies address this issue? Well, instead of increasing the salary of analysts to reflect their importance, instead of providing interesting alternative work and training that supports the cyber defence of companies, and instead of designing integrated SOC capabilities that enable an analyst to make a real-time difference, they recruit graduates straight out of university who will be grateful for the salary and their first job.
They perpetuate the problem instead of trying to solve it.
The consequence of this behaviour is that most SOCs are under-skilled, under-resourced, de-motivated, and have broken operational processes due to a lack of continuity. Organisations pay lip service but don’t invest in their Operations team. As I said previously, the reasons for this parlous state lie back, deep, in the mists of time (well, the 70s and 80s at least).
So what does a good SOC team look like? How do good SOCs keep their staff? In essence, a good SOC team consists of staff who are trained, paid well, kept motivated to defend their company, and who believe they can make a difference by using integrated systems and carrying out analysis across all security data sources quickly and efficiently, resulting in informed, evidence-based recommendations to the business to address cyber threats and attacks.
A modern SOC team has clearly defined roles but actively supports the progression and rotation of staff across these roles to help expand knowledge and reduce the risk of boredom and complacency. A modern SOC team focuses on more than just protective monitoring. It actively researches threats to the business, it actively seeks intelligence, and it develops playbooks that are meaningful and frequently reviewed for accuracy.
A good SOC team carries out continuous service improvement, incident reviews and simulations to ensure that staff are aware of the causes of problems and how to address them in the future. If companies believe in investing in people then these are the people to invest in.
In short, a good SOC team is full of committed security analysts who are using tools that encourage, and not hinder, anomaly detection and security analysis, and who enjoy making a difference.
Without an engaged team (I’m sure we used to get called Nerds and Geeks) it is not possible to defend a business. It is these staff, who have knowledge, skills, awareness, and commitment, who will understand the threats to the business and make specific, informed decisions on how to address them. If your people are bored, pressured, untrained, and de-motivated and sat on the graveyard shift then you are beaten.
In my next blog posting I will look at the importance of common-sense, intelligent processes to the effective execution of cyber defence.