It's the People: 5 Reasons Why SOC Can't Scale

Published: 22/11/2024   Category: security


There are always more security alerts and threats to respond to, but the answer isn't simply to throw more money at the SOC to hire additional Tier 1 and Tier 2 security analysts.



SAN FRANCISCO -- Blame people for the SOC scalability challenge. On the other hand, don't blame your people. It's not their fault.
The security operations center (SOC) team is frequently overwhelmed, particularly the Tier 1 security analysts tasked with triage. As companies grow and add more technology -- including the Internet of Things (IoT) -- that means more alerts.
As the enterprise adds more sophisticated security tools, such as Endpoint Detection and Response (EDR), that means more alerts. And more complex alerts. You're not going to see a blinking red light that says: "You're being hacked." Or if you do see such an alert, it's not very helpful.
What's the problem? It's the people, say experts at the RSA Conference, which wrapped up last week. The SOC team -- or teams -- simply can't scale fast enough to keep up with the ever-increasing demand. Let's talk about the biggest problems challenging SOC scalability.
Reason #1: You can't afford to hire enough Tier 1 analysts
You certainly can't afford the Tier 2 analysts who respond to real -- or almost certainly real -- incidents. According to a quick glance at sites like Glassdoor and Indeed, be prepared to pay over $100,000 per month, per person.
Reason #2: You can't find the analysts; there's not a huge talent pool
"We've created a growing demand for labor, and thus, we've created this labor shortage," said Malcolm Harkins, chief security and trust officer of Cylance.
There are huge numbers of open positions at all levels of information security, and that includes in-enterprise SOC team members. Sure, you could pay more, or do competitive recruiting, but go back to the previous point: you can't afford that. Perhaps a managed security service provider can afford to keep raising salaries, because an MSSP can monetize that expense. An ordinary enterprise can't, because security is an expense.
Reason #3: Team training is a never-ending journey without a happy ending
Even with the best security tools, being an analyst requires constant training on threats and techniques -- which is expensive to offer, especially for a smaller organization. And wouldn't you know it, as soon as you get a group of triage specialists or incident responders trained up nicely, off they go for a better job.
Reason #4: Collaboration is tough for incident handoffs to the next analyst
Rishi Bhargava, co-founder of Demisto, pointed out that around-the-clock, follow-the-sun security, with investigations and incident response, brings its own challenges, particularly during shift changes.
"Collaboration, along with all the skill set problems, is a real problem," Bhargava said. "How do you do the handoff? How does the collaboration happen? How do you ensure that everyone has the right context to advance the investigation?"
"You can't send the next shift team an email explaining the status of today's incidents," he added, "and hope an analyst can pick it up at the start of his or her shift."
Reason #5: Security management can't scale either
There's alert fatigue for the Tier 1 and Tier 2 analysts, but the problems go all the way up the food chain.
"There's decision-maker dementia for the executives, who are pulled in too many different directions with competing priorities -- and they can't figure out how to scale either," said Cylance's Harkins. There are too many risks that senior analysts and management must address, contain or stop, for the good of the company.
It's not their fault
Go ahead and blame the analysts and security managers for not handling an ever-increasing workload while fighting alert fatigue, knowing the next incident might be a Target-sized or Equifax-sized data breach. But the real challenge is to find more resources, including better tools, practices and procedures, for scaling the SOC.
Because you can't simply throw more people at the problem.
Alan Zeichick is principal analyst at Camden Associates, a technology consultancy in Phoenix, Arizona, specializing in enterprise networking, cybersecurity, and software development. Follow him @zeichick.