Changing Role Tier 1 SOC Analysts - PowerPoint PPT Presentation

Number of Views:202

Transcript and Presenter's Notes

1
Changing Role Tier 1 SOC Analysts
  • Should You Stop Hiring?

2
Introduction
  • Much has been written about the death of the Tier
    1 SOC analyst. To paraphrase Mark Twain, reports
    of that death are greatly exaggerated. A simple
    Glassdoor search yields 186 open positions that
    posted in just the last month. Is one of your
    open roles on that list?

3
Recruiting Multiple Analysts
  • Odds are you are recruiting for multiple security
    analysts at any given time, particularly at the
    entry level. This is largely due to a combination
    of attrition and growth in alerts coming in from
    your various security tools. To add insult to
    injury, if you're like most organizations, those
    jobs have probably been sitting unfilled for
    three months or more.

4
Time To Fill An Open Cyber Security / Information Security Position

5
Why You Need Tier 1 Analysts
  • Directing or managing a SOC is no easy task,
    especially when you're short on people to manage.
  • Before you start thinking this is yet another
    diatribe on the cybersecurity skills shortage, we
    assure you, it's not. Rather, in this blog we
    will look at the role of the Tier 1 SOC analyst
    today and the part security orchestration and
    automation play in bringing about an evolution in
    the way SOC leaders think about these positions.

6
Would You Want This Job?
  • The typical Tier 1 cybersecurity analyst job
    description reads a little something like this:
  • Under general supervision, this role is
    responsible for monitoring networks for security
    events and alerts to potential/active threats,
    intrusions, and/or indicators of compromise and
    responding to incidents at the Tier 1 level.
  • Monitor security infrastructure and security
    alarm devices for Indicators of Compromise
    utilizing cybersecurity tools, under 24/7
    operations.

7
Security Analyst Role
  • Direct response and resolution to security device
    alarm incidents and additional incident
    investigation as needed.
  • Utilize cyber security analysis to generate
    security incident reports and document findings.
  • Log details of Security Operations Center calls,
    including all events and actions taken, and track
    tickets to maintain workflow management. Document
    all events and actions.
  • Determine the intent of malicious activity based
    on standard policies and guidelines and escalate
    further investigation incidents to the next Tier
    of Incident Response.

8
The Rise of the Machines
  • Enter machine-driven solutions. Security
    orchestration and automation platforms are
    specifically designed to address many of the most
    prevalent security operations challenges.
  • Challenge 1: Too Many Alerts
  • Most security operations teams get thousands of
    alerts per day and can only investigate and
    respond to a portion of them. On average,
    security operations teams leave 44% of alerts
    uninvestigated. Your Tier 1 analysts are the ones
    on the front line of this alert deluge, making
    them the ones most susceptible to alert fatigue
    and, ultimately, job burnout.

9
Contextual Alert Grouping
  • Addressing alert overload is one of the biggest
    benefits security automation can bring to a SOC
    team. Data gathering is time-consuming,
    repetitive and highly detail oriented. It's
    perfectly suited to automation.
  • Applied correctly, security automation tools can
    identify relevant, critical alerts in a fraction
    of the time, with a higher degree of accuracy
    than a human analyst can. By employing an
    automation solution that identifies and groups
    related alerts into workable cases, you can
    redirect your analysts' time toward in-depth
    investigation, analysis, and incident response
    activities.
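To make the grouping step concrete, here is an added example (not code from the original presentation or from any orchestration product) that chains alerts into cases when they share a host, user or source IP within a correlation window; the alerts, field names and the two-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). In a SOAR tool these would
# be pulled from the SIEM/EDR; only the fields the grouping keys on are shown.
ALERTS = [
    {"id": "A1", "ts": "2024-01-10T09:00:00", "rule": "Suspicious PowerShell",
     "host": "ws-17", "user": "jdoe", "src_ip": "10.0.5.17"},
    {"id": "A2", "ts": "2024-01-10T09:04:00", "rule": "Outbound to rare domain",
     "host": "ws-17", "user": "jdoe", "src_ip": "10.0.5.17"},
    {"id": "A3", "ts": "2024-01-10T09:20:00", "rule": "Failed logon burst",
     "host": "dc-01", "user": "jdoe", "src_ip": "10.0.5.17"},
    {"id": "A4", "ts": "2024-01-10T11:30:00", "rule": "AV detection",
     "host": "ws-42", "user": "asmith", "src_ip": "10.0.9.42"},
    {"id": "A5", "ts": "2024-01-11T09:05:00", "rule": "Suspicious PowerShell",
     "host": "ws-17", "user": "jdoe", "src_ip": "10.0.5.17"},
]

KEYS = ("host", "user", "src_ip")   # entities that link alerts together
WINDOW = timedelta(hours=2)          # assumed correlation window

def group_alerts(alerts, keys=KEYS, window=WINDOW):
    """Return a list of cases; each case is a list of alerts that chain
    together through a shared entity seen within `window` of each other.
    First matching case wins (cases are not merged retroactively)."""
    ordered = sorted(alerts, key=lambda a: a["ts"])
    cases = []  # each case: {"alerts": [...], "last_seen": {(key, value): ts}}
    for alert in ordered:
        ts = datetime.fromisoformat(alert["ts"])
        matched = None
        for case in cases:
            # Match if any keyed entity of this alert was seen recently in the case.
            for k in keys:
                seen = case["last_seen"].get((k, alert[k]))
                if seen is not None and ts - seen <= window:
                    matched = case
                    break
            if matched is not None:
                break
        if matched is None:
            matched = {"alerts": [], "last_seen": {}}
            cases.append(matched)
        matched["alerts"].append(alert)
        for k in keys:  # refresh entity timestamps so later alerts can chain on
            matched["last_seen"][(k, alert[k])] = ts
    return [c["alerts"] for c in cases]

if __name__ == "__main__":
    for n, case in enumerate(group_alerts(ALERTS), 1):
        print(f"Case {n}:", [a["id"] for a in case])
```

Five raw alerts collapse into three cases: A1, A2 and A3 chain through the same workstation and then the same user, A4 stands alone, and A5 opens a fresh case because it falls outside the window.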

10
Challenge 2: Too Many Tools
  • With a dozen or more security technologies to
    work across, your analysts spend much of their
    day switching from screen to screen just to
    gather the data they need. And mastering the ins
    and outs of managing and using a variety of tools
    creates a steep learning curve for new analysts.
  • Security orchestration fundamentally changes the
    game for SOC analysts by creating a single,
    cohesive interface for managing disparate
    security tools. As with the automation of alert
    grouping, this puts more time back into the
    analysts' day for tasks that truly require human
    intervention.

11
Challenge 3: Many Manual Processes
  • Are your SOC workflows documented? Entry-level
    analysts frequently find it tough to get up to
    speed and become effective quickly when processes
    aren't formalized and executed consistently.
    Manual steps within each workflow (whether
    interacting with users, looking up files and
    hashes, or adding new rules and signatures) only
    compound the issue further by taking time away
    from higher-value activities.

12
Conclusion
  • Because much of what is traditionally associated
    with the role of a Tier 1 analyst can be
    addressed with security orchestration and
    automation, it's easy to see why some think these
    roles are on their way to being obsolete.
  • Yes, it's true that much of what your average
    entry-level analyst is tasked with today can be
    completed faster and more efficiently through
    automation, but that doesn't mean you should give
    up your open reqs just yet. Instead, you should
    think about how to redefine your Tier 1 roles.