Changing Role Tier 1 SOC Analysts - PowerPoint PPT Presentation

About This Presentation
Title:

Changing Role Tier 1 SOC Analysts

Description:

Addressing alert overload is one of the biggest benefits security automation can bring to a SOC team. Data gathering is time-consuming, repetitive and highly detail oriented. It’s perfectly suited to automation. isit - – PowerPoint PPT presentation

Number of Views:203

less

Transcript and Presenter's Notes

Title: Changing Role Tier 1 SOC Analysts


1
Changing Role Tier 1 SOC Analysts
  • Should You Stop Hiring?

2
Introduction
  • Much has been written about the death of the Tier
    1 SOC analyst. To paraphrase Mark Twain, reports
    of that death are greatly exaggerated. A simple
    Glassdoor search yields 186 open positions that
    posted in just the last month. Is one of your
    open roles on that list?

3
Recruiting Multiple Analysts
  • Odds are you are recruiting for multiple security
    analysts at any given time, particularly at the
    entry level. This is largely due to a combination
    of attrition and growth in alerts coming in from
    your various security tools. To add insult to
    injury, if youre like most organizations, those
    jobs have probably been sitting unfilled for
    three months or more.

4
Time To Fill An Open Cyber Security/ Information
Security Position
5
Why Need Tier 1 Analyst
  • Directing or managing a SOC is no easy task,
    especially when youre short on people to manage.
  • Before you start thinking this is yet another
    diatribe on the cybersecurity skills shortage, we
    assure you, its not. Rather, in this blog we
    will look at the role of the Tier 1 SOC analyst
    today and the part security orchestration and
    automation play in bringing about an evolution in
    the way SOC leaders think about these positions.

6
Would You Want This Job?
  • The typical Tier 1 cybersecurity analyst job
    description reads a little something like this
  • Under general supervision, this role is
    responsible for monitoring networks for security
    events and alerts to potential/active threats,
    intrusions, and/or indicators of compromises and
    responding to incidents at the Tier 1 level.
  • Monitor security infrastructure and security
    alarm devices for Indicators of Compromise
    utilizing cybersecurity tools, under 24/7
    operations.

7
Security Analyst Role
  • Direct response and resolution to security device
    alarm incidents and additional incident
    investigation as needed.
  • Utilize cyber security analysis to generate
    security incident reports and document findings.
  • Log details of Security Operation Center call,
    including all events and actions taken, and track
    tickets to maintain workflow management. Document
    all events and actions.
  • Determine the intent of malicious activity based
    on standard policies and guidelines and escalate
    further investigation incidents to the next Tier
    of Incident Response.

8
The Rise of the Machines
  • Enter machine-driven solutions. Security
    orchestration and automation platforms are
    specifically designed to address many of the most
    prevalent security operations challenges.
  • Challenge 1 Too Many Alerts
  • Most security operations teams get thousands of
    alerts per day and can only investigate and
    respond to a portion of them. On average,
    security operations teams leave 44 of alerts
    uninvestigated. Your Tier 1 analysts are the ones
    on the front line of this alert deluge, making
    them the ones most susceptible to alert fatigue
    and ultimately, job burnout.

9
Contextual Alert Grouping
  • Addressing alert overload is one of the biggest
    benefits security automation can bring to a SOC
    team. Data gathering is time-consuming,
    repetitive and highly detail oriented. Its
    perfectly suited to automation.
  • Applied correctly, security automation tools can
    identify relevant, critical alerts in a fraction
    of the time, with a higher degree of accuracy
    than a human analyst can. By employing an
    automation solution that identifies and groups
    related alerts into workable cases, you can
    redirect your analysts time toward in-depth
    investigation, analysis, and incident response
    activities.

10
Challenge 2 Too Many Tools
  • With a dozen or more security technologies to
    work across, your analysts spend much of their
    day switching from screen to screen just to
    gather the data they need. And mastering the ins
    and outs of managing and using a variety of tools
    creates a steep learning curve for new analysts.
  • Security orchestration fundamentally changes the
    game for SOC analysts by creating a single,
    cohesive interface for managing disparate
    security tools. As with the automation of alert
    grouping, this puts more time back into the
    analysts day for tasks that truly require human
    intervention.

11
Challenge 3 Many Manual Processes
  • Are your SOC workflows documented? Entry-level
    analysts frequently find it tough to get up to
    speed and become effective quickly when processes
    arent formalized and executed consistently.
    Manual steps within each workflow whether
    interacting with users, looking up files and
    hashes or adding new rules and signatures only
    compound the issue further by taking time away
    from higher value activities.

12
Conclusion
  • Because much of what is traditionally associated
    with the role of a Tier 1 analyst can be
    addressed with security orchestration and
    automation, its easy to see why some think these
    roles are on their way to being obsolete.
  • Yes, its true that much of what your average
    entry-level analyst is tasked with today can be
    completed faster and more efficiently through
    automation, but that doesnt mean you should give
    up your open reqs just yet. Instead, you should
    think about how to redefine your Tier 1 roles.
Write a Comment
User Comments (0)
About PowerShow.com