While things are improving, there still isn’t enough staff to go around. In the meantime, alternative operating models are now starting to gain traction, writes Simon Howe, Vice President Sales Asia Pacific, LogRhythm
As Australian businesses increase their reliance on digital channels, executives are acutely aware of the risks.
In PwC’s annual CEO survey this year, 95% of Australian chief executives identified cyber hazards “as a key threat to organisational growth” – above the global average – and 78% said they have “increased long-term investments into cybersecurity and data privacy” as a result.
Most practitioners – but particularly those stationed in security operations centres (SOCs) – will tell you that investment is long overdue.
For some time now, SOCs have been understaffed.
Those that work in SOCs told one survey that the biggest hindrance to their work is the “lack of skilled staff”. The same survey found the most common size of a SOC is 2-10 full time equivalent (FTE) staff, a level that, coincidentally most respondents say is needed just “to do the system administration for the SOC”, and nothing more.
In other words, “Just ‘keeping the lights on’ is what a lot of SOCs spend their time doing, essentially just running security systems as opposed to dedicated analysis using the security relevant data in those systems,” the survey concluded.
A separate annual study found SOC staffing “remains an issue with nearly 40% of the organisations who feel their SOC is understaffed, often by fewer than 10 employees.” To be more specific, 40 percent of understaffed SOCs say between two and five people would help, and a further 31 percent need between six and 10 more staff.
That’s all well and good, but the reason SOCs remain understaffed is a historical lack of management buy-in on cybersecurity, and a long term global skills shortage.
As the PwC survey shows, executives are much more committed to cybersecurity and to investing in internal capabilities, so this at least is being resolved.
The skills shortage is a much more difficult problem. It will remain a problem: RMIT Online predicts that Australia alone will need an additional 18,000 cybersecurity experts by 2026.
Until then, building and retaining cybersecurity teams will remain an expensive proposition, and we are likely to see other approaches emerge that enable SOCs to operate more effectively, despite their lean staffing levels.
An understaffed SOC team is likely to experience fragmented workflows and task overload, and face challenges managing complexity at scale.
Understaffing is also likely to rule out around-the-clock operation, resulting in alarm fatigue in the hours the centre is open and blind spots when the centre is closed.
In addition, understaffing may manifest in delays to detect and respond to incidents. Most SOCs are goaled on metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) to threats.
Under-resourced SOCs give threat actors more time to execute their attacks and stay undetected within the environment for longer periods of time. That extended ‘dwell time’ negatively impacts the MTTD and MTTR statistics, and – at minimum – may cause risk tolerance deviations and invite unwanted scrutiny.
Finally, staff time spent ‘keeping the lights on’ is time not being spent on hunting and detecting threats proactively. This is not only a core capability of the SOC being stifled; it’s also likely to be what SOC staff want to be doing.
Keeping staff engaged may mean they are more likely to stay. That kind of stability is something most, if not all, security operations aspire to.
The rise of automation
Increased use of automation in SOCs is an obvious solution, and one that many are turning to.
“With a perceived lack of talent or competent people, it is no wonder that respondents have turned to automation and orchestration tools to try to get things done,” the 2020 SOC Survey noted.
By introducing automation, a SOC is able to operate more effectively and efficiently. Analysts can hand off boring, routine tasks and focus their finite attention on the threats that really matter to the organisation.
Immediate notification via automated processes allow the SOC team to identify and quickly respond to any extremely unique events.
That combination of analysts and automated augmentation should translate into faster threat detection and response, and reduced MTTD and MTTR metrics.
Most SOCs will accomplish this with some form of security orchestration, automation, and response (SOAR) solution. These are recognised for their ability to simplify and streamline workflows, improve a team’s ability to detect and respond to threats quickly, and even improve job satisfaction for security analysts.
With a SOAR, organisations are able to rely more on automation to pick up workload and reduce the overhead that SOC teams – at least for now – will continue to face.