Carefully thought-out incident response procedures are meant to streamline every task and detail in your SOC incident response plan. Yet when security analysts face a real-life cyberattack, SOC procedures don't always work as planned. The SOC team is responsible for the entire incident response lifecycle: monitoring, detection, prevention, investigation, response and remediation. Your organization is under constant threat of attack, and analyst teams that work from a SIEM without a SOC automation platform face an impossible workload.


4 Incident Response Failure Points


#1: Too many alerts

As the number of threat types and variants grows, detection solutions are tuned to catch ever more evasive techniques. The price is that detection platforms now fire on increasingly routine machine activity, so SOC analysts face an endless stream of alerts, many of them false positives, and slide into alert fatigue. Over time analysts grow accustomed to, and even indifferent toward, new alerts. This damages incident response by wearing down their ability to respond quickly and correctly when a real attack arrives.


Solution: Integrate a SOC automation platform that organizes alerts, groups them by shared characteristics (for example the same host and the same detection rule firing repeatedly within a short window), and prioritizes them by risk or severity. This relieves alert fatigue in the SOC team. The incident response automation platform should also let analysts filter alerts easily, helping them manage their shift.
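To make the grouping and prioritization concrete, here is an added example (not code from the original article or from any vendor platform) that collapses repeated alerts from the same host and rule into one group, scores each group by severity, asset criticality, repetition and related activity on the same host, and lets an analyst filter the queue. The alert records, the severity weights, the 10-minute window and the scoring formula are all assumptions chosen for illustration.

```python
"""Alert grouping and risk-based prioritization over a constructed alert feed.

Added example; the sample alerts, weights, window and formula are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample alerts, standing in for what a SIEM forwards in one shift.
# asset_criticality: 3 = crown-jewel host, 1 = low-value host (assumed scale).
SAMPLE_ALERTS = [
    {"id": 1, "ts": "2024-05-01T09:00:00", "host": "ws-17", "rule": "psexec_lateral", "severity": "high", "asset_criticality": 3},
    {"id": 2, "ts": "2024-05-01T09:02:00", "host": "ws-17", "rule": "psexec_lateral", "severity": "high", "asset_criticality": 3},
    {"id": 3, "ts": "2024-05-01T09:03:00", "host": "ws-17", "rule": "new_service_install", "severity": "medium", "asset_criticality": 3},
    {"id": 4, "ts": "2024-05-01T09:05:00", "host": "db-01", "rule": "failed_logon_burst", "severity": "low", "asset_criticality": 2},
    {"id": 5, "ts": "2024-05-01T09:40:00", "host": "ws-17", "rule": "psexec_lateral", "severity": "high", "asset_criticality": 3},
    {"id": 6, "ts": "2024-05-01T09:06:00", "host": "kiosk-4", "rule": "av_update_failed", "severity": "low", "asset_criticality": 1},
    {"id": 7, "ts": "2024-05-01T09:07:00", "host": "kiosk-4", "rule": "av_update_failed", "severity": "low", "asset_criticality": 1},
    {"id": 8, "ts": "2024-05-01T09:08:00", "host": "kiosk-4", "rule": "av_update_failed", "severity": "low", "asset_criticality": 1},
]

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}  # assumed weights


def group_alerts(alerts, window=timedelta(minutes=10)):
    """Collapse alerts with the same (host, rule) that fire within `window`
    of the group's first alert. A later alert outside the window opens a new group."""
    groups = []
    open_groups = {}  # (host, rule) -> group currently accepting alerts
    for a in sorted(alerts, key=lambda x: datetime.fromisoformat(x["ts"])):
        ts = datetime.fromisoformat(a["ts"])
        key = (a["host"], a["rule"])
        g = open_groups.get(key)
        if g is None or ts - g["first_seen"] > window:
            g = {"host": a["host"], "rule": a["rule"], "severity": a["severity"],
                 "asset_criticality": a["asset_criticality"],
                 "first_seen": ts, "last_seen": ts, "alert_ids": []}
            groups.append(g)
            open_groups[key] = g
        g["alert_ids"].append(a["id"])
        g["last_seen"] = ts
    return groups


def risk_score(group, all_groups):
    """Assumed formula: severity x asset criticality, plus a capped bonus for
    repetition (so a flood of one low alert cannot outrank a single high one),
    plus a bonus for every other alert group seen on the same host."""
    base = SEVERITY_WEIGHT[group["severity"]] * group["asset_criticality"]
    repeat = min(len(group["alert_ids"]), 5)
    related = sum(1 for g in all_groups if g is not group and g["host"] == group["host"])
    return base + repeat + 3 * related


def prioritize(alerts, window=timedelta(minutes=10)):
    """Return alert groups sorted from highest to lowest risk score."""
    groups = group_alerts(alerts, window)
    for g in groups:
        g["score"] = risk_score(g, groups)
    return sorted(groups, key=lambda g: g["score"], reverse=True)


def filter_groups(groups, host=None, rule=None, min_score=0):
    """Analyst-side filter: narrow the prioritized queue by host, rule or score floor."""
    return [g for g in groups
            if (host is None or g["host"] == host)
            and (rule is None or g["rule"] == rule)
            and g["score"] >= min_score]


if __name__ == "__main__":
    for g in prioritize(SAMPLE_ALERTS):
        print(f"{g['score']:>3}  {g['host']:<8} {g['rule']:<22} alerts={g['alert_ids']}")
```

With the constructed feed, eight raw alerts become five groups. The two lateral-movement alerts on ws-17 come out on top because the host is high-value and has other detections firing, while the three AV-update failures on a kiosk stay near the bottom despite being the noisiest rule.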


#2: Too much disorderly manual work

Performing incident response and investigation involves in-depth analysis, but also an abundance of small, repetitive manual tasks. These tasks eat up analysts' time and can cause boredom and burnout. With the automation technology available today, there is no reason to perform many of these tasks manually.


Solution: Implement automated workflows and a workflow designer platform that can carry out many manual tasks, such as endpoint data collection, machine isolation, and sending notifications, in an orderly and timely fashion. This frees up analysts' time and attention for the more advanced incident response steps that do require the skills and judgement of a well-trained human analyst.
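The following is an added example of such a workflow, written here to show the shape of an automated playbook; it is not code from the original article or from any workflow designer product. It runs the three tasks named above in order (collect endpoint data, then isolate if warranted, then notify), gates automatic isolation so servers are never cut off without a human, and stops and flags the case for an analyst when a step fails. The endpoint inventory, the threat-intelligence table, the hash strings and the "no auto-isolation for servers" rule are constructed assumptions.

```python
"""Minimal incident-response playbook runner with guarded isolation.

Added example; ENDPOINTS, KNOWN_BAD, step names and the isolation rule are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed EDR inventory standing in for an endpoint-data query.
ENDPOINTS = {
    "ws-17": {"tier": "workstation", "proc_hash": "sha256:constructed-bad-1"},
    "db-01": {"tier": "server", "proc_hash": "sha256:constructed-bad-1"},
    "ws-22": {"tier": "workstation", "proc_hash": "sha256:constructed-benign-7"},
}
# Constructed threat-intel table standing in for an enrichment service.
KNOWN_BAD = {"sha256:constructed-bad-1": "credential dumper"}


@dataclass
class Step:
    name: str
    run: Callable[[dict], dict]            # receives the case context, returns fields to merge
    when: Callable[[dict], bool] = lambda ctx: True  # guard; step is skipped when False


@dataclass
class Playbook:
    steps: List[Step]

    def execute(self, alert: dict) -> dict:
        ctx = {"alert": alert, "actions": [], "log": []}
        for step in self.steps:
            if not step.when(ctx):
                ctx["log"].append(f"{step.name}: skipped")
                continue
            try:
                ctx.update(step.run(ctx))
                ctx["log"].append(f"{step.name}: ok")
            except Exception as exc:
                # An automated step that fails must not be silently ignored:
                # record it, stop the run, and hand the case to a human.
                ctx["log"].append(f"{step.name}: failed ({exc})")
                ctx["needs_analyst"] = True
                break
        return ctx


def collect_endpoint_data(ctx):
    host = ctx["alert"]["host"]
    if host not in ENDPOINTS:
        raise LookupError(f"no EDR agent on {host}")
    return {"endpoint": ENDPOINTS[host]}


def enrich(ctx):
    h = ctx["endpoint"]["proc_hash"]
    return {"verdict": "malicious" if h in KNOWN_BAD else "unknown", "threat": KNOWN_BAD.get(h)}


def isolate(ctx):
    # In a real SOC this calls the EDR isolation API; here it only records the action.
    ctx["actions"].append(f"isolate {ctx['alert']['host']}")
    return {"isolated": True}


def notify(ctx):
    host = ctx["alert"]["host"]
    if ctx.get("verdict") == "malicious" and not ctx.get("isolated"):
        ctx["actions"].append(f"page on-call: manual isolation needed for {host}")
    elif ctx.get("verdict") == "malicious":
        ctx["actions"].append(f"notify SOC channel: {host} isolated ({ctx['threat']})")
    else:
        ctx["actions"].append(f"ticket: review {host}")
    return {}


PLAYBOOK = Playbook([
    Step("collect_endpoint_data", collect_endpoint_data),
    Step("enrich", enrich),
    # Assumed rule: servers are never auto-isolated; a human makes that call.
    Step("isolate", isolate,
         when=lambda c: c["verdict"] == "malicious" and c["endpoint"]["tier"] != "server"),
    Step("notify", notify),
])


def respond(alert: dict) -> dict:
    """Run the playbook for one alert and return the case context (actions + audit log)."""
    return PLAYBOOK.execute(alert)


if __name__ == "__main__":
    for host in ("ws-17", "db-01", "ws-22", "laptop-99"):
        result = respond({"id": 1, "host": host, "rule": "psexec_lateral"})
        print(host, result["actions"], result["log"])
```

The audit log in `ctx["log"]` is the part worth keeping: it records which steps ran, which were skipped by a guard, and which failed, so the analyst who picks the case up can see exactly what automation already did before touching the host.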


#3: Most SOC analysts have never experienced a real breach

Of course your SOC analysts have had all the required training and, hopefully, many of them have racked up a few years of experience, but does that mean they are prepared to handle a severe cyber breach? According to the ESG report Through the Eyes of Cyber Security Professionals: Annual Research Report:

  • Less than 30% of the analysts experienced a Ransomware incident
  • Less than 20% of the analysts experienced a security incident resulting in the disruption of a business application/process
  • Less than 10% of the analysts experienced a data breach of sensitive/regulated data


If an analyst has never faced these high-pressure incidents, will they have the composure to make difficult decisions under pressure and stay calm and focused enough to carry out a precise incident response plan? Will they be able to cooperate with other SOC team members when the heat is on? What about communicating with other departments and executive management, who will want to be involved and will demand updates and information? A major cyberattack is an extremely high-pressure event that can degrade your team's incident response capabilities exactly when they are needed most.


Solution: Incorporate realistic hands-on training into your security operations strategy. The more experience your team has facing down all kinds of threats, the more likely they are to perform well in a real incident. Just like in competitive sports, the more times you have run a play in scrimmage, the more likely you are to execute it on game day. When possible, let your team train for the "real thing" in a fully simulated environment. Complement simulator training with tabletop exercises (see: 3 Tabletop Cyber Security Training Exercises You Can Do Today).


#4: Shifts create knowledge gaps

It's not easy to start a shift exactly where the previous one left off. Shift handovers are brief, and once the handover ends and the people with the most complete knowledge of the last shift's events leave the SOC, the new shift is on its own. Knowledge gaps between shifts cause disorganization, and analysts may unknowingly repeat work the previous shift already did.


The Solution: Use shift management software that captures structured shift reports and generates automatic shift briefings, so the incoming shift starts with the same picture of open cases and pending actions that the outgoing shift had.


Set your SOC up for incident response success

Many of us have managed SOCs using the SIEM and every security tool directly. We mastered the complexity and the gargantuan mission of checking every alert and making sure no threat slipped by. But today we face threats so sophisticated, and such a sheer quantity of attack attempts and vectors, that doing the job with a SIEM alone is no longer feasible. Add the difficulty of finding, training and retaining skilled analysts, and the situation is simply unsustainable. The good news is that you don't need to hire a bunch of new analysts: automate and orchestrate the SOC so that the ones you have can be more effective.

See a Cyber Range Training Session in Action