Enhancing Work Efficiency in SOC Teams

Enhancing Work Efficiency in SOC Teams
Enhancing Work Efficiency in SOC Teams

These days, there’s not a SOC in sight that isn’t trying to juggle a load or hack a way to do more with less. As the cyber talent crisis persists, AI-generated threats hit the fan, and teams try to scale to an ever-widening workload and ever-growing attack surface; it is important that SOCs follow high-efficiency practices to be able to survive.

Here are some ways to help your SOC do the most by focusing on the things that matter most.

Wisely Leverage GenAI

PWC’s 2024 Global Digital Trust Insights report reveals that generative AI, while causing security problems, is also being used to close the cyber talent gap between what needs to be done and what resources an organization has on deck.

Per the report, SOCs can now leverage GenAI in the following ways:

  • Threat detection and analysis | Identifying anomalies at scale and autonomously beginning the investigation process by methodically pursuing possible paths. This saves a lot of time on perfunctory searches and helps SOCs get to the real lead sooner.
  • Adaptive controls | As software supply chains and cloud environments evolve, Machine Learning (ML) can provide to-the-minute policy recommendations and best practices to help SOCs adapt to where things are now – it changes that fast.
  • Cyber risk and incident reporting | Natural Language Processing (NLP) can quickly take in complex cybersecurity reports and technical documents and break them down into layman’s terms so everybody can understand them on the same level.

Gartner predicts that by 2028, the adoption of generative AI will have completely closed the ongoing cyber skills gap, replacing as many as half of all entry-level cybersecurity roles.

Have a Plan for Handling Alerts

IDC research notes that it takes about 30 minutes to investigate each false positive alert. So much wasted time is spent looking at the wrong details, so prioritizing where to search first is paramount in improving SOC efficiency.

Save time by establishing playbooks for each type of alert, so you have a quick and standardized starting place. This eliminates time spent on fruitless searches that go down irrelevant paths. Prophet Security’s Grant Oviatt, Head of SecOps, notes that “[Playbooks] should include specific indicators of compromise (IOCs) or behaviors identified in the detection, along with references to their sources, such as whitepapers, tweets, etc., or other related alerts,” arguing that “this approach provides analysts with immediate context to begin triage and investigation.”

And that context will at least get you looking in the right area.

Automate, Automate, Automate

“If it can be automated, it should be automated” is a strong saying to live by in cybersecurity. Thankfully, GenAI (and AI in general) makes that incredibly easy. So do other technological approaches and their applications.

CISA notes that “Enabling automation is a critical component of every organization that wishes to address the speed and scale of modern cyber attack.” They also provide the following advice for determining what to automate:

“Automated processes should be designed to leverage what automation does well, which is consistent, rapid, and repetitive execution of conditional logic. This makes automation perfect for implementing triage and prioritization tasks, allowing analysts to quickly focus on the information and events that are associated with the most risk.”

That means that automation should be applied to parsing out what is important, like separating legitimate alerts from false positives. SOC experts can then focus on what is important and do what they do best; make intelligent inferences, experienced judgment calls, and final decisions.

Prioritize to Avoid Burnout

Vendict’s 2024 CISO Burnout Report notes that 80% would classify themselves as “highly stressed,” with one in three admitting that it compromises their ability to effectively perform their roles.

While not directly a part of SOCs, high anxiety levels in CISOs are perhaps only indicative of the rising levels of security burnout among the general ranks. RSA Conference’s Executive Chairman, Dr. Hugh Thompson, notes that burnout levels are indicative of what we saw during the height of the COVID-19 crisis, claiming that “[we] saw levels of burnout go back down to a steady state in 2022 and 2023, but now they’re going back up for different reasons.”

Those reasons? In addition to the usuals like ransomware, “liability” and “reporting” obligations have put a new level of pressure on already-strained SOCs. In the middle of a high-level security attack, SOCs now struggle to balance reporting the crisis (in full legal detail) and actually putting it out.

We all know alert fatigue is a huge contributor to security burnout. So is the complexity, overwhelm, and frustration caused by too many unintegrated tools, too many unused tools (“shelfware”), a lack of visibility into complex environments, and security surprises from Shadow IT, an unvetted supply chain, and all-too-common OS vulnerabilities. SOCs today have attacks coming in from all sides, and efficiency demands they make the best use of their time.

The solution? Put first things first. When you can’t get to it all, you at least need to handle what is most important. As Malcolm Harkins, Chief Security and Trust Officer at HiddenLayer, explains, “If you have a limited budget, the things you need to manage first are the things that are going to kill you.”

Conclusion

Today’s SOCs are under an immense amount of pressure, but “the night is darkest just before the dawn,” as the saying goes. Thanks to generative AI advancements, new automation tools, improved thinking around alerts, and overall frustration with overstretched experts, SOCs are getting the solutions they need to “work smarter, not harder,” and put their cybersecurity domains into a strategy they can efficiently control.

About the author:

An ardent believer in personal data privacy and the technology behind it, Katrina Thompson is a freelance writer leaning into encryption, data privacy legislation, and the intersection of information technology and human rights. She has written for Bora, Venafi, Tripwire, and many other sites.

Leave a Comment