Of course, the much-touted “Cybersecurity Skills Shortage” isn’t news to anyone, or it shouldn’t be. For seven or more years, journalists, industry analysts and practitioners have been opining about it one way or another. Analyses and opinions vary on how we have reached this impasse, my own being that this is a largely self-inflicted crisis caused by proscriptive hiring practices and unreasonable job requirements, but the outcome remains the same. We have too few people doing too much work, with too many tools and too few meaningful resources.
The typical SOC of today is drowning in alerts. In the financial world, for example, 60% of banks routinely deal with 100,000+ alerts every day, with 17% of them reporting 300,000+ security alerts, according to research carried out by Ovum, and this pattern is repeated across industry verticals.
There is no way that the typical Security Operations Center is staffed to the levels required to triage these alerts, meaning that a large proportion of them are simply never actioned (read: ignored). Of those that do eventually see a pair of eyes, it hardly seems worth the effort. An EMA report all the way back in 2017 found that analysts were spending around half an hour investigating each incident, with much of that time spent either downgrading alerts marked as critical (46%), otherwise reprioritizing (52%), or identifying false positives (31%).
This deluge of information, together with a focus on small, repetitive and often manual tasks, is a critical factor contributing to fatigue, boredom, and a feeling of powerlessness in the workplace. A recent survey carried out by Trend Micro revealed that IT teams are under significant pressure, with the challenges cited including prioritizing emerging threats (47%) and keeping track of a fractured security environment (43%). The survey showed that they are feeling the weight of this responsibility, with many (34%) stating that the burden they are under has led their job satisfaction to decrease over the past 12 months. It’s not just the SOC analysts either. In that same survey, one third of IT executives told us that they felt completely isolated in their role.
Workplace pressure at these levels is simply not sustainable: fatigue leads to neglect, neglect to mistakes, and mistakes lead to burnout, further reducing the available talent pool and dissuading others from ever entering the industry. It’s a vicious circle.
This security event flood is exacerbated by the fact that the majority of organizations rely on large numbers of specialized and disconnected tools. Many of the alerts that analysts are dealing with are different views of the same object, or duplicate notifications from discrete security tools. The Ovum report I mentioned above notes that almost half of their respondents (47%) said that only one in five events is actually related to a unique security event.
In fact, Security Operations Centers are drowning in threat data, all the while thirsting for meaningful threat intelligence.
A recent blog post by my friend and colleague Greg Young laid out his reasoning on “Why XDR is a big deal and is different from SIEM and Platforms.” And a truly mature XDR technology, with feature rich APIs, collecting, correlating, triaging, reporting and perhaps even remediating (to a certain level) must represent the direction of travel for the SOC of the near future.
We are not going to solve the skills shortage within a decade; arguably, we are not going to solve it at all, particularly if we continue to focus on filling the gap with human brains. The problem is not in the potential recruitment pipeline, it is in the actual data pipeline, and that is where technology must play the lead role. What is needed is an AI-driven Tier I SOC platform able to scale with the continually increasing volume of data, automating and accelerating initial analysis, building incident context, and chasing down patient zero through automated root cause analysis. Such a system would present the human Escalation Analysts with aggregated data in a logical, attack-centric progression, automating the Monitor, Prevent, Detect and Investigate roles and providing the SOC analyst with actionable threat intelligence for real Response and Remediation.
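The two technical claims above, that most alerts are duplicate views of the same object reported by disconnected tools, and that a Tier I platform should collapse them into an attack-centric progression per incident, can be made concrete with a small normalization-and-deduplication pass. The following is an added example and not code from the original post or from any vendor's product; the raw alerts, the per-tool field names (`hostname`/`sha256`/`tactic`, `src_host`/`dst_ip`/`category`, `host`/`indicator`/`stage`) and the attack-stage ordering in `STAGE_ORDER` are all constructed assumptions chosen for illustration.

```python
"""Collapse duplicate alerts from several tools into per-host incidents.

Added example (not from the original post): the raw alerts below are
constructed, and the field names and attack-stage ordering are assumptions
chosen for illustration, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime

# Assumed attack-centric ordering used to sort events inside an incident.
STAGE_ORDER = {"initial_access": 0, "execution": 1, "persistence": 2,
               "command_and_control": 3, "exfiltration": 4}

# Constructed raw alerts. Each tool reports the same underlying activity
# with its own field names, which is why the SOC sees several alerts for
# one event.
RAW_ALERTS = [
    {"tool": "edr", "time": "2023-03-01T09:00:05", "hostname": "ws-042",
     "sha256": "aa11", "tactic": "execution"},
    {"tool": "edr", "time": "2023-03-01T09:00:06", "hostname": "ws-042",
     "sha256": "aa11", "tactic": "execution"},            # agent retransmit
    {"tool": "siem", "time": "2023-03-01T09:00:09", "host": "WS-042",
     "indicator": "aa11", "stage": "execution"},          # same event, re-raised by SIEM
    {"tool": "fw", "time": "2023-03-01T09:02:00", "src_host": "ws-042",
     "dst_ip": "203.0.113.7", "category": "c2"},
    {"tool": "fw", "time": "2023-03-01T09:02:30", "src_host": "ws-042",
     "dst_ip": "203.0.113.7", "category": "c2"},          # beacon repeats
    {"tool": "siem", "time": "2023-03-01T09:02:31", "host": "ws-042",
     "indicator": "203.0.113.7", "stage": "command_and_control"},
    {"tool": "edr", "time": "2023-03-01T08:58:00", "hostname": "ws-042",
     "sha256": "bb22", "tactic": "initial_access"},
    {"tool": "siem", "time": "2023-03-01T09:10:00", "host": "srv-db-01",
     "indicator": "203.0.113.7", "stage": "exfiltration"},
]

# Per-tool translation of field names and stage vocabularies into one schema
# (assumed schemas, chosen for the example).
TOOL_SCHEMA = {
    "edr":  ("hostname", "sha256", "tactic", {}),
    "fw":   ("src_host", "dst_ip", "category", {"c2": "command_and_control"}),
    "siem": ("host", "indicator", "stage", {}),
}

def normalize(alert):
    """Map a tool-specific alert onto (host, indicator, stage, time, tool)."""
    host_f, ind_f, stage_f, stage_map = TOOL_SCHEMA[alert["tool"]]
    stage = alert[stage_f]
    return {
        "host": alert[host_f].lower(),       # hostnames differ only by case
        "indicator": alert[ind_f],
        "stage": stage_map.get(stage, stage),
        "time": datetime.fromisoformat(alert["time"]),
        "tool": alert["tool"],
    }

def deduplicate(alerts):
    """Collapse alerts sharing (host, indicator, stage) into one event,
    keeping the earliest timestamp and the set of tools that saw it."""
    events = {}
    for a in map(normalize, alerts):
        key = (a["host"], a["indicator"], a["stage"])
        ev = events.setdefault(key, {**a, "tools": set(), "count": 0})
        ev["time"] = min(ev["time"], a["time"])
        ev["tools"].add(a["tool"])
        ev["count"] += 1
    return list(events.values())

def build_incidents(alerts):
    """Group unique events per host and order them by attack stage, then
    time, so an escalation analyst reads the progression, not a log dump."""
    incidents = defaultdict(list)
    for ev in deduplicate(alerts):
        incidents[ev["host"]].append(ev)
    for host in incidents:
        incidents[host].sort(key=lambda e: (STAGE_ORDER[e["stage"]], e["time"]))
    return dict(incidents)

def reduction_ratio(alerts):
    """Raw alerts per unique event; the Ovum figure quoted above is about five."""
    return len(alerts) / len(deduplicate(alerts))

if __name__ == "__main__":
    for host, events in build_incidents(RAW_ALERTS).items():
        print(f"incident on {host}: {len(events)} unique events")
        for e in events:
            print(f"  {e['time'].time()} {e['stage']:<20} {e['indicator']:<12}"
                  f" seen {e['count']}x by {sorted(e['tools'])}")
    print(f"reduction: {reduction_ratio(RAW_ALERTS):.1f} raw alerts per event")
```

On the constructed input the eight raw alerts collapse to four unique events, and the `ws-042` incident is presented as initial access, then execution, then command and control, with the count and the set of reporting tools retained so the analyst can see which sensors corroborate each step. In a real deployment the dedup key would need tuning per tool (a time window, a process or session id) to avoid merging distinct events that happen to share an indicator.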