Security Operations Centres Challenges

I have been working with Security Operations Centres (“SOC”) for most of my career in the past 9 years, and I have worn many of the hats available – SOC Analyst -> SIEM Engineer -> IR Specialist -> Threat Intel Lead -> Consultant. As with many other careers and jobs, there are always ups and downs, good times and bad times. My first work as a SOC Analyst was to transition the managed SOC service under a new vendor (the company I was hired by). This felt like a smooth introduction to the world of Security, but little did I know that this was mainly just compliance checks and monitoring. Going straight to the point, what I have learned is that after a while you start to pick up on, and more easily recognise, the challenges that are most common in Security Operations.

I tried to categorise the challenges into two main pillars: the most common and the most frustrating. I think many have different experiences, but this is how I feel I would split them up from my point of view. So here it goes: this is what I usually watch out for.

Most common SOC challenges

  • Alert fatigue and firefighting, with little or no time for critical thinking
  • Reactive vs Proactive attitude
  • Lack of automation and integration
  • Lack of additional data to triage alerts and understand context behind alerts
  • Lack of understanding of the infrastructure and key security controls
  • No clear processes (SOC, IR, CTI, VM etc.)
  • Lack of documentation (service catalogue, operating model, processes and procedures, etc.)
  • Lack of understanding of business mission and crown jewels
  • Lack of understanding of how the business operates – trying to adapt general processes (every environment is different)
  • Lack of understanding of key stakeholders and escalation points
  • Insufficient authority of the SOC and no clear escalation path
  • No effective measurements of SOC performance, metrics focusing on quantity rather than quality
  • Lack of best practices and standards – not using frameworks
  • No dry run exercises/simulations to prepare for the real thing

Most frustrating SOC challenges

  • No business buy-in
  • No strategy from leadership
  • Relying too much on technology rather than people and processes
  • Not enough staff, not enough skilled staff, not enough training and knowledge transfer
  • Acquiring technology without understanding business needs and requirements
  • Duplication of work (Siloed teams and lack of collaboration medium + too many tools doing the same thing)
  • Recruitment and retention strategy – no clear training and career path for junior analysts ending up in high turnover for the SOC
  • Running too fast without learning to walk first – focusing on advanced capabilities and neglecting the basics
  • Bureaucracy, internal politics and personal agendas

After jotting down some of my points, I started researching resources on the same subject and found the ones below really good.

References

https://www.researchgate.net/publication/347520429
https://www.devo.com/wp-content/uploads/2019/07/2019-Devo-Ponemon-Study-Final.pdf