Top SOC Challenges Facing Analysts and Managers

Grant Oviatt
May 3, 2024

It has never been harder to deliver exceptional outcomes in a security operations environment than today. As a former SOC analyst, I empathize with the persistent challenges of managing an onslaught of grueling false positive alerts with limited context (looking at you, DNS alerts). However, three significant changes over the past decade have made SOC analysis and management jobs even more challenging.

  • The security perimeter kept growing with remote workforces and cloud migrations
  • Adopting more security tools to protect your expanded perimeter generated massive volumes of alerts
  • Ransomware went mainstream, threatening every organization

Challenge #1: You have to be a security expert at “everything”

The security perimeter is larger than it’s ever been. With the proliferation of SaaS applications, cloud workloads, and distributed workforces, organizations are adopting security tools that extend visibility into different facets of their network environments. Things like cloud audit logging and autoscaling workload monitoring that were in their infancy 10 years ago are table stakes today. While increased visibility enables your team to respond to impactful threats that have adapted to modern workplaces, it also adds strain on maintaining a consistent and effective response.

SOC Analyst Challenge

SOC analysts must now learn how to gather data from a wide array of security tools across domains (cloud, endpoint, etc.), and then hone the right analytical process to identify and respond to threats. This takes a mental toll, especially when your workflow spans multiple vendor consoles and different contexts in a single day.

SOC Manager Challenge

SOC leaders now carry the burden of finding security experts who can accurately investigate alerts across their entire technology stack, but such people are almost impossible to recruit. Additionally, the need to monitor a broader perimeter leads to increased SIEM data costs and product investments that cut directly into hiring budgets.

Challenge #2: More alerts doesn’t equal more security

Increased visibility serves as both a blessing and a curse for security teams. While more telemetry brings about the potential for higher fidelity and more responsive security outcomes, it also significantly increases the alert volume for your operational teams – often without a tangible benefit. This “alert barrage” from security vendors forces most organizations to take one or more of these three paths:

  • “Grin and bear it” by applying more analyst resources (internal or outsourced) to the triage and investigation of every alert with a significant severity.
  • Tune alerts to fit the team’s capacity by consistently modifying or disabling (eek!) alert sources.
  • Make a substantial investment to automate and enrich alerts in an attempt to eliminate common headaches.

SOC Analyst Challenge

Responding to every alert that crosses the wire, especially false positive activity, can be monotonous and stressful, often feeling like there is no end or reward in sight. It’s a dangerous recipe that quickly leads to analyst mistakes, burnout, and ultimately high job turnover. In fact, a study by Mimecast found that one-third of SOC analysts are considering leaving their role due to stress and burnout.

Investing in automation engineering has the promise of easing alert fatigue, but the responsibility is often owned by a separate team that doesn’t have to respond to alerts. That disconnect can lead to overlooked tuning, or worse, custom noisy detections the SOC must manage.

SOC Manager Challenge

As a SOC leader you’re faced with the delicate balance of maintaining employee morale and managing the risk of false negatives caused by overtuning detections or disabling alert sources altogether – both of which create significant operational risk.

Challenge #3: Every organization is now a target of ransomware

Before the advent of ransomware, most notable cybercrimes were reserved for a small percentage of globally recognized businesses that harbored intellectual property, political intelligence, or large-scale payment processing that would attract the attention of a sophisticated threat.

Today, every organization is a potential target for ransomware, with ransom demands skyrocketing along with the risk of business disruption through mass encryption and secondary extortion from data theft. Compounding the issue, ransomware operators are moving faster. Secureworks cited a median time of 24 hours between initial access and payload delivery for ransomware actors, and Rapid7, in their Vulnerability Intelligence report, found that 56% of the vulnerabilities they observed in 2022 were exploited within seven days of public disclosure.

This change in the threat landscape demands hypervigilance from security operations teams along with close coordination with internal IT and engineering teams to not only investigate, but remediate threats and external vulnerabilities immediately.

SOC Analyst Challenge

Universal ransomware risk forces SOC teams not only to be highly accurate but to operate at a breakneck pace in order to protect against a potential business shutdown. This leads to long hours, high degrees of stress, and new tasks like vulnerability management added to the never-ending to-do list of security work.

SOC Manager Challenge

SOC managers are under more pressure than ever with the expectation of flawless team precision and speed, further lowering morale.

Overcoming these SOC challenges

It’s clear that the nature of security operations has rapidly evolved, and the current technology we’re using is struggling to keep up with the security demands of modern organizations and threat actors. Ultimately, a new approach is required that supercharges human analysts to fully investigate and respond to threats at machine speed rather than turning people into alert automatons. 

Key takeaways:

  1. Embrace 'defense in depth' whenever feasible, implementing multiple layers of visibility and security controls that cover the entire threat actor lifecycle. At a minimum, use application-based multi-factor authentication across your perimeter and maintain reliable backups.
  2. When forced to prioritize, invest your team’s investigative resources in the most efficacious signals within your environment – preferably those that are closest to “initial access” in the attack lifecycle.
  3. Job diversity is the spice of life for security teams. Formalize cross-training or rotation programs across your security organization to de-risk talent attrition and improve morale.
  4. Require detection authors on your team to also triage alerts (at least for some portion of their week). This ensures there’s a vested interest across the whole operations team in writing effective rules and tuning them appropriately.
  5. Support your teams (including managers). We're all facing these challenges together, and it's a demanding environment. Foster healthy operational practices that enable team members to disconnect and recharge whenever feasible.
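Two of the decisions above lend themselves to a small, repeatable calculation: which rules are tuning candidates (the "tune versus disable" choice from Challenge #2) and in what order an open queue should be worked (takeaway 2, signals closest to initial access first). The following Python is an added example written for this page, not Prophet Security's code; the stage list, rule names, triage history and open queue are all constructed, and the thresholds (five alerts, 20% precision) are assumptions rather than anything the post prescribes. A rule that has never produced a true positive is marked for review by its author rather than flagged for disabling, which is the overtuning risk the post warns about.

```python
"""Added example: score detection rules from triage outcomes and order an
alert queue by attack-lifecycle stage. All data below is constructed."""
from collections import defaultdict

# Simplified lifecycle ordering (assumed); lower index = closer to initial access.
STAGE_ORDER = ["initial_access", "execution", "persistence",
               "lateral_movement", "exfiltration", "impact"]

# Constructed triage history: (rule, lifecycle stage, analyst disposition).
TRIAGE_HISTORY = (
    [("dns_rare_tld", "execution", "false_positive")] * 5
    + [("dns_rare_tld", "execution", "benign")]
    + [("okta_impossible_travel", "initial_access", "false_positive")] * 4
    + [("okta_impossible_travel", "initial_access", "true_positive")]
    + [("edr_lsass_access", "execution", "true_positive")] * 2
    + [("edr_lsass_access", "execution", "false_positive")]
    + [("mfa_push_spam", "initial_access", "true_positive")] * 2
)

# Constructed open queue: (alert id, rule, lifecycle stage, vendor severity 1-5).
OPEN_QUEUE = [
    ("a1", "dns_rare_tld", "execution", 3),
    ("a2", "edr_lsass_access", "execution", 5),
    ("a3", "okta_impossible_travel", "initial_access", 2),
    ("a4", "mfa_push_spam", "initial_access", 4),
]


def rule_efficacy(history):
    """Per rule: alert volume and precision (true positives / all alerts)."""
    counts = defaultdict(lambda: {"total": 0, "true_positive": 0})
    for rule, _stage, disposition in history:
        counts[rule]["total"] += 1
        if disposition == "true_positive":
            counts[rule]["true_positive"] += 1
    return {
        rule: {"volume": c["total"],
               "precision": c["true_positive"] / c["total"]}
        for rule, c in counts.items()
    }


def tuning_candidates(history, min_volume=5, max_precision=0.2):
    """Rules that are both high-volume and rarely true positives.

    'tune'   - the rule has caught a real incident, so narrow it rather than
               disable it (disabling would trade noise for false negatives).
    'review' - zero true positives in the window; hand it back to the
               detection author to confirm before any change is made.
    """
    candidates = {}
    for rule, stats in rule_efficacy(history).items():
        if stats["volume"] >= min_volume and stats["precision"] <= max_precision:
            candidates[rule] = "tune" if stats["precision"] > 0 else "review"
    return candidates


def prioritize(open_alerts, efficacy):
    """Order an alert queue: earliest lifecycle stage first, then highest
    historical precision of the raising rule, then vendor severity."""
    def key(alert):
        _id, rule, stage, severity = alert
        stage_rank = (STAGE_ORDER.index(stage) if stage in STAGE_ORDER
                      else len(STAGE_ORDER))
        precision = efficacy.get(rule, {}).get("precision", 0.0)
        return (stage_rank, -precision, -severity)
    return [alert[0] for alert in sorted(open_alerts, key=key)]


if __name__ == "__main__":
    stats = rule_efficacy(TRIAGE_HISTORY)
    for rule, s in sorted(stats.items()):
        print(f"{rule:24s} volume={s['volume']:2d} precision={s['precision']:.2f}")
    print("tuning candidates:", tuning_candidates(TRIAGE_HISTORY))
    print("work order:", prioritize(OPEN_QUEUE, stats))
```

On the constructed data the DNS rule (six alerts, no true positives) comes back as `review`, the impossible-travel rule (five alerts, one real incident) as `tune`, and the queue is worked as `a4, a3, a2, a1`: both initial-access alerts first, the proven MFA-spam rule ahead of the noisier travel rule, and the vendor severity of 5 on the LSASS alert does not move it ahead of them.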

How Prophet AI for Security Operations helps

We developed Prophet AI for Security Operations in order to address some of the key challenges of triaging, investigating, and responding to alerts. If you’re interested in supercharging your human analysts, request a demo of Prophet AI to learn how you can triage and investigate security alerts 10 times faster.
