This article originally appeared as part of Cyber Defense Magazine March Edition for 2023.
While it seems we are constantly hearing of massive layoffs at tech companies and concerns of a looming recession, there is one industry that can’t seem to hire enough people and retain talent: cybersecurity. Even with companies reaching deep into their pockets to attract candidates with what can seem like open checkbooks, CyberSeek reported that there are nearly a half million open cybersecurity roles in the U.S. right now. How are these staffing shortages hitting the SOC (Security Operations Center), and what can organizations do to fill the gaps?
Overwhelmed SOC Staff Stretched Thin
When it comes to the SOC, 79% of security decision makers agreed that the cybersecurity skills shortage has impacted their security operations, according to a recent survey of security decision makers responsible for threat detection at their organizations (data from this survey is cited throughout the rest of this article). As environments become more chaotic while requirements constantly change, SOC teams are not only understaffed; they are increasingly overwhelmed. 57% of respondents indicated that SecOps is more chaotic than it was two years ago, and almost all respondents (93%) felt their organization needed to re-evaluate its SecOps priorities.
SecOps teams are working to aggressively adapt to a landscape that is constantly evolving—it’s like running up a moving escalator. Attackers don’t care that organizations are understaffed, in fact, they love it. As security teams re-architect operational infrastructure to help organizations support modern, cloud-driven, hybrid work usage models, the massive amount of IT infrastructure change leaves room for new threats to be introduced through weak links.
IT teams are facing an uphill battle to transform their security operations infrastructure while fending off attacks, and all the while, daily SecOps activities must continue to mitigate risk as the organization re-architects its security operations strategies, processes, and technologies. Migrating to the cloud cannot be done in a vacuum; everything in the organization modernizes with it. How do teams become smarter and more efficient while enhancing enterprise security postures?
Efficiency vs. Efficacy: The Lean Tradeoffs
What is one of the things making SOC staff most overwhelmed? Alerts.
Security alert management is a serious pain point, and no wonder, since 77% of survey respondents report a rise in alert volumes.
Consider how many alerts you would get in the course of a day on your phone if none were disabled or silenced. While the ten-minute alert before a meeting is often helpful and important, an alert every time an email or text arrives pulls attention away from things that need our full focus, even though the message itself rarely needs to be dealt with at that moment. Similarly, for folks with video doorbells, you want to know if someone is trying to open one of your doors, but not to be alerted every time a car drives up your street or the wind blows. Context matters.
As security controls grow in number and scope, data volume and tools multiply, making it strenuous to manage fragmented security investments as more controls and regulations are layered onto security. The result? Over half of surveyed security professionals report that alert triage is challenging or overwhelming. Similar to disabling personal phone notifications, the easier fix to this problem is re-configuring noisy threat detection solutions; the harder problem to address is threat landscape evolution outpacing SecOps countermeasures.
What are SOC staff doing to keep up? Almost everyone (96%) surveyed cited that they are making tradeoffs between efficacy and efficiency to keep up. What is the best way to combat alert fatigue and ensure that SOC staff can work as efficiently as possible, especially as teams are likely stretched thin? Automation.
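What the "context matters" tuning looks like in practice, as an added illustration that is not part of the original article or any vendor's product: the script below runs a constructed alert feed through three steps a triage automation typically performs. It collapses repeated copies of the same alert inside a time window (the same brute-force rule firing three times on one host and account becomes one alert with a count), suppresses alert sources that have been documented as benign (the scheduled vulnerability scanner, the "car driving up the street"), and ranks what remains by severity weighted with asset criticality. The sample alerts, the suppression list, the asset criticality table and the ten-minute window are all constructed assumptions for the example.

```python
"""Context-aware alert triage over a constructed sample feed (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample alerts: (ISO timestamp, rule name, host, user, severity 1-5).
SAMPLE_ALERTS = [
    ("2023-03-01T09:00:00", "brute_force_login", "web-01", "svc_backup", 3),
    ("2023-03-01T09:00:20", "brute_force_login", "web-01", "svc_backup", 3),
    ("2023-03-01T09:00:45", "brute_force_login", "web-01", "svc_backup", 3),
    ("2023-03-01T09:01:00", "scheduled_scan_noise", "scanner-01", "nessus", 2),
    ("2023-03-01T09:02:00", "new_admin_created", "dc-01", "jdoe", 4),
    ("2023-03-01T09:05:00", "scheduled_scan_noise", "scanner-01", "nessus", 2),
    # Same rule/host/user again, but 30 minutes later: outside the window, so a new alert.
    ("2023-03-01T09:30:00", "brute_force_login", "web-01", "svc_backup", 3),
]

# Constructed context: (rule, host) pairs documented as expected, benign noise.
SUPPRESSIONS = {("scheduled_scan_noise", "scanner-01")}

# Constructed asset criticality; unknown hosts default to 1.
ASSET_CRITICALITY = {"dc-01": 3, "web-01": 2, "scanner-01": 1}

# Repeats of the same (rule, host, user) inside this window collapse into one alert.
DEDUP_WINDOW = timedelta(minutes=10)


@dataclass
class TriagedAlert:
    rule: str
    host: str
    user: str
    severity: int
    first_seen: datetime
    count: int = 1

    @property
    def score(self) -> int:
        """Severity weighted by how much the affected asset matters."""
        return self.severity * ASSET_CRITICALITY.get(self.host, 1)


def triage(raw) -> Tuple[List[TriagedAlert], int, int]:
    """Return (ranked actionable alerts, alerts suppressed, alerts collapsed)."""
    open_alerts: Dict[Tuple[str, str, str], TriagedAlert] = {}
    results: List[TriagedAlert] = []
    suppressed = collapsed = 0
    # ISO-8601 strings sort chronologically, so processing order follows time.
    for ts, rule, host, user, sev in sorted(raw):
        when = datetime.fromisoformat(ts)
        if (rule, host) in SUPPRESSIONS:
            suppressed += 1          # documented benign source: drop, but count it
            continue
        key = (rule, host, user)
        existing = open_alerts.get(key)
        if existing and when - existing.first_seen <= DEDUP_WINDOW:
            existing.count += 1      # repeat inside the window: fold into the open alert
            collapsed += 1
            continue
        alert = TriagedAlert(rule, host, user, sev, when)
        open_alerts[key] = alert     # start a fresh window for this key
        results.append(alert)
    # Highest risk first; ties broken by earliest occurrence.
    results.sort(key=lambda a: (-a.score, a.first_seen))
    return results, suppressed, collapsed


if __name__ == "__main__":
    ranked, n_suppressed, n_collapsed = triage(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw -> {len(ranked)} actionable "
          f"({n_suppressed} suppressed, {n_collapsed} collapsed)")
    for a in ranked:
        print(f"score={a.score:2d} x{a.count} {a.rule} on {a.host} by {a.user}")
```

Seven raw alerts become three actionable ones, and the new administrator account on the domain controller lands at the top because asset criticality multiplies its severity. The suppression list is the part that encodes the context the article asks for; keeping it as data rather than hard-coded conditions is what lets analysts tune noise without redeploying the pipeline.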
Detection Engineering & Automation: What Understaffed SOC Team Dreams Are Made Of
The top security operations challenges and trends are intertwined and cyclical - it’s important to work smarter, not harder. Beyond staffing challenges, these include security alert management (which we’ve already walked through) and the sustained need for efficiency in detection engineering.
Detection engineering is an important area, and security leaders put a premium on time spent on this, but limited skills exist here compared to other security operations activities. As organizations' infrastructures evolve, security teams need to ensure the investments they’ve made in detection rules can be applied across multiple detection mechanisms, optimizing tools and detection engineering investments. Only 14% of security professionals surveyed indicated being able to accomplish developing and implementing new threat detection rules in less than one week, and 57% said the amount of work to design, code, implement and manage their threat detection rules was either overwhelming or challenging.
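One way to make a detection rule investment portable across mechanisms is to write the rule once in a vendor-neutral form and render it per backend. The example below is added here and is not code from the article or from Anvilogic: a constructed rule (a local administrators group being modified via net.exe) is rendered into two simplified search dialects, one SPL-style and one KQL-style. The field mappings, data sources, and the exact syntax details are assumptions for illustration, not a verified grammar of either product; the point is the separation of detection logic from backend specifics.

```python
"""One vendor-neutral detection rule rendered for several backends (added example)."""
from typing import Dict, List, Union

Value = Union[str, List[str]]

# Constructed rule. A list of values means "any of"; separate keys are ANDed.
# A "|contains" suffix asks for a substring match instead of equality.
RULE: Dict = {
    "name": "local_admin_group_modified_via_net",
    "detection": {
        "ProcessName": ["net.exe", "net1.exe"],
        "CommandLine|contains": "localgroup administrators",
    },
}

# Constructed per-backend mapping (assumed, not a verified product schema):
# where process events live and what the neutral fields are called there.
BACKENDS = {
    "spl": {
        "source": "index=endpoint sourcetype=process_events",
        "fields": {"ProcessName": "process_name", "CommandLine": "CommandLine"},
        "or": " OR ",
    },
    "kql": {
        "source": "DeviceProcessEvents",
        "fields": {"ProcessName": "FileName", "CommandLine": "ProcessCommandLine"},
        "or": " or ",
    },
}


def _escape(value: str) -> str:
    """Escape backslashes and double quotes so a value cannot break out of a literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def _quote(value: str) -> str:
    return '"' + _escape(value) + '"'


def _term(backend: str, column: str, modifier: str, value: str) -> str:
    """Render one field comparison in the target dialect."""
    if backend == "spl":
        if modifier == "contains":
            return f'{column}="*{_escape(value)}*"'   # wildcard match
        return f"{column}={_quote(value)}"
    if backend == "kql":
        op = "contains" if modifier == "contains" else "=="
        return f"{column} {op} {_quote(value)}"
    raise ValueError(f"unknown backend {backend!r}")


def render(rule: Dict, backend: str) -> str:
    """Translate the neutral rule into a query string for one backend."""
    cfg = BACKENDS[backend]
    clauses = []
    for spec, value in rule["detection"].items():
        field, _, modifier = spec.partition("|")
        column = cfg["fields"][field]       # KeyError here = unmapped field, fail loudly
        values: List[str] = value if isinstance(value, list) else [value]
        terms = [_term(backend, column, modifier, v) for v in values]
        clauses.append(terms[0] if len(terms) == 1 else "(" + cfg["or"].join(terms) + ")")
    if backend == "spl":
        return cfg["source"] + " " + " ".join(clauses)          # adjacent terms are ANDed
    return cfg["source"] + " | where " + " and ".join(clauses)


def render_all(rule: Dict) -> Dict[str, str]:
    """Render the same rule for every configured backend."""
    return {name: render(rule, name) for name in BACKENDS}


if __name__ == "__main__":
    for name, query in render_all(RULE).items():
        print(f"[{name}] {query}")
```

Adding a third mechanism then means adding one mapping entry and, if its dialect differs, one branch in `_term`, rather than re-authoring every rule; the neutral rule file is the asset the team keeps and reviews. Escaping values before they are interpolated is the defensive detail worth copying: rule content sourced from threat intelligence or user input must never be able to change the shape of the generated query.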
With the premium placed on implementing new detection rules, and 77% of survey respondents looking for a new way to engineer them, automation is the answer to the top challenges SOC staff face. While 83% of respondents were using automation in some capacity to assist with security operations, those that weren't using it exclusively were more than twice as likely to have challenges prioritizing alerts.
Not only do organizations seem to think increased investment in detection engineering will pay off, with three-quarters expecting a moderate or drastic reduction in attack dwell time, but almost all are willing to put their money where their mouth is. 98% of survey respondents are confident that their organization will fund the transformations needed in their SOC. While SOC teams look to fill the gaps on their teams, some gaps can’t wait: a gap in securing an environment against threats is one of them. Automating detection engineering is the solution that will help organizations through this transformational journey.
Get to know more about the author Karthik Kannan, Founder and CEO, Anvilogic