AI-Driven Cyber Attacks

Evaluating Our Defenses with a Data Science Approach

Combined Session
Tuesday, October 08, 2019 14:15—15:15
Location: Ballroom

SOC analysts are under siege to keep pace with the ever-changing threat landscape. The analysts are overworked, burned out and bombarded with the sheer number of alerts that they must carefully investigate. This intense workload is a true test of anyone's patience. We need to empower our SOC analysts to overcome the monotonous work that is leading to career burnout.

Our industry is struggling to keep up and is instead promoting silver bullets and panaceas to catch zero days, defend against APTs and use AI to detect attacks better and faster. Rather than only detecting or preventing better and faster, we should be looking inwardly at our SOCs to better serve our human analysts.

Security departments should be seeking data-driven approaches for more efficient evaluation of their operations. Applying data science and algorithms to statistically evaluate the operations within a SOC will help.

Big data is becoming a big problem for SOCs. But instead of being a problem, it should be a solution. Analysts' laborious investigations already produce a variety of data points: logs, analysts' notes, escalations, and conclusion tags. Combining these data points as independent variables and feeding them to an ML algorithm against a dependent variable, the conclusion tags, can build an evaluation score for sensors and detection rules.

With proper labeling and data wrangling, an evaluation score can be gleaned from a logistic regression algorithm. This output can evaluate the efficacy of alerts from SIEMs. With this insight, security engineers, management and analysts alike can be empowered to make data-driven decisions to tune detections and lessen the burden on the SOC by reducing the number of false-positive cases it investigates.
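As an added illustration of the pipeline the abstract describes (this is example code, not the speaker's or the talk's own), the block below takes a small constructed set of closed SOC cases, one-hot encodes the independent variables (detection rule id and sensor), uses the analyst's conclusion tag as the dependent variable (signal versus noise), fits a logistic regression by plain gradient descent so it runs without any third-party library, and then reports a per-rule efficacy score: the model's mean predicted probability that a case raised by that rule closes as signal. The rule ids, sensor names and conclusion tags are all made up for the example.

```python
"""Score SIEM detection rules from labelled SOC case data with logistic regression."""
import math
from collections import defaultdict

# Constructed sample cases: (rule_id, sensor, analyst_conclusion_tag).
# "true_positive" is signal; "false_positive" and "bau" (business as usual)
# are the noisy closures the SOC wants to investigate less often.
CASES = [
    ("R-1001", "edr", "true_positive"), ("R-1001", "edr", "true_positive"),
    ("R-1001", "proxy", "true_positive"), ("R-1001", "edr", "false_positive"),
    ("R-1002", "proxy", "false_positive"), ("R-1002", "proxy", "bau"),
    ("R-1002", "proxy", "false_positive"), ("R-1002", "edr", "bau"),
    ("R-1003", "edr", "true_positive"), ("R-1003", "edr", "bau"),
    ("R-1003", "proxy", "false_positive"), ("R-1003", "edr", "true_positive"),
]
SIGNAL_TAGS = {"true_positive"}


def encode(cases):
    """One-hot encode rule_id and sensor (independent variables) and map the
    conclusion tag (dependent variable) to 1 = signal, 0 = noise."""
    features = sorted({f"rule={r}" for r, _, _ in cases}
                      | {f"sensor={s}" for _, s, _ in cases})
    index = {f: i for i, f in enumerate(features)}
    X, y = [], []
    for rule, sensor, tag in cases:
        row = [0.0] * len(features)
        row[index[f"rule={rule}"]] = 1.0
        row[index[f"sensor={sensor}"]] = 1.0
        X.append(row)
        y.append(1.0 if tag in SIGNAL_TAGS else 0.0)
    return features, X, y


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic_regression(X, y, lr=0.5, epochs=2000, l2=0.01):
    """Gradient-descent logistic regression with a small L2 penalty so the
    collinear one-hot columns (rule group + sensor group) stay well behaved."""
    n_features = len(X[0])
    w = [0.0] * n_features
    b = 0.0
    m = len(X)
    for _ in range(epochs):
        grad_w = [0.0] * n_features
        grad_b = 0.0
        for row, label in zip(X, y):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, row)) + b) - label
            for j, xj in enumerate(row):
                grad_w[j] += err * xj
            grad_b += err
        w = [wi - lr * (gw / m + l2 * wi) for wi, gw in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b


def predict_proba(w, b, row):
    """Probability that a case with these features closes as signal."""
    return sigmoid(sum(wi * xi for wi, xi in zip(w, row)) + b)


def score_rules(cases):
    """Evaluation score per detection rule: mean predicted probability, over
    the rule's historical cases, of closing as signal rather than noise."""
    _, X, y = encode(cases)
    w, b = train_logistic_regression(X, y)
    totals, counts = defaultdict(float), defaultdict(int)
    for (rule, _, _), row in zip(cases, X):
        totals[rule] += predict_proba(w, b, row)
        counts[rule] += 1
    return {rule: round(totals[rule] / counts[rule], 3) for rule in totals}


if __name__ == "__main__":
    # Lowest-scoring rules are the first candidates for tuning or retirement.
    for rule, score in sorted(score_rules(CASES).items(), key=lambda kv: kv[1]):
        print(f"{rule}: efficacy score {score:.3f}")
```

On real data the conclusion tags come from the case management system and the feature columns would include the analyst notes, escalation flags and log-derived fields the abstract mentions; the scoring step is the same, and a rule whose cases almost never close as signal surfaces at the bottom of the list with a number behind it rather than an impression.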

Key takeaways:

1. SOC analysts are continually overwhelmed by the honorable job of investigating many alerts, tedious investigations that are still mostly resolved with false positive or business as usual conclusions.
2. We can score these cases by implementing a machine learning model to get closer to signal and more meaningful investigations rather than noisy or false positive related conclusions.

Brennan Lodge
Goldman Sachs
Brennan is a self-proclaimed data nerd. He has been working in the financial industry for the past 10 years and is striving to save the world with a little help from our machine friends. He has...
