Working in a SOC is so stressful that two-thirds of employees want to leave
Fully 73 percent of 554 IT and IT security practitioners, surveyed in the Ponemon Institute's Devo-commissioned Improving the Effectiveness of the Security Operations Centre study, said the increasing workload that SOC staff face was causing burnout, while 71 percent blamed the 24/7/365 on-call culture and 69 percent said there were just too many alerts to chase.
Respondents also named a range of other problems that made 70 percent agree that working in a SOC is "very painful" – including the inability to recruit and retain expert personnel (68 percent), inability to capture actionable intelligence (55 percent), lack of resources (53 percent), and "complexity and chaos" within the SOC (49 percent).
Full Article: https://www.cso.com.au/article/664803/working-soc-stressful-two-thirds-employees-want-leave/
Thoughts?
Comments

chrisone (Member, Posts: 2,278):
A few thoughts/bullet points from my own experience. I don't care to fully articulate or elaborate on each topic lol, but...
- alert fatigue
- others not pulling their weight (probably due to lack of skills plus not "wanting" to improve skills)
- management not encouraging training
- hire a MSSP/MDR for night shift
- switch to pure red team (where I am headed)
- buy FireEye! (seriously these things weed out the false positives and give you very accurate, non-BS alerts)
- IPS (maybe pro-active IPS devices are better after all? they do the work for you )
- management should give SOC members 1-2 hours of threat hunt sessions (SOC engineers need to be in an "active defense" mindset and not always in a reactive boring alert mindset)
- hire a Snort/Suricata-experienced infrastructure engineer to tune the damn thing! (I can't stand shops who expect SOC analysts to be infrastructure engineers and infrastructure engineers to attend to alerts!) It's like asking your mechanic to be your driver too!
- more orchestration
- playbooks (what should we react to and what we should let go)
- go cloud, everyone will eventually be in the cloud
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
Swift6 (Member, Posts: 268):
Not surprised by these findings. While practices vary depending on the organisation, the ever increasing volumes of data don't make it any easier. There is no one-size-fits-all solution.

LonerVamp (Member, Posts: 518):
Definitely a thing. By the time an organization is of a size to have a SOC, they probably have enough infrastructure and users and endpoints and data floating around from years of organic growth that getting visibility into what you'd need is probably futile without a very narrow (read: achievable) scope.
Part of the problem is probably around management of the SOC and its tooling/purpose. I suspect many SOCs have lots of low level people, and then maybe a few "higher level" managers who really aren't more than glorified resource managers rather than security planners.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?

PC509 (Member, Posts: 804):
It sounds like the major issues could be fixed by management, but we all know how that goes. Give them the tools they need, the abilities they need (network visibility), and company resources (budget). With that, you could train the SOC analysts to not want to jump ship right away and probably keep a pretty good, trained team. Those that don't leave to go elsewhere will become engineers or fill other positions in the same company.
I think the majority of issues when it comes to these things are not due to the job itself, but due to management's lack of attention to the job. It can be stressful, but so is working on a car with a crescent wrench and a hammer. Doable, but you're swearing the whole time. Give them the right tools, the right training, and have their back. These numbers would change quite a bit.
LonerVamp (Member, Posts: 518):
To be fair, you only should spend as much money on security as you need to...
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?

JDMurray (Admin, Posts: 13,089):
There is a creeping "sticker shock" with information security budgets in modern, corporate organizations. The people and technology costs required to secure just email for a Fortune 500 company are considerable. Many organizations are reluctant to allocate the budget needed to mitigate their security risks, or feel they need to get their money's worth from that budget by having their security people also work non-security roles (netops, help desk, etc.). Both will cause situations that lead to the burn-out of SecOps people.
Organizations are also slow to understand how security automation and orchestration can help improve their security posture. This is not a quick or cheap thing to implement. It requires both a full understanding of all the normal activity occurring on your network and ongoing tuning to be effective. Lastly, network operations teams typically design their network(s) to be easy to diagnose and repair, which is usually not conducive to a network being internally secure. This leads to a deluge of noise that makes it difficult to determine the occurrence of true, malicious security incidents. Once again, mental fatigue and disillusionment with the SecOps role results.
JDMurray (Admin, Posts: 13,089):
Oh, if anyone has a copy of that Ponemon study, I would like to know what organizations are having such problems with their SOC processes that "their SOC team would benefit from stress management programs and psychological counseling."

UnixGuy (Mod, Posts: 4,570):
So there is a shared sentiment that incompetent management is the problem. When we say 'organisations don't understand the importance of security', this translates to senior management not having security as a priority (until a breach happens) and when they do, they don't do it right.
JDMurray (Admin, Posts: 13,089):
For those interested in solutions rather than just finger-pointing, have a look at the SANS Common and Best Practices for Security Operations Centers: Results of the 2019 SOC Survey webcast and PDF (July 2019). The biggest obstacles to effective SOC performance in this survey are:
- A lack of skilled staff
- A lack of automation and orchestration
- Too many unintegrated tools
- A lack of management support
- A lack of processes and playbooks
- A lack of enterprise-wide visibility
- Overhyped technologies (AI & automation solves staff shortage problems, etc.)