Security operations
Laura Brosnan

5 ways to reduce SOC analyst burnout

Amid a chaotic threat landscape, SOC analysts are overwhelmed. It’s time to consider morale and culture in an industry built on binaries.

Security leaders, it’s time we address the elephant in the room: Analyst burnout is real.

Take it from someone who knows. Prior to joining Red Canary, I was a security analyst in a 24/7 Security Operations Center (SOC). My small team of analysts was tasked with defending our environment by sifting through hundreds of alerts per day, analyzing logs from various tools, blocking on indicators of compromise (IOC), neutralizing confirmed threats on a hybrid network littered with unpatched personal endpoints, dealing with shadow IT, tracking daily threat metrics…and, well, the list goes on. Let’s just say feeling “overwhelmed” was a gross understatement.

While responsibilities and maturity vary by SOC, the overtasked, overworked lifestyle of a security analyst is certainly widespread. Unfortunately, it is fast becoming a cross-sector problem as threats and attacks continue to increase. In a recent study commissioned by Palo Alto Networks, 96% of analysts polled said they feel significant personal impact following cybersecurity breaches, while more than one-third of respondents reported feeling anguish or losing sleep.

The startling statistics on the health and well-being of security analysts don’t stop there, either. According to this anthropological-style study, it turns out there are certain interactions and daily struggles that contribute to the disillusionment of modern analysts.

Beyond magically ridding the world of cyberthieves and digital fraudsters, there’s not much we can do about the challenge of defending against an increasingly sophisticated threat landscape. However, there are things that can be done to improve the quality of life for the infosec warriors on the front lines. If we want analysts who are willing to trudge through the trenches of the digitized battlefield, it’s time to consider morale and culture in an industry built on binaries.

Here are five effective ways to empower your analysts and improve your security posture for good.

1. Automate

As an analyst, repetitive response tasks such as ticket creation, blocking IOCs and initiating customer outreach were the bane of my existence. Furthermore, manually documenting these mundane actions felt like rubbing salt into the wound. Every moment spent on these menial tasks was time detracted from monitoring the network at large.

The value of logging and documentation is immeasurable—that’s certainly not being contested—but believe me when I say you will find more value in leveraging your human capital for tasks that require in-depth analysis and complex problem solving. Automation that can be done via simple scripting, APIs, or existing tools will go a long way in improving reliability and operational efficiency while also preserving human bandwidth for more meaningful work. Inspire your team to take stock of daily tasks and propose automated solutions for routine requirements.
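As an added illustration of the kind of "simple scripting" meant here (example code, not the article's or Red Canary's tooling), the script below takes a batch of alerts, validates and de-duplicates the indicators they carry, builds a blocklist payload and a single ticket, and writes an audit trail as a by-product, so the documentation step no longer has to be done by hand. The alert schema, the ticket fields, the internal address ranges and the sample alerts are all constructed assumptions.

```python
"""Automate the repetitive part of alert handling: extract and validate IOCs,
build a blocklist payload and a ticket, and record every action as an audit
entry so documentation happens as a by-product instead of a separate chore.

Example code added to illustrate the point; not Red Canary's tooling. The
alert format, ticket schema and blocklist payload are assumptions."""
import hashlib
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample alerts standing in for SIEM/EDR output (assumed schema).
SAMPLE_ALERTS = [
    {"id": "A-1001", "host": "wks-17", "severity": "high",
     "iocs": ["198.51.100[.]23", "Login-Portal[.]example", "198.51.100.23"]},
    {"id": "A-1002", "host": "wks-42", "severity": "medium",
     "iocs": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "not an indicator", "10.0.0.5"]},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Address space never pushed to a perimeter blocklist (assumed internal ranges).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def refang(raw):
    """Undo common defanging so indicators compare and validate consistently."""
    return raw.strip().lower().replace("[.]", ".").replace("(.)", ".")


def classify_ioc(raw):
    """Return (kind, value) for an indicator worth blocking, else (None, reason)."""
    value = refang(raw)
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback or any(ip in net for net in INTERNAL_NETS):
            return None, f"internal address {value} not eligible for blocking"
        return "ip", str(ip)
    if HASH_RE.match(value):
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(value)], value
    if DOMAIN_RE.match(value):
        return "domain", value
    return None, f"unrecognised indicator format: {raw!r}"


def build_response(alerts, now=None):
    """Turn a batch of alerts into one ticket, a blocklist payload and an audit trail."""
    now = now or datetime.now(timezone.utc)
    stamp = now.isoformat(timespec="seconds")
    blocklist, rejected, audit = {}, [], []
    for alert in alerts:
        for raw in alert["iocs"]:
            kind, value = classify_ioc(raw)
            if kind is None:
                # Anything that fails validation is queued for a human, not silently dropped.
                rejected.append({"alert": alert["id"], "raw": raw, "reason": value})
                continue
            entry = blocklist.setdefault(
                (kind, value), {"type": kind, "value": value, "source_alerts": []})
            if alert["id"] not in entry["source_alerts"]:
                entry["source_alerts"].append(alert["id"])
    for entry in blocklist.values():
        audit.append(f"{stamp} block {entry['type']} {entry['value']} "
                     f"(alerts {','.join(entry['source_alerts'])})")
    for item in rejected:
        audit.append(f"{stamp} skip {item['raw']!r} from {item['alert']}: {item['reason']}")
    ids = sorted(a["id"] for a in alerts)
    ticket = {
        "id": "TKT-" + hashlib.sha256(",".join(ids).encode()).hexdigest()[:8],
        "severity": max((a["severity"] for a in alerts),
                        key=lambda s: SEVERITY_RANK.get(s, 0)),
        "hosts": sorted({a["host"] for a in alerts}),
        "alerts": ids,
        "blocked": len(blocklist),
        "needs_review": len(rejected),
    }
    audit.append(f"{stamp} opened {ticket['id']} severity={ticket['severity']} "
                 f"hosts={','.join(ticket['hosts'])}")
    return {"ticket": ticket, "blocklist": list(blocklist.values()),
            "rejected": rejected, "audit": audit}


if __name__ == "__main__":
    print("\n".join(build_response(SAMPLE_ALERTS)["audit"]))
```

The two pieces worth copying are the validation step, which keeps internal addresses and malformed strings out of the blocklist and routes them to a review queue instead, and the audit list, which records every block, skip and ticket with a timestamp at the moment the script decides on it, so the write-up the analyst used to produce by hand already exists when the ticket is opened.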


2. Provide training on core tools

Security analysts are brilliant technicians, but, bear in mind, we can’t know everything about every tool. Perhaps in a not-too-distant future, we’ll be able to download data and become security cyborgs. Until then, training your very human analysts on core tools and how they’re deployed within your environment is critical. Say your organization leverages Microsoft Defender for Endpoint as an EDR product, but still uses an on-prem legacy tool for vulnerability assessments. From the get-go, analysts need to know how tools function within your environment and where telemetry is sourced, as it is key to their operational competence.

Make use of vendor documentation to ensure the most up-to-date training is being provided to your analysts, no matter what. Less mature SOCs tend to focus on writing step-by-step procedures for the use of individual tools within their environments, spending precious time recreating resources that already exist. While internal documentation on Standard Operating Procedures (SOP) can be useful, internally composed how-tos on vendor-specific products are redundant and require man-hours and oversight to keep them current.

For the love of security, PLEASE STOP BUYING NEW TOOLS. There’s always going to be a new tool to worship, one that claims it can protect your environment from all-of-the-things. Even if that were true, perpetual “tool hopping” is a detriment to your network and those who are tasked with protecting it. Pushing new tools to production may damage the efficacy of the security controls and procedures already in place. Instead, closely evaluate your company’s existing toolset and consult with your analysts to determine capabilities. In doing so you may find the control you were looking for is as simple as toggling a switch. At the very least, you’ll have keen analysts who’ve helped develop a capability matrix from which you can make informed decisions when it comes to purchasing the right tools. Of course, there are times when you may need new tools, but buying new things should not be the default reaction to every perceived problem or shortcoming.


3. Do not implement quotas

Measure the quality of the work, not the quantity. Tracking individual performance metrics such as severity of work handled, time spent on alerts, and tasks completed does little if anything in measuring the overall performance of the SOC. In reality, individual quotas deter thorough analysis and can lead to the mishandling of an incident, thus becoming a devil-take-the-hindmost kind of situation.

It’s definitely OK—and necessary, really—to track analyst metrics from a macro level to gauge team performance. Unlike analyst-specific quotas, which incentivize speed over literally anything else, team-level data can help you determine knowledge gaps, process inefficiencies, and tool shortcomings. If you were to notice that your team’s mean time to containment (MTTC) was more than four hours per incident, for instance, that would be worth looking into as an area for improvement. Ultimately, shifting focus from individual to operational performance will provide analysts some breathing room in an already high-pressure, high-performance environment.
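To make the team-level measurement concrete, here is an added example (not the article's or Red Canary's code) that computes mean time to detect and mean time to contain across a batch of incident records, with the four-hour MTTC check from the paragraph above. Nothing in it is keyed to an individual analyst. The incident record format and the sample incidents are constructed assumptions; open incidents are deliberately excluded from the containment average and reported by age instead, since counting them would either hide or distort the number.

```python
"""Team-level response metrics (MTTD/MTTC) computed over incident records.
Added example, not the article's or Red Canary's code; the record format is assumed."""
from datetime import datetime, timezone
from statistics import mean, median

# Constructed incident records (assumed schema). Times are UTC ISO 8601; a
# None in "contained" means the incident is still open.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "severity": "high", "first_event": "2024-03-01T08:00:00Z",
     "detected": "2024-03-01T08:30:00Z", "contained": "2024-03-01T10:00:00Z"},
    {"id": "INC-2", "severity": "medium", "first_event": "2024-03-02T14:00:00Z",
     "detected": "2024-03-02T14:05:00Z", "contained": "2024-03-02T16:35:00Z"},
    {"id": "INC-3", "severity": "high", "first_event": "2024-03-03T01:00:00Z",
     "detected": "2024-03-03T03:00:00Z", "contained": "2024-03-03T12:00:00Z"},
    {"id": "INC-4", "severity": "low", "first_event": "2024-03-04T09:00:00Z",
     "detected": "2024-03-04T09:10:00Z", "contained": None},
]
# Fixed "current time" so the example is reproducible (constructed).
AS_OF = datetime(2024, 3, 4, 21, 10, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; None passes through (field not yet set)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours_between(start, end):
    return (end - start).total_seconds() / 3600.0


def team_metrics(incidents, now, mttc_threshold_hours=4.0):
    """Aggregate detection and containment times across the team, never per analyst."""
    ttd, ttc, by_sev, open_ages = [], [], {}, {}
    for inc in incidents:
        first = parse_ts(inc["first_event"])
        detected = parse_ts(inc["detected"])
        contained = parse_ts(inc["contained"])
        if detected is not None:
            ttd.append(hours_between(first, detected))
        if contained is None:
            # Open incidents are not containment data points; report their age instead.
            open_ages[inc["id"]] = round(hours_between(detected or first, now), 2)
            continue
        hours = hours_between(detected, contained)
        ttc.append(hours)
        by_sev.setdefault(inc["severity"], []).append(hours)
    mttc = mean(ttc) if ttc else None
    return {
        "incidents": len(incidents),
        "contained": len(ttc),
        "open": open_ages,
        "mttd_hours": round(mean(ttd), 4) if ttd else None,
        "mttc_hours": round(mttc, 4) if mttc is not None else None,
        # The median is reported alongside the mean because one slow incident
        # (INC-3 here) can pull the mean past the threshold on its own.
        "mttc_median_hours": round(median(ttc), 4) if ttc else None,
        "mttc_by_severity": {s: round(mean(v), 4) for s, v in sorted(by_sev.items())},
        "mttc_over_threshold": mttc is not None and mttc > mttc_threshold_hours,
    }


if __name__ == "__main__":
    for key, value in team_metrics(SAMPLE_INCIDENTS, AS_OF).items():
        print(f"{key}: {value}")
```

With the sample data the team MTTC comes out just over four hours while the median is two and a half, which is exactly the situation where the per-severity breakdown tells you where to look (the high-severity incidents) rather than whose queue to blame.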


4. Pave the way for growth

Nobody wants to feel like they are on an endless road to nowhere. The easiest way to lose scarce, stellar talent is by failing to support them. I get it; as CISOs and SOC managers, you’re likely busy attending strategy meetings in conjunction with developing security policies (and we thank you!). But, I promise it will pay dividends to prioritize a couple of minutes per week to check in with analysts and let them know you care. Make your presence known, celebrate victories and offer guidance. A little hype from leadership goes a long way when preventing burnout.

Additionally, allow your analysts to specialize in technical areas that align with their individual interests. If you leverage a certain authentication protocol in your environment such as Kerberos and an analyst expresses interest, set them up with a pentesting course that addresses Kerberoasting. Not only will they potentially grow into a subject matter expert (SME), but their newfound skills will benefit the overall operation.

Security analysts who become SMEs can spread the love in the form of a Lunch and Learn event or a team training session. Think of it this way: investing in the education and training of an analyst is investing in the team as a whole. Whether it is vendor or peer-led education, fostering a pipeline for growth will ultimately give way to greater operational maturity and an infantry of analysts well-qualified for upward mobility.


5. Encourage work/life balance

This “always-on” culture that has become so prevalent in SOCs is hindering operational capacity and, as noted, adversely affecting the mental and physical health of security analysts around the world. While tools don’t need rest, humans do. Adopt a culture that promotes a balance between work and personal life. Every minute an analyst spends working off-hours is equivalent to two minutes lost in output while on the clock. That adds up. Exhausted analysts tend to produce less effective results. It’s human nature. Encourage time off and lead by example.

If you implicitly expect analysts to stay overtime, hire more analysts or give thought to an alternative work schedule such as four 10-hour shifts or three 12-hour shifts (state labor laws apply here, so do your research). It is also wise to rotate schedules biannually, at minimum, to combat stagnation and low morale. Lastly, plan for the future by giving analysts the option to work remotely. The security industry has proven that a remote workforce can succeed, even when we were all forced to work from home with no time to prepare. If security teams manage to drive productivity and innovation during a global pandemic, think of your team’s potential when they’re given the tools and support to work from anywhere.


A hopeful future

As someone who has been both an analyst and a leader within a SOC environment, I’ve seen the good, the bad, and the ugly. I’ve seen the pressure of it all break people, more times than I’d like to admit. But, I’ve also witnessed humanity, resilience and the technical prowess the very same individuals exude. The reality is: without highly skilled analysts, logs would go unchecked, threats would go unnoticed, and network security wouldn’t stand a chance. So, rise up and be an ally to those standing watch. Help inspire a new generation of cyber leaders and defenders. A little altruism never hurt, especially when it comes to the betterment of the community.
