The changing role of a Security Operations Centre analyst
As the world transforms into a virtual forest of information, organisations are finding that
cyber security has become ingrained into its roots; investing in digital defences has become an essential common practice. Being a Security Operation Centre analyst is being on the front line of an organisation’s fortress; they are the staff who protect the perimeter, guard the entryways and patrol the virtual corridors.
With most businesses relying on their IT infrastructure to function, it has been predicted that by 2020, our digital universe will hold 44 trillion gigabytes of data, which is the equivalent of 6.6 stacks of iPads between the Earth and moon. The incredible rates of data growth mean that Security Operation Centres (SOCs) face the problem of being swarmed by a plethora of security alerts, and SOC analysts can become consumed by alert management tasks rather than fulfilling the mantle of a proactive defender. The introduction of Prescriptive Security, brings in intelligent automation of alerts to enable SOC analysts to better utilise their time as an advanced threat hunter and security specialist.
I was drawn to a career in cyber security following the shock of learning about the devastating impact that cyber attacks can cause. I started to wonder how it was possible for an organisation to protect itself from an ever-changing threat. My time as a SOC analyst began in 2015 as a Graduate Trainee and involved being part of a round-the-clock team monitoring a variety of networks and devices. Each set of security devices will inspect the network traffic going to or from the device or zone it is protecting, and trigger an alert based on a set of rules that define suspicious characteristics or behaviour. The analyst would then inspect the alert created and perform investigations using in-house and open source intelligence tools to determine if the alert is legitimate or a false positive. Legitimate alerts are classified as incidents and require further investigation into the nature of the risk or breach, then the relevant specialist or incident management teams are engaged to resolve the incident.
Power of Prescriptive Security
The modern growth of connectivity and business infrastructure quickly impacted the role significantly. The vast amounts of data and alerts caused the thinly-spread specialised Analyst to prioritise their responsibilities, meaning actively seeking and researching threats took a back-seat. What should have been a partly proactive role suddenly became a heavily reactive one.
Prescriptive Security is based on automating simple threat analysis. Sophisticated machine learning can identify threats, even initiate remediation and clean-up actions in significantly quicker time. Automating the basic tasks of a SOC analyst frees them to combine the brilliance of a human mind with the supercomputing power of Prescriptive Security. Under this new model, Analysts are returning to detailed malware analysis, researching the latest exploits and spending more time on stopping attacks before they even happen. As advanced technology can draw meaning from huge quantities of seemingly random data, complex patterns and trends emerge which were before unseen, unlocking further potential for accurate foresight to keep organisations one step ahead.
Embracing the change
While not all SOCs work in the same way, they share a common need to mature in order to provide an efficient and effective service. It is no surprise that the more advanced security organisations are embracing the need for change, and realising the requirement to adapt its people as well as technology is equally important. The role of a SOC analyst is maturing, with the true value of people upheld through the integration of big data analysis techniques with cyber security.
It is said that cyber security progressions are driven by the boardroom, with leading organisations in all industries setting the standards, in turn affecting how SOCs operate. Organisations who invest in intelligent security will advance their asset protection by enabling a proactively focused defence strategy. The SOC analysts will no longer be burdened with repetitive alert management and instead invest their time and passion into the work and research of a true security practitioner.
Digital Vision for Cyber Security
This article is part of the Atos Digital Vision for Cyber Security opinion paper. We cover what every business should know about cyber security, why a concerted response is essential, and how to protect data, systems and services from any attack.