Much has been written about the death of the Tier 1 SOC analyst. To paraphrase Mark Twain, reports of that death are greatly exaggerated. A simple Glassdoor search yields 186 open positions that posted in just the last month. Is one of your open roles on that list?
Odds are you are recruiting for multiple security analysts at any given time, particularly at the entry level. This is largely due to a combination of attrition and growth in alerts coming in from your various security tools. To add insult to injury, if you're like most organizations, those jobs have probably been sitting unfilled for three months or more.
Directing or managing a SOC is no easy task, especially when you're short on people to manage.
Before you start thinking this is yet another diatribe on the cybersecurity skills shortage, we assure you, it's not. Rather, in this blog we will look at the role of the Tier 1 SOC analyst today and the part security orchestration and automation play in bringing about an evolution in the way SOC leaders think about these positions.
Would You Want This Job? The typical Tier 1 cybersecurity analyst job description reads a little something like this:
Under general supervision, this role is responsible for monitoring networks for security events and alerts to potential/active threats, intrusions, and/or indicators of compromises and responding to incidents at the Tier 1 level.
- Monitor security infrastructure and security alarm devices for Indicators of Compromise utilizing cyber security tools, under 24/7 operations.
- Direct response and resolution to security device alarm incidents and additional incident investigation as needed.
- Utilize cyber security analysis to generate security incident reports and document findings.
- Log details of Security Operation Center calls, including all events and actions taken, and track tickets to maintain workflow management. Document all events and actions.
- Determine the intent of malicious activity based on standard policies and guidelines and escalate further investigation incidents to the next Tier of Incident Response.
Sounds...riveting, right? Necessary sure, but, the Tier 1 SOC analyst is misnamed. Most of these roles - like the one outlined above - largely come down to data gathering, not analysis.
As a SOC leader, you're giving someone an analyst title but a job that entails spending their day with eyes on glass sifting through the digital equivalent of a monster haystack in search of a needle or two. And more hay just keeps getting added to the stack as they go. It's repetitive, manual work that generally offers little in the way of reward but carries a huge risk for the analyst who misses that one vital alert.
The Rise of the Machines Enter machine-driven solutions. Security orchestration and automation platforms are specifically designed to address many of the most prevalent security operations challenges.
Challenge 1: Too Many Alerts Most security operations teams get thousands of alerts per day and can only investigate and respond to a portion of them. On average, security operations teams leave 44% of alerts uninvestigated. Your Tier 1 analysts are the ones on the front line of this alert deluge, making them the ones most susceptible to alert fatigue and ultimately, job burnout.
The Solution: Contextual Alert Grouping and Case Management
Addressing alert overload is one of the biggest benefits security automation can bring to a SOC team. Data gathering is time consuming, repetitive and highly detail oriented. It's perfectly suited to automation.
Applied correctly, security automation tools can identify relevant, critical alerts in a fraction of the time, with a higher degree of accuracy than a human analyst can. By employing an automation solution that identifies and groups related alerts into workable cases, you can redirect your analysts' time toward in-depth investigation, analysis and incident response activities.
Challenge 2: Too Many Tools With a dozen or more security technologies to work across, your analysts spend much of their day switching from screen to screen just to gather the data they need. And mastering the ins and outs of managing and using a variety of tools creates a steep learning curve for new analysts.
The Solution: Security Orchestration and a Single Pane of Glass
Security orchestration fundamentally changes the game for SOC analysts by creating a single, cohesive interface for managing disparate security tools. It mitigates the need for expertise in each individual technology and, when delivered through a single-pane-of-glass workbench, can virtually eliminate the need to switch between multiple consoles. As with the automation of alert grouping, this puts more time back into the analysts' day for tasks that truly require human intervention.
Challenge 3: Too Many Manual Processes Are your SOC workflows documented? Entry-level analysts frequently find it tough to get up to speed and become effective quickly when processes aren't formalized and executed consistently. Manual steps within each workflow - whether interacting with users, looking up files and hashes or adding new rules and signatures - only compound the issue further by taking time away from higher value activities.
The Solution: Documented, Automated Playbooks
By definition, security orchestration and automation solutions don't just streamline security technologies; they help teams improve the creation and execution of processes that surround the use of those tools. Particularly valuable is the ability of these solutions to provide a framework for standardizing and automating playbooks and workflows. By creating a consistent sent of processes, analysts spend less time guessing about next steps and automation of key steps redirects their efforts to more critical tasks.
Hopefully you see a theme developing here. It comes down to where you want the people in your SOC spending their time. What tasks truly necessitate the critical thinking that only a human can provide? Once you are clear on the answer to that question, you can determine where to deploy automation vs. where your security talent will be most effective.
So, Do I Actually Need Tier 1 Analysts? Because much of what is traditionally associated with the role of a Tier 1 analyst can be addressed with security orchestration and automation, it's easy to see why some think these roles are on their way to being obsolete.
Yes, it's true that much of what your average entry-level analyst is tasked with today can be completed faster and more efficiently through automation, but that doesn't mean you should give up your open reqs just yet. Instead, you should think about how to redefine your Tier 1 roles.
By applying security automation, your Tier 1 analysts can start to function more like Tier 2 analysts. Your job descriptions should start to include responsibilities like:
- Conduct proactive research on emerging threats
- Perform deep incident analysis and triage
- Assess risk and provide recommendations for improving security posture
- Assist with the development of incident response plans and workflows
Security orchestration and automation can up the game of your team at all levels. As Tier 1 analysts take on what are traditionally Tier 2 tasks, Tier 2 analysts can step up their game, and so on up the chain. This allows you to not only evolve the various roles in your SOC, but it will provide the basis for evolving your security operations from largely reactive to more proactive in nature.
A Practical Case No amount of automation can eliminate the need for the critical thinking and analysis that can be provided by human security professionals. Together, security automation and smart security talent can make for a stronger, more efficient security operations team.
But don't just take our word for it. Check out our case study with MSSP Choice Solutions. By deploying security orchestration and automation, Choice Solutions has been able to automate 98% of its Tier 1 tasks. As a result, its team of analysts has been able to step up to a higher level and take on higher-value activities.
No, the Tier 1 SOC analyst isn't a dead role. However, through the continued adoption of security orchestration and automation, Tier 1 analysts are poised to have the tools, time and empowerment to truly live up to the title - analyst.