Improving the SOC Analyst Experience

Improving the SOC analyst experience featuring Forrester and LogRhythm

It’s essential to continuously improve the analyst experience (AX) and maximize the team’s efficiency when protecting the organization. Focusing on what matters most to security analysts and making their job easier can also reduce burnout and help you retain top talent.

LogRhythm recently presented a webinar featuring Forrester on this topic called, “The SOC Analyst Experience: Tools and Techniques to Enhance Performance.” Senior Threat Research Engineer, Sally Vincent, and our special guest, Forrester Senior Analyst Allie Mellen, discussed the challenges SOC analysts face and explored strategies to enhance their experience. Let’s dive into some of our key takeaways from their discussion.

How to Improve the SOC Analyst Experience

It’s no secret that being a security analyst is a challenging job. Here are the top focus areas for security leaders to consider when enhancing the analyst experience.

1. Continuous Training and Collaboration

Enhancing the analyst experience isn’t just about focusing on the user experience (UX) and user interface (UI) of products, but also providing opportunities to properly learn how to use security tools, understand security processes, improve skill sets, and develop career paths.

Before investing in any security platform, chief information security officers (CISOs) need to evaluate onboarding processes and training opportunities to ensure the team will be set up for success. Your team shouldn’t have to read through a 300-page PDF on how to get started (nor will they want to). Finding opportunities for hands-on or interactive training is much more impactful.

During the presentation, a SOC manager prompted the question, “When we are developing our new analysts, where should our focus be? Training or having them focus on the tools?”

Allie discussed the importance of striking a balance between time spent on product training and enabling the team to learn security processes that are transferable across their career. She recommended giving novice analysts “space to take alerts from start to finish” as soon as possible. It can be challenging, but the benefits go a long way toward expediting their knowledge. She also suggested that analysts use 10-15% of their work week to explore other disciplines like threat hunting, threat research, and incident response to get them ramped up quicker.

With over ten years of hands-on cybersecurity experience, Sally added that fostering a culture of collaboration and knowledge sharing within the SOC enables analysts to learn from each other’s experiences and collectively strengthens their capabilities. Sally emphasized the importance of training and resources offered by organizations like the SANS Institute.

“Take a SANS course. SANS is wonderful about doing interactive training, and it’s a good investment that companies can make to send their team members to that training because it’s hands-on and applicable right out of the gate.”

By investing in training courses, analysts gain a deeper understanding of different attack vectors, learn to effectively use various security tools, and develop the ability to think critically when investigating incidents.

2. Improve Investigation in the Analyst Workflow

Security analysts must perform a lot of tasks across the detection and response workflow. A common challenge arises during investigation steps, which are often overlooked in the security industry. Allie stated:

“Investigation takes up so much time. It is by far the most manual part of this process, the most difficult part of this process, and it’s not really mentioned very much when you think about many of the products that have been used over the years.”

When an analyst reviews alerts on a dashboard, they need to be able to answer questions such as:

  • Which alert should I respond to first?
  • Which alert can I take from start to finish or get to the point of triaging?
  • Which alert is the most difficult or the most interesting to delve into?

Even when risk-based priority ratings are assigned to alerts, knowing which threats to investigate can still be challenging. Many times, the logic for why a detection fired is unclear. To bring your analysts more value, they need a security tool that helps them understand the background of an alert and all the joint components that led to it firing in the first place. The more contextualization and correlation analysts have, the better they can tell a story with the data and make confident, accurate decisions.

3. Leverage Automation and Playbooks for Threat Detection

Reducing manual work for analysts is crucial to improving detection and response times, and it frees analysts to focus on more strategic tasks. Sally dove into how security orchestration, automation, and response (SOAR) tools help automate processes, handle alerts, perform escalations, and collect evidence. Integrating tools and automating processes can greatly improve analysts’ workflow and efficiency.

In addition, cybersecurity playbooks vastly help with streamlining the detection and response process. Playbooks are predefined, step-by-step guides or documentation that outline actions and responses to take in the event of a cybersecurity incident. Sally specifically called out the following playbooks as useful for SOC analysts:

“Having a playbook for threat hunting, a playbook for ransomware, and a playbook for malware backdoors is extremely helpful.”

She also recommended using playbooks to your advantage for training and walking new analysts through incident response. You can test your playbooks by simulating a threat hunt with red team and blue team exercises.

In addition, Sally noted how LogRhythm provides a user-friendly interface and pre-built components, such as dashboards and playbooks, that allow novice analysts to operate without deep scripting knowledge. However, Sally recommended learning scripting languages like Python and PowerShell for those interested in going further and customizing the platform.

Allie cautioned that some playbooks have many steps to them but that they might only be useful in certain circumstances. When getting started with creating playbooks, she recommended focusing on automating little tasks and then orchestrating those pieces together. From there, you can build upon those smaller tasks and then create documentation for incident response processes and playbooks.

Many security vendors provide playbooks to their customer base that SOC teams can implement or build upon, but both presenters also mentioned that the Cybersecurity and Infrastructure Security Agency (CISA) has playbooks available on GitHub that are great starting points as well.
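To make the two ideas above concrete (the triage questions and alert context from section 2, and Allie’s advice to automate little tasks first and then orchestrate them), here is a small added example in Python. It is not code from the webinar, from LogRhythm, or from any vendor product; the alerts, raw events, asset inventory, scoring weights, and the ten-minute correlation window are all constructed for illustration. Each small task is its own function, and the playbook simply chains them and returns a triage queue with a “why did this fire” story attached to every alert.

```python
"""Constructed sample data and a small alert-triage playbook (added example, not vendor code)."""
from datetime import datetime, timedelta

# Constructed asset inventory: hostname -> business criticality (1 low .. 3 high)
ASSET_INVENTORY = {"fileserver01": 3, "ws-alice": 1, "ws-bob": 1}

# Constructed alerts, shaped like what a detection engine might emit
ALERTS = [
    {"id": "A-1", "rule": "Multiple failed logons", "severity": 2,
     "host": "ws-alice", "time": "2024-01-10T09:00:00"},
    {"id": "A-2", "rule": "Suspicious encoded PowerShell", "severity": 3,
     "host": "fileserver01", "time": "2024-01-10T09:05:00"},
    {"id": "A-3", "rule": "New scheduled task", "severity": 2,
     "host": "ws-bob", "time": "2024-01-10T11:00:00"},
]

# Constructed raw events that the alerts were derived from (or that happened nearby)
EVENTS = [
    {"host": "ws-alice", "time": "2024-01-10T08:58:00", "type": "logon_failure", "user": "alice"},
    {"host": "ws-alice", "time": "2024-01-10T08:59:00", "type": "logon_failure", "user": "alice"},
    {"host": "ws-alice", "time": "2024-01-10T09:00:30", "type": "logon_success", "user": "alice"},
    {"host": "fileserver01", "time": "2024-01-10T09:04:00", "type": "logon_success", "user": "svc_backup"},
    {"host": "fileserver01", "time": "2024-01-10T09:05:10", "type": "process_start", "image": "powershell.exe"},
    {"host": "fileserver01", "time": "2024-01-10T09:06:00", "type": "network_connect", "dst": "203.0.113.7"},
    {"host": "ws-bob", "time": "2024-01-10T10:00:00", "type": "process_start", "image": "notepad.exe"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def enrich_alert(alert, inventory):
    """Small task 1: attach asset criticality from the inventory (default 1 when unknown)."""
    out = dict(alert)
    out["criticality"] = inventory.get(alert["host"], 1)
    return out


def correlate_events(alert, events, window_minutes=10):
    """Small task 2: gather events on the same host within +/- window of the alert time."""
    center = _parse(alert["time"])
    delta = timedelta(minutes=window_minutes)
    return [e for e in events
            if e["host"] == alert["host"] and abs(_parse(e["time"]) - center) <= delta]


def score_alert(alert, related):
    """Small task 3: a constructed risk score: severity x criticality plus one point per
    supporting event (capped at 5) so an alert with corroborating evidence floats up."""
    return alert["severity"] * alert["criticality"] + min(len(related), 5)


def explain_alert(alert, related):
    """Small task 4: the 'why did this fire' story an analyst wants at a glance."""
    lines = [f"{alert['id']} {alert['rule']} on {alert['host']} (criticality {alert['criticality']})"]
    for e in sorted(related, key=lambda e: e["time"]):
        detail = e.get("user") or e.get("image") or e.get("dst") or ""
        lines.append(f"  {e['time']} {e['type']} {detail}".rstrip())
    return "\n".join(lines)


def run_playbook(alerts, events, inventory):
    """Orchestration: chain the small tasks and return the triage queue, highest score first."""
    queue = []
    for a in alerts:
        enriched = enrich_alert(a, inventory)
        related = correlate_events(enriched, events)
        queue.append({"alert": enriched, "related": related,
                      "score": score_alert(enriched, related),
                      "story": explain_alert(enriched, related)})
    return sorted(queue, key=lambda q: q["score"], reverse=True)


def triage_order(alerts=ALERTS, events=EVENTS, inventory=ASSET_INVENTORY):
    """Answer 'which alert should I respond to first?' as an ordered list of alert ids."""
    return [q["alert"]["id"] for q in run_playbook(alerts, events, inventory)]


if __name__ == "__main__":
    for q in run_playbook(ALERTS, EVENTS, ASSET_INVENTORY):
        print(f"score={q['score']}\n{q['story']}\n")
```

On the constructed data the queue comes out as A-2, A-1, A-3: the PowerShell alert on the high-criticality file server, with a service logon and an outbound connection beside it, ranks above the failed-logon alert on a workstation, and the scheduled-task alert with no nearby events drops to the bottom. The point is the shape, not the weights: each function is small enough to test on its own, and the playbook is just the glue, which is the order of work Allie recommended.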

4. User-Centric Product Development and Analyst Feedback

Sally and Allie highlighted the importance of developing security tools with the workflow of analysts in mind. They noted that many products lack a user-centered approach, focusing more on integrations and flashy features rather than aligning with analysts’ needs.

Allie emphasized that a vendor’s vision and understanding of user problems play a significant role in whether analysts stick with a product. According to Allie, most security tools are built for the economic buyer, and security analysts unfortunately run into challenges when the product is not focused on what they do every single day. When evaluating security vendors, you need to ask questions like, “take me through what an analyst is actually going to have to do in this platform day-to-day.” Understanding their workflow and getting buy-in from the actual end users is essential. Whether you are a consumer or a producer of a security product, Sally emphasized the importance of incorporating feedback from both new and experienced analysts.

Security managers and CISOs should schedule regular touch points with the team to routinely gather analyst feedback as new challenges arise throughout day-to-day work.

5. How Moving to the Cloud Affects the Analyst Experience

Not all organizations can, need, or want to transition from on-prem environments. It depends on a security team’s objectives and their business’ operations within a certain region and industry. But, for security teams transitioning to cloud-native solutions, Allie and Sally had some thoughts to share. Migrating to the cloud does not necessarily result in cost savings. It is essential to consider all the associated costs holistically, rather than assuming that the cloud will automatically be cheaper.

That said, Sally and Allie highlighted the advantages of faster updates with the Software-as-a-Service (SaaS) model. By leveraging automated updates, organizations can save time and effort spent on manual updates and maintenance. Sally noted how this allows SOC teams to focus on more critical tasks such as threat hunting, red and purple team exercises, and running playbooks, rather than being burdened with product upgrades. Allie went on to add:

“As a CISO, as a SOC manager, you need to set up a platform service that’s delivering the SIEM in its entirety with all the integrations that you need, and the data that you need coming in, so the SOC can just take off running and start developing detections and doing investigation and response. Don’t put that on them to manage all the setup… because just the maintenance alone can take up so much time.”

6. Invest in Security Operation Center Services

If your team is short on resources or struggling to keep up with cyberthreats, investing in security advisory services can help you get a better return on investment. These kinds of resources may address a range of complex issues, such as obtaining faster time to value during the deployment process, expanding threat detection capabilities, reducing false positives, or tuning and optimizing security analytics content.

For example, Sally mentioned the value of LogRhythm’s Co-Pilot Services, a team that helps customers get the most value out of their security platform and processes.

“I used to work on a team called the Co-Pilot Team within LogRhythm Professional Services, where we basically helped SOC teams use LogRhythm and be a more effective SOC team. And I think it was such a good service, because it’s really a quick start guide for running a SOC and having somebody to help you through that process. I always loved doing that service.”

7. How Artificial Intelligence Plays a Role in the Analyst Experience

There is a lot of hype circling the industry about how AI will impact the market. As it pertains to the security team, Allie brought up an interesting point about its potential to improve reporting.

Both participants agree that AI can be valuable in improving reporting and documentation by automating the writing of recaps, incident explanations, and reports, saving analysts time and effort. This aspect has significant potential for quick implementation and offers low risk. However, they acknowledge that using AI to recommend response actions and to raise alarms may present challenges, as the human touch and expertise of analysts are still crucial in these areas. They emphasize the importance of being cautious about the data fed into AI systems in order to protect sensitive information. Overall, while AI shows promise in certain aspects of analyst work, human analysts are unlikely to be replaced entirely and will continue to play a vital role in the field.

Final Thoughts on Improving the SOC Analyst Experience

As highlighted by Allie and Sally, improving the SOC analyst experience requires a multi-faceted approach. Investing in quality training and services, striking a balance between automation and human intelligence, and leveraging tools and processes that are user friendly are key to improving analyst performance. By incorporating these recommendations, organizations can strengthen their defense against cyberthreats, enhance the overall security posture, and alleviate a common issue of getting security analysts ramped up quickly and retaining quality talent.

To hear from the experts directly, request more information here. And if you have not heard, LogRhythm delivers new product enhancements based on customer feedback — every single quarter. Our goal is to make the analyst experience as easy as possible. If you want to learn more about our 90-day innovations, visit our What’s New webpage to view our progress.