"We Can Be Heroes" -- But SOC heroics could be smarter, more creative.

"In the hands of a distrustful tech, an EDR tool becomes little more than a flight recorder"

What is heroism in cybersecurity? The dictionary defines a hero as an illustrious warrior and the central figure in an event. Unfortunately, security operations centres have morphed the concept in a way that is detrimental to cybersecurity, writes Jan Tietze, Director of Security, EMEA, SentinelOne. It is not rare to see a trait in SOC analysts that we call 'hero syndrome'. SOC employees often focus on big threats only once they surface as ongoing attacks. At that point analysts are forced to save the day in dramatic, visible ways.

This approach isn't intentional. SOC analysts don't harbour Rambo-esque fantasies.

Like everyone else, they want to get the job done quickly and painlessly, but many have evolved to operate in a way that leaves them scrabbling for solutions at the last minute. This is not the most effective way to tackle incident response. Organizations work best when they handle emerging threats early on, with judicious preparation.

We can no longer afford to lurch between dramas

Other kinds of first responders live by these rules. Firefighters would rather not fight fires at all. Instead, they devote time to fire prevention. Similarly, your doctor will urge you to adapt your diet and do some moderate exercise now to avoid surgical drama later. Whether we're talking about something as simple as wearing your seat belt or as profound as climate change, simple prevention is always better than dramatic cure. The latter tends to be painful, with collateral damage. So what causes SOC operators to adopt the dramatic approach?

The rise of hero syndrome

SOCs still prioritize human interaction at all stages of incident response. Many SOC analysts distrust automated tools like antivirus software, considering them generic and ineffective against targeted attacks. This is because they concentrate on the incidents where security tools have failed them rather than on the far more numerous cases where the tools have quietly helped.

Blinded by this confirmation bias, SOCs often use human operators to do what a computer could have achieved on its own. They avoid automation, even as it transforms countless industries around them.

The adverse effects of hero syndrome

This antipathy to software tools doesn't mean SOC analysts stop using them altogether.

Instead, they pay less attention to the software that they do have, using only part of its capabilities. That ends up being even more debilitating.

For example, in the hands of a distrustful tech, an endpoint detection and response (EDR) tool becomes little more than a flight recorder, relegated to gathering data rather than used as an automated tool to spot and neutralise digital toxins. Such tools can certainly generate lots of data if you want them to, but that data is the means, not the end. Instead of using the tooling's data to deal with immediate threats, analysts use it retrospectively to refine their future approach, thereby disregarding the tool's main functionality.


Ambivalence toward automation often also stops a SOC from developing a cohesive tools strategy. Instead, it buys tools as data-generating devices, duplicating software functionality in some areas while leaving gaps elsewhere. The result is an inefficient use of budget, in which the SOC pays too much for metrics that can blind analysts rather than help them.

Failing to take full advantage of these tools leaves analysts in a difficult spot. They miss the small things that could be fixed easily with relatively simple action. Those small events eventually become incidents and, if still not addressed, sometimes grow into full-blown emergencies. By the time analysts pay attention to the red flashing lights, it's too late; they must take drastic measures that affect the business.

The cybersecurity landscape has evolved to the point where we can no longer afford to lurch between dramas. Attackers are becoming increasingly proactive. Modern compromises might still be partly manual but adversaries are automating more of the attack chain every day. That makes prevention and early responses even more important.

Time for a rethink

A late entry to save the day might sometimes make an impressive splash, but efficient cybersecurity work is far more mundane. Cyber threat mitigation, like politics, should be anything but dramatic. It should be considered, preventative and, when working well, largely invisible.

SOCs can take action now to alter their approach and become more proactive. This begins with earlier threat detection and mitigation, which in turn means taking a more thoughtful approach to emerging threats. This approach should be short, efficient, and surgical. Rather than extending an incident to learn more about it, SOC analysts can render it harmless through fast, simple, and early containment.

SOCs can use automated tools both to detect these emerging threats and to contain them with minimal human intervention. The key to that is a well-integrated platform whose tools communicate in a common format and complement each other's functionality. The more strategic a SOC's tool design and procurement policy is, the more of an asset the tooling will be during the incident response process, from the earliest stages onward.
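The difference between using EDR telemetry as a flight recorder and using it for early, automated containment can be shown concretely. The following Python is an added example written for this page, not code from SentinelOne or from any particular EDR product: it consumes a handful of constructed endpoint events in a hypothetical common JSON-style schema (the field names `host`, `parent`, `process`, `cmdline`, `user` are assumptions), scores them with a few illustrative rules, and emits containment actions automatically for high-confidence hosts while routing the ambiguous middle tier to an analyst instead of waiting for the red lights. The `isolate` action is rendered as a message a SOAR or EDR API would consume; no real API is called.

```python
import json

# Constructed sample EDR telemetry (hypothetical schema, not real product output).
SAMPLE_EVENTS = [
    {"host": "ws-042", "parent": "winword.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "user": "jdoe"},
    {"host": "ws-017", "parent": "explorer.exe", "process": "notepad.exe",
     "cmdline": "notepad.exe report.txt", "user": "asmith"},
    {"host": "srv-db1", "parent": "services.exe", "process": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet", "user": "SYSTEM"},
    {"host": "ws-042", "parent": "cmd.exe", "process": "whoami.exe",
     "cmdline": "whoami /all", "user": "jdoe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Illustrative thresholds: above CONTAIN we act without waiting for a human,
# between REVIEW and CONTAIN an analyst looks, below REVIEW nothing happens.
CONTAIN_THRESHOLD = 80
REVIEW_THRESHOLD = 20


def score_event(ev):
    """Score one event with simple, explainable rules. Returns (score, reasons)."""
    reasons, score = [], 0
    cmd = ev["cmdline"].lower()
    tokens = cmd.split()
    if ev["parent"].lower() in OFFICE_APPS and ev["process"].lower() in SCRIPT_HOSTS:
        score += 60
        reasons.append("office application spawned a scripting host")
    if "-enc" in tokens or "-encodedcommand" in tokens:
        score += 30
        reasons.append("encoded PowerShell command line")
    if "vssadmin" in tokens and "delete" in tokens and "shadows" in tokens:
        score += 90
        reasons.append("volume shadow copy deletion")
    if ev["process"].lower() == "whoami.exe":
        score += 10
        reasons.append("local discovery command")
    return score, reasons


def triage(events):
    """Aggregate per host and decide: isolate, review, or ignore."""
    per_host = {}
    for ev in events:
        s, r = score_event(ev)
        entry = per_host.setdefault(ev["host"], {"score": 0, "reasons": []})
        entry["score"] += s
        entry["reasons"].extend(r)
    decisions = {}
    for host, entry in per_host.items():
        if entry["score"] >= CONTAIN_THRESHOLD:
            decisions[host] = "isolate"
        elif entry["score"] >= REVIEW_THRESHOLD:
            decisions[host] = "review"
        else:
            decisions[host] = "ignore"
    return per_host, decisions


def build_actions(per_host, decisions):
    """Render decisions as messages in one common format for downstream tools.

    Isolation requests go to the containment tool; review items go to the
    analyst queue with the reasons attached so the human starts from evidence.
    """
    actions = []
    for host, decision in decisions.items():
        if decision == "ignore":
            continue
        actions.append({
            "action": "isolate_host" if decision == "isolate" else "open_ticket",
            "host": host,
            "score": per_host[host]["score"],
            "reasons": per_host[host]["reasons"],
        })
    return actions


if __name__ == "__main__":
    hosts, decisions = triage(SAMPLE_EVENTS)
    for action in build_actions(hosts, decisions):
        print(json.dumps(action))
```

The point is not the rules themselves, which any real EDR supersedes, but the shape of the loop: scoring happens on every event as it arrives, the high-confidence tier is contained by the tooling without a human in the path, and the analyst's time is spent on the tier where judgement actually adds value.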

Does this mean analysts must give up their hero status? Not at all. By using automation for manual, repetitive tasks, they can free up their own time for high-value pursuits. There's a real possibility here for analysts to become detectives, focusing on hypothesis-based threat hunting that takes skill and insight.

Analysts who learn to embrace automated tools can swap out the mundane tasks for truly creative ones. And there's nothing quite so heroic and worthy of recognition than human creativity. With a more mature approach and a little more trust in the tools, SOCs can be cybersecurity heroes for more than just one day.
