Birth of the Next Generation Security AnalystTo solve the cybersecurity skills shortage, know how software will impact the roles. By: Kevin Hanes
In 2017, a provocative article went viral in the cybersecurity industry — Death of the Tier 1 SOC Analyst by Kelly Jackson Higgins of Dark Reading. In this arresting piece of analysis, Ms. Higgins argued that entry level analyst positions in security operations centers were on track for extinction, thanks to a combination of new technologies, industry skills shortages and the particular joys of a role that consisted of triaging an ever-growing flood of alerts. Instead, she predicted that SOC managers would reorganize responsibilities, apply automation to manage the level 1 work and reallocate human input for higher level investigations.
A couple of years down the line, how is that analysis playing out?
The industry certainly isn't operating how we used to. Ms. Higgins was on the ball with the increasing importance of technology. The steady growth in threat actor activity, both in terms of volume and technique means it is simply not possible to fill the cybersecurity skills gap with humans alone. Instead, we're arming human analysts with continuous self-learning AI tools, comprehensive visibility and precision automation to enable analysts to raise their game and stay ahead of the bad guys, while staying focused on what's critical to the organization.
Of course, not all AI techniques are created equal. But the targeted use of data science techniques like machine learning and deep learning are sorting through data oceans of alerts, processing at least 95% of alerts that previously a tier 1 human analyst would have had to view and weeding out false positives. We are way past the tipping point with the use of these technologies — this is not a trend that will reverse.
Algorithms are not just reducing the number of time-wasting false positives, but also enhancing SOC abilities to extrapolate from data to pattern match so that previously unknown exploits can be flagged up and investigated further. The self-learning nature of these techniques has allowed us to create much higher fidelity models. As a result, we can continually improve our ability to identify incursions.
Because of this, human activities in the SOC are changing, becoming more proactive. In fact, the priority has changed from reactive firefighting to proactive threat hunting, because there are fewer distractions, less time being wasted, and more context for taking the right action.
I disagree with Ms. Higgins that Tier 1 analysts will disappear altogether, but I do agree that the role as it has been defined and known to date will soon be obsolete. Instead, the very nature of the analyst role will change.
At Secureworks®, the type of person we recruit into SOC analyst positions has altered radically. Rather than only seeking the type of smart, highly technical person who relishes looking at log files, all day, every day, we're now recruiting for more rounded individuals with consulting and teaching skills too. People persons in other words, with high levels of empathy, who can focus not just on the what but also on the why and on the how. Of course, technical skills are still relevant, but we must be able to add people skills as well.
Our hiring has shifted because SOC analysts at every tier are becoming more akin to incident managers or handlers. They need investigative skills, forensic skills and they also need the ability to hold a consultative dialog, to be able to discuss why something has happened rather than just to pass a ticket up the line. We've gone from discussing alerts to discussing incidents.
And we're finding that our customers welcome that. They want people who can talk to them. Even if the future is machine to machine communication, they still want a human being on their side.
At the same time, the human factor is also invaluable in adding context, in providing the threat intelligence – and incident response experience – that helps identify the needle in the haystack.
The result is a more direct career path for SOC personnel, perhaps removing some of the blockages that led to the high wastage rate that Ms. Higgins mentioned. While in the past we simply needed a lot of people just to sort through the noise, now the skillset needed is far, far higher.
That's not to say that new technology completely fixes the industry people problem, but it certainly does change it. We have a responsibility to adjust our own hiring and training practices to help incoming talent prepare for the future, not the status quo.
These trends are set to intensify, but of course, this is still early days. Cybersecurity remains an asymmetric battle. Threat actors move fast, so we must move faster. So today, advanced software driven approaches like Secureworks Red Cloak™ Threat Detection and Response (with or without a managed services option) are pointing the way to the future.
The level of automation can only increase. But to automate an effective response, we need to infuse the best of data sciences with intelligent, proactive, human input. In the SOC of the future, you could even argue that analysts might emulate cyborgs – technology enhanced humans – but cyborgs with high levels of empathy.