The COVID-19 pandemic has challenged and stretched organizations, which have been forced to become remote workplaces, sometimes overnight. Some employees relish the opportunity to work from home, some do not, and managers are learning how to manage all of them from afar. As remote work gains steam, due largely to collaboration technologies like Slack and Zoom, futurists predict a post-pandemic world in which many employees expect to retain the work-from-home option.
Those who work in SecOps are no exception. Employees and industry analysts alike are making the case for remote SecOps. However, the long-term feasibility of this option is up for debate. Organizations actually stand to gain greater success using a combination of traditional SecOps and the appropriate use of automation.
Pitfalls of the Remote SOC
For SecOps teams, working remotely is difficult. It can be done during a time of crisis, and many organizations have implemented this tactic out of sheer necessity. They continue to function in this strange time, but incident response is by its nature a collaborative process. Working in isolation is by no means ideal.
This is particularly true for new security analysts. They will most likely find remote work difficult; SOC analysis is not a job one learns individually. In most cases, new analysts learn by working with more senior analysts, in the SOC, side by side. Those who aren’t in the trenches underestimate the amount of guidance new security analysts need. It’s also harder for any analyst to troubleshoot alone. It’s much easier and faster when the person you need to help or need help from is in the same building.
When organizations are suddenly thrust into a remote work protocol, it can prove challenging to support workers with all the equipment and access they need. This is particularly true for security analysts. Will they be able to see the SOC console where alerts are processed and viewed? Will they have access to incident response ticketing systems, shift turnover logs, investigation notes and other required information and tools?
Business Continuity Through Automation
Automation plays a pivotal role in sustaining security operations during crisis situations. It can reduce an organization’s reliance on the usual number of personnel by taking over many redundant tasks. If an organization needs to limit its manpower – such as during times when members of the SOC team cannot work, whether for health or other reasons – it needs to increase its investment in automation. Cloud migration is also helpful in this scenario, since the use of SaaS and IaaS solutions has reduced the need for employees to be physically present in the workplace – in this case, in the data center.
Inherent human limitations continue to be the primary bottleneck in SecOps. No matter how highly skilled and intelligent SOC analysts are, they will never be able to get better or faster at monitoring the massive quantities of security log data that an organization’s sensors produce today. Automation is a valuable tool that addresses this disconnect.
Most of today’s SOCs are constructed based on formally structured, regular and repeatable operational processes. This means they are already set up to be highly responsive to automation. SOC teams can automate tasks that go far beyond the capabilities of the human mind, such as correlating an IP address associated with an alert with a sequence of events that took place on another part of the network in the past.
SOC automation is practical from a staffing perspective, but it has the added benefit of ensuring that team members can turn their skilled attention to more fulfilling and interesting activities than console monitoring, such as threat hunting. If automation can analyze and triage security data better than humans can, then leave it to automation. in this way, automation decreases the chance of errors and of the burnout that leads to employee turnover. And this ultimately helps your organization stay resilient, even during times of crisis.
Remote Communications for Your SOC Employees
Because remote SecOps is sometimes necessary, so is a strong remote communications plan. This includes:
- Ensuring the set-up of appropriate, necessary notifications for the appropriate team members.
- Verifying that contact information for all team members – including both work and personal phone numbers and email addresses – is up to date.
- Creating an FAQ document to direct employees to the appropriate contact for the different subjects/topics that arise.
Scheduling is also an important consideration. Shifts need to be planned with both primary and back-up staff. The whole SOC team should know not only their own role but also the availability of everyone else on the team. Publish staff schedules in a way that everyone can access and making sure that shifts and turnover policies are communicated clearly.
Short-Term Remote, Long-term Automation
The pandemic is a particularly extreme example of the uncertainties of life. Business continuity requires innovation and agility, particularly for critical areas of business like SecOps that can’t afford to miss a beat. Organizations have the cloud-based tools available to weather this storm from a safe distance, but once the stay-at-home order lifts, is SecOps one of the functions that should remain remote?
Automation is a necessary aspect of an agile business continuity plan but seeing its successful use during times of crisis as a go-ahead order for long-term remote work is the wrong conclusion. SecOps is a team pursuit that requires live, fast interaction, which means it is better suited to on-site roles. Fortunately, though, automation is available to help for those few times when that’s not possible and for all other times to improve the organization’s security posture.