You Are The Weakest Link – Goodbye!

I am sure everyone remembers the TV Game Show, The Weakest Link, where host Anne Robinson in the end would notify the team member who answered the most questions incorrectly during the round that they were “The Weakest Link – Goodbye!” and repeat the process until there was a winner.

As security practitioners, we must constantly assess where our weakest links are within our operational workflow. This is a continuous evaluation, and designating a weakest link only means you have identified an area that currently requires more focus and refinement to get the best possible results.

CISOs and Security Operations Managers must evaluate all potential technologies through the perspective of who their weakest link is in the security workflow process – the front line SOC Analyst. Now, this doesn’t mean they are doing a BAD job – but there are realities of the position that every SOC Manager knows:

  • For many, the front-line SOC Analyst role is their first entry into the world of cyber security. They have recently earned a security certification or degree but often lack practical work experience.
  • This entry-level position has the highest turnover. As analysts gain experience they want more responsibility and challenges – or a competitor offers them a promotion and a salary increase to join its SOC. Evaluating alerts day in and day out wears on anybody. This constant turnover puts a huge strain on SOC resources: not only the continual recruiting, hiring and training of staff, but also ensuring the staff maintains a level of quality so that alerts are processed correctly.
  • The job responsibilities of this position center around volume. A SOC Analyst typically has three minutes to evaluate an alert and decide whether it merits further scrutiny or can be ignored.
  • The elevated stress level the analysts are under can introduce errors into the process, or worse, result in a desensitization where key details are glossed over in favor of meeting speed and volume metrics.
  • This is a 24×7 requirement. Advanced targeted attackers do not work on your SOC schedule. They will attack when and where you are weakest. This will typically be either when the most junior team members are on shift (graveyard, perhaps?) or when alert volume is at its heaviest and the odds increase that something will get missed.

And here is the one undeniable fact: The fate of the company rests on whether the SOC analyst makes the right call. Don’t believe me? Revisit a few of the articles around the Target breach:

The SOC analyst is the most junior, highest-turnover, most stressful job in security – and it all rests on him or her making the right call.

This means that when you are evaluating your security solutions, you really need to look at how the information will be presented to the SOC Analyst and how they will react. Is it in plain, easy-to-digest statements that even a non-security person can readily understand? Can you put the information in front of anyone, ask “Do you think this is bad?”, and consistently get the correct response?

Because no matter how good the technology is – if you do not address your weakest link, you may be the one that is told “Goodbye!”