Understanding Burnout in Security Operations Center Staff

In the cybersecurity realm, burnout is a prevalent issue affecting Security Operations Center (SOC) analysts, detection engineers, threat hunters, and other professionals. This burnout arises from a multitude of factors, notably the unrealistic demands placed on these individuals.

Operating within the realm of Security Operations is arguably the most challenging facet of cybersecurity. The divide between theory and practical reality is stark, and security operations often takes a backseat in management’s priorities until a security breach occurs.

Now, let’s examine the root causes of this burnout and consider potential solutions.

Unrealistic Expectations

1. Overwhelming Threat Landscape

In the realm of security operations, a key source of burnout is the relentless demand for security professionals to keep pace with every threat group and their ever-evolving Tactics, Techniques, and Procedures (TTPs). The dynamic nature of the threat landscape poses an immense challenge. Threat actors, be they state-sponsored entities, cybercriminal organisations, hacktivists, or individual hackers, frequently adapt and refine their strategies to bypass security measures and exploit vulnerabilities.

Security teams are tasked with an almost impossible mission: not only keeping up with these dynamic threats but also actively defending against them. This requires an in-depth understanding of each threat group, their specific methodologies, and the indicators that signal potential attacks. Keeping current with emerging threat intelligence is an ongoing and demanding endeavour.

This unrelenting pursuit of threat awareness places an enormous burden on security professionals to be omniscient in their field. The fear of missing a crucial threat or failing to detect a novel TTP creates an environment of perpetual stress and anxiety. The pressure results in long hours, high-pressure scenarios, and a persistent sense of urgency, contributing to burnout.

2. Complex Log Formats and Accuracy

Another contributing factor to the challenges in security operations is the sheer variety of log formats and types that analysts are required to monitor and comprehend. Dealing with this multitude of data sources can be a formidable task, as each format may have its own unique structure and content.

Furthermore, security teams must invest significant effort in creating and maintaining the systems that support security monitoring rules. This includes setting up and managing the infrastructure and technology necessary to execute these rules. The combined complexity of managing these aspects can quickly become overwhelming over time.

Adding to the complexity, the accuracy of the information contained within these logs can sometimes be unclear.

“What is the timezone in which the logs are recorded?”

Unfortunately, not all log vendors place sufficient emphasis on the accuracy and completeness of what they record. Despite improvements over the past few decades, we still find ourselves grappling with the challenge illustrated in the XKCD comic regarding logging standards, highlighting ongoing issues in this domain.
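The timezone question above is a concrete, everyday instance of the format problem. The following is an added example, not code from the original article or from Illuminate Security: it takes four constructed log lines (RFC 3164 syslog with no year and no offset, Apache combined-log format with an offset, ISO 8601 with an offset, and a raw epoch) and normalises each to UTC, flagging every record whose timezone had to be supplied from an assumed per-source configuration table rather than read from the line itself. The source names, the `SOURCE_TZ` table and the sample lines are all assumptions made for the example.

```python
"""Normalise timestamps from several common log formats to UTC.

Added example, not part of the original article. The log lines below are
constructed samples; SOURCE_TZ is an assumed per-source setting that a real
pipeline would take from its collection configuration.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# Assumed configuration: the timezone each source is known to write its
# local (offset-less) timestamps in. Sources missing from this table fall
# back to UTC, which is exactly the guess that causes the "what timezone is
# this?" problem, so such records are flagged for review.
SOURCE_TZ = {
    "fw-edge-01": timezone(timedelta(hours=10)),  # fixed +10:00 for the example
    "web-prod-03": timezone.utc,
}


class Normalised(NamedTuple):
    source: str
    utc: datetime       # always tz-aware, always UTC
    tz_assumed: bool    # True when the line itself carried no offset
    fmt: str            # which parser matched


ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s")
CLF_RE = re.compile(r"\[(\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2}) ([+-]\d{4})\]")
EPOCH_RE = re.compile(r"^(\d{10})(?:\.\d+)?\s")


def normalise(source: str, line: str, default_year: int = 2024) -> Normalised:
    """Return the line's timestamp as UTC, recording whether a tz was assumed."""
    m = ISO_RE.match(line)
    if m:
        # Replace a trailing Z so fromisoformat works on Python < 3.11 too.
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        return Normalised(source, ts.astimezone(timezone.utc), False, "iso8601")
    m = CLF_RE.search(line)
    if m:
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%b/%Y:%H:%M:%S %z")
        return Normalised(source, ts.astimezone(timezone.utc), False, "clf")
    m = EPOCH_RE.match(line)
    if m:
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
        return Normalised(source, ts, False, "epoch")
    m = SYSLOG_RE.match(line)
    if m:
        # RFC 3164 carries neither year nor offset: both must be supplied.
        naive = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=default_year)
        local = naive.replace(tzinfo=SOURCE_TZ.get(source, timezone.utc))
        return Normalised(source, local.astimezone(timezone.utc), True, "syslog-rfc3164")
    raise ValueError(f"unrecognised timestamp format: {line!r}")


def audit(records: list[Normalised]) -> list[str]:
    """Sources whose timestamps depended on configuration rather than the line."""
    return sorted({r.source for r in records if r.tz_assumed})


# Constructed sample lines: four representations of the same instant.
SAMPLE_LINES = [
    ("fw-edge-01", "Mar 15 13:04:05 fw-edge-01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.9"),
    ("web-prod-03", '203.0.113.9 - - [15/Mar/2024:03:04:05 +0000] "GET /login HTTP/1.1" 200 512'),
    ("edr-agent", "2024-03-15T14:04:05+11:00 process_create pid=4242 image=C:\\Windows\\System32\\cmd.exe"),
    ("unknown-box", "1710471845 auth failed user=svc_backup"),
]


def normalise_all(lines=SAMPLE_LINES) -> list[Normalised]:
    return [normalise(src, ln) for src, ln in lines]


if __name__ == "__main__":
    recs = normalise_all()
    for r in recs:
        print(f"{r.source:12} {r.fmt:15} {r.utc.isoformat()} assumed_tz={r.tz_assumed}")
    print("sources needing a tz decision:", audit(recs))
```

Once everything is in UTC the four lines line up as one event window; without the normalisation the firewall line sits ten hours away from the web log it belongs with. The `tz_assumed` flag is the part worth keeping in a real pipeline: it is the audit trail for the question the article asks, and a source that keeps appearing in `audit()` is a candidate for fixing at the collector rather than in every rule that reads it.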

3. Technology Tax

Security analysts face the challenging responsibility of deciphering how threat actors and their Tactics, Techniques, and Procedures (TTPs) manifest in log data. This complexity is further compounded when you consider the multitude of technologies they must manage. This technology landscape often includes systems like Endpoint Detection and Response (EDR) solutions, Network Detection and Response (NDR) tools, Security Information and Event Management (SIEM) platforms, and even traditional antivirus solutions. Each of these technologies serves a unique function in the security ecosystem, and security professionals must not only comprehend their individual workings but also understand how they interact and collectively contribute to an organisation’s defence.

The intricacy of managing this assortment of technologies is exacerbated by their interdependence with the organisation they safeguard. These tools are essential components in a complex security architecture that must be fine-tuned to work in harmony. This demands ongoing maintenance, configuration adjustments, and continuous monitoring to ensure they effectively detect and respond to emerging threats. The challenge here is not just adopting these tools but ensuring that they are optimally configured, continually updated, and synchronised to provide comprehensive protection. The burden of this multifaceted task rests on the shoulders of security operations teams, often leading to high stress and workload.

4. User Behaviour, Security Education and Psychology

Adding to the complexity, there’s the issue of user behaviour. Despite receiving security education and training, employees, developers, engineers, and administrators sometimes engage in activities that create security risks, to put it mildly. The ongoing fear of a potential breach and the pressure to prevent it contribute to the stress and burnout experienced by security personnel.

All Security Operations Center (SOC) operators universally dread Friday afternoons. It’s when they often receive the alarming last-minute announcements of major incidents, either from within their own organisation or from external entities.

We can draw a parallel to the experience of post-traumatic stress disorder (PTSD) in soldiers returning from active service. Special Forces groups, like the Australian SAS or US Navy SEALs, statistically suffer less from PTSD compared to their counterparts in the regular army, marines, and similar units. One reason commonly put forward is that Special Forces groups, akin to hunters, are tasked with clearly defined objectives and goals. On the other hand, those on defensive duty are in a constant state of alert waiting to respond, which is mentally stressful and taxing over time.

If we apply this comparison to cybersecurity, the Offensive Security teams are the hunters, while the Blue Team represents the defenders. An attacker only needs to infiltrate a single system and achieve their objective as quickly as possible before declaring victory.

In contrast, defenders must remain vigilant day in and day out, 24/7, with little hope in sight for significant improvement due to the factors mentioned above (and this is just a concise overview, as there are likely many more intricacies to explore, possibly enough to fill a book).

A quick note: the challenges faced by cyber security professionals are nothing compared to those of the service men and women who enlist and defend their respective peoples; having served myself, I can attest to this safely. It is merely one of many ways to demonstrate the different psychological effects on attackers versus defenders.

The Unsolvable Equation

When we delve into these fundamental issues, it becomes evident that no internal security operations team, Managed XDR (MXDR) provider, or Managed Security Services Provider (MSSP) can realistically meet all of these demands.

While it may seem relatively straightforward to create a security rule and identify a threat, sustaining this effort over the long haul, especially with limited resources and a constantly evolving threat landscape, is an incredibly challenging task.

And keep in mind, when I say “a rule,” most teams are tasked with managing hundreds of these logical components within their monitoring solutions, whether it’s a SIEM, XDR, hunts, and so on. What initially appears simple and manageable becomes increasingly difficult and, in the long run, nearly impossible. That’s the essence of the problem we’re facing.

We have convinced ourselves, and our constituents, of the following

The impacts of burnout

In the most basic terms, your cybersecurity investment will suffer a significant reduction in effectiveness. This is because the resources you’ve allocated, including tools, your team, and threat intelligence, won’t deliver the outcomes you anticipate.

The end result of this is the emergence of ‘False Positives.’ When a potentially malicious event is identified, there’s a high likelihood that it will be categorised as one of the following:

1. False Positive

2. Not Malicious

3. Requires Tuning

4. Malicious Unsuccessful

5. Unknown

6. Incident?

If you’re fortunate (and the threat actor is noisy), you might eventually reach the ‘Incident’ stage. But how do we reach this point?

It’s essential to remember that trust in the accuracy of the logic and supporting data is paramount. This concept is akin to the story of ‘The Boy Who Cried Wolf’ in the context of cyber threat detection. If false positives continue to pile up, trust in the system’s alerts deteriorates. When a genuine threat finally emerges, nobody responds as they should, as their trust in the system has been eroded by the numerous false alarms.

It’s important to note that this erosion of trust doesn’t affect just a single rule; it impacts the entire array of rules and coverage techniques you’ve implemented to safeguard your organisation.
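The six disposition categories above are also the raw material for measuring the trust erosion this section describes. The following is an added example, not code from the original article or from Illuminate Security: it takes constructed triage records of the form (rule, disposition), computes a per-rule precision (the share of alerts that turned out to be real attacker activity, counting ‘Malicious Unsuccessful’ and ‘Incident’ as true positives), and assigns each rule an action, plus a ruleset-wide precision to capture the point that the whole array of rules shares one reputation with the people answering the alerts. The rule names, counts and thresholds are assumptions made for the example.

```python
"""Per-rule triage scorecard built from the article's disposition categories.

Added example, not from the original article. The triage records are
constructed samples; the thresholds are assumed values a team would tune for
itself. Treating "Malicious Unsuccessful" and "Incident" as true positives is
likewise an assumption: both mean the alert pointed at real attacker activity.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Iterable

DISPOSITIONS = {
    "False Positive", "Not Malicious", "Requires Tuning",
    "Malicious Unsuccessful", "Unknown", "Incident",
}
TRUE_POSITIVE = {"Malicious Unsuccessful", "Incident"}


def scorecard(records: Iterable[tuple[str, str]],
              min_alerts: int = 10,
              min_precision: float = 0.2,
              max_unknown_share: float = 0.5) -> dict:
    """Aggregate (rule, disposition) pairs into per-rule and ruleset metrics."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for rule, disposition in records:
        if disposition not in DISPOSITIONS:
            raise ValueError(f"unknown disposition {disposition!r} for {rule}")
        counts[rule][disposition] += 1

    rules = {}
    total_alerts = total_tp = 0
    for rule, c in counts.items():
        total = sum(c.values())
        tp = sum(c[d] for d in TRUE_POSITIVE)
        precision = tp / total
        unknown_share = c["Unknown"] / total
        total_alerts += total
        total_tp += tp

        if total < min_alerts:
            action = "insufficient data"        # don't judge a rule on a handful of alerts
        elif unknown_share > max_unknown_share:
            action = "fix data"                 # analysts cannot decide: a log/context problem, not a logic problem
        elif precision < min_precision:
            action = "tune"                     # the rule fires, but mostly on noise
        else:
            action = "keep"

        rules[rule] = {
            "alerts": total,
            "true_positives": tp,
            "precision": round(precision, 3),
            "unknown_share": round(unknown_share, 3),
            "action": action,
        }

    return {
        "rules": rules,
        # One number for the ruleset: the analysts' lived experience of "how
        # often is an alert worth my time", regardless of which rule fired.
        "ruleset_precision": round(total_tp / total_alerts, 3) if total_alerts else 0.0,
    }


def _expand(summary: dict[str, dict[str, int]]) -> list[tuple[str, str]]:
    """Turn {rule: {disposition: n}} into a flat list of (rule, disposition)."""
    return [(r, d) for r, ds in summary.items() for d, n in ds.items() for _ in range(n)]


# Constructed sample: a month of triage outcomes for four hypothetical rules.
SAMPLE_RECORDS = _expand({
    "R-logon-bruteforce": {"False Positive": 18, "Not Malicious": 1, "Incident": 1},
    "R-lsass-access": {"Malicious Unsuccessful": 5, "Incident": 2,
                       "Not Malicious": 3, "Requires Tuning": 2},
    "R-dns-txt-long": {"Unknown": 6, "False Positive": 4},
    "R-new-rule": {"False Positive": 3},
})


if __name__ == "__main__":
    report = scorecard(SAMPLE_RECORDS)
    for rule, m in report["rules"].items():
        print(f"{rule:20} alerts={m['alerts']:3} precision={m['precision']:.3f} -> {m['action']}")
    print("ruleset precision:", report["ruleset_precision"])
```

The ruleset figure is the one to watch for the ‘Boy Who Cried Wolf’ effect: in the sample, one noisy rule drags the whole set to roughly one genuine alert in six, which is what the analyst feels even though another rule in the same set is performing well. Splitting ‘fix data’ from ‘tune’ matters because a high share of ‘Unknown’ outcomes usually points back at the log-quality problems from the earlier section rather than at the detection logic.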

The Solution

To tackle this challenge, Illuminate Security introduces the concept of a Community Driven Threat Detection & Response ecosystem.

Imagine a scenario where, instead of relying on a small and overburdened security detection team, you have access to a vast and specialised army of experts. In this world, security analysts can concentrate their efforts on specific threat categories, Tactics, Techniques, and Procedures (TTPs), and various types of attacks. This focused approach leads to a reduction in false positives and enables analysts to convey a more compelling and accurate narrative from the log data.

As a result, security rulesets become more concise, efficient, and sustainable over time.

While the current landscape often resembles a zero-sum game for SOC teams, the presence of hundreds of dedicated detection engineers underscores the notion that “the whole is greater than the sum of its parts.” With this collaborative approach, analysts can prioritise areas that truly matter to their customers, freeing them from the burden of maintaining compliance rules that often contribute to burnout.

Our approach creates a more streamlined, effective, and manageable security capability, benefiting both the security professionals and the organisations they defend.

Join Illuminate Security

If you’re an analyst looking for a way to help defend organisations, and be rewarded for your expertise, consider signing up to Illuminate Security’s Bluehat Platform!

Here, your expertise will be valued, and you can focus on what you do best — identifying threats and helping defend against attacks.

If you’re an organisation seeking to enhance your detection capabilities, build a long-running, sustainable security control, and access world-class experts who are dedicated to achieving outcomes, get in touch with us. We’re here to help you defend your organisation, your staff, and your customers.

In conclusion, the issue of burnout in security operations is a complex one, but by rethinking the approach to security and embracing new solutions like the Bluehat Platform, we can move towards our vision of uplifting Detection & Response for all.

I hope you enjoyed reading this as much as I did putting it together! Any questions or points, I am always happy to chat and can be reached on LinkedIn.

In the next article in this series we will delve into the truly unsung heroes in the Product & Engineering teams who keep the ship running and on whom security operations teams rely.

Cheers!

Shaun Vlassis
