The expression to be “all out of Schlitz” might be familiar to you for one of two reasons. For some, this was the long-time slogan (actually “When you’re out of Schlitz, you’re out of beer”) for a brewer during its most popular days in the mid-20th century.
For many current and former military members, it means something else. During the period of high utilization experienced by the US military over the past 20 years, it became common for military planners to quip that they were, “all out of Schlitz.” That is, amid combat deployments, natural disaster relief, training, and other missions, there was no additional capacity in reserve for the military to perform new missions. Even if you’re not familiar with the expression, many cybersecurity professionals can relate since many teams continue to be overworked and understaffed. However, much of the overburdened capacity in many SOCs is actually wasted and could be recaptured with the right automation.
Here are three signs that front line analysts are burning their time on non-value-added tasks that could be accelerated or eliminated altogether through automation. While these activities may seem trivial, read on to see how they sap the productivity of individual analysts and degrade the effectiveness of the entire team.
Analysts juggle 10 or more open browser windows
In order to triage an alert, analysts must gather context to determine whether the activity is benign or malicious. Every analyst has their go-to sites for gathering threat intelligence to determine if the questionable IP or file is known in the community, has been analyzed, and is safe or malicious. Log data is examined from tools in the environment to determine which are detecting activity associated with the known IOCs. Our 2020 Cybersecurity Automation Survey found that 48% of organizations have more than 30 cybersecurity tools in their environment, making the juggling of tools a key responsibility of many analysts.
In computer science, the activities that the computer CPU executes to change from one program to another, are known as a “context switch.” When the processor changes to another program, it must stop execution of the current program, store in memory the data associated with the current program, load the data associated with the new program from memory and then begin executing again where it left off previously. The switch occurs in a few billionths of a second. But, as the number of running programs increases, the processor spends a greater percentage of its time performing context switches rather than running programs. When that percentage gets high enough to cause noticeable performance issues, the processor is said to be “thrashing.” Essentially, it has lost its ability to perform useful work.
The human brain is much like a computer processor in that it needs to perform a type of mental context switch when a person attempts to multi-task. Consider our analyst who needs 10 browser windows open to get the data she needs to perform her job. The physical act of moving the mouse or tapping the keyboard to switch windows takes some time but refocusing the brain on the new “context” of another source of data is where the real performance hit lies. Research published by the American Psychological Association found that multi-tasking “undermines our efficiency.”
A subsequent study conducted at Stanford University focused on media multi-tasking (e.g., writing an email while also trying to watch the news) and found that heavy multi-taskers under-performed light multi-taskers on every cognitive test in which they were compared.
Later, a Harvard Business Review article penned by a professor of cognitive psychology pegged the decline in mental efficiency attributable to multi-tasking at a whopping 40%!
One of the most basic functions performed by SOAR platforms is data enrichment (i.e. automatically combining relevant contextual information from multiple sources to form a unified picture). Automation could reduce or even eliminate the need to view multiple sources of data for SOC analysts, restoring (according to the research) up to 40% of the mental capacity of already overworked SOC teams. For the 48% of security teams which have 25 or fewer security professionals, the capability lift from this improvement could be the equivalent of hiring an additional 16 team members!
Copy and paste shortcut keys are wearing away on the keyboard
Analysts collect, document, and share a ton of data, making copy and paste a fundamental part of the daily routine. Cybersecurity tools, produced by a host of different vendors, don’t generally integrate with one another without some type of integration medium (like the SIEM) to bring everything together. Even then, the data must be indexed, correlated, and analyzed in order to be useful. Market-leading SIEM tools are effective at indexing the data and typically have some correlations built-in. But advanced correlations and complex analyses require significant tuning to enable. Even after the right rules and correlations have been built, the SIEM typically isn’t the place where real work gets done by an analyst. After she gets a clear picture of the situation from the SIEM, a security analyst usually needs to move to another tool to take action (e.g., respond to an attack, request cleanup for a host, queue an incident for investigation, etc.). Even with the best analysis and correlation, she’s still copying and pasting data between tools to get the job done.
SOAR tools augment the analytical capabilities of SIEM tools by directly integrating with the tools that analysts will use in a response. So, when interesting activity is detected by the SIEM, it can immediately signal the SOAR to automatically perform the same actions that an analyst would normally execute manually. This includes the movement of data between tools, orchestration of response actions, and reporting of status information.
The potential for improvement in this area has already been recognized by teams that have augmented their security teams with an automation solution. The two functions that respondents to our survey most wanted to see automated in whole or in part were security monitoring and incident response, which were selected by 39% and 38%, respectively, of respondents as their top automation priorities.
Spending most of the day chasing false positives
Any SOC analyst has thousands of alerts to sift through daily. Many teams receive duplicate alerts from multiple data sources, increasing the amount of time required to dig out of the noise. These same teams often spend too much time triaging false positives instead of actioning serious threats to the organization. A 2015 collaborative study executed by the Ponemon Institute and Damballa found that the average security team spends 395 labor hours per week on false-positive alerts - the equivalent of having 10 full-time employees who produce no real value for the organization.
In many cases, analysts can’t simply reduce the number of alerts that they receive. While tool tuning has long been cited as the best response to excessive alert noise, nearly 63% of respondents to our survey reported that they lack training or expertise on their tools or are unable to maintain their security tools effectively. Instead, teams need to develop means to more rapidly process low value alerts, so they never reach a human analyst.
From an improvement perspective, this is perhaps the most important capability of automation for most teams. The improved data correlation and enrichment capabilities of SOAR tools can enable entire classes of alerts to be automatically actioned or squelched entirely, returning a significant portion of the 395 wasted labor hours for the average team. Not only will this improve productivity for the existing team, but cybersecurity leaders may be able to reallocate precious headcount away from analyst roles that are waiting to be filled to more specialized functions like cloud or application security where emerging threats are creating new challenges.
With the talent and capacity challenges experienced by many cybersecurity teams, the SOC actually has more in common with Schlitz than one might think. One of the most popular brewers throughout most of the 20th century, Schlitz declined and finally became defunct as a distinct brand in 1999. So, we’re all “all out of Schlitz” permanently.
With few hiring opportunities in a constrained labor market and a robust set of tools already in-house, cyber teams are running out of options to increase effectiveness and capacity. But the right automation can squeeze significant additional value from the resources the team already has by creating new opportunities for efficiency gains.