By Editor | September 20th, 2022

Sharing the Load: Security Operations Centers need to consider how to balance workloads among cybersecurity professionals to prevent burnout

Amid more frequent cyberattacks and limited resources, security operations centers (SOCs) are struggling to keep up with demand without overwhelming their employees, with 40% of organizations reporting issues with staff shortages. Under such conditions, burnout is a major problem, and finding ways to avoid it is a critical goal, according to an article in Security magazine.

Normally, a SOC has a set of analysts who respond immediately to alerts and incidents, and more specialized staff who perform management activities and analyze more advanced threats. With most actions being assigned to the front-line analysts, companies need to consider how to distribute these actions to ensure the greatest effectiveness. Respondents' approaches fell into one of three categories:

The classical approach, where staff are sorted into lines based on expertise, with the first line performing basic analysis on events and passing them to the second line for further review if needed. In turn, the second line's greater expertise allows it to dispose of most remaining issues, or advance them to any specialists forming a third line.

The expertise approach, where alerts are assigned to specific analysts based on the category of attack or the type of system under attack. Lines in this approach would be split based on critical or non-critical systems.

The single queue approach, where all analysts form a common pool, and each member picks up the next available alert on completion of their previous task. In this approach, there is also typically a second line of support available for cases where an analyst is unable to address an alert without assistance.

While all approaches offer advantages, the specific technique used by any organization needs to depend on its resources, funding, and technical needs, and may need to be updated over time to respond to changing circumstances.

Source:

https://www.securitymagazine.com/articles/98334-how-socs-distribute-cybersecurity-alerts-to-avoid-burnout
