Jack “@jackcr” Crook is back with another great post on improving your SOC’s performance. Previously, he covered his tips on implementing an internal SOC training program. Now Jack points out five tips to minimize missing those elusive important alerts and to improve overall analyst morale.
- Since many SOC analysts are new to this field, add documentation to signatures so that they can fully understand the context of each alert and more easily identify when they should ask for help.
- Tune out noisy alerts by providing a mechanism for analysts to easily flag them in the course of their daily duties and setting up a regular meeting to review submitted alerts.
- Let analysts focus on their job of analyzing alerts and not side tasks outside of their normal daily responsibilities.
- Keep analysts informed about any incident response activities so they can better understand signature context (even if they weren’t directly involved) and gain a perspective beyond just the alert queue.
- Motivate analysts by giving them training that enhances their abilities in their current job and prepares them for their next one, offering small challenges to test their skills, and recognizing their successes.
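The first two tips describe concrete mechanisms: documentation attached to each signature, and a way for analysts to flag noisy alerts that a regular review meeting then works through. The following is an added example, written for this post and not code from Jack's SOC or any product, of how those two pieces fit together: a signature documentation record, a list of analyst dispositions with a "noisy" flag, and a report that builds the review-meeting agenda from them. All signature names, alert dispositions, and the thresholds (`min_alerts`, `noise_threshold`) are constructed or assumed for illustration.

```python
"""Added example (not from the original post): a helper for the
signature-documentation and noisy-alert-review practices described above.
All signature names, alert dispositions and thresholds are constructed
for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SignatureDoc:
    """Context an analyst needs to triage an alert from this signature."""
    sig_id: str
    summary: str
    what_it_detects: str
    when_to_escalate: str
    known_benign: list = field(default_factory=list)


# Constructed documentation for three hypothetical signatures.
SIGNATURES = {
    "SIG-1001": SignatureDoc(
        sig_id="SIG-1001",
        summary="Outbound connection to a newly registered domain",
        what_it_detects="First-seen resolution of a domain registered less than 7 days ago",
        when_to_escalate="Host also shows a new scheduled task or service within 1 hour",
        known_benign=["CDN rotations for the marketing team's SaaS vendors"],
    ),
    "SIG-1002": SignatureDoc(
        sig_id="SIG-1002",
        summary="Multiple failed logons followed by success",
        what_it_detects="More than 10 failures then a success for one account in 5 minutes",
        when_to_escalate="Source IP is outside corporate ranges or the account is privileged",
    ),
    "SIG-1003": SignatureDoc(
        sig_id="SIG-1003",
        summary="PowerShell launched with encoded command",
        what_it_detects="powershell.exe started with -EncodedCommand on an endpoint",
        when_to_escalate="Parent process is an Office application or a browser",
        known_benign=["Patch-management agent runs encoded scripts nightly"],
    ),
}

# Constructed dispositions recorded by analysts while working the queue.
# 'noisy' is the analyst's flag that the alert was not worth their time.
DISPOSITIONS = [
    {"sig_id": "SIG-1001", "verdict": "benign", "noisy": True},
    {"sig_id": "SIG-1001", "verdict": "benign", "noisy": True},
    {"sig_id": "SIG-1001", "verdict": "benign", "noisy": True},
    {"sig_id": "SIG-1001", "verdict": "benign", "noisy": True},
    {"sig_id": "SIG-1001", "verdict": "benign", "noisy": False},
    {"sig_id": "SIG-1002", "verdict": "malicious", "noisy": False},
    {"sig_id": "SIG-1002", "verdict": "malicious", "noisy": False},
    {"sig_id": "SIG-1002", "verdict": "benign", "noisy": False},
    {"sig_id": "SIG-1002", "verdict": "benign", "noisy": True},
    {"sig_id": "SIG-1003", "verdict": "benign", "noisy": True},
    {"sig_id": "SIG-1003", "verdict": "benign", "noisy": True},
    {"sig_id": "SIG-1003", "verdict": "malicious", "noisy": False},
    {"sig_id": "SIG-1004", "verdict": "benign", "noisy": True},  # undocumented, too few hits
    {"sig_id": "SIG-1004", "verdict": "benign", "noisy": True},
]


def noise_report(dispositions, min_alerts=3):
    """Aggregate per-signature counts and the fraction flagged noisy.
    Returns rows sorted so the noisiest signatures come first; signatures
    with fewer than min_alerts dispositions are skipped (too little data)."""
    counts = defaultdict(lambda: {"alerts": 0, "noisy": 0, "true_positive": 0})
    for d in dispositions:
        c = counts[d["sig_id"]]
        c["alerts"] += 1
        c["noisy"] += int(d["noisy"])
        c["true_positive"] += int(d["verdict"] == "malicious")
    rows = []
    for sig_id, c in counts.items():
        if c["alerts"] < min_alerts:
            continue
        rows.append({
            "sig_id": sig_id,
            "alerts": c["alerts"],
            "noise_rate": round(c["noisy"] / c["alerts"], 2),
            "true_positives": c["true_positive"],
        })
    rows.sort(key=lambda r: (-r["noise_rate"], r["sig_id"]))
    return rows


def review_agenda(dispositions, noise_threshold=0.5):
    """Build the tuning-meeting agenda: signatures at or above the noise
    threshold, each paired with its documentation so reviewers see the
    context and the known-benign cases a tuning change should carve out."""
    agenda = []
    for row in noise_report(dispositions):
        if row["noise_rate"] < noise_threshold:
            continue
        doc = SIGNATURES.get(row["sig_id"])
        agenda.append({
            "sig_id": row["sig_id"],
            "noise_rate": row["noise_rate"],
            "true_positives": row["true_positives"],
            "summary": doc.summary if doc else "(undocumented signature)",
            "known_benign": doc.known_benign if doc else [],
        })
    return agenda


if __name__ == "__main__":
    for item in review_agenda(DISPOSITIONS):
        print(item)
```

Keeping the true-positive count next to the noise rate matters in the review: a signature that is 80% noise but still catches real intrusions is a candidate for narrowing (adding the known-benign exclusions), not for disabling.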
Having spent most of last year helping to train a 24/7 SOC, as well as having performed a ton of alert analysis myself, I hold a special place in my heart for these people. I wanted to write this post not only for the analysts I work with, but for others as well. These people typically have first eyes on indications, mainly in the form of alert data, that their company has been breached. With this role comes a lot of focus and attention from others. Unfortunately, a lot of this focus and attention comes when alerts are missed, and it can often be interpreted as blame. If you look at the Target breach and all of the focus surrounding the missed indicators, I’m sure you will see where I’m coming from.
Today’s post pic is from beba. See ya!