March 20, 2020

SOCs and the coronavirus: Why automation is key for security operations centres

By Lucy Ingham

As ever more companies switch to remote working due to the coronavirus, cybersecurity professionals and those working in security operations centres (SOCs) are facing an unprecedented challenge.

While SOCs need to contend with a flurry of new issues related to users accessing company systems from a myriad of locations, they also need to contend with having a SOC team that is forced to work remotely due to the coronavirus.

And this, according to Chris Triolo, VP of customer success at cybersecurity automation provider Respond Software, is posing issues in and of itself.

Remote working in SOCs: Key challenges during the coronavirus outbreak

One of the biggest issues, according to Triolo, is the pace at which tasks can be performed.

“Speed is sacrificed: things tend to move faster when people are physically co-located,” he explains.

“Remote working can slow down SOC processes. At times, speed is important to quickly identify and resolve security threats, time-to-detect, time-to-remediate.”

Key to this is the degree to which scattered SOC teams can still coordinate when they are isolated from each other due to the coronavirus.

“Coordination can be more challenging when working remotely, especially if you don’t have adequate tools in place,” he says.

He adds that there are tools proving vital to assisting the process, such as video conferencing solutions with screen sharing support, which he describes as “extremely important”.

“You can have employees working from home as long as good collaboration tools exist like Slack, Zoom, and documented processes and procedures available in a wiki or similar document repository.”

However, SOCs are also faced with finding digital solutions to more low-tech practices.

“‘Working on the whiteboard’ is typical when working through complex incident analysis or incident response activities with a group of people (as these situations sometimes demand), [and] this whiteboard-type collaboration is hard to achieve remotely,” explains Triolo.

“Remote meetings for shift turn-overs, war room discussions, and sharing threat or attack intelligence will be necessary to get in place and make effective. Most organisations have been working on this. And yet, it’s still better to have the team in the office, which is why most teams do exactly that.”

How automation can help SOCs

While the current ideal remains having SOC teams in one physical location, the coronavirus is increasingly making this unviable.

For those that still are in the office, Triolo recommends including fully remote scenarios in regular mock incident response training, but for those facing the reality of a remote team, he argues that automation can play a vital role.

“Most business continuity and disaster recovery plans account for infrastructure resiliency (back-up sites) or things like work-from-home support. But what happens when your staff is sick and can’t work, even from home?” he says.

“Having automation in place that can (or does) replace human tasks can ensure security monitoring is being done (by machines) even when the humans are too sick to work.”

As schools close in many parts of the world, many professionals are also juggling childcare alongside working remotely, and Triolo argues that this too makes a strong case for automation.

“We can see the demands that coronavirus is putting on our lives, even if we’re not sick, we’re having to manage our kids because school is closed, or long lines and waits at the grocery store, or delays in getting things done that take a lot longer now. All of this takes away an employee’s time, energy, or focus on key security tasks,” he says.

“People are distracted. And people are tired during times like these. What’s the likelihood they’re going to do a good job while tired and under stress? Especially a tedious job like security monitoring? Wouldn’t we be better off giving these tasks to machines if capabilities exist?”

In the long run, he argues, this could even accelerate the adoption of automation within SOCs.

“I think we’ll see more adoption of automation of human tasks, like security monitoring, [such as] with the Respond Analyst. This is inevitable. Outbreaks like this just make it even more obvious.”
