How security leaders can help SOC analysts adjust to working from home

RSA experts discussed how to recreate the collaborative in-person environment that security teams usually work in when there's not a pandemic.

Amy Blackshaw, director of product marketing at RSA, explained the strategic shifts security teams need to make now that working remotely may become the new norm.

At the RSA Cybersecurity Summit 2020 on Tuesday, security experts explained how to rethink the security operations center when analysts are working from home instead of side by side. Two RSA leaders shared advice on how to do this during a conversation about how the shift to 100% remote work has affected security teams who have the same challenges all other remote workers have.

Michael Adler, vice president of product at RSA, said that analysts are accustomed to working in a specific physical space with multiple monitors and colleagues in the same room.

"With everyone working from home, we don't have that investment that we put into building physical facilities that helped analysts be successful and made the SOC (security operations center) more efficient," he said. "Now analysts are just like every other remote employee working from home."

Adler said that analysts need a new set of controls and tooling designed for remote work to be as efficient as they were before the pandemic started.

Amy Blackshaw, director of product marketing at RSA and Adler's partner in the session, had five recommendations for security teams working remotely. Some of these shifts are already in process and others are accelerating:

  1. Automating workflows: Analysts should be able to collaborate and work from the same playbook, especially when they are not in the same room.
  2. Threat detection and response: The SOC should be focused on anticipating attacks that could bypass security controls, especially at the endpoint and the network, and during the reintroduction to working in the office in person.
  3. Reimagining the corporate network: Analysts should redefine what normal traffic looks like during this work-from-home phase, what it will look like as offices reopen, and what reducing risk means in both contexts.  
  4. Reevaluating behavior analytics and insider threat risk: Analytic models also need to be readjusted to understand how employees are behaving in this work-from-home world to understand what anomalies look like in the current version of normal.
  5. Visibility into cloud workloads: SOC teams need to understand third-party cloud environments and add that data into existing analytic models.

Adler said that making these shifts requires taking existing SOC tools and using them differently, including logging, network traffic analysis, and endpoint protection. For example, analysts need a way to investigate endpoints that are now often personal devices as opposed to machines provided by an employer.

"You might not be able to have direct access to the endpoint, but you can be reasonably sure that you can monitor it and have visibility into it," he said.

Adler said that another new element that analysts need to consider is how employees are accessing software-as-a-service (SaaS) tools.

"The SOC needs access to the appropriate set of logs from SaaS applications to start doing user behavior analysis and mapping out access profiles," he said.

This is an opportunity to use machine learning in the SOC to review and analyze those access logs. Adler also recommended applying analytics to network traffic to reset the data models, relearn normal, and spot the anomalies.
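To make concrete what "relearning normal" from SaaS access logs and then spotting departures from it can look like, here is an added example in Python. It is not code from RSA or from the session speakers. The log format, the user names, applications and device ids, the one-week learning window, and the anomaly rules (new country, new device, new application, off-hours access, failed attempt, unknown user) are all constructed assumptions chosen to illustrate the kind of per-user access profile a SOC could build from such logs; a production model would learn these thresholds rather than hard-code them.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample SaaS access log (not real data). One event per line:
# timestamp  user  source-country  device-id  application  outcome
SAMPLE_LOGS = """\
2020-04-06T09:02:11Z alice US laptop-a1 crm success
2020-04-07T10:30:05Z alice US laptop-a1 mail success
2020-04-08T14:12:00Z alice US laptop-a1 crm success
2020-04-06T08:45:10Z bob DE laptop-b7 mail success
2020-04-07T11:20:33Z bob DE laptop-b7 hr success
2020-04-09T09:05:00Z bob DE phone-b2 mail success
2020-04-13T09:10:00Z alice US laptop-a1 crm success
2020-04-14T03:40:00Z alice RO laptop-x9 crm success
2020-04-14T09:00:00Z bob DE laptop-b7 hr success
2020-04-15T12:00:00Z bob DE laptop-b7 payroll failure
2020-04-15T10:00:00Z carol US laptop-c3 mail success
"""

# Assumed split: events before this instant train the baseline, later ones are scored.
LEARN_UNTIL = "2020-04-13T00:00:00Z"


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    country: str
    device: str
    app: str
    outcome: str


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from successful logins."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    hours: set = field(default_factory=set)


def parse_ts(value: str) -> datetime:
    # Assumed timestamp format; adjust to the SaaS provider's real export.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line: str) -> AccessEvent:
    ts, user, country, device, app, outcome = line.split()
    return AccessEvent(parse_ts(ts), user, country, device, app, outcome)


def build_profiles(events, learn_until: datetime):
    """Learn each user's baseline from successful events in the learning window."""
    profiles = defaultdict(Profile)
    for e in events:
        if e.ts < learn_until and e.outcome == "success":
            p = profiles[e.user]
            p.countries.add(e.country)
            p.devices.add(e.device)
            p.apps.add(e.app)
            p.hours.add(e.ts.hour)
    return dict(profiles)


def score_event(e: AccessEvent, profiles) -> list:
    """Return the list of reasons an event departs from the user's baseline."""
    p = profiles.get(e.user)
    if p is None:
        return ["unknown_user"]
    reasons = []
    if e.country not in p.countries:
        reasons.append("new_country")
    if e.device not in p.devices:
        reasons.append("new_device")
    if e.app not in p.apps:
        reasons.append("new_app")
    # Tolerate one hour either side of any hour seen in the baseline.
    if not any(abs(e.ts.hour - h) <= 1 for h in p.hours):
        reasons.append("off_hours")
    if e.outcome != "success":
        reasons.append("failure")
    return reasons


def detect_anomalies(log_text: str, learn_until_iso: str):
    """Baseline on the learning window, then flag every later event with reasons."""
    learn_until = parse_ts(learn_until_iso)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    profiles = build_profiles(events, learn_until)
    findings = []
    for e in events:
        if e.ts < learn_until:
            continue
        reasons = score_event(e, profiles)
        if reasons:
            findings.append((e.user, e.ts.isoformat(), reasons))
    return findings


def run_demo():
    return detect_anomalies(SAMPLE_LOGS, LEARN_UNTIL)


if __name__ == "__main__":
    for user, when, reasons in run_demo():
        print(f"{when} {user}: {', '.join(reasons)}")
```

Running the block flags three of the five post-baseline events: alice logging in at 03:40 from a country and device not in her profile, bob's failed attempt against an application he has never used, and carol, who has no baseline at all. The point of the design is that the baseline is rebuilt from the logs themselves, so when office work resumes the same code relearns the new normal from a fresh learning window instead of carrying forward assumptions from the work-from-home period.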

Adler said that orchestration--standardizing processes and threat responses--is one way to ensure that employees of different skill levels who are sitting apart but working together are working from the same playbook.

"That way every analyst can take advantage of best practices and follow standards and guideposts when they are working alone," he said.