There is no shortage of interesting research characterizing the challenges faced by SOC teams. Two recent reports from Exabeam and Devo/Ponemon include all the well known stats reminding us that SOCs suffer from too many tools, not enough people, and ongoing challenges with key metrics like MTTD and MTTR. Both reports also include a few unique perspectives on data related challenges SOC teams face today.
Exabeam’s research frames challenges around inefficiency in the SOC. While “inexperienced staff”, “out-of-date systems/apps,” and “time spent on reporting/documentation” are included as common problems, the research also points to data issues.
These data issues include lacking asset lists and finding system owners as inefficiencies that most SOC teams experience. The research suggests that while these issues sound straightforward, they have a meaningful impact on a SOC’s capability for TTA (time to answer) since it may only take a few minutes to look up an owner of a system, but in aggregate, these manual activities cause material lags during investigations.
The research by Devo/Ponemon portrays an alarming state of job satisfaction in the SOC with nearly 80% of respondents reporting that “working in a SOC is painful” and nearly as many admitting they had considered changing careers or at least leaving their current job during the last year. Much of the pain stems from inefficiency with respondents reporting that data acquisition is the most time consuming task in the SOC; managing threat intelligence and waiting on tools to respond to operations were two specific examples shared.
Both reports illustrate that while the breadth and depth of data available to SOC teams is unprecedented, having the right data at the right time is a challenge that can affect teams trying to make informed decisions and act with speed. The Devo/Ponemon research even goes as far as linking data challenges with job satisfaction.
Data is changing the world, but only for those who are equipped to use it for making decisions and taking action. Top performing SOC teams have a comprehensive understanding of their data, knowing how to access the best data available, having the context to see how it is relevant to their work, and seamlessly sharing it between teammates. Still, as evidenced by the research simply knowing what data is available and why it is relevant does nothing if you are unable to quickly find it and put it to use.
Unfortunately, security teams are often forced to balance between being thorough and getting the job done quickly. The image below illustrates this relationship. Consider the analyst who thoroughly investigates every detail (i.e. upper left quadrant); fully aware by the time he finishes the job, but too late to act soon enough to make a difference. Similarly, there is the analyst who works on intuition. She speeds through the investigation (i.e. lower right quadrant), recalling some details, but missing others that may be important to the investigation.
Polarity overlays contextual information as you work for superhuman Data Awareness and Recall. Software-based Augmented Reality gives you the right data at the right time to make informed decisions and take action with speed (i.e. upper right quadrant). With Polarity, teams are no longer forced to balance between being thorough and getting the job done quickly.
Polarity provides Data Awareness and Data Recall by enabling users to annotate data with details they want to remember from their own investigations, view details a teammate has shared, or details from products like Carbon Black, Cisco, Flashpoint, ReversingLabs, ServiceNow, Shodan, Splunk, ThreatQuotient, VirusTotal or any of the more than 100 open-source integrations that connect Polarity to the most popular tools used by security teams today.
While many teams rely on Polarity to address the common challenges outlined in the research by Exabeam and Devo/Ponemon including having too many tools, not having enough people, and failing to improve MTTD and MTTR, teams also value the benefit of using data to make better informed decisions because they have important contextual information available, and make faster decisions because they can improve the efficiency of their analysis and collaboration.
See Polarity in Action
Want to learn more? For a deeper understanding, watch our CEO demo Polarity.