In one of our earlier webinars, a guest asked: “How can I know if one of our SOC analysts has gone bad?”
That is a brilliant question! You trust your Security Operations Center (SOC) to watch your environment, identify anomalies, stop the bad guys before they can do any harm, and coordinate the effort to remediate in the wake of an incident. It’s a tough job with a lot of responsibility and a matching amount of stress. In fact, a lot of organizations have found that their SOC team is stressed, overloaded with information and responsibility, and underappreciated. It’s no wonder this particular role suffers a high turnover rate.
We need to trust our SOC, and we normally can. SOC analysts are security professionals who’ve accepted the role and the responsibility that goes along with it. But they can still go bad. Too much stress and not enough support can lead someone to ponder doing some of the very things that analyst is there to stop. It could lead one to do things they’d never even consider if things were normal.
But things aren’t normal.
With a global pandemic that’s still out of control (at least in the United States), the SOC teams are having to deal with a whole new set of problems. They are faced with a newly remote workforce, new attacks against their infrastructure and assets, and are having to take a range of precautions to keep themselves safe.
While it’s unlikely that someone on the SecOps team will turn to the dark side, the increase in stress and distributed work has presented both motive and opportunity.
The lone wolf analyst is really just a subset of the Insider Threat family. Most organizations have other people in positions that have easier access, less scrutiny, and more opportunity to go bad. This puts the risk from the SecOps team much lower on the scale of concern.
After all, the folks in the SOC are working together, often quite literally shoulder to shoulder as they work an event. This makes it much harder to hide bad behavior. They also have tools that are looking for that very sort of bad behavior, which makes illicit activity quite visible. And, honestly, the job tends to attract people who want to be the good guys.
Organizations are probably looking at more risk from executives, engineers, project managers, or even staff associates, than they are from their SOC analysts. But what if that worst-case scenario happened? What if someone in Security Operations went bad and leveraged their position in the SOC for personal gain? Would your organization know what to do? Would you be able to identify the one rogue analyst before they did any damage?
Gurucul’s Unified Security and Risk Analytics (USRA) can. By leveraging all the organization’s incoming security data streams to create a vast data lake for analysis, USRA can deliver a single unified risk score for every entity in the environment. The entity can be a compromised server on the edge, or an analyst who’s become an insider threat. The machine watches the watchers, as well as keeping an eye on everything else that’s going on.
Watch Our Webinar
Check out the link below to watch our on-demand webinar, where we cover how advanced analytics can Watch the Watchers and help protect an organization from insider threats.