Six Key Mistakes Leading to SOC Burnout

Six Key Mistakes Leading to SOC Burnout.

If you work in a SOC in any way, this post is highly recommended for you…

Mistake #1 – Underestimating the impact the phishing threat has on your SOC 

Mistake #2 – Thinking you can’t do better than your existing email security provider

Mistake #3 – Thinking all AI/ML are the same.

Mistake #4 – Using chopsticks to catch a fly

Mistake #5 – Failure to consider phishing training policies implications on the SOC

Mistake #6 – There’s no silver bullet

We know the statistics. The number one threat impacting is breaches. It’s a little over 90% of breaches that start with email. Some 30% of phishing attacks are opened by end-users. The cost of successful phishing attacks can be in the millions. 

Yet the daily impact is just as big, if not bigger. It’s impacting the people that are responsible for securing an organization. Based on our research and experience there are six key mistakes that we see organizations making that impact their SOC.

Mistake #1 – Underestimating the impact the phishing threat has on your SOC.

Avanan recently released a survey that found that managing the email threat takes up 22.9% of the SOC’s time. That comes out to about 2-3 hours a day, chasing bad emails. In some environments, that number is even higher. Of the time they spend managing the email threat, 47% of that time is spent investigating suspected phishing emails reported by end-users and 27% responding to actual phishing emails.   

The common wisdom is when we “see something, say something.” This is reinforced by KPIs that require end-users to report to the SOC a set number of suspicious emails each month. Someone’s going to pay the price for this, and generally, it’s the SOC. As it turns out, each end-user request takes more than seven minutes each to investigate if done manually. 

With hundreds of suspicious alerts reported each day, no wonder there’s now a term called “SOC Burnout”. In a recent study by Devo Technology, they found that “60% of SOC team members are still considering changing careers or leaving their jobs due to burnout.”

Mistake #2 – Thinking you can’t do better than your existing email security provider.

Many organizations have become complacent with their existing email security provider. They stopped believing there is better security primarily because  Microsoft and legacy gateways have failed so badly at securing cloud-based email. It’s become an adage: “If [Microsoft, Proofpoint, Mimecast] can’t stop these attacks, then maybe nobody can”.   

But enterprises are still early in adopting advanced cloud email security solutions. That’s typical for large enterprises because they tend to only adopt newer technologies later in the lifecycle. But email security’s been around for a while, right? Yes, much like cars have been around for a while. But the Model-T is drastically different from a Tesla and comparing the two just because they each have four wheels and get you from Point A to Point B doesn’t make sense. 

When you consider legacy gateway security solutions like Proofpoint or Mimecast, they were built to secure email when it was on-prem. Their foundation was to secure “Exchange Server” and not Office 365 or Gmail. They are not API or AI-enabled and, because of that, less effective in today’s environment as proven by our our latest analysis here and customer reviews here.  

Mistake #3 – Thinking all AI/ML are the same.

Reducing the threat, and ultimately reducing the burden on your SOC, comes down to implementing advanced AI/ML technologies that are trained to stop today’s threat. 

But unfortunately, it’s not like slapping an “organic” sticker on your packaging.  The best way to tell the haves and have nots apart is to test them side by side.  Unfortunately, that’s not always possible and if not, then just ask them to explain their AI. It’s a simple question. When they stumble around, ask them what algorithms are they using? Which dataset do they use to train their algorithms?  Why is their dataset better than others? What you’ll find if you ask these questions is that for many, AI is a phrase on their website or sales deck, the equivalent of an “organic” moniker. To Avanan, it’s our foundation and having a foundation built on AI and ML is just the first step. 

The second step is having the best dataset to feed the AI so it can be properly trained. And this is why it’s so critical that any next generation of email security is embedded within the cloud SaaS suite via APIs. Once embedded, the dataset of cloud email security solutions like Avanan is much better because it’s much richer. Gateways that exist in front of the suite have a myopic view. A single email at a single point in time. With this view, they lack the situational awareness that is required to understand and stop the advanced threat and fully secure the suite.  Being embedded gives Avanan a chance to understand who the people being emailed are(titles), social graph, internal email, geo-suspicious login events, activity within OneDrive/SharePoint and Teams and much more. It’s this situational awareness that feeds the AI/ML algorithm that determines its overall effectiveness.

Mistake #4 – Using chopsticks to catch a fly.

In the movie Karate Kid, Mr. Miyagi attempts to try to catch a fly using chopsticks.  While certainly a great challenge, it’s not the most effective approach and it will certainly never scale once someone leaves the door open. When it comes to the phishing threat, many organizations are opting for Mr. Miyagi’s approach. Rather than shutting the door, adding new screens, etc, many are opting to first train the masses and catch a fly with chopsticks.

Just to be clear: end-user phishing training is absolutely 100% critical.  Implementing response tools and processes for the SOC is absolutely 100% critical. But don’t mistake these capabilities as mass protections. There are exception handlers to account for phishing emails that slip past your security defenses and into your user’s inboxes. When you first reduce the attack surface through the implementation of advanced security, you make it much easier to design and implement an end-user training program to deal with the exceptions. And with Avanan, that amounts to a 99.2% reduction overnight.

Mistake #5 – Failure to consider phishing training policies implications on the SOC.

As discussed above, SOC Burnout is real. We know this through our own experiences, research and articles all pointing to the fact that the SOC is spending significant time managing the email threat. 

When organizations implement new policies around phishing training and reporting, you must absolutely take into consideration what’s downhill. Generally at the bottom of the hill is the SOC.  Each end-user suspicious email report takes about seven minutes to analyze. This doesn’t even take into consideration the time required for clean up if the email is phishing or remediation required if the workstation is infected. Organizations must be cognizant of any policy decisions that results in a notification to the SOC. In extreme examples, we have seen organizations mandate employees to report a certain number of emails per month or face punitive actions. One such case resulted in 16,000 emails reported to the SOC in a single month. 

In general, the average number of emails reported to the SOC for a 10,000 user organization is about 505 a month, costing about 707 hours per year in analysis time alone.  Fortunately or unfortunately, it turns out only 33.8% of those alerts are actually malicious. We say fortunately because it’s a job well done by end users. We say unfortunately because those malicious emails made it to them and probably dozens of others. 

The key to avoiding SOC burnout while improving security starts with better protection. In Avanan’s customer’s cases, better protection means a reduction in the number of malicious emails that reach end-users by 99.2% with a decrease in end-user investigation reports to the SOC by 71%.

Mistake #6 – There’s no silver bullet.

Nope. But at the end of the day it comes down to three things: Advanced protection, improved response capabilities, and better training. 

Advanced security is there to stop the malicious emails from hitting your end-users. In the case of Avanan’s customers, they see a 99.2% reduction in attacks reaching their end users overnight.  Because there is no silver bullet, you must arm the IT, SOC and Help Desks with the resources necessary to help respond to the threats quickly and efficiently.  And finally, end-user training is there to help ensure end-users know how to spot and report a malicious email.

Avanan Case Study

When implementing Avanan, our customers see a 99.2% reduction in phishing attacks that reach their end-users.  

Consider this case study with one of Avanan’s customers. They are a Fortune 500 company with over 11,000 mailboxes.

They had two problems. First, they were being inundated with phishing attacks. Second, the SOC was getting tons of end-user requests. It was an unsustainable pace for the SOC team members.

Within days of deploying Avanan, however, something dramatic happened:

The numbers are staggering. The company saw a 99.2% reduction in phishing attacks. They also saw a 71% reduction in end-user requests to the SOC.

There’s no doubting that working in the SOC has been more challenging than ever. The only way to combat that is by reducing the number of malicious emails that come in.

Only Avanan has proven to do that, and at scale. Don’t take my word for it, let’s set up an evaluation so you can either confirm or debunk the claims made here. It takes less than FIVE (5) minutes to set up Avanan platform. Reach out via [email protected] if interested.