Major organizations now deploy an average of 473 tools according to Gartner, and as security tool usage increases, sophisticated attacks rise.
In the meantime, we’re also at the beginning of understanding the full impact of Gen-AI on cybersecurity, influencing cyber threats, defense strategies and how cybersecurity professionals work on a daily basis.
Amid an industry struggling to bridge a talent gap of 3 million skilled professionals, SOC analysts must skillfully navigate these changes! What does this mean? That there is a critical opportunity to advance SecOps careers by keeping pace with these trends!
How can SOC analysts adapt, develop indispensable skills, and anticipate the evolving demands of their role?
Anouck Teiller, Chief Strategy Officer at HarfangLab, and Jean-Baptiste Joly, Security Engineer and Lead Customer Success at Mindflow, explore the subject and offer their vision of the future of SOC.
Cybersecurity workforce today
Current studies share three main lessons regarding the cybersecurity workforce.
Shortage of cybersecurity professionals
First of all, a lack of people: the European Commission launched a study in 2023 and concluded that in Europe alone, the shortage of cybersecurity professionals is close to 1 million people (around 883,000).
Between 2013 and 2023, the number of cybersecurity job offers in Europe increased fivefold and, inevitably, more than half of European companies have reported having trouble finding cybersecurity experts.
Lack of skills adaptation
Secondly, the overall lack of workforce is also exacerbated by the lack of adaptation in terms of skills. The French National Cybersecurity Agency (ANSSI) has thus estimated that more than 70% of cybersecurity professionals do not have a formal cybersecurity background.
This means that cybersecurity professionals learn mostly during their first work experience but also that they might not acquire the skills needed to fit in the current cybersecurity landscape.
For instance, while network security remains a major issue in cybersecurity, the number of professionals needed in that particular field is shrinking rapidly, unlike application security or detection and response.
A landscape in constant evolution
Finally, cybersecurity is constantly evolving: tools and technologies are diversifying and becoming more and more advanced, attackers are updating their methods, the underlying IT foundations are changing rapidly with Cloud and AI for instance.
Keeping a workforce that remains up to date is a tremendous challenge and counting only on individual curiosity and will to learn, even if it is very prevalent in the cybersecurity field, is hardly a winning strategy. Today, however, not much exists to organize and plan this continuous training that is needed in our field.
Key developments in recent years for SOCs
There have been several notable evolutions in the cybersecurity landscape. These changes reflect broader trends in technology, cybersecurity threats, and organizational approaches to security, driven by the emergence of the Cloud.
As such, the technological foundation of SOCs has evolved significantly.
For example, back in 2016, many tools were still on-premises, with a heavy reliance on traditional security information and event management (SIEM) solutions.
By 2021, there was a marked shift towards Cloud-based platforms, integrating more advanced machine learning and artificial intelligence capabilities for threat detection and response.
Cloud and AI technologies: game changers for SOC analysts?
While the attack mechanisms have not changed, the vectors have. For example, on a PC, one can install malware to capture the PC’s network traffic. In the Cloud too, whether in a Kubernetes cluster or an AWS infrastructure, one can still deploy an agent to observe the virtual machines’ network traffic. In that respect, Cloud and AI are no game changers.
However, they are definitely game changers in terms of skills: we need to shift from network and system expertise to skills related to Cloud technologies.
This has also increased the number of tools to master, APIs to know… and the next step, which has already begun, is skills related to automation.
The role of software providers in the evolution of SOCs
In any new market, the role of software providers is crucial. In the case of AI in cybersecurity, for example, cybersecurity software providers create the market, just as ChatGPT created the GenAI market.
This means that providers have the responsibility to support users in their skills development, to help them go beyond tools, to deploy new methodology, to gather new insights… How does it work? Here are a few examples of the methodological points that Mindflow (No-Code & AI-driven automation and orchestration platform) and HarfangLab support their users with.
Understand and deploy automation methodology
Automation is key to easing the workload of SOC analysts, but understanding what needs to be automated and how is essential for optimal use and adoption.
Through the lens of the Pareto principle, identifying activities that “take up 80% of the time but only contribute to 20% of the value” is often an excellent place to start with automation.
This requires quantifying tasks and the time they require compared to their usefulness in terms of cybersecurity in order to prioritize automation efforts effectively, ensuring that automation is not done for the sake of automation, but making strategic choices that will enhance productivity. With this in mind, HarfangLab EDR offers connectors with tools that ease automation, such as Mindflow (of course) and Palo Alto.
This analysis is particularly facilitated when cybersecurity solutions provide visibility over their functioning (as HarfangLab EDR does for its detection and alerting, for instance), enabling them to be clearly understood, an essential prerequisite to automation.
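One way to make the Pareto analysis described above concrete is to quantify each recurring SOC task by weekly analyst minutes and by the security value it delivers, then rank the tasks whose share of time far exceeds their share of value. The following is an added example, not code from HarfangLab or Mindflow; the task names, frequencies, durations and 1-to-5 value scores are constructed sample data, and the 2:1 time-to-value threshold is an assumption to be tuned per team.

```python
"""Pareto-style ranking of SOC tasks as automation candidates.

Added example (not HarfangLab or Mindflow code). The tasks below are
constructed sample data; score your own SOC's tasks the same way.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    per_week: int       # how many times the task is performed each week
    minutes_each: int   # analyst minutes per occurrence
    value: int          # weekly security value of the task as a whole, 1 (low) .. 5 (high)


def weekly_minutes(task):
    return task.per_week * task.minutes_each


def time_share(tasks):
    """Fraction of total analyst time each task consumes."""
    total = sum(weekly_minutes(t) for t in tasks)
    return {t.name: weekly_minutes(t) / total for t in tasks}


def value_share(tasks):
    """Fraction of total security value each task delivers."""
    total = sum(t.value for t in tasks)
    return {t.name: t.value / total for t in tasks}


def automation_candidates(tasks, ratio=2.0):
    """Tasks whose time share is at least `ratio` times their value share
    (the '80% of the time, 20% of the value' pattern), best candidate first.

    Each row is (name, time_share, value_share, weekly_minutes, time/value ratio).
    """
    ts, vs = time_share(tasks), value_share(tasks)
    rows = []
    for t in tasks:
        r = ts[t.name] / vs[t.name]
        if r >= ratio:
            rows.append((t.name, ts[t.name], vs[t.name], weekly_minutes(t), r))
    rows.sort(key=lambda row: row[4], reverse=True)
    return rows


# Constructed sample data for one fictional SOC team.
SAMPLE_TASKS = [
    Task("close duplicate alerts", per_week=300, minutes_each=3, value=1),
    Task("enrich IP with threat intel", per_week=250, minutes_each=4, value=2),
    Task("write weekly report", per_week=1, minutes_each=180, value=4),
    Task("investigate confirmed incident", per_week=5, minutes_each=240, value=5),
    Task("tune detection rule", per_week=10, minutes_each=30, value=5),
]


def candidate_names(tasks=SAMPLE_TASKS, ratio=2.0):
    """Convenience wrapper returning only the ranked task names."""
    return [row[0] for row in automation_candidates(tasks, ratio)]


if __name__ == "__main__":
    for name, ts, vs, mins, r in automation_candidates(SAMPLE_TASKS):
        print(f"{name:32s} time {ts:5.1%}  value {vs:5.1%}  {mins:5d} min/week  ratio {r:.1f}")
```

On the sample data, closing duplicate alerts and threat-intel enrichment come out as the automation candidates, while incident investigation, the most time-consuming task, does not: it consumes a large share of time but also delivers a comparable share of value, which is exactly the kind of work the text says should stay with the analyst.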
Algorithmic thinking
Automation does not require development skills. However, a basic understanding of algorithmic logic can profoundly enhance one’s ability to automate tasks, even in a no-code environment such as Mindflow.
A workflow is essentially a visualized algorithm. It is about setting a sequence of events: “If this happens, then that happens; if I do this, then that occurs.”
This kind of thinking makes it possible to design more efficient and reliable automated processes!
Understanding and utilizing APIs
Lastly, a fundamental skill in today’s cybersecurity automation is understanding and utilizing APIs. Knowing what an API is, how to call it and the associated authentication methods is critical. Using a tool’s front end is vastly different from calling its API: the fields, names, and methodologies differ, requiring a different approach. This also means that cybersecurity solution providers must make their solutions “APIsable” to optimize SOC processes, a point also taken into account by HarfangLab EDR.
Learning to interact with APIs not only broadens the SOC’s toolset but also opens up a new realm of automation possibilities. It makes it possible to integrate and automate tasks across multiple platforms, enhancing the SOC’s efficiency and responsiveness.
To sum up, embracing automation is not just about changing skill sets; it is an entirely new operational philosophy, and SOC analysts need to be supported through this transition. Cybersecurity providers ought to provide SOC analysts with both the tools and the knowledge needed to succeed.
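To tie the two previous points together, here is an alert-triage playbook written as the explicit “if this, then that” sequence the algorithmic-thinking section describes, driving an EDR through an API call rather than its front end. This is an added example, not HarfangLab or Mindflow code: the endpoint paths (`/alerts/{id}/close`, `/hosts/{id}/isolate`, …), the alert field names and the bearer-token authentication are hypothetical placeholders, and a real product’s API reference defines its own. The transport is injectable so the playbook runs offline against constructed alerts.

```python
"""Alert-triage playbook as explicit if/then steps over an EDR API.

Added example (not HarfangLab or Mindflow code). Endpoints, field names and
the bearer-token scheme are hypothetical placeholders.
"""
import json
import urllib.request


class EdrApiClient:
    """Minimal API client: every call carries the API token in an
    Authorization header. `transport` is injectable for offline runs."""

    def __init__(self, base_url, token, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport or self._http
        self.calls = []  # audit trail of (method, path, payload) for reporting

    def _http(self, method, url, body, headers):
        # Real transport over HTTPS (hypothetical API; placeholder only).
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())

    def request(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/json"}
        self.calls.append((method, path, payload))
        return self.transport(method, self.base_url + path, body, headers)


def triage(alert, client, known_good):
    """Decide what to do with one alert. Each branch is one box a no-code
    workflow would draw; the order of the checks is part of the algorithm."""
    proc = alert["process_name"].lower()
    if proc in known_good:
        # Documented false positive: close it, but record why (traceable allowlisting).
        client.request("POST", f"/alerts/{alert['id']}/close", {"reason": "allowlisted process"})
        return "closed"
    if alert["severity"] == "high" and alert["host_role"] == "server":
        # High-severity alert on a server: contain first, then hand to IR.
        client.request("POST", f"/hosts/{alert['host_id']}/isolate", {"alert_id": alert["id"]})
        client.request("POST", f"/alerts/{alert['id']}/escalate", {"to": "incident-response"})
        return "isolated_and_escalated"
    if alert["severity"] == "high":
        client.request("POST", f"/alerts/{alert['id']}/escalate", {"to": "tier2"})
        return "escalated"
    return "queued"  # medium/low alerts stay in the analyst's normal review queue


# Constructed sample input: four alerts as the (hypothetical) API would return them.
SAMPLE_ALERTS = [
    {"id": "a1", "process_name": "Updater.exe", "severity": "high", "host_role": "workstation", "host_id": "h1"},
    {"id": "a2", "process_name": "unsigned_tool.exe", "severity": "high", "host_role": "server", "host_id": "h2"},
    {"id": "a3", "process_name": "unsigned_tool.exe", "severity": "high", "host_role": "workstation", "host_id": "h3"},
    {"id": "a4", "process_name": "notepad.exe", "severity": "low", "host_role": "workstation", "host_id": "h4"},
]
KNOWN_GOOD = {"updater.exe"}  # constructed allowlist, lower-cased process names


def run_sample():
    """Run the playbook offline; returns (outcomes, recorded API calls)."""
    def fake_transport(method, url, body, headers):
        assert headers["Authorization"].startswith("Bearer ")
        return {"ok": True}

    client = EdrApiClient("https://edr.example.invalid/api", "PLACEHOLDER_TOKEN", fake_transport)
    outcomes = [(a["id"], triage(a, client, KNOWN_GOOD)) for a in SAMPLE_ALERTS]
    return outcomes, client.calls


if __name__ == "__main__":
    outcomes, calls = run_sample()
    print(outcomes)
    for call in calls:
        print(call)
```

The `calls` list doubles as the evidence trail a report needs: which alerts were closed as false positives and why, and which hosts were isolated, are facts the playbook itself recorded rather than something the analyst must reconstruct from the front end.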
Now, with the development of automation in cutting-edge IT security tools… in the future, as automation continues to grow, could SOC disappear?
SOC analysts facing a future made of automation and AI
We will always need the expert eyes of SOC analysts to assess threats and alerts, and to react appropriately, even with automation and Artificial Intelligence.
However, their jobs will change, they will need to adapt and acquire new skills.
More advanced configuration and supervision of technologies
SOC analysts will certainly intervene less in the triage and the monitoring of single alerts but more in advanced configuration of supervision technologies.
Today, sorting through alerts and defining their criticality represents the main role of a SOC analyst. It is at the core of their daily routine.
AI and automation, as well as improvements in cybersecurity tools, will dramatically reduce this load. The role of a SOC analyst will therefore probably refocus on properly implementing an automated detection and response strategy. SOC analysts will have a key role in configuring all the relevant tools: setting up the proper whitelists and blacklists, creating the relevant alert levels for specific threats, ensuring that their cybersecurity tools communicate well with each other…
They ought not to be left alone in this redefinition of their role, and cybersecurity vendors have the responsibility to provide tools that allow for these configurations.
This is exactly why HarfangLab chose to have a 100% transparent and fully APIsable EDR, in order to match SOC analysts’ needs and facilitate their work, knowing full well that they cannot be replaced.
More versatility, from monitoring to investigation and response
SOC analysts will also need to be more versatile. This means being able to:
- jump from monitoring to investigating and even to proper incident response,
- provide operational insights on the organization’s cybersecurity,
- interconnect and deploy additional cybersecurity tools and build a state-of-the-art cybersecurity stack.
These are all additional tasks that SOC analysts may increasingly be required to take on, and skills they should acquire to remain competitive in the current job market.
Another interesting change that could occur is that seniority among analysts will grow as time passes and as some analysts gain more skills and experience. Nowadays, SOC analysts are mostly under 40 and do not remain SOC analysts for more than a few years due to the very real constraints of this job. The current evolution of the role could be a game changer in that respect: with the role being more automated and the tasks more diverse, SOC analysts could gain seniority and remain longer in the SOC sphere of cybersecurity.
Even if the changes to come are challenging, one thing remains for sure: cybersecurity will remain based on the expertise of humans, some of them SOC analysts, and this is not about to change.
We talked earlier about the role of solution providers, and it is also their responsibility to make sure that tools and technologies benefit everyone and not just a few. It is on them to keep things transparent, ethical, accountable and fair!
In conclusion, which skills should SOC analysts focus on and be evaluated for?
Knowledge remains fundamental in succeeding in cybersecurity: understanding the threats, the technologies to protect, the tools to secure IT, and the theoretical approaches on which cybersecurity is built is paramount and should be a priority skill for any cybersecurity professional.
Coming to SOC analysts, some skills should be sought as a priority.
Automation (or at least no-code automation)
A major source of frustration for SOC analysts is manual work, from triage to reporting. Nonetheless, SOC analysts are the only ones who can properly tackle this issue and develop automation that lightens their burden in an efficient manner.
This implies that they should know how to use automation and API configuration to develop relevant playbooks.
While technologies can help this change, SOC analysts should have the skill to head such projects.
Tool configuration
Being able to harness the potential of cybersecurity tools through proper configuration and interconnection is an essential skill for a SOC analyst.
Merely deploying an off-the-shelf cybersecurity tool will not bring the desired level of security, as it will not be adapted to the organization’s environment and the threats it faces.
It means that SOC analysts should be able to undertake this configuration… and choose cybersecurity tools that allow for such configuration.
Reporting
Reporting remains one of the main tasks of SOC analysts. Being able to build reports that are relevant to different types of stakeholders, from the operational level of another cybersecurity team, be it the CERT or the infrastructure team, to the C-level in case of a breach or an attack, is an additional value that SOC analysts should bring.
Soft skills: curiosity and adaptability
Rapid changes in the cybersecurity field as well as in the digital world have upended many roles of the SOC analyst. This will not stop!
A SOC analyst must show a high sense of adaptability: being able to master new tools rapidly, to propose new methods, to integrate new roles.
And once again, it is the role of solution providers to offer tools that facilitate their work and enable them to meet these new challenges.
Pro tip
How to develop soft skills, network and knowledge?
- Join a community
- Join a CERT
- Share knowledge with peers