Data Avalanche
The Backlash of Security Data Volume and Scope When It Outstrips the SOC’s Capacity
In our previous article “The Ramifications of SOC Analyst Scarcity,” Chris Calvert noted that a huge percentage of security alerts get funneled out of Security Operations Center (SOC) investigations partly due to a shortage of capable security analysts who can perform those investigations.
But what about the other side of this equation?
The volume and scope of security data is far outstripping a SOC’s capacity. The very technologies that were deployed to stop the numerous threats all generate their own signals.
The often-quoted “every SOC averages 40-60 vendor products installed” illustrates this factor. For good reasons, SOCs have a lot of tooling, but because these devices were built to send alerts when something looks fishy, they both help and hinder the SOC’s ability to meet its objectives.
And it isn’t just the volume that is the problem. With every new tool comes the expertise needed to understand its output and to keep it effective over time. With limited resources to become experts at all those tools, some inevitably fall by the wayside.
It’s no wonder that SOCs don’t want another alert.
This isn’t a new problem. SOCs have been fighting data overload since they were first built. In fact, the promise most associated with the now decades-old SIEM category, bequeathed to Security Analytics and now to machine learning products, is that technology will gather logs and data from security devices and contextual sources far and wide, correlate the results and provide answers from this avalanche of data. Unfortunately, the scale, the variety of alerts and, of course, the shortage of people who can do the data science, engineering and analysis make delivering on this promise out of reach for nearly every SOC.
We see the gap widening due to exponential data growth and the scarcity of skilled security professionals who could use the data effectively. The solution isn’t clear-cut, and we believe it demands that the industry rethink the current approach.
We’d love to hear what your own experience is here, invite you to play a part in this dialog and welcome your comments.
By Mike Armistead, CEO/Co-Founder, Respond Software
Our next post will address “Why Static Rules Based Systems Can’t Keep Up” so please stay tuned.
If you’d like to learn more about Respond Software, please visit our website and follow us on LinkedIn and Twitter.