No more tiers

These days, I see more SOCs moving in a direction where tiers within the SOC have a less prominent role or are disappearing altogether. Tiers were introduced to split the workload based on skill level and have alarms handled at the appropriate level. But is a tiered SOC still a good match for modern security operations? Deloitte and Google Chronicle have written a report on a SOC based on skills rather than tiers. In this article, I explore the 3 major components of moving away from traditional tiers into a tier-less role architecture for SOCs.

The traditional tiering system has its limitations, especially if you are a tier-1 analyst. In too many cases, the job mostly consists of dealing with false-positives and repetitive tasks. The most interesting work is dealt with at tier-2 and tier-3, which provides limited opportunities for growth in tier-1. Continued automation is also threatening the tier-1 job, although it’s unlikely to fully replace it soon (see additional reading).

The traditional 3-tiered analyst model can be depicted as follows:

[Figure: Traditional 3-tiered analyst model]

A security monitoring platform (typically a SIEM) collects events and generates a large number of alarms (including many false-positives) that require further analysis. It is the analyst's task to deal with that alarm flow by analysing, contextualising and identifying false-positives. If an alarm is deemed to be malicious, or if tier-1 runbooks are exhausted, the alarm or incident gets moved up the tiering chain to tier-2. More complex cases and bigger incidents are dealt with at the tier-3 level.

Moving from this traditional SOC structure to a tier-less (or at the very least reduced tiering) approach is built on 3 pillars:

1. Automation. Automation must be applied to reduce the number of manual activities conducted by analysts. Automation can be used to automate playbook activities, automate event contextualisation, automate remediation and standardise follow-up. A dedicated team of automation engineers can help to accelerate the automation initiative, supported by SOAR tooling. Opportunities for automation can be identified by SOC analysts and from metrics in the incident response process. For example, metrics can point out which steps in playbooks take the most time to complete and which types of alarms take the longest to resolve. Taking these metrics and determining their root causes can provide valuable insights for automation opportunities that can be put on the automation backlog.

2. Continuous tuning. False-positives are a well-known by-product of SIEM solutions. While EDR or XDR provides a higher level of alert accuracy, log-based monitoring through SIEM still plays a major part in completing the SOC visibility triad and providing full visibility in the network. Continuous tuning and enhancement of the detection analytics is required to reduce false-positives and increase coverage for detection of known attack techniques. A dedicated team of detection engineers is helpful in quickly gaining the upper hand against false-positives and improving both visibility and coverage against known attack techniques. Again, analysts and metrics play a vital role in determining opportunities for tuning. Metrics to consider are top-firing rules and closure codes for completed analysis.

3. Shift left. Automation and tuning alone will reduce the number of alarms coming from your technology. But that in itself is not sufficient to move to a role architecture without tiers. This requires a shift left strategy. The essence of the shift left strategy is to move activities down the chain to less senior functions. This requires a number of elements to be put into place, including job rotation, continuous training & exercises and active knowledge transfer as part of your knowledge management process.
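As an added example (not code from the article), the metrics named under pillars 1 and 2 computed in Python over a small constructed set of closed alarms: top-firing rules with their closure codes (tuning backlog), and the playbook steps and alarm types that take the longest to resolve (automation backlog). The field names, closure codes and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of closed alarms (hypothetical data, not from the article):
# the rule that fired, the analyst's closure code, minutes to resolution (ttr)
# and minutes spent on each playbook step.
ALARMS = [
    {"rule": "Brute force login", "closure": "false_positive", "ttr": 12,
     "steps": {"enrich_ip": 2, "check_user": 5, "close": 5}},
    {"rule": "Brute force login", "closure": "false_positive", "ttr": 15,
     "steps": {"enrich_ip": 3, "check_user": 7, "close": 5}},
    {"rule": "Brute force login", "closure": "true_positive", "ttr": 90,
     "steps": {"enrich_ip": 2, "check_user": 8, "contain": 60, "close": 20}},
    {"rule": "Suspicious PowerShell", "closure": "benign_admin", "ttr": 40,
     "steps": {"pull_process_tree": 25, "check_user": 10, "close": 5}},
    {"rule": "Suspicious PowerShell", "closure": "true_positive", "ttr": 120,
     "steps": {"pull_process_tree": 30, "check_user": 10, "contain": 70, "close": 10}},
    {"rule": "Malware detected", "closure": "true_positive", "ttr": 45,
     "steps": {"isolate_host": 30, "close": 15}},
]
# Closure codes meaning the alarm turned out not to be an incident.
NON_MALICIOUS = {"false_positive", "benign_admin"}

def rule_metrics(alarms):
    """Per rule: alarm count, non-malicious closure rate, mean ttr; top-firing first."""
    by_rule = defaultdict(list)
    for a in alarms:
        by_rule[a["rule"]].append(a)
    rows = [(rule, len(v), sum(a["closure"] in NON_MALICIOUS for a in v) / len(v),
             sum(a["ttr"] for a in v) / len(v)) for rule, v in by_rule.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def tuning_candidates(alarms, min_count=2, min_fp_rate=0.6):
    """Frequent rules that mostly close as non-malicious: the tuning backlog."""
    return [rule for rule, n, fp_rate, _ in rule_metrics(alarms)
            if n >= min_count and fp_rate >= min_fp_rate]

def slowest_playbook_steps(alarms):
    """Mean minutes per playbook step, slowest first: the automation backlog."""
    durations = defaultdict(list)
    for a in alarms:
        for step, minutes in a["steps"].items():
            durations[step].append(minutes)
    return sorted(((step, mean(v)) for step, v in durations.items()),
                  key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    print("tuning backlog:", tuning_candidates(ALARMS))
    print("slowest steps:", slowest_playbook_steps(ALARMS)[:3])
```

On this sample the brute-force rule fires most and closes as non-malicious two times out of three, so it lands on the tuning backlog, while the containment step dominates resolution time and is the first automation candidate.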

The figure below shows these pillars and corresponding roles in a modern role architecture.

[Figure: Tier-less SOC role architecture (initial state)]

In this figure, tier-1 has been reduced (and transformed into junior SOC analyst) but not completely removed. This can be considered an initial state. Over time, further automation and tuning, as well as skill and knowledge transfer from the shift left strategy, will further reduce the differences between the tiers. Ultimately, this will result in a tier-less SOC role architecture. Note that there can be many additional SOC roles (forensic analyst, CTI analyst, vulnerability analyst, threat hunter, etc.) that are not included in this figure, as the focus of this article is solely on the analyst dealing with alerts.

In a tier-less role architecture, there will still be junior, medior (mid-level) and senior analysts based on knowledge and skill levels. The major difference between this role architecture and a tiered architecture is that the split of responsibilities is much less formal. Instead, knowledge and skill exhaustion will be the reason for including more senior analysts, rather than exhaustion of predefined workbooks or task limitations. This will also provide analyst empowerment, and encourage junior analysts to cooperate more closely with their more senior peers to quickly gain the knowledge and skills to handle such tasks themselves. This, in itself, will make the analyst job at any level more challenging and more fulfilling, making talent acquisition and retention easier in a scarce market. It will, however, require a redefinition of your SOC analyst profiles and role descriptions.

A final note: as with any architecture or design, this role architecture may not be a fit for all organisations. Organisational culture, service design, service agreements and whether you are an MSSP or an in-house SOC all play a role in deciding if this architecture is a good match. In any case, introducing detection engineering and automation engineering as roles or functions in the SOC is always beneficial to optimise SOC performance, even in a tiered SOC architecture.


Additional reading:

Risk of your job getting automated: https://lis2.epfl.ch/resiliencetorobots/#/profile and https://willrobotstakemyjob.com/information-security-analysts

Deloitte and Google on a skill-based SOC: Deloitte_and_Chronicle_Future_of_the_SOC-Skills_Before_Tiers.pdf

A section on tiering ("to tier or not to tier", p. 65) from MITRE's 11 Strategies of a World-Class Cybersecurity Operations Center: https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf

Several interesting resources on automation:

- The SOCCRATES project vision whitepaper for SOC automation and decision support: https://www.soccrates.eu/wp-content/uploads/2022/05/soccrates_vision_paper_downloadable.pdf

- The ASOP whitepaper for an open source modular automation platform: https://publications.tno.nl/publication/34637522/fC15nT/TNO-2020-public.pdf

- The Google whitepaper on 10X SOC: https://services.google.com/fh/files/misc/googlecloud_autonomicsecurityoperations_soc10x.pdf

Fabian Weber

Your vCISO & Auditor | ISO27001 | Cloud security | Compliance | We automate your security, you focus on your business | Head of Compliance @ PCG (formerly WHYSEC)

1 year

Oh, that is really interesting. We recently worked with an org that uses tiers and another layer, which are then mapped like a matrix.

Tue Jagtfelt

Cyber Security Advisor | Information and Cyber Security Governance

1 year

It is an interesting question, Rob van Os! Working with and within different sectors and organisations, I would think that the criteria for selecting a structure are changing. SOAR, TDR, integrated tools, outsourcing and integrations between IT, OT and IIoT/IoT (business side) change the game and involve a plethora of ownership and stakeholders. To this can be added that new regulatory requirements (globally) add urgency, formalia and quality requirements to reporting. I think you're right in the point that old-school 'best practice' needs to change. But to what is the question. But that experts like you are asking questions is the right start! :)

Mark Beerends

Executive Security Consultant

1 year

Great article, Rob! Based on 19 years' experience as head of (large) SOCs, I'm a big supporter of a tier-less SOC. The main concern is that we created the most boring job ever in a tiered SOC: tier-1 analyst. The vast majority of T1 will move on within 12 months, thereby losing knowledge (very low RoI). No need to avoid tiers, but mixing up T1-3 and other roles shares the pain of the boring job and is attractive for people to stay with the firm.

Hi Rob, nice mindshift. But what if you have a hybrid SOC, with the classical L1 outsourced to an MSSP and L2 and L3 in-house?

Dylan Owen, CISSP-ISSEP-ISSMP GNFA GCFA

CISO @Nightwing. Opinions are my own.

1 year

We've moved more into job-based roles. Threat analysts at different levels, hunters, etc... I don't think it really matters as long as there's some kind of defined escalation, hand-offs, etc... When should a junior analyst call in a more senior person? Is that definition any different than when a Tier 1 should bring in or escalate to a Tier 2? Is it really that different, or just moving the deck chairs around on the Titanic?
