Security Operating Center (SOC) staff members are often consumed with tedious manual tasks that lead to burnout and can cost organizations millions of dollars in losses due to human error. Thomas Kinsella, Co-Founder & Chief Operating Officer at Tines discusses at length the challenges faced by SOC team members and makes actionable recommendations on how to decrease burnouts, increase retention, and create a better work environment for the security analysts.
Time Stamps
01:26 -- So, before we get into the Voice of the SOC Analyst report details, Thomas, I'd like to give you this opportunity to provide some highlights of your professional journey.
03:54 -- What led to the study. What's the purpose of the study?
06:39 -- Would you like to add anything about the methodology for the study?
08:53 -- So would you say that it's mostly mid-market organizations that you all were able to tap into?
09:18 -- Let's go through each one of the findings. The first one says 71% of the analysts experience some level of burnout. This could be due to the fact that 69% are understaffed, and 60% have seen increased workloads over the past year. Was this surprising to y'all?
11:27 -- Referring to another finding which states that 64% say they are likely to switch jobs in the next year. So the turnover is going to be very high. What do you recommend organizations do to deal with this challenge?
14:05 -- Why hasn't this automation aspect been addressed yet?
19:39 -- When organizations make the decision of investing in an automation platform, what does it take to make the implementation a truly successful experience?
22:19 -- What do you think about job rotation and job enrichment? Is that done well enough to make make it a little more interesting for the staff?
24:52 -- So, talking about job rotation job enrichment. Yeah, I think this creates a great opportunity for an organization to get the security people outside their comfort zone, and expose them to other company operations. And also get people from the other business operations and bring them into the SOC center. Does that gel with you?
34:29 -- One of the first actionable takeaways from the SOC report is -- "improving time spent on reporting." What do you mean? Because I would think that you want to reduce the time that is spent, the manual hours that is spent in delivering different types of reports. Can you clarify?
36:49 -- Moving on to the second recommendation, which is: "making triage, enjoyable," how do you do that? And if you could clarify for the audience, what do you mean by triage?
41:36 -- So moving on to the third recommended takeaway or actionable item, which is -- "increasing retention by measuring and minimizing burnout." Can you expand on that?
47:53 -- Let's talk about the fourth actionable takeaway -- it's time for no-code automation. What does that mean?
50:49 --Do you have any final words for the listeners?
Memorable Thomas Kinsella Quotes
"It seems to me they (SOC team members) enjoy the work, they feel respected, but that you're just spending their time shifting from screen to screen investigating alerts that are not high enough fidelity."
"People (SOC team members) don't mind working hard if they feel like they're adding a ton of value and feeling like they're productive."
"Purchasing a tool is often equivalent to purchasing weights, or purchasing an exercise bike, they actually just look good in the corner unless you're prepared to use them."
"If you generate some challenges, and get people thinking creatively, and get people digging deeper, they remember the parts about security they really love."
"Shame is the exact opposite of what we should be doing in security, we have to be encouraging people to report and knowing that people are gonna make mistakes. That's why we have defense in depth."
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Cybersecurity Readiness:A Holistic and High-Performance
Cybersecurity Readiness:Approach. He has been studying cybersecurity for over a decade,
Cybersecurity Readiness:authored and edited scholarly papers, delivered talks,
Cybersecurity Readiness:conducted webinars, consulted with companies, and served on a
Cybersecurity Readiness:cybersecurity SWAT team with Chief Information Security
Cybersecurity Readiness:officers. Dr. Chatterjee is an Associate Professor of
Cybersecurity Readiness:Management Information Systems at the Terry College of
Cybersecurity Readiness:Business, the University of Georgia, and Visiting Professor
Cybersecurity Readiness:at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Our discussion today will revolve around
Dr. Dave Chatterjee:tackling burnout in cybersecurity, especially among
Dr. Dave Chatterjee:Security Operations Center (SOC) staff members. Thomas Kinsella,
Dr. Dave Chatterjee:Co-founder and Chief Operating Officer at Tines will share
Dr. Dave Chatterjee:thoughts and perspectives based on his experience, and also from
Dr. Dave Chatterjee:the findings of a very interesting research study
Dr. Dave Chatterjee:titled, Voice of the SOC Analyst. Welcome, Thomas.
Thomas Kinsella:Thank you very much. It's great to be on.
Dr. Dave Chatterjee:So, before we get into the Voice of the SOC
Dr. Dave Chatterjee:Analyst report details, Thomas, I'd like to give you this
Dr. Dave Chatterjee:opportunity to provide some highlights of your professional
Dr. Dave Chatterjee:journey.
Thomas Kinsella:Sure. So I think I'm a security engineer
Thomas Kinsella:through and through, I spent a little time working in
Thomas Kinsella:professional services. But then I joined eBay, PayPal, and was
Thomas Kinsella:on the technical investigations team there. So investigating
Thomas Kinsella:large scale criminal organizations, taking over huge
Thomas Kinsella:amount of accounts or committing large scale fraud on the site,
Thomas Kinsella:as well as investigating large scale intrusions for attribution
Thomas Kinsella:and prosecution. From there, I had the opportunity to join
Thomas Kinsella:DocuSign when it was relatively young, so myself and I own my
Thomas Kinsella:partner in Tines, our CEO, we joined the security operations
Thomas Kinsella:team when it was just the two of us. And we grew that team to by
Thomas Kinsella:30 people, while we went from like a Series C Company to
Thomas Kinsella:public and we were responsible for everything from incident
Thomas Kinsella:response, threat intelligence, eDiscovery, security
Thomas Kinsella:infrastructure, fraud, most things in security that weren't
Thomas Kinsella:compliance were reporting up to us. And it was really there that
Thomas Kinsella:we just felt like the same challenges that I think a lot of
Thomas Kinsella:security teams feel. So just overwhelmed. felt that the job
Thomas Kinsella:was really hard, and that there had to be a better way. I guess
Thomas Kinsella:that's where Tines came in. I'm sure we'll talk about Tines a
Thomas Kinsella:little bit later. I don't want to shell too much too much on
Thomas Kinsella:the show. I know it's not it's frowned upon a little bit. But
Thomas Kinsella:we started Tines, basically, because we believe there could
Thomas Kinsella:be a better automation platform. So it's now for a little over
Thomas Kinsella:four years old, we've got 120 people or so lots of really
Thomas Kinsella:happy customers. And yeah, it's just a super lightweight
Thomas Kinsella:automation platform and I run the customer success team. So
Thomas Kinsella:pre and post sales, engineering, we basically yeah, we're we have
Thomas Kinsella:a lot of customers that are automating loads of repetitive
Thomas Kinsella:manual security workflows.
Dr. Dave Chatterjee:Thank you Thomas. That really helps. So
Dr. Dave Chatterjee:you are the subject matter expert when it comes to SOC
Dr. Dave Chatterjee:operations. That's wonderful.
Thomas Kinsella:I won't say the, but I've certainly got a
Thomas Kinsella:little bit of experience, experience in that area, and
Thomas Kinsella:also like my day and my team's day, is talking to the best
Thomas Kinsella:security operations teams out there. I'm learning what they're
Thomas Kinsella:doing, learning how they're approaching the challenge. So
Thomas Kinsella:we've got a lot of perspectives, both from this report, but also
Thomas Kinsella:from a lot of a lot of customers and prospects and peers, I
Thomas Kinsella:suppose.
Dr. Dave Chatterjee:Sounds good. Yeah, we're all learning.
Dr. Dave Chatterjee:There is no such thing as definite expertise. It's
Thomas Kinsella:always evolving, same security. Yep,
Dr. Dave Chatterjee:I totally agree. So to set the context for
Dr. Dave Chatterjee:our discussion today, I'd like to share a couple of excerpts
Dr. Dave Chatterjee:from the study that we'll be talking about; one of which
Dr. Dave Chatterjee:says, in my 15 years of being a security practitioner, working
Dr. Dave Chatterjee:on incident response, and leading security teams, I
Dr. Dave Chatterjee:witnessed over and over again, that in the SOC, by the way, SOC
Dr. Dave Chatterjee:stands for security operations center, there's too much work
Dr. Dave Chatterjee:and not enough staff. More specifically, I saw overload
Dr. Dave Chatterjee:analysts so consumed with tedious, repetitive tasks that
Dr. Dave Chatterjee:it led not only to burn out, but to human error that could cost a
Dr. Dave Chatterjee:company millions. And this is really concerning, because you
Dr. Dave Chatterjee:can never overemphasize the importance of the work the SOC
Dr. Dave Chatterjee:team does. So to have the best and the brightest, fully
Dr. Dave Chatterjee:engaged, fully energized, is so critical. So it's not surprising
Dr. Dave Chatterjee:that the study would be conducted. But I'd like to,
Dr. Dave Chatterjee:again, ask you to share with the listeners what led to the study.
Dr. Dave Chatterjee:What's the purpose of the study? Yeah. So
Thomas Kinsella:I think we were working in security operations
Thomas Kinsella:teams, we were monitoring SOX, we talked to a lot of peers on
Thomas Kinsella:how they were doing. And we Yeah, that's what led us to
Thomas Kinsella:start Tines, Tines is four years old. And I think we were out of
Thomas Kinsella:the game a little bit. We were doing a lot of we were having a
Thomas Kinsella:lot of conversations with people saying, like, Hey, here's the
Thomas Kinsella:reason we started the company. But we want to know, was that
Thomas Kinsella:still the case? We wanted to know, like, had the life of a
Thomas Kinsella:security analyst improved? Were there better tools? Were there
Thomas Kinsella:better processes? Or was it still the case that they were
Thomas Kinsella:being overwhelmed with alerts, and that they were dealing with
Thomas Kinsella:too many repetitive manual tasks? And we didn't really have
Thomas Kinsella:the answer. And rather than go out and just claim it, we said,
Thomas Kinsella:actually, this would be really interesting. And also, we wanted
Thomas Kinsella:to find out Yeah, a little bit more like, hey, what how do
Thomas Kinsella:these people that are on the frontline actually feel? It's
Thomas Kinsella:not good enough to say like, Hey, the managers think that
Thomas Kinsella:they're overwhelmed. It's like, what do they feel? And how do
Thomas Kinsella:they do they enjoy the work? are they passionate about it? What
Thomas Kinsella:are their biggest frustrations? What are the things that they
Thomas Kinsella:loved the most? What would they do if they had more time? So we
Thomas Kinsella:went away, and we came up with a list of questions that we
Thomas Kinsella:thought would be super interesting to find out. And
Thomas Kinsella:yeah, we conducted the study, but really was the aim of it was
Thomas Kinsella:to see whether or not our like, our initial thoughts still held
Thomas Kinsella:true, and gathered some really interesting information that
Thomas Kinsella:could be useful for not just SOC teams, but also like CISOs, who
Thomas Kinsella:are making decisions and information security
Thomas Kinsella:professionals and managers around around the world.
Dr. Dave Chatterjee:Sounds great. Sounds great. So so as
Dr. Dave Chatterjee:far as the methodology and participant demographics go, let
Dr. Dave Chatterjee:me share with the listeners a couple of highlights here. 468,
Dr. Dave Chatterjee:full-time security analysts were surveyed, they worked at
Dr. Dave Chatterjee:companies with 500 or more employees. The survey was
Dr. Dave Chatterjee:conducted online via poll fish using organic sampling. And 45%
Dr. Dave Chatterjee:of the surveyed security analysts work in the technology
Dr. Dave Chatterjee:sector. In addition, manufacturing, healthcare,
Dr. Dave Chatterjee:finance, education, utilities, insurance, services, state and
Dr. Dave Chatterjee:local government, retail and federal, were the other industry
Dr. Dave Chatterjee:sectors represented in the sample. So the survey really is
Dr. Dave Chatterjee:representatives of what's going on in a wide range of
Dr. Dave Chatterjee:industries. So that's really a major strength of this
Dr. Dave Chatterjee:particular survey. Yeah. Before you get to the findings, Thomas,
Dr. Dave Chatterjee:would you like to add anything to this, methodology?
Thomas Kinsella:Yeah, maybe just maybe one or two things.
Thomas Kinsella:The first is that we only survey people in the United States. So
Thomas Kinsella:we didn't survey for example, people who were working on a lot
Thomas Kinsella:of organizations have like eight sourced security operation
Thomas Kinsella:centers in India, for example, or in the Philippines, we didn't
Thomas Kinsella:study those, we felt they're a little bit different. And a
Thomas Kinsella:little bit out of the scope of what we were what we were
Thomas Kinsella:looking at. And the second thing was just in terms of the number
Thomas Kinsella:of employees, we tried to split it up roughly as best as we saw
Thomas Kinsella:the the market. So I think it's 50% or so are in that mid market
Thomas Kinsella:500 to 1000 person company, I think 30% or so are in the one
Thomas Kinsella:to 5000, and then 20% are above 5000, a lot more enterprise
Thomas Kinsella:category. So it's pretty broad, but it is a little bit skewed
Thomas Kinsella:path, skewed may not be the word, but there's certainly a
Thomas Kinsella:lot of ways in not, you know, 500 to 1000 person or some
Thomas Kinsella:company just for reference. Now we have the data, we've broken
Thomas Kinsella:it down, we've pivoted on on a bunch of different ways.
Thomas Kinsella:Honestly, it's very consistent throughout, as you'd expect. But
Thomas Kinsella:even still, it's just worth noting,
Dr. Dave Chatterjee:Thanks for sharing that. So So would you
Dr. Dave Chatterjee:say that it's mostly mid-market organizations that you all were
Dr. Dave Chatterjee:able to tap into?
Thomas Kinsella:Well, 20% or enterprise? obovata? Oh, 5000.
Thomas Kinsella:So there's certainly there's certainly a lot there. Um, as I
Thomas Kinsella:said, the the findings were very consistent, but yet that I think
Thomas Kinsella:that it's fair to say I'd like between, like if 80% are between
Thomas Kinsella:500 and 5000, that makes it, makes it mostly that mid-market
Thomas Kinsella:section.
Dr. Dave Chatterjee:Okay, fantastic. So now getting to the
Dr. Dave Chatterjee:key findings. Let's go through each one of these. The first one
Dr. Dave Chatterjee:says 71% of the analysts experience some level of
Dr. Dave Chatterjee:burnout. This could be due to the fact that 69% are
Dr. Dave Chatterjee:understaffed, and 60% have seen increased workloads over the
Dr. Dave Chatterjee:past year. Was this surprising to y'all?
Thomas Kinsella:Not particularly surprising to me,
Thomas Kinsella:but I think there were some adjacent findings to it that
Thomas Kinsella:were a little bit surprising. So I think the SOC staff felt
Thomas Kinsella:burned out is like if you go to a conference or you talk to
Thomas Kinsella:people, like online or if you interview people for jobs,
Thomas Kinsella:they'll say, Yeah, I'm just overwhelmed or not, not
Thomas Kinsella:everybody, but most so that that finding wasn't that wasn't too
Thomas Kinsella:surprising. But there were definitely like the fact that
Thomas Kinsella:69% say they're understaffed. Again, that's not too
Thomas Kinsella:surprising, 60% seeing increased workloads over the last year was
Thomas Kinsella:a little surprising, you would think that things were getting a
Thomas Kinsella:little bit better. But there were some I suppose, adjacent
Thomas Kinsella:findings, just arraign that in relation to them, burning out.
Thomas Kinsella:So there were some interesting things like 69% of them said
Thomas Kinsella:they were satisfied with their job. And 68% said they were very
Thomas Kinsella:engaged. And another same 69% said, they felt respected by
Thomas Kinsella:their peers outside the SOC. What you normally get with, not
Thomas Kinsella:always what what burnout, it's kind of a combination of a
Thomas Kinsella:combination of factors, there's, you can deal, you can deal with
Thomas Kinsella:things and you just want to you want to quit, you feel like it's
Thomas Kinsella:not worth it. But in this, it kind of suggests that there's
Thomas Kinsella:actually a certain element of, they really do want to do a good
Thomas Kinsella:job, that it's not just like they want to, they want to quit,
Thomas Kinsella:they want to give up that forget about it. It's that they
Thomas Kinsella:actually they even to some extent, really enjoy doing their
Thomas Kinsella:job, they feel respected, they get a lot of worth out of doing
Thomas Kinsella:it. So that was really the fact that that those two kind of
Thomas Kinsella:clash is really it's just a really interesting, it's really
Thomas Kinsella:interesting tension between the between the points, but no,
Thomas Kinsella:initially definitely, like that confirmed our suspicions the
Thomas Kinsella:fact that 70% or so felt burnt out is not it was not really it
Thomas Kinsella:was not very surprising.
Dr. Dave Chatterjee:Yeh, just to build on what you said about
Dr. Dave Chatterjee:that interesting tension that security analysts are by nature
Dr. Dave Chatterjee:excited, energized, passionate, yet, they are feeling burnt out.
Dr. Dave Chatterjee:And again, referring to another finding which states that 64%
Dr. Dave Chatterjee:say they are likely to switch jobs in the next year. So the
Dr. Dave Chatterjee:turnover is, is going to be very high. So what do you recommend
Dr. Dave Chatterjee:organizations do to deal with this challenge?
Thomas Kinsella:Well, I think that just to highlight, to
Thomas Kinsella:thread on something there, 64% say they intend to leave their
Thomas Kinsella:jobs. That's not to say that they will actually leave their
Thomas Kinsella:jobs, I think they definitely intend to. But yeah, even with
Thomas Kinsella:the best intentions, you may a) may not find a job or b) maybe
Thomas Kinsella:things will get better or c) it's hard to find the time and
Thomas Kinsella:d) this was also taken earlier this year, and the economy's
Thomas Kinsella:shifted a little bit, so I don't know how risk-averse or
Thomas Kinsella:risk-prone people will be. But certainly a lot of people said
Thomas Kinsella:they intend to do that. In terms of I suppose looking at
Thomas Kinsella:recommendations, I think I think you have to drill into the data
Thomas Kinsella:a little bit more to kind of understand some of the pain
Thomas Kinsella:points that people are people are seeing. So when we asked,
Thomas Kinsella:like, I can't say, Hey, here's a recommendation without trying to
Thomas Kinsella:try to say like, actually, what are what are the challenges? And
Thomas Kinsella:when we asked people what some of their most frustrating
Thomas Kinsella:aspects of work, this was the like, this is a multiple choice
Thomas Kinsella:question. But over 50% of people said spending time on manual
Thomas Kinsella:work was one of the most frustrating aspects of their
Thomas Kinsella:work. The second highest a 37% was the high false positive
Thomas Kinsella:rates. And the third highest was 35%, too many different consoles
Thomas Kinsella:and tools to investigate incidents. So it really is that
Thomas Kinsella:it seems to me they enjoy the work, they feel respected, but
Thomas Kinsella:that you're just spending your time shifting from screen to
Thomas Kinsella:screen investigating alerts that are not high enough fidelity.
Thomas Kinsella:And as a result, you're you're switching context, you're you
Thomas Kinsella:don't like that it's you're not feeling productive. So even
Thomas Kinsella:though like people don't mind, my experience, people don't mind
Thomas Kinsella:working hard if they feel like they're adding a ton of value
Thomas Kinsella:and feeling like they're productive. In this case, people
Thomas Kinsella:can see the importance of the work. But I think it's just like
Thomas Kinsella:automatable, manual, boring, trivial. And I can see why that
Thomas Kinsella:really leads to burnout and leads to leads to you wanting to
Thomas Kinsella:move to an organization that's better that has better tools or
Thomas Kinsella:that has better processes. So I think there's a lot of things
Thomas Kinsella:that we can do. But those are certainly the highlights that I
Thomas Kinsella:would say that we can if we want to if if we want to fix things,
Thomas Kinsella:there are some of the challenges that we can we can address.
Dr. Dave Chatterjee:Thanks for sharing. So as you were
Dr. Dave Chatterjee:describing the challenges one thought comes to mind is why
Dr. Dave Chatterjee:hasn't this automation aspect been addressed yet? Because as
Dr. Dave Chatterjee:we know that from time to time, intelligence is either not
Dr. Dave Chatterjee:detected, or intelligence is not acted upon. So lots of misses
Dr. Dave Chatterjee:happen. And it takes one mistake that could lead to a huge
Dr. Dave Chatterjee:breach. So the the work of the security operations center, I
Dr. Dave Chatterjee:would think is mission critical. So, why isn't priority given to
Dr. Dave Chatterjee:review the workflow, make assessments and bring about
Dr. Dave Chatterjee:process improvements, which includes automation. I'm just
Dr. Dave Chatterjee:trying to understand, what's the rationale behind not doing
Dr. Dave Chatterjee:something about it yet.
Thomas Kinsella:I think some I think a lot of first of all, a
Thomas Kinsella:lot of organizations have a lot of organizations have embraced
Thomas Kinsella:automation clearly, like, in my opinion, not enough. But also
Thomas Kinsella:sometimes it's really hard to find the like, if you're
Thomas Kinsella:overwhelmed with alerts, it can kind of be hard to find the time
Thomas Kinsella:to put your head above the parapet to actually start taking
Thomas Kinsella:out taking action. So if you don't have time to, to audit,
Thomas Kinsella:like if you're the analogy that we we normally normally give,
Thomas Kinsella:and I'm not I'm not a huge sports person, I'm also from
Thomas Kinsella:Ireland. So I'll probably butcher this analogy. But if you
Thomas Kinsella:imagine in American football, if your team are on the field
Thomas Kinsella:playing defense all the time, the answer is do you need a
Thomas Kinsella:better defense or actually probably need a better offense.
Thomas Kinsella:And I think that the challenge is that they probably need to
Thomas Kinsella:hire some people and train them up to be, hey, here's how we
Thomas Kinsella:automate or use a super lightweight tool like Tines and
Thomas Kinsella:allow people the time. But if you're spending all your time
Thomas Kinsella:responding to alerts, it's really hard to it's really hard
Thomas Kinsella:to find that time. The second part and this is kind of ironic,
Thomas Kinsella:but the better you get at detecting, the more you have to
Thomas Kinsella:respond to. So if you purchase a new tool, all of a sudden, it's
Thomas Kinsella:like, brilliant, we've got better, I've got better
Thomas Kinsella:visibility into our environment, to a certain extent, you can
Thomas Kinsella:tune your alerts better, absolutely. But if you purchase
Thomas Kinsella:a new EDR tool, it's not as a pure alerts, you're gonna go
Thomas Kinsella:down. Sorry, EDR is Enterprise Detection Response tool. So
Thomas Kinsella:sorry, Endpoint Detection Response tool. So a tool like
Thomas Kinsella:CrowdStrike, or Carbon Black or SentinelOne or something like
Thomas Kinsella:that. If you purchase a tool like that, you all of a sudden,
Thomas Kinsella:just by definition, have to respond to alerts, and then you
Thomas Kinsella:have to tune in them. So it takes a long time to, I suppose
Thomas Kinsella:get to a stage that you're ready to, you're not that you're ready
Thomas Kinsella:to automate, you can always be ready to automate. But it can
Thomas Kinsella:can actually take a lot of work. The analogy that I sometimes
Thomas Kinsella:give for that is that purchasing a tool is often equivalent to
Thomas Kinsella:purchasing weights, or purchasing an exercise bike,
Thomas Kinsella:they're actually they're good, but they actually just look good
Thomas Kinsella:in the corner unless you're prepared to use them. So you
Thomas Kinsella:have to put in the work to use them to tune them to get the
Thomas Kinsella:value out of them. And I think that's the case with with
Thomas Kinsella:automation and with a lot of other products as well, that
Thomas Kinsella:people find it too difficult. And that's kind of why we
Thomas Kinsella:created Tines, again, don't want to don't wanna shill. But yeah,
Thomas Kinsella:we tried to make it super lightweight automation platform
Thomas Kinsella:so that those analysts that are on the front line that don't
Thomas Kinsella:have that engineering experience, or that don't know
Thomas Kinsella:how to code that they can automate the workflow. So they
Thomas Kinsella:know code, they know how to investigate a suspicious IP
Thomas Kinsella:address, they know how to investigate a suspicious file.
Thomas Kinsella:That's what they're doing all day, every day. So we give them
Thomas Kinsella:the tools to investigate that and automate that themselves. So
Thomas Kinsella:that they don't have to call in and other teams do.
Dr. Dave Chatterjee:Yeah, absolutely. So we're basically
Dr. Dave Chatterjee:talking about a thoughtful automation and not mindless
Dr. Dave Chatterjee:automation, which is, which happens a lot, I can refer to
Dr. Dave Chatterjee:say the whole ERP system phenomenon, enterprise resource
Dr. Dave Chatterjee:planning systems where companies invest in an ERP, but they're
Dr. Dave Chatterjee:not ready to fully leverage all the functionalities for a
Dr. Dave Chatterjee:variety of reasons -- procedural, people-related,
Dr. Dave Chatterjee:structural, cultural. So whenever you're trying to
Dr. Dave Chatterjee:implement a new technology, a new solution, the organization
Dr. Dave Chatterjee:should be prepared, there should be a certain level of readiness.
Dr. Dave Chatterjee:And I'm sure that applies to this particular automation that
Dr. Dave Chatterjee:that you're talking about.
Thomas Kinsella:You it's really hard to automate a process if
Thomas Kinsella:you don't have a process is the is the answer.
Dr. Dave Chatterjee:And often times, you want to better the
Dr. Dave Chatterjee:process before you apply technology to it right. You
Dr. Dave Chatterjee:don't want to automate an inefficient process.
Thomas Kinsella:like that manual work, day in day out.
Thomas Kinsella:They do know how to like process a phishing email, they know,
Thomas Kinsella:okay, we analyze the headers in this particular tool, we check
Thomas Kinsella:out the URLs in this particular tool, we upload the files to
Thomas Kinsella:this sandbox, we add all the results to our case management
Thomas Kinsella:system. And then an hour later, we reply to the end user saying
Thomas Kinsella:thank you for reporting this mail. It was malicious. That's a
Thomas Kinsella:process. And even though in your head, that's only three or four
Thomas Kinsella:steps, it's probably 50 or 60 steps, because you take
Thomas Kinsella:different steps, if they're the CEO of the organization; you
Thomas Kinsella:take different steps if it looks like it's benign, immediately,
Thomas Kinsella:you take maybe it's failed decam or something and you take
Thomas Kinsella:another step. So there's there's a lot of different steps, but
Thomas Kinsella:the analyst usually knows that. So it's about enabling, enabling
Thomas Kinsella:that person who knows that process to automate that
Thomas Kinsella:automate that task. Okay.
Dr. Dave Chatterjee:And so when organizations, let's say they
Dr. Dave Chatterjee:make the decision of investing in an automation platform, yeah.
Dr. Dave Chatterjee:What else goes with it? Yeah, make that a truly successful
Dr. Dave Chatterjee:experience.
Thomas Kinsella:I think there's, there's, there's a lot
Thomas Kinsella:of different things. Obviously, you have to assign people to do
Thomas Kinsella:some work on it. But there's also important things that you
Thomas Kinsella:should be thinking about when you're enabling your team just
Thomas Kinsella:in general, right? So one thing that you should always be
Thomas Kinsella:considering is, this isn't something you'll do with your
Thomas Kinsella:automation platform. But it's tracking the tracking the alerts
Thomas Kinsella:by the user, just like by the, you should be tracking the MTTR
Thomas Kinsella:mean time to respond, you should be tracking mean time to detect,
Thomas Kinsella:but also like, who's responding and who's building these. So
Thomas Kinsella:that who's building is important, because what you're
Thomas Kinsella:identifying is, hey, do we have a single point of failure here
Thomas Kinsella:who's absolutely critical, maybe she's a rockstar, and she's
Thomas Kinsella:built 10 workflows, you probably a) need to keep that person b)
Thomas Kinsella:you need to train somebody else up who knows your workflows,
Thomas Kinsella:because she leaves she's kind of take the team with her. And the
Thomas Kinsella:second part is the tracking who's responding to those
Thomas Kinsella:alerts, even if they're enriched, and there's automated,
Thomas Kinsella:there's still some response. Because it can all you can still
Thomas Kinsella:have people that are left behind that are doing that manual,
Thomas Kinsella:boring work. And what you want to do is you want to make that
Thomas Kinsella:triage fun again, you want to get people automating the
Thomas Kinsella:boring, but also keeping the really exciting parts of
Thomas Kinsella:security. Security is an incredibly exciting area. It's
Thomas Kinsella:growing really fast. There's a never ending number of threats.
Thomas Kinsella:That's why a lot of us got into it, that you have an opportunity
Thomas Kinsella:to grow your career and learn very, very fast. But you don't.
Thomas Kinsella:You're Yeah, analyzing adware all the time. And you don't come
Thomas Kinsella:across a new breed of malware. Or you see people on Twitter
Thomas Kinsella:talking about, oh, look, there's this macro enabled malware
Thomas Kinsella:that's hitting em, I'm not sure was it MTD dot exe or whatever,
Thomas Kinsella:then you add the new the new ballgame in Microsoft was or
Thomas Kinsella:bypass and Microsoft in Windows was, if you can't investigate
Thomas Kinsella:that, it's pretty frustrating. So you want to make it so that
Thomas Kinsella:you can they these people can have some fun. The next thing
Thomas Kinsella:that you want to you want to be investigating just in general is
Thomas Kinsella:how much time people are taking off. So are they actually
Thomas Kinsella:overwhelmed? Are they spending enough time here? Are they
Thomas Kinsella:spending enough time like taking holidays? Or are they working
Thomas Kinsella:all the time? Are they working overtime? How many times have
Thomas Kinsella:they been paged? How many times? How much time are they spending
Thomas Kinsella:on call, because that's another measure of how quickly people
Thomas Kinsella:will leave the organization or how happy they are in the
Thomas Kinsella:organization. If they're on call all the time. They're getting
Thomas Kinsella:paged all the time, you're not doing it, you're not doing it
Thomas Kinsella:right. And in many ways you have to you have to shift left and
Thomas Kinsella:reduce the risks in your in your organization. There's a whole
Thomas Kinsella:lot of other things, but there's some of the things that I can
Thomas Kinsella:I'd recommend.
Dr. Dave Chatterjee:Sure. Now, what do you think about job
Dr. Dave Chatterjee:rotation and job enrichment? In the context of, is that done
Dr. Dave Chatterjee:well? is that done well enough to make make it a little more
Dr. Dave Chatterjee:interesting for the staff?
Thomas Kinsella:definitely can be definitely can be done. And
Thomas Kinsella:especially a lot of people who are younger in their careers
Thomas Kinsella:actually valued that to a certain extent over they know,
Thomas Kinsella:and rightly so they view their careers as like, I'll be working
Thomas Kinsella:here for Barbie working for 40 years, I want to try out a few
Thomas Kinsella:different things, rather than choosing my career, I'd like
Thomas Kinsella:sticking with it for the rest of the rest of my life. So a lot of
Thomas Kinsella:people will really value that. So if you get the opportunity,
Thomas Kinsella:or if you offer people the opportunity to grow, that could
Thomas Kinsella:be like go deeper into malware analysis. But if you give them
Thomas Kinsella:the opportunity to work in compliance, or work on the Red
Thomas Kinsella:team, or do a shift in IT, and vice versa, you're also you're
Thomas Kinsella:you're you're retaining your staff, and you're keeping them
Thomas Kinsella:at you're keeping them happier. The next thing is that that's
Thomas Kinsella:actually really important for diversity. So a lot of people, a
Thomas Kinsella:lot of organizations, they they'll the people that they
Thomas Kinsella:hire are that are experienced, they'll be coming from like,
Thomas Kinsella:they'll be privileged white men basically. And if you enable a
Thomas Kinsella:job rotation, you're able to enable internships, you're able
Thomas Kinsella:to get people with a different background in who you may not
Thomas Kinsella:have traditionally thought had the skill set to perform SOC
Thomas Kinsella:duties or to work on a security operations team. If you allow,
Thomas Kinsella:if you like, job rotation, not only are you getting people from
Thomas Kinsella:different backgrounds, you're getting people from different
Thomas Kinsella:skill sets, and you're expanding the pool of candidates that you
Thomas Kinsella:want. That's so important. Like right now, this isn't anything
Thomas Kinsella:to do with the report, but it's not a it's not something we
Thomas Kinsella:found in the report. But there's something like 1.8 people for
Thomas Kinsella:every single job that's needed in security in the United
Thomas Kinsella:States, there's 600,000 vacancies, we're not going to
Thomas Kinsella:fill that by just by by continuing with the same, ah
Thomas Kinsella:well we'll hire out of the cybersecurity programs in these
Thomas Kinsella:20 universities. The way we're going to fill it is by having a
Thomas Kinsella:lot of people from a whole diverse, diverse range of
Thomas Kinsella:backgrounds, get interested in cybersecurity and be exposed to
Thomas Kinsella:cybersecurity. So the best teams are doing that and they'll
Thomas Kinsella:they'll find like a lot of diamonds in there they'll find a
Thomas Kinsella:lot of real gems that like are super super smart in information
Thomas Kinsella:security and can add a whole load, and aren't more
Thomas Kinsella:importantly just coming from that same mode of thinking, they
Thomas Kinsella:will question things, they will question processes. Yeah, that's
Thomas Kinsella:definitely effective.
Dr. Dave Chatterjee:Fantastic. So there is another thought
Dr. Dave Chatterjee:here. So, talking about job rotation job enrichment. Yeah, I
Dr. Dave Chatterjee:think this creates a great opportunity for an organization
Dr. Dave Chatterjee:to get the security people outside their comfort zone, and
Dr. Dave Chatterjee:expose them to other company operations. And also get people
Dr. Dave Chatterjee:from the other business operations and bring them into
Dr. Dave Chatterjee:the SOC center. So they have a sense of what the analysts do,
Dr. Dave Chatterjee:and what goes on, because by engaging in this kind of an
Dr. Dave Chatterjee:exercise, which I would like to call it a little out-of-the box
Dr. Dave Chatterjee:exercise, and which might seem going against the grain of
Dr. Dave Chatterjee:focusing on expertise, but what it does, it sensitizes, the
Dr. Dave Chatterjee:entire organization, to the importance of the work the
Dr. Dave Chatterjee:analysts do, the security analysts do, and also to the
Dr. Dave Chatterjee:challenges. So this way, the knowledge is spreading, it is
Dr. Dave Chatterjee:getting to the ears of the top management and other decision
Dr. Dave Chatterjee:makers. And at the same time, it's also enhancing the level of
Dr. Dave Chatterjee:awareness and skill sets of the folks who didn't intend on
Dr. Dave Chatterjee:having a career in security analytics. So by taking this
Dr. Dave Chatterjee:approach, you're broadening the pool, you might be able to
Dr. Dave Chatterjee:attract talent from within the organization, like you said,
Dr. Dave Chatterjee:there is a scarcity of talent in general. So maybe you can tap
Dr. Dave Chatterjee:into some some talent within the organization. And that kind of
Dr. Dave Chatterjee:talent is useful because they understand the business. And
Dr. Dave Chatterjee:they also understand the security. The second point I
Dr. Dave Chatterjee:wanted to make it goes back to my experience in corporate. When
Dr. Dave Chatterjee:I started my career, and I was in audit and I was in systems
Dr. Dave Chatterjee:audit, I often wondered that I do this work, who really cares?
Dr. Dave Chatterjee:Who does it impact, because you are again, focused in a small
Dr. Dave Chatterjee:area, and you are not seeing the big picture. And that creates
Dr. Dave Chatterjee:disillusionment. And I wouldn't be surprised if that happens in
Dr. Dave Chatterjee:this particular context, as well. So to be able to offer the
Dr. Dave Chatterjee:security operating center team, the staff members, that be
Dr. Dave Chatterjee:exposed them to show them that how their work is valued, how it
Dr. Dave Chatterjee:relates to the top line and the bottom line. That reinforcement
Dr. Dave Chatterjee:that awareness, again, is very helpful. It makes you feel that
Dr. Dave Chatterjee:yes, I am in security which is seems like a staff function. But
Dr. Dave Chatterjee:what I do is equally valuable and important, as the line
Dr. Dave Chatterjee:folks. Does that gel with you?
Thomas Kinsella:Yeah, 100%, there's so much that you've had
Thomas Kinsella:that you've shared there. That's yeah, it's good wisdom. There's
Thomas Kinsella:a great book of 20 things. And there's a great book called
Thomas Kinsella:Delivering Happiness by Tony, I'm not going to pronounce his
Thomas Kinsella:surname correctly, Tony, I think it's Hsieh but I'm not sure. And
Thomas Kinsella:it's about his journey to start the shoe company Zappos. It's
Thomas Kinsella:absolutely fascinating. One of my favorite books, I'd recommend
Thomas Kinsella:that every every listener read it or listen to us. But he talks
Thomas Kinsella:about, like company culture, there are some really out their
Thomas Kinsella:ideas in terms of matrix org structures for the organization.
Thomas Kinsella:But one of the things that every single person who joins the
Thomas Kinsella:organization must do is spend the first two weeks or the first
Thomas Kinsella:two weeks in training. But after that two weeks, on the phone
Thomas Kinsella:with customers, so their biggest problem is Delivering Happiness.
Thomas Kinsella:They're Delivering Happiness to every single one of their
Thomas Kinsella:employees, sorry, to one of their employees to one of their
Thomas Kinsella:customers. So as a result, everybody from the new VP, the
Thomas Kinsella:new CEO, all the way down to obviously somebody working in
Thomas Kinsella:customer service, they have to begin their journey on the
Thomas Kinsella:customer floor talking to customers and it's so so
Thomas Kinsella:impactful. In that it means that everybody understands the
Thomas Kinsella:importance of that job. And also the perspective of actually
Thomas Kinsella:we're delivering delivering to like the top line as well as the
Thomas Kinsella:as well as the bottom line. It's already it's really impressive.
Thomas Kinsella:The second part in terms of the security team feeling, I suppose
Thomas Kinsella:disillusion because they don't feel that love. And they don't
Thomas Kinsella:feel that like if you're separate from the organization,
Thomas Kinsella:it's so rare to see. And this is where like automation can come
Thomas Kinsella:in. But it's also where like delivering interesting threat
Thomas Kinsella:research or spending time outside of that analyst job can
Thomas Kinsella:do it. It's so rare to see in an organization or security
Thomas Kinsella:organization, like do anything innovative in a company that
Thomas Kinsella:often they are just seen as wow they are protecting us from this
Thomas Kinsella:threat. But in reality, first of all, many companies and in many
Thomas Kinsella:institutions, the security and the organization's reputation is
Thomas Kinsella:critical, right. If you get breached, it's a devastating
Thomas Kinsella:impact to your your team to your get to your staff, to your
Thomas Kinsella:customers to your get to do to every single person involved and
Thomas Kinsella:potentially add it to your stock price. or to the reputation of
Thomas Kinsella:your university or your organization. But that doesn't
Thomas Kinsella:mean that like security analyst feel that often they feel that
Thomas Kinsella:as a pressure. On the other hand, what we seen when people
Thomas Kinsella:start implementing Tines or other automation platforms, it's
Thomas Kinsella:incredible to see a CISO be able to brag about like, Hey, here's
Thomas Kinsella:how much work we've automated. We've automated 72 hours of
Thomas Kinsella:manual work that we would normally be spending every
Thomas Kinsella:single week, we've automated that. But what's even cooler is
Thomas Kinsella:when the CISO talks about, "here, we're able to offboard
Thomas Kinsella:employees in five minutes using this using this platform." And
Thomas Kinsella:what you'll see is IT be like, "hold on a second, it takes us
Thomas Kinsella:like eight hours to onboard these employees on the Sunday
Thomas Kinsella:before they join and set them up with all these tools. How did
Thomas Kinsella:you do that? And the CISO is like I am using this tool. Or
Thomas Kinsella:you see the like the the security team in the middle of
Thomas Kinsella:an incident start pain indicators enriched into a Slack
Thomas Kinsella:channel that's been set up and everything has been archived for
Thomas Kinsella:compliance purposes. There's an audit trail of every single
Thomas Kinsella:thing that's happening. And meanwhile, the site reliability
Thomas Kinsella:engineering team or the tech ops team are in the same chat, or on
Thomas Kinsella:the same zoom or incident meeting. They're like, hold on a
Thomas Kinsella:second, how are you doing this? How are you monitoring these
Thomas Kinsella:things? This is crazy. This takes us, you know, hours to do,
Thomas Kinsella:how are you moving so fast that like, Oh, we're doing this,
Thomas Kinsella:we're using this tool. And it's so exciting to see that because
Thomas Kinsella:all of a sudden the CISO is adding value, but also getting
Thomas Kinsella:credit in the organization and being like, wow, you've you've
Thomas Kinsella:done an incredible job here. This is this is really exciting.
Thomas Kinsella:And that is yeah, like the CISOs job is normally like delivering
Thomas Kinsella:bad news and fighting fires, it's very rarely Yep, check it
Thomas Kinsella:out, check out the awesome things that I'm doing. So that's
Thomas Kinsella:really exciting. And that swagger that they can have
Thomas Kinsella:afterwards. It goes so far to building those relationships
Thomas Kinsella:with the IT team or with the tech ops team, with the
Thomas Kinsella:engineering team. They're like why these these people know what
Thomas Kinsella:they're talking about. And you start being able to move from
Thomas Kinsella:that organization or that team that's just bring us problems to
Thomas Kinsella:these these folks know what they are doing. And like, yeah,
Thomas Kinsella:she's, she's an amazing leader. So that's it's really exciting
Thomas Kinsella:to see that sort of thing happen.
Dr. Dave Chatterjee:Very true. In an earlier podcast, I was
Dr. Dave Chatterjee:talking to the CEO of a billion dollar company, insurance
Dr. Dave Chatterjee:company. And I made a statement I said, the more I think about
Dr. Dave Chatterjee:it, the job of a CISO is kind of a thankless job. Yeah. Because
Dr. Dave Chatterjee:you don't get recognized in general if things are going
Dr. Dave Chatterjee:well. But if something goes wrong, and you're breached,
Dr. Dave Chatterjee:obviously, that person is under gets the all the spotlight, the
Dr. Dave Chatterjee:focus and probably can lose their job. In reacting to that,
Dr. Dave Chatterjee:this gentleman very articulate, said, Dr. Chatterjee, I, I beg
Dr. Dave Chatterjee:to disagree. I think it's a very important job. It's not a
Dr. Dave Chatterjee:thankless job. And I said, You know what, I couldn't agree with
Dr. Dave Chatterjee:you more, I definitely the C suite, the CEO, the CEO of the
Dr. Dave Chatterjee:company, senior leadership should remember that should
Dr. Dave Chatterjee:recognize that and accordingly, empower the function. So that is
Dr. Dave Chatterjee:one aspect, because after all, that empowerment percolates
Dr. Dave Chatterjee:right to teams such as the SOC, because how the CISO is viewed
Dr. Dave Chatterjee:and valued in the organization will have an impact on how the
Dr. Dave Chatterjee:SOC team feels about their work and the importance of their
Dr. Dave Chatterjee:work. So it's an interesting dynamic, but that's something
Dr. Dave Chatterjee:that organizations to be must be sensitive to. And it again, goes
Dr. Dave Chatterjee:speaks to the point that automation is not the entire
Dr. Dave Chatterjee:solution. No, no, definitely not. But automation needs to be
Dr. Dave Chatterjee:supported by appropriate structure, right kind of
Dr. Dave Chatterjee:processes, right kinds of people. Sorry, you wanted to say
Dr. Dave Chatterjee:something?
Thomas Kinsella:Yeah, no, just just definitely like it's not
Thomas Kinsella:it's definitely not it's certainly not the only solution.
Thomas Kinsella:There's a ton of a ton of things you can be doing. But also that
Thomas Kinsella:it's even though something can be an extremely important job,
Thomas Kinsella:that doesn't refute that it can be thankless, like it doesn't
Thomas Kinsella:like it's still really, really hard. And it's not, it's not
Thomas Kinsella:it's not not too surprising. The average tenure of a CISO is
Thomas Kinsella:something like 18 months. That's like, I don't think that's their
Thomas Kinsella:choice. Most of the time. I think it's it's really hard to
Thomas Kinsella:come in and be effective. And oftentimes there's yeah,
Thomas Kinsella:resistance to to how effective they can be. Yep,
Dr. Dave Chatterjee:True! So, reverting back to the actionable
Dr. Dave Chatterjee:takeaways from the report, I like to share with the
Dr. Dave Chatterjee:listeners, four of them. And then I have a couple of
Dr. Dave Chatterjee:questions. The first one says -- improving time spent on
Dr. Dave Chatterjee:reporting, the second one is -- making triage enjoyable. The
Dr. Dave Chatterjee:third one -- increasing retention by measuring and
Dr. Dave Chatterjee:minimizing burnout, and the fourth --it's time for no code
Dr. Dave Chatterjee:automation. My first question here is, when it is stated
Dr. Dave Chatterjee:improving time spent on reporting, what do you mean?
Dr. Dave Chatterjee:Because I would think that you want to reduce the time that is
Dr. Dave Chatterjee:spent the manual hours that is spent in delivering different
Dr. Dave Chatterjee:types of types of reports. Can you clarify?
Thomas Kinsella:Yeah, I think there's, I think there's a few
Thomas Kinsella:things that that that came from that came from this. So it's
Thomas Kinsella:probably a little bit it's definitely a little bit
Thomas Kinsella:confusing. The first is, it's where they spend a huge amount
Thomas Kinsella:of their time on like time consuming tasks. So I think it
Thomas Kinsella:was literally the place, they said they spent the most tasks
Thomas Kinsella:was like capturing notes, capturing metrics, filling out
Thomas Kinsella:tickets, all that sort of stuff. So I think improve is make that
Thomas Kinsella:like faster and make sure that you're like you're actually
Thomas Kinsella:adding value as opposed to just copying and pasting. So I think
Thomas Kinsella:that's, that's one thing that you can definitely do. So
Thomas Kinsella:basically, don't be filling out the same IP address 10 times get
Thomas Kinsella:as much information into a ticket beforehand. And then like
Thomas Kinsella:track, yes track what incidents are coming up all the time, and
Thomas Kinsella:add value to that reporting. So adding value to that reporting
Thomas Kinsella:could be actually this alert is super noisy, and is a false
Thomas Kinsella:positive 95% of the time, so it needs to be tuned. Or as I said,
Thomas Kinsella:this person is answering 95% of the tickets, or maybe it's not
Thomas Kinsella:like actually, this alert is super high fidelity, maybe we
Thomas Kinsella:should be looking into building out building a few, a few more
Thomas Kinsella:of these. So I think that's some of the things that we talked
Thomas Kinsella:that we were recommending, were saying improving time spent on
Thomas Kinsella:reporting is like actually just making it more valuable, rather
Thomas Kinsella:than just Yeah, filling out an employee's job title and a
Thomas Kinsella:ticket, that that is not something that you that you
Thomas Kinsella:need. It's something that's actually really important, but
Thomas Kinsella:it's not something that you should be doing manually.
Dr. Dave Chatterjee:Okay. That's good to know. And then
Dr. Dave Chatterjee:moving on to the second recommendation, which is: making
Dr. Dave Chatterjee:triage, enjoyable, how do you do that? And if you could clarify
Dr. Dave Chatterjee:for the audience, what do you mean by triage here?
Thomas Kinsella:Yeah, so triage is that process of investigating
Thomas Kinsella:and alert when it comes in? So if you think of a suspicious
Thomas Kinsella:login alert, this is probably the most common it's the process
Thomas Kinsella:of taking that IP address and saying, Hey, have we where is
Thomas Kinsella:this We got an alert that Steve logged in from Egypt. Okay,
Thomas Kinsella:like, let's take that IP address. Is it on any known
Thomas Kinsella:threat intel lists has it been seen as bad before? Is Steve
Thomas Kinsella:actually in Egypt? Is it possible that Steve's on
Thomas Kinsella:holidays? Where's Steve normally based? Does Steve use a MacBook
Thomas Kinsella:because it looks like this was a login login from a Windows. That
Thomas Kinsella:process of triaging an alert is just basically investigating the
Thomas Kinsella:steps involved, it could be looking in your threat intel
Thomas Kinsella:tool, or it could be looking in your in your Sim for additional
Thomas Kinsella:logs, or it could be investigating on your in your
Thomas Kinsella:EDR tool or in your Cloud console in AWS, it doesn't
Thomas Kinsella:really it doesn't really matter. The problem with this one, when
Thomas Kinsella:we say make triage more enjoyable, is that bad triage is
Thomas Kinsella:that repetitive analysis for duplicate alerts following the
Thomas Kinsella:screen, same script over and over again. It's noise. It's
Thomas Kinsella:easy. It's mundane, it's boring. But even worse than that, it's
Thomas Kinsella:error prone. If you're doing this day in day out for your
Thomas Kinsella:organization, you're not adding any value. But you're also going
Thomas Kinsella:to be like, Ah, I think this I think I've seen that IP address
Thomas Kinsella:before or I think yeah, I think I saw that Dave was in Egypt.
Thomas Kinsella:And that's not that's not something you want to do. So
Thomas Kinsella:making it more fun, is that process of like being a
Thomas Kinsella:detective, that's what people really enjoy about security is
Thomas Kinsella:that like, ha, I'm detecting something good. Like, this is
Thomas Kinsella:really interesting. And I remember, so when I worked in,
Thomas Kinsella:in one of my organizations, we were seeing a load of malspam
Thomas Kinsella:campaigns. So that's malware campaigns being delivered
Thomas Kinsella:through phishing. And if you're familiar with those, you'll see
Thomas Kinsella:the standard names like Emotet, or TRickBot or Hancitor, there's
Thomas Kinsella:loads of them. And they're really like, they're insidious,
Thomas Kinsella:you'll get hit with them, like loads of times every single day.
Thomas Kinsella:But we have a lot of fun in my organization, when we initiated
Thomas Kinsella:a policy -- the first person to track the fruit or that the
Thomas Kinsella:first Hancitor email of the day, the first person that can post
Thomas Kinsella:that in Slack, like won a prize. Basically, there was just a
Thomas Kinsella:competition to investigate that. And what that meant was that
Thomas Kinsella:every single mail you were immediately on it. Like, okay,
Thomas Kinsella:what is this? But the next part about it was that you actually
Thomas Kinsella:started noticing the patterns here, like actually, I don't
Thomas Kinsella:think Hancitor ever used a Ring Central team before. Probably
Thomas Kinsella:not Hancitor. Or it's like, oh, yeah, Hancitor, they recently
Thomas Kinsella:shifted up their techniques to use this dot doc file, like this
Thomas Kinsella:probably is them. So you start getting people to go deeper, but
Thomas Kinsella:also making people a little bit more excited about like the work
Thomas Kinsella:that they're doing and not just adding, not just adding that
Thomas Kinsella:boring stuff day in, day out. It's hard to do, but honestly
Thomas Kinsella:you can do it and if you like if you If you make a, generate some
Thomas Kinsella:challenges, and you, you get people thinking creatively, and
Thomas Kinsella:get people digging deeper, they remember the parts about
Thomas Kinsella:security, they really love to tell I'm getting excited about
Thomas Kinsella:thinking about it. Now that that was fun. But honestly before
Thomas Kinsella:that, like when we just saw 20 mails come in, that wasn't
Thomas Kinsella:funny. This is hard you know. So it's making making that triage
Thomas Kinsella:process running. And, and there's a lot of things that you
Thomas Kinsella:can do that you can do for that. So you need to design your team
Thomas Kinsella:to around I suppose, minimizing those noisy, easy, mundane
Thomas Kinsella:alerts and maximizing those like being indicative of those
Thomas Kinsella:creative alerts and creative processes that are hard, but
Thomas Kinsella:also really worthwhile? You know?
Dr. Dave Chatterjee:Absolutely. So one thing that is coming
Dr. Dave Chatterjee:through very clearly, from your articulation is one of the
Dr. Dave Chatterjee:challenges and success factor is to be able to tease out and
Dr. Dave Chatterjee:emphasize the creative aspects of the job, while automating the
Dr. Dave Chatterjee:non- creative aspects.
Thomas Kinsella:Exactly that that like that if that. And
Thomas Kinsella:honestly, the non creative aspect is, is all automatable.
Thomas Kinsella:That's like, that's why that's why people find it boring. Like,
Thomas Kinsella:if you're looking up an IP address, and five different
Thomas Kinsella:tools are looking at the hash in 10 different tools or asking a
Thomas Kinsella:user Hey, do you are you on holidays? Or asking a manager,
Thomas Kinsella:"did you assign these permissions to this person,"
Thomas Kinsella:that's the stuff that you're gonna burn out on. But all of
Thomas Kinsella:that is actually very easy to do in automation. They're all just
Thomas Kinsella:simple API calls, or they're simple tasks, like sending an
Thomas Kinsella:email or sending user message in teams or slack.
Dr. Dave Chatterjee:Okay, fantastic. So moving on to the
Dr. Dave Chatterjee:third recommended takeaway or actionable item, which is --
Dr. Dave Chatterjee:increasing retention by measuring and minimizing
Dr. Dave Chatterjee:burnout. Can you expand on that?
Thomas Kinsella:Yeah, so I think with this that, there's a
Thomas Kinsella:lot of like, burnout is not lack of support, it's taking on more
Thomas Kinsella:that you can handle. It's poor self care. And I think what when
Thomas Kinsella:we measure the achievements of a SOC, we do measure, like the
Thomas Kinsella:mean time to investigate, the mean time to detect, but what
Thomas Kinsella:we're not tracking is, I suppose, how our employees are
Thomas Kinsella:doing as part of that, or if we are sometimes just the number of
Thomas Kinsella:tickets that they've answered, which doesn't tell you hey, how
Thomas Kinsella:hard those tickets were or even, like, yeah, if they're working
Thomas Kinsella:overtime, or if they're, if there's any indicators of
Thomas Kinsella:burnout. There's some people that have done a lot of great
Thomas Kinsella:work on this MongoDB have great articles on this on their on
Thomas Kinsella:their website, if you want to check it out. But things like
Thomas Kinsella:measuring who is taking their holidays. So if you're, if
Thomas Kinsella:you've got somebody who's worked 50 of the last 52 weeks, and has
Thomas Kinsella:also worked several weekends been paged? That person's
Thomas Kinsella:definitely burning out. Like there's they haven't had the
Thomas Kinsella:time to to reflect and get time aid from the organization. Yeah,
Thomas Kinsella:so who's working weekends who's working overtime? And employee
Thomas Kinsella:satisfaction reports, but also considering those like recurring
Thomas Kinsella:employees satisfaction reports, but also like management
Thomas Kinsella:one-on-one. So spending individual time as a manager
Thomas Kinsella:with each of your employees? And asking them genuinely, Hey, how
Thomas Kinsella:are you doing? What do you want to work on? What are your goals
Thomas Kinsella:for the next three months, and then reviewing those goals after
Thomas Kinsella:those three months standard management stuff, but again, it
Thomas Kinsella:doesn't happen when you're slammed with alerts. But those
Thomas Kinsella:are I think, those are some of the things that we that we
Thomas Kinsella:recommend that it's just not good enough to, just not good
Thomas Kinsella:enough to measure this the standard things in a SOC, in
Thomas Kinsella:order to keep your team and this time you, you have to start
Thomas Kinsella:measuring, measuring how they're performing, and not just how
Thomas Kinsella:many tickets they've opened. But more importantly, like, hey, you
Thomas Kinsella:know, how they're actually performing and how their mental
Thomas Kinsella:health is performing. It's a really tough job. So we need to
Thomas Kinsella:track it. The last part about that, sorry, I should have said
Thomas Kinsella:this at the start. It's important to be really open
Thomas Kinsella:about your mental health and talk about normalizing the
Thomas Kinsella:conversation and saying, this is a tough job. It's okay, if
Thomas Kinsella:you're struggling, it's okay if you find this overwhelming. And
Thomas Kinsella:offering in place, you can talk to me, you can talk to your
Thomas Kinsella:manager, you can talk to your peers, or you can talk using the
Thomas Kinsella:employee assistance program if you have it in place. But in
Thomas Kinsella:managers, normalizing that conversation saying I've been
Thomas Kinsella:burnt out at work, or I've experienced these challenges
Thomas Kinsella:with my mental health is really, really important to share.
Thomas Kinsella:Otherwise, you're, you're you're kind of saying like, ya know,
Thomas Kinsella:like, I'm sure you're burnt out, but I've never shown any
Thomas Kinsella:experience of like, of noting that's only weak people are, you
Thomas Kinsella:can't do that. It's like incredibly strong and incredibly
Thomas Kinsella:just intelligent people. Everybody gets experiences. It's
Thomas Kinsella:not something that you're doing wrong. It's the same as breaking
Thomas Kinsella:a leg playing sports or something like that. It can
Thomas Kinsella:happen to everybody.
Dr. Dave Chatterjee:I'm so glad you said what you said because
Dr. Dave Chatterjee:it's so important to have that candid conversation, or to
Dr. Dave Chatterjee:create an environment of honesty and candor where somebody can
Dr. Dave Chatterjee:just go to their manager or to their peers and say, Look, I'm
Dr. Dave Chatterjee:experiencing this I could do with some help and offer that
Dr. Dave Chatterjee:help without treating it as some kind of inability, it is not an
Dr. Dave Chatterjee:inability, like you said it can happen to everyone. And this
Dr. Dave Chatterjee:reminds me of something from another episode where this CISO
Dr. Dave Chatterjee:takes this approach, where when a particular user fell victim to
Dr. Dave Chatterjee:a phishing attack, and confessed and said, Look, yes, I was
Dr. Dave Chatterjee:trained, but I messed up. I'm sorry about it. Recognizing the
Dr. Dave Chatterjee:honesty of it, and using that user, as an example, of somebody
Dr. Dave Chatterjee:quickly reporting the breach, alerting everyone and not trying
Dr. Dave Chatterjee:to hide and trying to fend off investigations, and rewarding
Dr. Dave Chatterjee:that kind of honest behavior, and then supporting it with any
Dr. Dave Chatterjee:other kinds of educational programs. That is so very
Dr. Dave Chatterjee:critical. And I'm glad that you all are talking about it in as
Dr. Dave Chatterjee:one of the takeaways. So we are running out of time.
Thomas Kinsella:Can I add really I know we're running out
Thomas Kinsella:of time but really quickly to that. I had a fantastic
Thomas Kinsella:experience, where we had a we had an incident in again, in my
Thomas Kinsella:career where we had a an executive assistant, so a
Thomas Kinsella:C-level staff member's executive assistant, report a phishing
Thomas Kinsella:email, didn't click on it, just reported. We said, Oh, wow,
Thomas Kinsella:okay, this looks targeted, like the fact that a C-level staff
Thomas Kinsella:member is receiving a phishing email or an executive assistant
Thomas Kinsella:receiving phishing email, this is bad, we look to see had
Thomas Kinsella:anybody clicked on the link. And we detected three people had
Thomas Kinsella:clicked on the link. And when we look to see who received the
Thomas Kinsella:email, five people, in addition to the executive assistant had
Thomas Kinsella:received it; all executive assistants. So at this point, we
Thomas Kinsella:had like, not whatever, six recipients, three people clicked
Thomas Kinsella:on that link, we contacted those three people, two of them had
Thomas Kinsella:entered their credentials, we locked their accounts
Thomas Kinsella:immediately, like investigated, we saw a failed login to their
Thomas Kinsella:failed logins to their accounts by 30 minutes later. And the
Thomas Kinsella:only reason we detected it was as a result of that one
Thomas Kinsella:executive assistant reporting. It was incredible. We like we
Thomas Kinsella:gave her loads of loads of loads of props, as you'd expect, but
Thomas Kinsella:it really was an indication of I'd much rather you report
Thomas Kinsella:those, every even if you're unsure, report that phishing
Thomas Kinsella:email, because without her, we would have had a major major
Thomas Kinsella:incident on our hands. Because all of those have like, well,
Thomas Kinsella:they've got access to a lot of sensitive information anyway.
Thomas Kinsella:But they also have access to their C level staff members
Thomas Kinsella:mailboxes. So it was really, really important, but super
Thomas Kinsella:critical. So definitely, shame is the exact opposite of what we
Thomas Kinsella:should be doing in security, we should be like, it's so hard to
Thomas Kinsella:get right. We have to be encouraging people to report and
Thomas Kinsella:knowing that like, people are gonna make mistakes. That's why
Thomas Kinsella:we have defense in depth.
Dr. Dave Chatterjee:Absolutely. Thank you for sharing that. So
Thomas Kinsella:Yeah, so like, I think a lot of people have
Thomas Kinsella:thought of automation. So that's writing scripts. The challenge
Thomas Kinsella:with a lot of automation is that it's really hard to do. And as a
Thomas Kinsella:result, those people that know the processes just can't do it.
Thomas Kinsella:So what we built in Tines is we built a really lightweight,
Thomas Kinsella:no-code automation platform that allows anybody, so that's like
Thomas Kinsella:interns, or like, like low level, low level is not a good
Thomas Kinsella:word, like SOC analysts of like tier one, or engineers to
Thomas Kinsella:automate their own workflows. So that could be that manual task
Thomas Kinsella:of investigating an IP, it could be an engineer who knows how to
Thomas Kinsella:finally, let's talk about the fourth actionable takeaway, not
Thomas Kinsella:like build an incredibly complex process. Their tool is simple,
Thomas Kinsella:but not simplistic, it can go very deep. But the idea is that
Thomas Kinsella:those people who know the process will be able to use in
Thomas Kinsella:our case, a simple drag and drop builder to automate away those
Thomas Kinsella:tasks. So just to say, Okay, I want to investigate an IP
Thomas Kinsella:address in this tool, I'm going to drag on an action and I can
Thomas Kinsella:investigate that IP address, I want to send an email, or drag
Thomas Kinsella:on an action and send an email, I want to contact a user on
Thomas Kinsella:Slack, I will drag on an action, and contact a user on Slack. And
Thomas Kinsella:we make it simple enough that people with very, very little
Thomas Kinsella:experience are able to build and as a result, allow them to focus
Thomas Kinsella:on much more impactful risk reduction efforts. The no code
Thomas Kinsella:part is just that it's we make it super easy so that you really
Thomas Kinsella:don't need to be a developer. It's not to say that you don't
Thomas Kinsella:know how to you also have to know what an IP address is kind
Thomas Kinsella:of thing. But it means that it's just Yes, super, super flexible,
Thomas Kinsella:necessarily, in the order of importance is just the number
Thomas Kinsella:lightweight, easy to learn. And we've got yet some incredible
Thomas Kinsella:teams from the small startups through awesome security teams,
Thomas Kinsella:great, great consumer teams, some universities, yeah, like
Thomas Kinsella:four. And and that is -- it's time for no-code automation.
Thomas Kinsella:all the way up to Fortune 10s using the using the platform to
Thomas Kinsella:all in they're all in the exact same way. So that's what it is.
Thomas Kinsella:But the power of that is really so the reason we say that as a
Thomas Kinsella:takeaway is that if you allow those people that are super
Thomas Kinsella:familiar with the process, they're able to they say, I know
Thomas Kinsella:exactly what this is. But also it means that when there's a
Thomas Kinsella:tweak to the process, I actually normally if it's the CEO, we
Thomas Kinsella:What does that mean?
Thomas Kinsella:won't send the thanks reporting will be back to you in 24 hours,
Thomas Kinsella:email will probably say, yes, we'll be back to you
Thomas Kinsella:immediately, or we'll alert somebody and wake up somebody to
Thomas Kinsella:respond to that. And that part is the people that are familiar
Thomas Kinsella:with that process are able to automate that part of the
Thomas Kinsella:process as well. So that's that that's, that's the idea behind
Thomas Kinsella:it. And then ultimately, it's that if you do that, first of
Thomas Kinsella:all, they're fulfilling that creative part that you kind of
Thomas Kinsella:talked about earlier. And then they're, they're no longer
Thomas Kinsella:dealing with as many manual repetitive alerts, and they're
Thomas Kinsella:able to focus on much more impactful risk reduction efforts
Thomas Kinsella:that are actually going to add value to to the business. That's
Dr. Dave Chatterjee:Fantastic. Yeah. I mean, so if you can, the
Dr. Dave Chatterjee:the idea.
Dr. Dave Chatterjee:extent to which you can reduce the technical hurdle, it always
Dr. Dave Chatterjee:helps, it helps get more people involved and interested, and
Dr. Dave Chatterjee:engaged. Well, Thomas, this was a fascinating discussion. I wish
Dr. Dave Chatterjee:we could go on. But in the interest of time, we have to
Dr. Dave Chatterjee:conclude here once again, before we wrap things up, do you have
Dr. Dave Chatterjee:any final words for the listeners
Thomas Kinsella:just yet? Thank you so much. I've really enjoyed
Thomas Kinsella:being on if you do want to check out Tines, we've got a free
Thomas Kinsella:community edition. So anybody can use it. Tines.com just sign
Thomas Kinsella:up for I think you get three workflows completely for free.
Thomas Kinsella:And yeah, you can reach out and say hi, I'm on
Thomas Kinsella:twitter.com/thomas ksec, LinkedIn on just Thomas
Thomas Kinsella:Kinsella. And yeah, I'd love to say hi, especially anybody that
Thomas Kinsella:wants to talk about the future of security operations, or
Thomas Kinsella:mental health burn out, the future of the SOC. I'd love to
Thomas Kinsella:have those conversations. And yeh please do reach out.
Dr. Dave Chatterjee:Well, thank you, Thomas. It's been a real
Dr. Dave Chatterjee:pleasure. Thank you. A special thanks to Thomas Kinsella for
Dr. Dave Chatterjee:his time and insights. If you liked what you heard, please
Dr. Dave Chatterjee:leave the podcast a rating and share it with your network. Also
Dr. Dave Chatterjee:subscribe to the show so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.