Why a 'Paradigm Shift' is Required in the SOC
Nat Smith of Gartner on New Skill Set Needed for Investigations
False positives continue to be a challenge for SOC analysts. Nat Smith, senior director analyst at Gartner, the global research and advisory company, is calling for a "paradigm shift" in the SOC. "Over the last few years … we've become embroiled with the concept of false positives as a means to distinguish which vendor is better than which," he says.
"Rather than looking at the individual players or the individual setting," Smith says, analysts need to look at the "bigger picture." "That's what needs to change, and that's a different kind of a skill set."
Smith calls for "an infrastructure change" in the SOC. "Fundamentally, instead of looking at an alert that comes in and validating whether or not that alert is accurate … we need to look at the full scale - everything else that we would expect - and look to see if we see some of these clues. That's the starting point. If we see some of these other clues, it starts to validate this is a real activity, a real sequence that's starting to happen," he says.
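The approach Smith describes, checking whether the other clues one would expect around an alert are actually present rather than judging the single alert in isolation, can be sketched as a small correlation routine. The following is an added example, not code from Smith, Gartner or the interview; the alert types, clue names, hosts and timestamps are constructed placeholders, and the playbook mapping an alert to its expected corroborating clues is a hypothetical one chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """One normalised telemetry event (constructed shape for this example)."""
    ts: datetime
    host: str
    kind: str


# Hypothetical playbook: for a given alert type, the other clues we would
# expect to see on the same host if the activity were real.  Names are
# illustrative, not a vendor's or Gartner's taxonomy.
EXPECTED_CLUES = {
    "suspicious_powershell": {
        "scheduled_task_created",
        "rare_outbound_dns",
        "lsass_access",
    },
}


def corroborate(alert: Event, events: list, window: timedelta = timedelta(minutes=30)) -> dict:
    """Look at the 'bigger picture' around one alert.

    Instead of asking "is this alert accurate?", count how many of the
    expected corroborating clues occur on the same host within the window.
    Returns the clues seen and a confidence in [0, 1].
    """
    expected = EXPECTED_CLUES.get(alert.kind, set())
    seen = set()
    for e in events:
        if e.host != alert.host or e.kind not in expected:
            continue
        if abs(e.ts - alert.ts) <= window:
            seen.add(e.kind)
    confidence = len(seen) / len(expected) if expected else 0.0
    return {
        "alert": alert.kind,
        "host": alert.host,
        "clues_seen": sorted(seen),
        "confidence": round(confidence, 2),
    }


def triage(alert: Event, events: list, threshold: float = 0.5) -> dict:
    """Escalate only when enough of the expected sequence is present."""
    result = corroborate(alert, events)
    result["verdict"] = "escalate" if result["confidence"] >= threshold else "low-priority"
    return result


# Constructed sample telemetry: two identical-looking alerts, but only the
# one on ws-01 is surrounded by the clues the playbook expects.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws-01", "suspicious_powershell"),
    Event(T0 + timedelta(minutes=3), "ws-01", "scheduled_task_created"),
    Event(T0 + timedelta(minutes=12), "ws-01", "rare_outbound_dns"),
    Event(T0 + timedelta(minutes=5), "ws-02", "suspicious_powershell"),
    Event(T0 + timedelta(hours=5), "ws-02", "scheduled_task_created"),  # outside window
    Event(T0 + timedelta(minutes=7), "ws-03", "lsass_access"),  # different host
]


def run_sample() -> list:
    """Triage every alert-type event in the constructed sample."""
    alerts = [e for e in SAMPLE_EVENTS if e.kind in EXPECTED_CLUES]
    return [triage(a, SAMPLE_EVENTS) for a in alerts]


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

The two alerts are byte-for-byte the same kind, so per-alert validation cannot tell them apart; only the surrounding sequence does. In practice the window, the playbook and the threshold would be tuned per alert type and per environment.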
In a video interview with Information Security Media Group, Smith discusses:
- Why a paradigm shift is required to better investigate incidents in the SOC;
- New or additional skills needed to understand what is contextually relevant when responding to security incidents;
- Vendors that are showing positive signs of embracing this paradigm shift.
Smith is a senior director security analyst in the Technology and Service Provider division of Gartner, researching emerging technology and trends for technology product leaders. He researches technology, markets and trends that affect network security, especially artificial intelligence and machine learning.