From grey matter to BlackMatter: Addressing cognitive overload in SOC teams

All SOC teams face cognitive overload from time to time. Danika Nilson, cyber threat hunter at Forescout Frontline, faced it during a week-long red team/blue team exercise of 'defend the castle' (i.e. protect your network). In an article recounting the experience, she describes how the exercise eventually became so repetitive, that one of the senior staff realized he was blindly monitoring his own system instead of the opponent's network.

This was an eye-opening moment for Nilson, as she realized how the overwhelming demands of her job sometimes led to her forgetting to 'monitor herself'. She writes, "Unlike computers, we cannot add more RAM or plug in an external hard drive to our brains." Threat hunters like Nilson often have to parse thousands of network events. Repeating this on a daily basis adds up, resulting in cognitive overload. This could lead to loss of focus, self-doubt, and imposter syndrome, which is not an ideal situation for anybody's mental state of being, let alone that of a SOC analyst.

Overwhelmed brains do not make good soldiers

Cognitive overload is a serious cyber threat. Overwhelmed brains do not make good soldiers. Threat hunters actively dedicate themselves to finding possible, hidden threats in the organization's network. If they are not in a positive and healthy state of mind, this could lead to undetected bad actors or threats infiltrating the network.

Let's take the example of BlackMatter, a ransomware-as-a-service (RaaS) organization that focuses on individual victims and obtaining their corporate credentials. BlackMatter offers to pay up to $100,000 for information on stolen credentials and insider threats, specifically targeting organizations that have not implemented authentication protocols like MFA. Some attacks happen after extensive research of individual victims, and even involve tailored ransomware payloads based on this knowledge.

Let's say one of the targeted organization's employees, with malicious intent or a desperate need for quick money, observes that a threat hunter has a hard time focusing because of their excessive overload. The employee details their observations and sells this intel online. Eventually a threat actor from BlackMatter purchases this information and uses it to hack into one of the devices that's fallen under the threat hunter's radar and escalates privileges to access other systems. Voila, an attacker has compromised the network.

Such possibilities are endless, and organizations must take necessary precautions to eliminate vulnerabilities caused by cognitive overload.

Addressing cognitive overload and resulting vulnerabilities

Here are some measures organizations can take to address cognitive overload in their cybersecurity teams:

• Have clear-cut division of roles and responsibilities: Despite repeated data breaches and high-end cyberattacks leading to huge monetary losses, a surprising number of organizations do not invest much in their cybersecurity teams. Under staffing can lead to multiple responsibilities being handled by a few, which leads to an increase in vulnerabilities and the possibility of cyberattacks. Organizations must invest in creating full-fledged cybersecurity teams that have specialized individuals to deal with each requirement.
• Invest in a SIEM solution: It might not always be possible to avoid cognitive overload. A SIEM is a great investment to make to try and improve the health of your SOC team. A good SIEM solution comes equipped with extended SOAR capabilities that can help monitor and respond to incidents SOC analysts might miss.

To learn more about how a robust SIEM solution like Log360 can help you eliminate vulnerabilities caused by cognitive overload and lead to happier, more efficient SOC teams, sign up for a free, personalized demo with a product expert.