I'm trying to understand how this enterprise organization operates. They hired an internal SOC analyst as a consultant, but it seems like they aren't letting the analyst respond to security incidents. When an alert goes off that an account might be compromised, they just shoot out an email to the Help Desk and other teams to take action, like disabling the account or changing the password. This doesn't make sense to me. Shouldn't the SOC analyst be the one handling these incidents directly? It's confusing why you'd bring in someone qualified for the role but then not trust them to do their job effectively.
4 Answers
It's crucial to remember that security roles shouldn't have admin rights. The analyst should analyze incidents and then send the cases to the correct teams, either through tickets or through some rapid emergency protocol. That's the essence of segregation of duties! Welcome to the corporate world, by the way.
There's a big principle of separation of duties and least privilege at play here. You don't want the analyst who monitors threats also being the one making changes; that can lead to issues.
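To make the separation-of-duties point concrete, here is an added example (not code from the original thread or from any vendor's product) of a small authorization layer in which a SOC analyst can only raise a containment request, the Help Desk or IAM admins can only execute one, and the same person can never do both. The role names, the permission strings, the in-memory `directory` dictionary standing in for the identity store, and the ticket format are all assumptions for the illustration.

```python
"""Separation-of-duties enforcement for account-containment actions.

Constructed example. Roles, permissions and the identity store are assumed;
the structure (request by one role, execute by another, requester != executor,
single execution, audit trail) is what the thread is describing.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed role model: analysts request, operations teams execute.
ROLE_PERMISSIONS = {
    "soc_analyst": {"request:disable_account", "request:reset_password"},
    "help_desk":   {"execute:reset_password"},
    "iam_admin":   {"execute:disable_account", "execute:reset_password"},
}


class SoDViolation(Exception):
    """Raised when an action would break separation of duties or least privilege."""


@dataclass
class ContainmentRequest:
    ticket_id: str
    target_user: str
    action: str                      # "disable_account" or "reset_password"
    requested_by: str
    requester_role: str
    executed_by: Optional[str] = None
    audit: list = field(default_factory=list)


def _stamp(msg: str) -> str:
    return f"{datetime.now(timezone.utc).isoformat()} {msg}"


def open_request(ticket_id, target_user, action, requested_by, requester_role):
    """Analyst side: open a ticket. This never touches the identity store."""
    if f"request:{action}" not in ROLE_PERMISSIONS.get(requester_role, set()):
        raise SoDViolation(f"{requester_role} cannot raise {action}")
    req = ContainmentRequest(ticket_id, target_user, action, requested_by, requester_role)
    req.audit.append(_stamp(f"opened by {requested_by} ({requester_role})"))
    return req


def check_execute(req, executor, executor_role) -> Optional[str]:
    """Return None if execution is permitted, otherwise the reason it is not."""
    if f"execute:{req.action}" not in ROLE_PERMISSIONS.get(executor_role, set()):
        return f"{executor_role} cannot execute {req.action}"
    if executor == req.requested_by:
        return "requester and executor must be different people"
    if req.executed_by is not None:
        return f"{req.ticket_id} was already executed by {req.executed_by}"
    return None


def execute_request(req, executor, executor_role, directory):
    """Operations side: act on the ticket only if the SoD checks pass.

    `directory` is a dict of username -> account attributes standing in
    for the real identity store (assumption for this example).
    """
    reason = check_execute(req, executor, executor_role)
    if reason is not None:
        req.audit.append(_stamp(f"REFUSED {executor} ({executor_role}): {reason}"))
        raise SoDViolation(reason)
    account = directory[req.target_user]
    if req.action == "disable_account":
        account["enabled"] = False
    elif req.action == "reset_password":
        account["must_reset"] = True
    req.executed_by = executor
    req.audit.append(_stamp(f"executed by {executor} ({executor_role})"))
    return req


if __name__ == "__main__":
    # Constructed walk-through: analyst raises the ticket, an IAM admin executes it.
    directory = {"jdoe": {"enabled": True, "must_reset": False}}
    req = open_request("INC-1001", "jdoe", "disable_account", "alice", "soc_analyst")
    print(check_execute(req, "alice", "soc_analyst"))   # analyst lacks execute right
    execute_request(req, "bob", "iam_admin", directory)
    print(directory["jdoe"], check_execute(req, "carol", "iam_admin"))
    for line in req.audit:
        print(line)
```

Note that the analyst's role is simply absent from every `execute:*` permission, so even a misconfigured "emergency" path cannot let the same account raise and carry out the change; the second check (requester must differ from executor) catches the case where someone is later granted both roles.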
I think the analyst should definitely have the authority to block accounts, but maybe it makes sense to involve the Help Desk for things like password resets since they're more in tune with user-facing issues.
But how do they communicate what needs to be done? Is it just through email?
It sounds like this is just typical for how some organizations work. The SOC usually sets security policy and oversees its implementation, but they often won't have admin access. It depends on how mature the organization is when it comes to managing security.
So how should they communicate their needs, though?
I’ll have to check if they really have admin rights, but honestly, it seems like they have quite a few policies that aren’t enforced. I've had to deal with so many issues like broken drivers and installations because protocols aren't being followed. It’s frustrating.