Future of Threat Intelligence

Rapid7’s Lonnie Best on Measuring SOC Success Beyond Alert Closures



In a world obsessed with cutting-edge security technology, Lonnie Best, Senior Manager of Detection & Response Services at Rapid7, makes a compelling case for mastering the fundamentals. After moving from craft beer journalism to nuclear security and then to cybersecurity, Lonnie watched ransomware operations evolve from "spray and pray" tactics to targeted credential theft and the deliberate disabling of security tools.

His insights reveal why, by Rapid7's count, 54% of its 2024 incident response engagements still traced back to MFA that was missing or not enforced, and why understanding "how computers compute" creates better security professionals than certifications alone. Lonnie also shares practical wisdom on building effective security operations, avoiding analyst burnout, and measuring program success. As AI increasingly handles tier-one alert triage, he predicts the traditional junior analyst role will fundamentally change within 5-10 years, though human expertise will remain essential for validating what the machines surface.

Topics discussed:

  • The evolution of attack sophistication from "spray and pray" ransomware to targeted credential theft and security tool disablement, requiring more comprehensive detection capabilities.
  • How managed detection and response (MDR) services have evolved to provide enterprise-grade security capabilities to organizations lacking internal resources or security maturity.
  • The critical components of building an effective internal SOC: centralized logging through SIEM implementation, specialized security expertise across multiple domains, and leadership strategies to combat analyst burnout.
  • Implementing AI and machine learning for tier-one alert triage to reduce analyst fatigue while maintaining human oversight for validation, with predictions that traditional junior analyst roles will transform within 5-10 years.
  • Why traditional metrics like alert closures fail to accurately measure SOC analyst performance, requiring more nuanced approaches focusing on contribution quality rather than quantity.
  • The hiring dilemma of attitude versus aptitude in security analysts, revealing why foundational system administration experience creates more effective investigators than certifications alone.
  • Strategies for preventing analyst burnout through appropriate tooling, staffing levels, and leadership practices that recognize security's 24/7 operational demands.
  • The persistent gap between security knowledge and implementation, as demonstrated by 54% of incident response engagements in 2024 resulting from inadequate MFA deployment or enforcement.
  • Practical fundamentals for effective security: comprehensive asset inventory, attack surface management, vulnerability remediation, and understanding where critical assets reside.
Key Takeaways:

  • Implement multi-factor authentication across all access points to address the root cause behind 54% of incident response engagements in 2024, according to Rapid7's metrics.
  • Build your security operations center with centralized logging through SIEM implementation as the core foundation before expanding detection capabilities.
  • Recruit security analysts with system administration experience rather than just certifications to ensure practical understanding of system behavior and anomaly detection.
  • Deploy AI and machine learning solutions specifically for tier-one alert triage to combat analyst fatigue while maintaining human oversight for validation.
  • Create comprehensive asset inventories that identify and map all crown jewels and their access paths before implementing advanced security controls.
  • Develop leadership strategies that address security's 24/7 operational demands, including appropriate time-off policies and workload management to prevent burnout.
  • Measure security operations performance through nuanced metrics beyond alert closures, focusing on the quality of investigations and genuine threat detection.
  • Structure your security team with specialized roles (threat hunting, cloud detection, malware analysis) to create effective career paths and deeper expertise.
  • Incorporate regular one-on-one meetings with security analysts to assess performance challenges and identify improvement areas beyond traditional metrics.
  • Prioritize attack surface management alongside vulnerability remediation to understand how attackers could gain entry and navigate toward critical assets.
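The closure-count problem raised in the takeaways, as an added example that is not from the episode, from Rapid7, or from Team Cymru: a small Python script scores two analysts over a constructed alert queue (analyst names, alert IDs and verdicts are all made up) first by how many alerts each closed, then by whether their closing verdicts held up under later QA or incident review. The second scoring treats a "false positive" closure that review later confirmed as a real intrusion as a missed threat, which is the failure a raw closure count never surfaces.

```python
"""Score SOC analysts by alert closures versus by the quality of their verdicts.

Added illustration; the alert queue below is constructed, not real telemetry.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    analyst: str
    disposition: str  # the analyst's closing verdict
    qa_verdict: str   # verdict after later QA or incident review (treated as ground truth)


TRUE_POSITIVE = "true_positive"
FALSE_POSITIVE = "false_positive"
BENIGN = "benign_true_positive"  # real activity that was authorised, e.g. a scheduled pentest

# Constructed sample queue. Bob closes more alerts than Alice, but two of his
# "false positive" closures were later confirmed as real intrusions.
ALERTS = [
    Alert("A-001", "alice", TRUE_POSITIVE, TRUE_POSITIVE),
    Alert("A-002", "alice", FALSE_POSITIVE, FALSE_POSITIVE),
    Alert("A-003", "alice", BENIGN, BENIGN),
    Alert("A-004", "alice", FALSE_POSITIVE, FALSE_POSITIVE),
    Alert("A-005", "alice", TRUE_POSITIVE, TRUE_POSITIVE),
    Alert("A-006", "bob", FALSE_POSITIVE, FALSE_POSITIVE),
    Alert("A-007", "bob", FALSE_POSITIVE, TRUE_POSITIVE),   # missed intrusion
    Alert("A-008", "bob", FALSE_POSITIVE, FALSE_POSITIVE),
    Alert("A-009", "bob", TRUE_POSITIVE, TRUE_POSITIVE),
    Alert("A-010", "bob", FALSE_POSITIVE, FALSE_POSITIVE),
    Alert("A-011", "bob", FALSE_POSITIVE, TRUE_POSITIVE),   # missed intrusion
    Alert("A-012", "bob", BENIGN, BENIGN),
    Alert("A-013", "bob", FALSE_POSITIVE, FALSE_POSITIVE),
]


def closures_per_analyst(alerts):
    """The naive metric: how many alerts each analyst closed."""
    return Counter(a.analyst for a in alerts)


def quality_per_analyst(alerts):
    """Outcome-based metrics: did the closing verdict survive review, and what was missed?"""
    stats = defaultdict(lambda: {"closed": 0, "correct": 0,
                                 "missed_threats": 0, "confirmed_threats": 0})
    for a in alerts:
        s = stats[a.analyst]
        s["closed"] += 1
        if a.disposition == a.qa_verdict:
            s["correct"] += 1
        # Closed as noise, later confirmed as an intrusion: the costly error.
        if a.disposition == FALSE_POSITIVE and a.qa_verdict == TRUE_POSITIVE:
            s["missed_threats"] += 1
        if a.disposition == TRUE_POSITIVE and a.qa_verdict == TRUE_POSITIVE:
            s["confirmed_threats"] += 1
    for s in stats.values():
        s["accuracy"] = s["correct"] / s["closed"]
    return dict(stats)


def rank_by_closures(alerts):
    """Analysts ordered by closure count, most closures first."""
    return [name for name, _ in closures_per_analyst(alerts).most_common()]


def rank_by_quality(alerts):
    """Analysts ordered by fewest missed threats, then by highest verdict accuracy."""
    q = quality_per_analyst(alerts)
    return sorted(q, key=lambda name: (q[name]["missed_threats"], -q[name]["accuracy"]))


if __name__ == "__main__":
    print("ranked by closures:", rank_by_closures(ALERTS))
    print("ranked by quality: ", rank_by_quality(ALERTS))
    for name, s in quality_per_analyst(ALERTS).items():
        print(f"{name}: closed={s['closed']} accuracy={s['accuracy']:.2f} "
              f"missed_threats={s['missed_threats']} confirmed_threats={s['confirmed_threats']}")
```

On this queue the two rankings invert: Bob leads on closures (8 to 5) while Alice leads on quality (no missed threats, every verdict upheld). The point is not the specific numbers but that a quality metric needs a second source of truth, such as QA sampling or incident outcomes, so closures cannot be gamed by simply marking everything as a false positive.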

Future of Threat Intelligence, by Team Cymru
