Security operations centers (SOCs) are the nerve centers of enterprise cybersecurity programs. They serve a critical function: helping businesses improve their security posture by monitoring, detecting, and analyzing potential cyber threats. But for a number of reasons, today’s SOCs are not doing this effectively.
Devo worked with Larry Ponemon, founder of the Ponemon Institute, to research the barriers and challenges to an effective SOC and the steps that can be taken to improve SOC performance. Ponemon surveyed 554 IT security practitioners with knowledge of their company’s security practices, hailing from organizations in healthcare, financial services, retail, manufacturing, and public sector. Fifty percent of respondents worked at companies with at least 10,000 employees globally.
The research identified several factors that are critical to the SOC’s success, including support from the organization’s senior leaders; investment in technologies; and the ability to hire and retain a highly skilled team.
Today’s SOC environments most often deploy monitored or managed firewalls and intrusion prevention systems (IPS) or intrusion detection systems (IDS). Sixty-one percent of respondents to the Ponemon survey noted that IPSs are deployed in their SOCs. This aligns with recent data highlighting the growth of these systems, a market set to reach $8.5 billion by 2025. Security professionals also confirmed the shift to cloud, with 53 percent stating their SOC is housed in a cloud or hybrid infrastructure.
Responses show that there are a variety of leaders heading SOC organizations. CISOs lead 25 percent of SOCs and 21 percent are led by the CIO. Most notably, 18 percent of SOCs—nearly 1 in 5—have line-of-business leaders at the helm, which may lead to confusion when it comes to driving security practices.
Finally, the data shows a gap in priorities within the SOC. Although 86 percent say they believe the SOC is critical to a business’s cybersecurity strategy, only 51 percent feel that the SOC is fully or even partially aligned to the strategy. This misalignment may be contributing to mean time to resolution (MTTR) that is lengthier than it should be, as 36 percent say it takes weeks to resolve issues, and 24 percent say it can take months. This length of time is simply unacceptable.
Respondents agree that today’s SOC is ineffective, with more than half (53 percent) believing their SOCs are unable to gather evidence, investigate, and find the source of threats. But in order to find solutions, we need to explore what’s driving this lack of effectiveness.
A lack of full visibility into data and infrastructure causes significant challenges for SOC analysts, leading them to view the SOC as less effective than it should be, and even as a painful place to work. Analysts report these specific challenges:
Analysts also report that threat hunting is ineffective, with 61 percent saying there are too many IOCs to track, and 50 percent saying there is too much internal traffic to compare against IOCs. Limited resources and alert noise also make the job more difficult.
Proven ways to enhance SOC effectiveness include advanced analytics, incident response capabilities, and high interoperability with threat intel tools, but these methods are largely underutilized. Respondents report leveraging them at rates of only 44 percent, 43 percent, and 37 percent, respectively.
The degree of this ineffectiveness has repercussions. It can lead to a poor security posture and can impact the analysts themselves, as analyst burnout is a critical—and negative—outcome of SOC ineffectiveness.
Sixty-five percent of respondents say they are likely to quit or make a career change due to burnout.
You read that right – it’s nearly two-thirds. The specific reasons for burnout cited are an increasing workload (73 percent), closely followed by a lack of visibility into IT and network infrastructure (72 percent) and being on call 24/7/365 (71 percent). Analysts also say they have too many alerts to chase, an inability to prioritize threats, and a lack of resources. They also feel demoralized by losing to adversaries. The takeaway for leaders? The stresses of working in a SOC make it difficult to hire and retain experienced IT security practitioners, who are key to an effective SOC.
Respondents say workflow automation (67 percent) and a normalized work schedule (53 percent) would be helpful in decreasing analysts’ pain points. They also cite access to more out-of-the-box content (52 percent) and resources (51 percent) as things that would reduce pain and increase effectiveness.
Leaders can play a significant role in empowering their SOC analysts by stepping in and providing guidance and needed resources:
To learn more, download the full Ponemon Institute report or watch the webinar.
By Julian Waits