New research explores the current state of the Security Operations Center (SOC) and the analysts that run them; shows the SOC is considered essential to business yet largely ineffective
Cambridge, Mass., July 29, 2019 – Devo Technology, the data analytics platform that unlocks the full value of machine data for the world’s most instrumented enterprises, today released the findings of a new survey conducted in partnership with the Ponemon Institute. The research, Improving the Effectiveness of the Security Operations Center, found that while the SOC is considered an essential or important component of business, most respondents rate their SOC’s effectiveness as low, and 49 percent say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats, and workplace stress on the SOC team are diminishing its effectiveness.
Further, security professionals say working in the SOC is painful, leading 65 percent to report having considered changing careers or quitting their jobs. As a result of these factors, 78 percent of respondents say the mean time to resolution (MTTR) can be weeks to months or even years.
“The survey findings clearly highlight that a lack of visibility and having to perform repetitive tasks are major contributors to analyst burnout and overall SOC ineffectiveness,” said Julian Waits, General Manager of Cyber, Devo. “It is critical that businesses make the SOC a priority and evolve its effectiveness by empowering analysts to focus on high-impact threats and improving the speed and accuracy of triage, investigation, and response.”
The following findings reveal why organizations have SOC frustration:
- The visibility problem: The top barrier to SOC success, according to 65 percent of respondents, is the lack of visibility into the IT security infrastructure and the top reason for SOC ineffectiveness, according to 69 percent, is lack of visibility into network traffic.
- The threat hunting problem: Threat hunting teams have a difficult time identifying threats because they have too many IOCs to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise and too many false positives. More than half of respondents (53 percent) rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives.
- The interoperability problem: SOCs do not have high interoperability with their organization’s security intelligence tools. Other challenges are the inability to have incident response services that can be deployed quickly and include attack mitigation and forensic investigation services.
- The alignment problem: SOCs are not aligned (49 percent) or only partially aligned (32 percent) with business needs, making it difficult to gain senior leadership’s commitment to providing adequate funding for investments in technology and staffing. Further, the SOC budget is inadequate to support the necessary staffing, resources, and investment in technology. On average, less than one-third of the IT security budget is used to fund the SOC.
- The problem of SOC analyst pain: IT security personnel say working in the SOC is painful because of an increasing workload and being on call 24/7/365. The lack of visibility into the network and IT infrastructure and current threat hunting processes also contribute to the stress of working in the SOC. As a result, 65 percent say these pain factors have caused them to consider changing careers or leaving their job.
“There are a number of factors contributing to the SOC’s overall ineffectiveness – such as the lack of visibility into IT security infrastructure – but the factor that truly stands out is the level of analyst burnout due to their heavy workload, and the immense amount of stress and pressure they are facing,” said Larry Ponemon, founder of Ponemon Institute. “It is clear this is a critical area that needs to be addressed to improve SOC effectiveness.”
The Anatomy of Today’s SOC
The research also highlights the state of the SOC today, including:
Organizations are shifting to the cloud: 53 percent of respondents say what best defines the IT infrastructure that houses their SOC is mostly cloud (29 percent) or a combination of cloud and on-premises; 47 percent of respondents say it is on-premises.
The majority of respondents (51 percent) say their companies invest in threat intelligence feeds. Of these organizations, 54 percent of respondents say the threat intelligence feeds combine open source and paid feeds. 60 percent of respondents in organizations that invest in threat intelligence feeds develop custom feeds based on a technology profile.
The exploits most commonly identified by the SOC are malware attacks (98 percent), exploits of existing or known vulnerabilities (80 percent), spear phishing (69 percent) and malicious insiders (68 percent).
Organizations outsource to MSPs based on their size and maturity level. Smaller organizations tend to outsource because of the inability to have an expert in-house SOC team and the necessary technologies as well as to improve efficiencies.. As size and maturity increases, outsourcing decreases.
Recommendations To Minimize Analyst Burnout and Increase SOC Effectiveness
The findings do not bode well for setting a SOC up for success, but the research also suggests organizations can consider the following actions:
- Address analyst burnout. The number one recommendation from respondents is to automate workflow, followed by normalizing the work schedule, having access to more out-of-the-box content and having more resources.
- Create stronger alignment between the SOC and the business. Leaders should create opportunities for leaders of each silo to discuss and prioritize objectives, and better address the turf and silo issues between the SOC and IT security operations.
- Support analyst talent with security operations technologies. Leaders should create stronger alignment between the SOC and security intelligence tools, as well as investing in technologies that will address the security problems cited in the research, such as a lack of full visibility into the network traffic, lack of timely remediation, lack of interoperability with other security solutions and too many false positives.
Sponsored by Devo Technology, Ponemon Institute surveyed 554 IT and IT security practitioners in organizations that have a SOC and are knowledgeable about cybersecurity practices in their organizations. Their primary tasks are implementing technologies, patching vulnerabilities, investigating threats and assessing risks.
Sign up for the webinar for more insights on the survey results from the Ponemon Institute and Devo.
Devo unlocks the full value of machine data for the world’s most instrumented enterprises, putting more data to work now. Only the Devo data analytics platform addresses both the explosion in volume of machine data and the new, crushing demands of algorithms and automation, enabling IT operations and security teams to realize the full transformational promise of machine data to move the business forward. Devo is a privately held company based in Cambridge, MA and is backed by Insight Partners. Visit devo.com to learn more.