Security operations centers (SOCs) are the nerve centers of enterprise cybersecurity programs. They should serve a critical function: helping businesses improve their security posture by monitoring, detecting, and analyzing potential cyber threats. But for a number of reasons, today’s SOCs are not doing this effectively.
Devo worked with Larry Ponemon, founder of the Ponemon Institute, to research the barriers and challenges to an effective SOC and the steps that can be taken to improve SOC performance. Ponemon surveyed 554 IT security practitioners with knowledge of their company’s security practices, hailing from organizations in healthcare, financial services, retail, manufacturing, and public sector. Fifty percent of respondents worked at companies with at least 10,000 employees globally.
The research identified several factors that are critical to the SOC’s success, including support from the organization’s senior leaders; investment in technologies; and the ability to hire and retain a highly skilled team.
Anatomy of the SOC
Today’s SOC environments most often deploy monitored or managed firewalls and intrusion prevention systems (IPS) or intrusion detection systems (IDS). Sixty-one percent of respondents to the Ponemon survey noted that IPSs are deployed in their SOCs. This aligns with recent data highlighting the growth of these systems, a market set to reach $8.5 billion by 2025. Security professionals also confirmed the shift to cloud, with 53 percent stating their SOC is housed in a cloud or hybrid infrastructure.
Responses show that there are a variety of leaders heading SOC organizations. CISOs lead 25 percent of SOCs and 21 percent are led by the CIO. Most notably, 18 percent of SOCs (nearly 1 in 5) have line-of-business leaders at the helm, which may lead to confusion when it comes to driving security practices.
Finally, the data shows a gap in priorities within the SOC. Although 86 percent say they believe the SOC is critical to a business’s cybersecurity strategy, only 51 percent feel that the SOC is fully or even partially aligned to the strategy. This misalignment may be contributing to mean time to resolution (MTTR) that is lengthier than it should be, as 36 percent say it takes weeks to resolve issues, and 24 percent say it can take months. This length of time is simply unacceptable.
Respondents agree that today’s SOC is ineffective, with more than half (53 percent) believing their SOCs are unable to gather evidence, investigate, and find the source of threats. But in order to find solutions, we need to explore what’s driving this lack of effectiveness.
SOC Ineffectiveness: What’s Causing It?
A lack of full visibility into data and infrastructure causes significant challenges for SOC analysts, leading them to view the SOC as less effective than it should be, and even as a painful place to work. Analysts report these specific challenges:
- Limited visibility: 65 percent say lack of visibility into the IT security infrastructure drives ineffectiveness, and 69 percent cite a lack of visibility into network traffic.
- Lack of top-level support: Lack of leadership (23 percent) and executive-level support (21 percent) impact effectiveness.
- Heightened complexity: 56 percent say increased complexity makes SOCs challenging work environments.
- Latency in remediation: 63 percent say lack of timely remediation leads to ineffectiveness.
Analysts also report ineffectiveness of threat hunting performance, with 61 percent saying there are too many IOCs to track, and 50 percent saying there is too much internal traffic to compare against IOCs. Limited resources and alert noise also make the job more difficult.
Proven ways to enhance SOC effectiveness include advanced analytics, incident response capabilities, and high interoperability with threat intel tools, but these methods are largely underutilized. Respondents report leveraging them at rates of only 44 percent, 43 percent, and 37 percent, respectively.
The degree of this ineffectiveness has repercussions. It can lead to a poor security posture and can impact the analysts themselves, as analyst burnout is a critical—and negative—outcome of SOC ineffectiveness.
Sixty-five percent of respondents say they are likely to quit or make a career change due to burnout.
You read that right – it’s nearly two-thirds. The specific reasons for burnout cited are an increasing workload (73 percent), closely followed by a lack of visibility into IT and network infrastructure (72 percent) and being on call 24/7/365 (71 percent). Analysts also say they have too many alerts to chase, an inability to prioritize threats, and a lack of resources. They also feel demoralized by losing to adversaries. The takeaway for leaders? The stresses of working in a SOC make it difficult to hire and retain experienced IT security practitioners, who are key to an effective SOC.
Recommendations for an Effective SOC
Respondents say workflow automation (67 percent) and a normalized work schedule (53 percent) would be helpful in decreasing analysts’ pain points. They also cite access to more out-of-the-box content (52 percent) and resources (51 percent) as things that would reduce pain and increase effectiveness.
Leaders can play a significant role in empowering their SOC analysts by stepping in and providing guidance and needed resources:
- Address analyst burnout: Leaders must mandate ways to reduce the stress and pain of working in the SOC. This requires listening to their analysts’ recommendations for workflow automation, enabling a normalized work schedule, and providing more content and resources.
- Create stronger alignment between the SOC and the business: Everyone wants a stronger security posture, but the needs and budgets of the business and the SOC must be in alignment to be effective. Leaders should create opportunities for open communication between SOC and business leaders to discuss and prioritize objectives and gain consensus.
- Support analyst talent with security operations technologies: Leaders must help rebuild the security function by investing in technologies that will address SOC effectiveness challenges and facilitate full visibility into network traffic, timely remediation, and interoperability with other security solutions.