Security operations center (SOC) analysts are so exhausted from increasing workloads and too many alerts, that a high number of them would consider leaving their jobs or changing careers.

That’s according to a new survey released by Devo Technology and conducted in partnership with the Ponemon Institute. Ponemon surveyed 554 IT and IT security practitioners in organizations that have a SOC and are knowledgeable about cybersecurity practices in their organizations. Their primary tasks are implementing technologies, patching vulnerabilities, investigating threats and assessing risks.

Devo’s Julian Waits

Julian Waits, general manager of Devo’s cyber business unit, tells us when examining what makes working in the SOC difficult, the primary theme that emerges is visibility. According to 65% of respondents, there is a lack of visibility into the IT security infrastructure that prohibits SOC success. The top reason for SOC ineffectiveness, according to 69%, is lack of visibility into network traffic.

“In addition, respondents have a difficult time identifying threats because they have too many indicators of compromise (IOCs) to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise, and too many false positives,” he said. “These factors are leading 53% of respondents to rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective.”

Finally, what’s making working in a SOC difficult is the lack of alignment, Waits said. SOCs are not aligned (49%) or only partially aligned (32%) with business needs, making it difficult to gain senior leadership’s commitment to providing adequate funding for investments in technology and staffing, he said. Further, the SOC budget is inadequate to support the necessary staffing, resources and investment in technology, as on average, less than one-third of the IT security budget is used to fund the SOC.

“For smaller and midsize organizations, MSPs and MSSPs can introduce efficiencies that can be difficult to achieve outside a more mature organization,” he said. “But size and maturity matter. Smaller organizations tend to outsource due to lack of in-house expertise and technologies, and to improve efficiencies such as in preventing, detecting and containing cyberattacks, [while] outsourcing decreases the larger and more mature the organization. More than half of organizations overall are outsourcing all or part of their SOC due to lack of in-house expertise and technologies, and to improve efficiencies. Sixty percent of respondents say the outsourcing of their SOC saves money, which is important because many respondents cited budgetary constraints as a problem in having a successful SOC.”

Organizations are shifting to the cloud, as 53% of respondents said what best defines the IT infrastructure that houses their SOC is mostly cloud (29%) or a combination of cloud and on-premises, while 47% said it is on-premises.

Some 51% said their companies invest in threat intelligence feeds. Of these organizations, 54% said the threat intelligence feeds combine open source and paid feeds. Some 60% of respondents in organizations that invest in threat intelligence feeds develop custom feeds based on a technology profile.

The exploits most commonly identified by the SOC are malware attacks (98%), exploits of existing or known vulnerabilities (80%), spear phishing (69%) and malicious insiders (68%).

There are three main steps towards alleviating SOC stress and burnout, Waits said.

“First, listen to your analysts: Leaders face a mandate to reduce the stress and pain that comes with working in the SOC,” he said. “The No. 1 recommendation from respondents is to …

… automate workflow, followed by normalizing the work schedule, having access to more out-of-the-box content and having more resources. By paying attention to these needs, leaders will foster a more successful SOC – from a technology and a skills-retention perspective – and overall a stronger security posture.”

The next step is to create a stronger alignment between the SOC and the business, Waits said. Often, these needs already are in alignment as everyone wants a stronger security posture, but not at the expense of an oversubscribed budget. Leaders must foster discussion opportunities to prioritize objectives and mitigate security risk, while ensuring the needs of each line of business is met, he said.

“Finally, make use of powerful technology that can lighten the load on SOC analysts, freeing them up to become more proactive; for example, with threat hunting,” he said. “Leaders should support their existing personnel and help to build the effectiveness of the security function by integrating critical security intelligence tools with the SOC, as well as investing in technologies that will address the lack of full visibility into the network traffic, ineffective threat hunting, lack of timely remediation, lack of interoperability with other security solutions and too many false positives.”

The factor that truly stands out is the level of analyst burnout due to their heavy workload, and the immense amount of stress and pressure they are facing, said Larry Ponemon, founder of Ponemon Institute.

“It is clear this is a critical area that needs to be addressed to improve SOC effectiveness,” he said.