‘SOC’ It to ‘Em: How to Overcome Security Operations Center Challenges
From Dark Reading
As the nerve center for most cybersecurity programs, the security operations center (SOC) can make or break an organization’s ability to detect, analyze and respond to incidents in a timely fashion.
According to a new study from SANS Institute, today’s SOCs are treading water on maturing their practices and improving their technical capabilities. Experts say that may not be such a bad thing, considering how quickly both the threats and the tech stacks SOCs monitor are expanding and changing.
“Going strictly by the numbers, not much changed for SOC managers from 2018 to 2019,” wrote Chris Crowley and John Pescatore in the SANS 2019 SOC Survey report. “However, just staying in place against these powerful currents is impressive, considering the rapid movement of critical business applications to cloud-based services, growing business use of ‘smart’ technologies driving higher levels of heterogeneous technology, and the overall difficulties across the technology world in attracting employees.”
Channel Futures’ sister site, Dark Reading, explored the statistics from this study, as well as a recent State of the SOC report from Exabeam, to understand what it takes to run a SOC today and the major challenges security teams face in getting the most out of their SOC investments.
Staffing levels. The typical SOC today employs two to five analysts; a plurality of respondents in the SANS study reported staffing in this range. According to SANS, SOC size scales with organizational size: organizations with 10,000 to 15,000 employees generally run a SOC of six to 10 analysts; organizations with 15,001 to 100,000 employees field SOC teams of roughly 11 to 25 analysts; and very large enterprises with more than 100,000 employees stand up SOCs of 26 to 100 analysts.
SOC budgets. Exabeam’s report, conducted among organizations in the U.S. and the U.K., found that technology is the biggest line item in SOC resource allocation and is also the item most frequently cited as underfunded. Asked where they would like to see more investment, 39% said new or modern technology, 35% said additional funding for staffing needs, and 34% said automation to save time.
Outsourcing. According to the Exabeam report, SOCs have increased their use of outsourced functions in five of the eight major categories the study outlines. Some 43% of organizations report outsourcing certain functions of their work. The three most commonly outsourced functions, both in prevalence and in growth over the last year, were malware analysis expertise, threat analysis and threat intelligence services. This is in line with the SANS outsourcing findings, which broke the categories up differently but found that monitoring and detection capabilities were outsourced to some degree by 76% of respondents.
Top tech used. According to the SANS study, security information and event management (SIEM) platforms are far and away the leading technology security analysts use to correlate and analyze the data feeds they deal with on a daily basis. They are followed by threat intelligence platforms, log management systems, and security orchestration, automation and response (SOAR) tools.
SOC pain points. Time wasted spinning wheels was one of the biggest pain points identified by those surveyed in the Exabeam study. Approximately one in three said the time spent on reporting and documentation was their biggest complaint. Meanwhile, 27% said alert fatigue was …