'SOC' It to 'Em: How to Overcome Security Operations Center Challenges

An inside look at staffing levels, budget allocation, outsourcing habits and more.

July 25, 2019


By Ericka Chickowski

From Dark Reading

As the nerve center for most cybersecurity programs, the security operations center (SOC) can make or break an organization’s ability to detect, analyze and respond to incidents in a timely fashion.

According to a new study from SANS Institute, today’s SOCs are treading water when it comes to making progress on maturing their practices and improving their technical capabilities. Experts say that may not be such a bad thing considering how quickly the threats and the tech stacks they monitor are expanding and changing.

“Going strictly by the numbers, not much changed for SOC managers from 2018 to 2019,” wrote Chris Crowley and John Pescatore in the SANS 2019 SOC Survey report. “However, just staying in place against these powerful currents is impressive, considering the rapid movement of critical business applications to cloud-based services, growing business use of ‘smart’ technologies driving higher levels of heterogeneous technology, and the overall difficulties across the technology world in attracting employees.”

Channel Futures’ sister site, Dark Reading, explored the statistics from this study, as well as a recent State of the SOC report from Exabeam, to get some understanding about what it takes to run a SOC today and some of the major challenges security teams face in getting the most out of their SOC investments.

Staffing levels. The typical SOC today employs two to five analysts, with the plurality of respondents in the SANS study reporting staffing levels in this range. According to SANS, SOC size scales with organizational size: organizations with between 10,000 and 15,000 employees generally run a SOC with six to 10 employees; organizations from 15,001 up to 100,000 employees put together SOC teams of approximately 11-25 analysts; and very large enterprises with over 100,000 employees stand up SOCs with 26-100 analysts.

SOC budgets. Exabeam’s report, conducted among organizations in the U.S. and the U.K., found that technology makes up the biggest line item for SOC resource allocation and it’s also the most frequently cited item for insufficient funding. When asked about where they’d like to see more investments, 39% said they’d want to make additional investments in new/modern technology, 35% said they’d like to secure additional funding for staffing needs, and 34% would invest in automation to save time.

Outsourcing. According to the Exabeam report, SOCs today have increased the use of outsourced functions in five of the eight major categories outlined by that study. Some 43% of organizations report that they outsource certain functions of their work. The three most popular functions for outsourcing – both in prevalence and growth over the last year – were malware analysis expertise, threat analysis and threat intel services. This is in line with SANS outsourcing findings, which broke up categories differently but found that monitoring and detection capabilities were outsourced to some degree by 76% of respondents.

Top tech used. According to the SANS study, security information and event management (SIEM) platforms are far and away the front-running technology for security analysts to correlate and analyze all of the data feeds they must deal with on a daily basis. That’s followed by threat intel platforms, log management systems, and security automation and orchestration tools (SOAR).

SOC pain points. Time wasted spinning wheels was one of the biggest pain points identified by those surveyed in the Exabeam study. Approximately one in three said the time spent on reporting and documentation was their biggest complaint. Meantime, 27% said alert fatigue was their biggest source of pain, while 24% cited false positives. Other common complaints were out-of-date systems or applications, false positives, and lack of visibility.

SOC-NOC relationships. Getting SOC analysts to team with network operations center (NOC) analysts is still a tall task for most organizations. The number of teams that report that their SOC and NOC are both technically integrated with one another and also collaborate regularly is still in the marked minority. In most instances, organizations either don’t have a NOC, have no relationship with the NOC, have very little direct communication, or might collaborate but have no easy way to share technical data feeds.

Proving SOC value with metrics. SANS analysts say that if SOC managers are going to get more budget to make the investments they need to move the needle on SOC maturity, they’ve got to get better at the metrics game.

“To gain management support for resources, SOC managers need to move beyond quantity-based metrics – how many raindrops hit the roof – to business-relevant metrics – zero production downtime due to rain getting through the roof,” they wrote.

The No. 1 metric used to track and report the SOC’s performance is the number of incidents handled. Meantime, only a very small share of SOCs track monetary cost per incident or losses accrued versus losses prevented.

Ericka Chickowski specializes in coverage of information technology and business innovation as a contributor for our sister site, Dark Reading. She has focused on information security for the better part of a decade and regularly writes about the security industry.
