Security operations centers (SOCs) are essential to businesses yet largely ineffective, beset by problems such as inadequate visibility into the network infrastructure, workplace stress and difficulty finding cyber threats, a new study found.
The research, entitled Improving the Effectiveness of the Security Operations Center, relied on data gleaned from 554 IT and IT security practitioners in organizations that have an SOC and are knowledgeable about cybersecurity practices in their organizations. Devo Technology, a Cambridge, MA-based data analytics platform provider, sponsored the Ponemon-conducted study.
The bottom line: SOCs have operational and workforce problems. Nearly half of the respondents said their SOC is not fully aligned with their business needs. Job satisfaction is a recurring concern for people working in an SOC; much as in an air traffic control center, the stress can be overwhelming for analysts. Some 65 percent of the study's participants said they had considered changing careers or quitting their jobs.
Managed security service providers (MSSPs) and managed service providers (MSPs) take note: smaller organizations tend to outsource because they lack an expert in-house SOC team and the technologies needed to improve efficiency. As size and maturity increase, outsourcing decreases, the study's results showed.
- Visibility. The top barrier to SOC success, according to 65 percent of respondents, is the lack of visibility into the IT security infrastructure. Nearly 70 percent said SOC ineffectiveness was due to a lack of visibility into network traffic.
- Threat hunting. About 53 percent rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives.
- Interoperability. SOCs do not have high interoperability with their organization's security intelligence tools. Other challenges include the inability to deploy incident response services quickly, including attack mitigation and forensic investigation services.
- Alignment. SOC budgets are inadequate to support the necessary staffing, resources, and investment in technology. Roughly 30 percent of the IT security budget funds the SOC.
- Analyst stress. IT security personnel say working in the SOC is stressful because of an increasing workload and 24/7/365 on-call demands.
“The survey findings clearly highlight that a lack of visibility and having to perform repetitive tasks are major contributors to analyst burnout and overall SOC ineffectiveness,” said Julian Waits, Devo’s cyber general manager. “It is critical that businesses make the SOC a priority and evolve its effectiveness by empowering analysts to focus on high-impact threats and improving the speed and accuracy of triage, investigation, and response.”
The research also assessed the current state of the SOC:
- The cloud. 53 percent of respondents said the IT infrastructure that houses their SOC is best described as mostly cloud (29 percent) or a combination of cloud and on-premises; 47 percent of respondents said it is on-premises.
- Threat intelligence. 51 percent of respondents said their companies invest in threat intelligence feeds. Of those, 54 percent said the threat intelligence feeds combine open source and paid feeds.
- Exploits. The exploits most commonly identified by the SOC are malware attacks (98 percent), exploits of existing or known vulnerabilities (80 percent), spear phishing (69 percent) and malicious insiders (68 percent).
The study also made recommendations to increase SOC effectiveness:
- Address analyst burnout. The number one recommendation from respondents is to automate workflow, followed by normalizing the work schedule, having access to more out-of-the-box content and more resources.
- Create stronger alignment between the SOC and the business. Create opportunities for leaders of each silo to discuss and prioritize objectives, and better address the turf and silo issues between the SOC and IT security operations.
- Support analyst talent with security operations technologies. Invest in technologies to address a lack of full visibility into the network traffic, lack of timely remediation, lack of interoperability with other security solutions and too many false positives.