Last week, Smarter SIEM™ company Exabeam released its annual ‘State of the SOC’ report, identifying shifting roles and responsibilities as one of the most pressing challenges for SOC managers.
The survey sought the opinions of IT professionals in the U.S. and U.K. with management responsibilities in operations and security. Roles targeted included CIO/CISO, SOC manager and frontline employees such as threat researchers, security architects, engineers, analysts and risk officers.
The report catalogues findings in five key areas: basic operations, hiring and staffing, process, technology, and finance and budget. It also reveals a few key opportunity areas for MSSPs and other cybersecurity providers.
CIOs and CISOs are more concerned about incident response, automation, and threat hunting while SOC analysts are more focused on procedure and policy, monitoring security tools, and investigations.
Almost half of SOCs continue to outsource business activities. Malware analysis, threat analysis, and threat intelligence are the most frequently outsourced functions. SOC analysts are strongly involved in incident response and automation.
Hiring and Staffing
Staffing challenges also remain one of the highest concerns for SOCs: many organizations don’t have the right people and technology to man their SOCs, leaving them open to potentially devastating cyberattacks and alert fatigue.
SOC staffing remains an issue for many organizations and is most prevalent among less effective SOCs (46 percent) compared to more effective SOCs (29 percent). Retention remains strong due to competitive benefits (44 percent) and the good or challenging nature of SOC work (42 percent).
Notably, while hard skills remain critical, 65 percent of SOCs are placing increased emphasis on soft skills, particularly personal and social skills.
Process & Perception
In some instances, holding different positions resulted in stark divergences in findings, particularly around perceptions. For example, while year-over-year effectiveness has changed little, a gap has emerged (54 percent) in the perception of the SOC’s ability to perform auto-remediation. This is a 14 percent change from 2018.
All groups agree that too much time is spent on reporting and documentation, while the problem of inexperienced staff is greater in the eyes of CISOs and CIOs than with SOC staff and SOC managers.
Big data analytics, endpoint detection/response, network/cloud monitoring, and identity/access management remain top technology priorities. Keeping up with security alerts remains the top pain point for SOCs.
Finance and Budget
Technology investment as compared to staffing, facilities and management remains the most underfunded part of the SOC, a sentiment felt more strongly by Americans.
A final key insight the report illuminates revolves around opportunity. Solving primary pain points for CIOs / CISOs and SOCs is a major opportunity for MSSPs and other cybersecurity providers.
Specifically, 27 percent of respondents felt their top pain point was alert fatigue. False positives and time spent on reporting/documentation are also significant pain points, cited by 24 percent and 33 percent of respondents respectively. The survey further revealed that a lack of environmental visibility, in the form of too few logs, is an issue.
Managed SIEM deployments, especially those with machine-learning-based behavior analytics features, can greatly reduce these issues through automation, specifically timeline creation, which decreases alert fatigue, saves time and prioritizes work.
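To make the timeline idea concrete, here is an added example (not code from Exabeam or from the report) that takes alerts emitted by several tools, groups them into one chronological timeline per user, and ranks the timelines so that an analyst sees a handful of prioritized cases instead of a flat stream of alerts. The sample alert lines, the key=value format, the severity weights and the cross-source bonus are all constructed for illustration; a real deployment would derive its scoring from observed baselines rather than these fixed numbers.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts from several tools (VPN, EDR, proxy, DLP).
# These are illustrative lines, not data from the report or any product.
SAMPLE_ALERTS = [
    "2019-06-03T08:05:40Z source=edr   sev=high   user=jdoe   host=lap-17 msg=encoded powershell command",
    "2019-06-03T08:01:12Z source=vpn   sev=low    user=jdoe   host=lap-17 msg=login from new country",
    "2019-06-03T09:12:03Z source=proxy sev=medium user=jdoe   host=lap-17 msg=first visit to rare domain",
    "2019-06-03T09:40:55Z source=dlp   sev=high   user=jdoe   host=lap-17 msg=large upload to file share",
    "2019-06-03T08:30:00Z source=proxy sev=low    user=asmith host=ws-02  msg=blocked ad network",
    "2019-06-03T10:02:17Z source=proxy sev=low    user=asmith host=ws-02  msg=blocked ad network",
    "2019-06-03T11:15:09Z source=vpn   sev=medium user=mlee   host=lap-03 msg=login outside business hours",
]

# Assumed severity weights; a real SIEM would tune these.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}

# key=value pairs where a value runs until the next " key=" or end of line,
# so free-text fields such as msg may contain spaces.
_KV = re.compile(r"(\w+)=(.+?)(?=\s+\w+=|$)")


def parse_alert(line):
    """Parse one constructed alert line into a dict with a datetime timestamp."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(_KV.findall(rest))
    return {
        "ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        "source": fields["source"],
        "sev": fields["sev"],
        "user": fields["user"],
        "host": fields["host"],
        "msg": fields["msg"],
    }


def build_timelines(lines):
    """Group alerts into one chronological timeline per user."""
    timelines = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        timelines[alert["user"]].append(alert)
    for events in timelines.values():
        events.sort(key=lambda a: a["ts"])
    return dict(timelines)


def score_timeline(events):
    """Sum severity weights and reward corroboration across distinct sources.

    A single low alert scores 1; four alerts about the same user from four
    different tools score much higher, which is the case worth looking at first.
    """
    base = sum(SEVERITY_WEIGHT[a["sev"]] for a in events)
    distinct_sources = {a["source"] for a in events}
    return base + 2 * (len(distinct_sources) - 1)


def prioritize(lines, min_score=0):
    """Return (user, score, events) tuples, highest score first, above a threshold."""
    ranked = []
    for user, events in build_timelines(lines).items():
        score = score_timeline(events)
        if score >= min_score:
            ranked.append((user, score, events))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def render(timeline):
    """Format one timeline as the analyst would read it."""
    user, score, events = timeline
    out = [f"{user}: score {score}, {len(events)} alerts"]
    for a in events:
        out.append(f"  {a['ts']:%H:%M:%S} [{a['source']}/{a['sev']}] {a['host']}: {a['msg']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Seven raw alerts collapse into three timelines; with a threshold of 5
    # only the corroborated jdoe timeline is surfaced for review.
    for t in prioritize(SAMPLE_ALERTS, min_score=5):
        print(render(t))
```

The reduction comes from two places: grouping by entity turns seven alerts into three cases, and the threshold hides the two low-value cases (repeated ad-network blocks and a single off-hours login) until more evidence accumulates. The same structure applies to grouping by host or by source address; the entity key is the only thing that changes.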
You can view the full report here.
by Steve Moore, Chief Security Strategist, Exabeam.
About Steve Moore
Stephen Moore has been vice president and chief security strategist of Exabeam, Inc. since August 2017. Moore has more than 15 years of experience in information security, intrusion analysis, threat intelligence, security architecture and web infrastructure design. Prior to joining Exabeam, Mr. Moore spent more than seven years at Anthem in a variety of cybersecurity practitioner and leadership roles. He was the architect of the new 6,000-square-foot Anthem Cyber Security Operations Center in Indianapolis. Prior to joining Anthem in 2009, he served in a variety of roles at Sallie Mae (now known as Navient and Sallie Mae Bank) within the Web Infrastructure, Program Management and Information Security organizations. He served as staff vice president of Cyber Security Analytics at Anthem, Inc. and played a leading role in the response and remediation of the data breach announced in 2015. He has deep experience working with legal, privacy and audit staff to improve cybersecurity and demonstrate greater organizational relevance. Moore has been a member of the advisory board at SecureAuth Corporation since July 2017.