Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

1/22/2020
05:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

For Mismanaged SOCs, The Price Is Not Right

New research finds security operations centers suffer high turnover and yield mediocre results for the investment they require.

The security operations center (SOC), considered a core component of many organizations' cybersecurity strategies, is plagued with high costs and myriad challenges. Businesses running a SOC often struggle to achieve a high return for what proves to be an expensive investment.

These findings come from a new report entitled "The Economics of Security Operations Centers: What Is the True Cost for Effective Results?" conducted by the Ponemon Institute and commissioned by Respond Software. Researchers surveyed 637 IT and IT security practitioners who work in organizations running SOCs to learn about their economics and effectiveness.

The SOC has been a topic of conversation for much of the past five to six years, as experts seek to learn more about their cost and functionality, says Ponemon Institute chairman Larry Ponemon. Organizations spend an average of $2.86 million each year on their in-house SOC, researchers found. The annual cost jumps to $4.44 million if they outsource to a managed security service provider (MSSP), a number that researchers found surprising. Only 17% of respondents say their MSSP is "highly effective."

Despite the pricey investment, only 51% of organizations surveyed are satisfied with their SOC's effectiveness in detecting cyberattacks. Forty-four percent say their SOC's ROI is worsening.

The most important SOC activities, they say, are the minimization of false-positives (84%), threat intelligence reporting (83%), monitoring and analyzing alerts (77%), intrusion detection (77%), use of technologies such as automation and machine learning (74%), agile DevOps (73%), threat hunting (71%), and cyber forensics (69%).

More than two-thirds (67%) of respondents say training SOC analysts is one of the most critical SOC activities. SOCs heavily rely on human expertise to prevent, detect, analyze, and respond to security incidents. Complexity and hiring challenges interfere with the ability to detect attacks.

"We found that, on average, when individuals were recruited to the SOC, it took a better part of a year to become an active member of the team," Ponemon says. "You can't just walk in and be an expert. It takes effort; it takes time." Further, researchers discovered, 74% of respondents say their SOCs are "highly complex" environments, which makes management more difficult.

Staffing the SOC is expensive – about $1.46 million of average SOC spend goes toward direct labor costs – because low-level analysts make high salaries and usually don't stay in their positions very long. The average salary for a tier-one analyst is $102,315, and 45% earn between $75,001 and $100,000. Thirty percent make $100,001 to $150,000, and 9% earn $150,000 or more. Only 16% of tier-one analysts make less than $75,000 per year.

The average SOC analyst leaves the organization after a little more than two years, and employers can't keep up with the turnover. An average of four analysts is expected to be hired in 2020; however, three analysts will be fired or resign in one year. "It happens in security across the board," says Ponemon of the turnover. "But in a SOC environment it's pretty tough."

Why the short stay? Seventy percent of respondents agree that SOC analysts burn out quickly because of the high-pressure environment and workload. "You're constantly waiting for the next shoe to drop," he adds. When asked about what makes SOC work painful, respondents pointed to an increasing workload (75%), being on call 24/7/365 (69%), lack of visibility into IT and network infrastructure (68%), too many alerts to chase (65%), and information overload (65%).

"The tier one analyst role traditionally has always been an entry-level job," says Dan Lamorena, security executive with Respond Software. "It's the building blocks of a security career for a lot of people." Still, these employees are often hard to find. SOCs demand critical thinkers who are comfortable with technology and willing to take on tasks that tier two and three analysts don't want to do, like sit through the night shift.

Ultimately, he continues, the time that tier one analysts spend in an entry-level role prepares them to take on higher positions at other companies, where they can demand higher salaries.

"You're constantly learning how the adversary is acting," Lamorena says. "You're learning a lot of threat intelligence, the types of people attacking you. What are the tactics they're using?"

The IT infrastructure monitored by the SOC also influences cost, researchers report. On-prem environments cost the most ($3.19 million), followed by mobile ($3.06 million) and cloud ($2.75 million). Hybrid environments combining on-prem and cloud cost the least, with $2.5 million in annual costs. Researchers also found respondents who ranked their effectiveness as higher generally spent more to improve their SOC's ability to detect cyberattacks.

Spending also varies by industry. Financial services firms spend the most ($4.6 million) on their SOC each year, followed by industrial and manufacturing companies ($3.16 million), technology and software ($3.02 million), services ($2.56 million), and the public sector ($2.25 million).

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."

 

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ReneTie
100%
0%
ReneTie,
User Rank: Apprentice
1/23/2020 | 2:52:49 AM
Good Mission is they
Thats why we should invest in optimizing and streamlining SOC's , just buying a SIEM , filling it with logs and putting a few analysts, or even normal IT engineers  in front of it just does not do the trick, nomatter what SIEM vendors tell you.
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5527
PUBLISHED: 2020-03-30
When MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives massive amount of data via unspecified vectors, resource co...
CVE-2020-5551
PUBLISHED: 2020-03-30
Toyota 2017 Model Year DCU (Display Control Unit) allows an unauthenticated attacker within Bluetooth range to cause a denial of service attack and/or execute an arbitrary command. The affected DCUs are installed in Lexus (LC, LS, NX, RC, RC F), TOYOTA CAMRY, and TOYOTA SIENNA manufactured in the re...
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.