Risk

1/22/2020
05:15 PM
For Mismanaged SOCs, The Price Is Not Right

New research finds security operations centers suffer high turnover and yield mediocre results for the investment they require.

The security operations center (SOC), considered a core component of many organizations' cybersecurity strategies, is plagued with high costs and myriad challenges. Businesses running a SOC often struggle to achieve a high return for what proves to be an expensive investment.

These findings come from a new report entitled "The Economics of Security Operations Centers: What Is the True Cost for Effective Results?" conducted by the Ponemon Institute and commissioned by Respond Software. Researchers surveyed 637 IT and IT security practitioners who work in organizations running SOCs to learn about their economics and effectiveness.

The SOC has been a topic of conversation for much of the past five to six years, as experts seek to learn more about their cost and functionality, says Ponemon Institute chairman Larry Ponemon. Organizations spend an average of $2.86 million each year on their in-house SOC, researchers found. The annual cost jumps to $4.44 million if they outsource to a managed security service provider (MSSP), a number that researchers found surprising. Only 17% of respondents say their MSSP is "highly effective."

Despite the pricey investment, only 51% of organizations surveyed are satisfied with their SOC's effectiveness in detecting cyberattacks. Forty-four percent say their SOC's ROI is worsening.

The most important SOC activities, they say, are the minimization of false-positives (84%), threat intelligence reporting (83%), monitoring and analyzing alerts (77%), intrusion detection (77%), use of technologies such as automation and machine learning (74%), agile DevOps (73%), threat hunting (71%), and cyber forensics (69%).

More than two-thirds (67%) of respondents say training SOC analysts is one of the most critical SOC activities. SOCs heavily rely on human expertise to prevent, detect, analyze, and respond to security incidents. Complexity and hiring challenges interfere with the ability to detect attacks.

"We found that, on average, when individuals were recruited to the SOC, it took a better part of a year to become an active member of the team," Ponemon says. "You can't just walk in and be an expert. It takes effort; it takes time." Further, researchers discovered, 74% of respondents say their SOCs are "highly complex" environments, which makes management more difficult.

Staffing the SOC is expensive – about $1.46 million of average SOC spend goes toward direct labor costs – because low-level analysts make high salaries and usually don't stay in their positions very long. The average salary for a tier-one analyst is $102,315, and 45% earn between $75,001 and $100,000. Thirty percent make $100,001 to $150,000, and 9% earn $150,000 or more. Only 16% of tier-one analysts make less than $75,000 per year.

The average SOC analyst leaves the organization after a little more than two years, and employers can't keep up with the turnover. An average of four analysts is expected to be hired in 2020; however, three analysts will be fired or resign in one year. "It happens in security across the board," says Ponemon of the turnover. "But in a SOC environment it's pretty tough."

Why the short stay? Seventy percent of respondents agree that SOC analysts burn out quickly because of the high-pressure environment and workload. "You're constantly waiting for the next shoe to drop," he adds. When asked about what makes SOC work painful, respondents pointed to an increasing workload (75%), being on call 24/7/365 (69%), lack of visibility into IT and network infrastructure (68%), too many alerts to chase (65%), and information overload (65%).

"The tier one analyst role traditionally has always been an entry-level job," says Dan Lamorena, security executive with Respond Software. "It's the building blocks of a security career for a lot of people." Still, these employees are often hard to find. SOCs demand critical thinkers who are comfortable with technology and willing to take on the tasks that tier two and three analysts don't want, such as sitting through the night shift.

Ultimately, he continues, the time that tier one analysts spend in an entry-level role prepares them to take on higher positions at other companies, where they can demand higher salaries.

"You're constantly learning how the adversary is acting," Lamorena says. "You're learning a lot of threat intelligence, the types of people attacking you. What are the tactics they're using?"

The IT infrastructure monitored by the SOC also influences cost, researchers report. On-prem environments cost the most ($3.19 million), followed by mobile ($3.06 million) and cloud ($2.75 million). Hybrid environments combining on-prem and cloud cost the least, with $2.5 million in annual costs. Researchers also found respondents who ranked their effectiveness as higher generally spent more to improve their SOC's ability to detect cyberattacks.

Spending also varies by industry. Financial services firms spend the most ($4.6 million) on their SOC each year, followed by industrial and manufacturing companies ($3.16 million), technology and software ($3.02 million), services ($2.56 million), and the public sector ($2.25 million).

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
ReneTie, User Rank: Apprentice, 1/23/2020 | 2:52:49 AM

Good Mission is they

That's why we should invest in optimizing and streamlining SOCs; just buying a SIEM, filling it with logs and putting a few analysts, or even normal IT engineers, in front of it just does not do the trick, no matter what SIEM vendors tell you.