7 Stats That Show What It Takes to Run a Modern SOC
An inside look at staffing levels, budget allocation, outsourcing habits, and the metrics used by security operations centers (SOCs).
July 24, 2019
As the nerve center for most cybersecurity programs, the security operations center (SOC) can make or break an organization's ability to detect, analyze, and respond to incidents in a timely fashion. According to a new study from SANS Institute, today's SOCs are treading water when it comes to maturing their practices and improving their technical capabilities. Experts say that may not be such a bad thing, considering how quickly both the threats and the tech stacks SOCs monitor are expanding and changing.
"Going strictly by the numbers, not much changed for SOC managers from 2018 to 2019," wrote Chris Crowley and John Pescatore in the SANS 2019 SOC Survey report. "However, just staying in place against these powerful currents is impressive, considering the rapid movement of critical business applications to cloud-based services, growing business use of 'smart' technologies driving higher levels of heterogeneous technology, and the overall difficulties across the technology world in attracting employees."
Dark Reading explores the statistics from this study, as well as a recent State of the SOC report from Exabeam, to get some understanding about what it takes to run a SOC today and some of the major challenges security teams face in getting the most out of their SOC investments.
The typical SOC today employs two to five analysts, with a plurality of respondents in the SANS study reporting staffing levels in this range. According to SANS, headcount scales with organizational size: organizations with 10,000 to 15,000 employees generally run a SOC of six to 10 people; organizations with 15,001 to 100,000 employees field SOC teams of roughly 11 to 25 analysts; and very large enterprises with more than 100,000 employees stand up SOCs of 26 to 100 analysts.
Exabeam's report, conducted among organizations in the US and the UK, found that technology is the biggest line item in SOC resource allocation and also the item most frequently cited as underfunded. Asked where they would like to see more investment, 39% of respondents said new or modern technology, 35% said additional funding for staffing, and 34% said automation to save analyst time.
According to the SANS study, security information and event management (SIEM) platforms are far and away the front-running technology analysts use to correlate and analyze the data feeds they deal with daily. SIEM is followed by threat intelligence platforms, log management systems, and security orchestration, automation, and response (SOAR) tools.
Time wasted spinning wheels was behind some of the biggest pain points identified in the Exabeam study. Roughly one in three respondents said time spent on reporting and documentation was their biggest complaint. Meanwhile, 27% named alert fatigue as their biggest source of pain, and 24% cited false positives. Other common complaints were out-of-date systems or applications, false negatives, and lack of visibility.
Getting SOC analysts to team with network operations center (NOC) analysts is still a tall order for most organizations. Teams reporting that their SOC and NOC are both technically integrated and collaborate regularly remain a marked minority. In most cases, organizations either have no NOC, have no relationship with the NOC, have very little direct communication with it, or collaborate but have no easy way to share technical data feeds.
SANS analysts say that if SOC managers are going to get more budget to make the investments they need to move the needle on SOC maturity, they've got to get better at the metrics game.
"To gain management support for resources, SOC managers need to move beyond quantity-based metrics - how many raindrops hit the roof - to business-relevant metrics - zero production downtime due to rain getting through the roof," they wrote.
Currently, the most-used metric for tracking and reporting SOC performance is the number of incidents handled. Meanwhile, only a very small share of SOCs track monetary cost per incident or losses accrued versus losses prevented.
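As an added example (not code from the Dark Reading article or from the SANS or Exabeam reports), the following script computes from a set of constructed alert records both the quantity-based metric the survey says dominates (incidents handled) and the business-relevant metrics it says few SOCs track (cost per incident, losses prevented versus losses accrued), plus the per-rule false-positive rate behind the alert-fatigue complaint in the Exabeam findings. The rule names, timestamps, analyst hours, loss figures, and the $100/hour analyst rate are all assumptions made for illustration.

```python
"""SOC metrics from alert records: quantity-based vs. business-relevant.

Added example for illustration only; all records and dollar figures are
constructed, and the hourly analyst rate is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional


@dataclass
class Alert:
    rule: str                              # detection rule that fired (constructed name)
    fired_at: datetime                     # when the SIEM raised the alert
    closed_at: datetime                    # when an analyst closed or escalated it
    disposition: str                       # "true_positive" or "false_positive"
    analyst_hours: float                   # hours spent triaging and responding
    event_time: Optional[datetime] = None  # start of malicious activity (forensics), TPs only
    loss_prevented: float = 0.0            # estimated loss avoided by containing it
    loss_accrued: float = 0.0              # loss actually incurred before containment


def false_positive_rates(alerts: List[Alert]) -> Dict[str, float]:
    """Per-rule false-positive rate: the number behind 'alert fatigue'."""
    totals: Dict[str, int] = {}
    fps: Dict[str, int] = {}
    for a in alerts:
        totals[a.rule] = totals.get(a.rule, 0) + 1
        if a.disposition == "false_positive":
            fps[a.rule] = fps.get(a.rule, 0) + 1
    return {rule: fps.get(rule, 0) / n for rule, n in totals.items()}


def soc_metrics(alerts: List[Alert], hourly_rate: float = 100.0) -> Dict[str, float]:
    """Quantity metric (incidents handled) next to business-relevant ones."""
    tps = [a for a in alerts if a.disposition == "true_positive"]

    def hours(td: timedelta) -> float:
        return td.total_seconds() / 3600

    detect = [hours(a.fired_at - a.event_time) for a in tps if a.event_time]
    respond = [hours(a.closed_at - a.fired_at) for a in tps]
    # Analyst time burned on false positives is real SOC cost, so it is
    # included in the numerator even though only true incidents are counted.
    total_cost = sum(a.analyst_hours for a in alerts) * hourly_rate
    return {
        "incidents_handled": len(tps),
        "median_time_to_detect_h": median(detect) if detect else 0.0,
        "median_time_to_respond_h": median(respond) if respond else 0.0,
        "cost_per_incident": round(total_cost / len(tps), 2) if tps else 0.0,
        "loss_prevented": sum(a.loss_prevented for a in tps),
        "loss_accrued": sum(a.loss_accrued for a in tps),
    }


# Constructed sample data (not from any survey): one week of alerts.
T0 = datetime(2019, 7, 1, 8, 0)
M, H, D = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)
SAMPLE_ALERTS = [
    Alert("brute_force_login", T0 + 5 * M, T0 + 60 * M, "true_positive", 1.0,
          event_time=T0, loss_prevented=20000),
    Alert("brute_force_login", T0 + 1 * D, T0 + 1 * D + 15 * M, "false_positive", 0.25),
    Alert("brute_force_login", T0 + 1 * D + 2 * H, T0 + 1 * D + 2 * H + 15 * M, "false_positive", 0.25),
    Alert("malware_beacon", T0 + 2 * D + 6 * H, T0 + 2 * D + 18 * H, "true_positive", 7.5,
          event_time=T0 + 2 * D, loss_prevented=50000, loss_accrued=15000),
    Alert("dlp_email", T0 + 3 * D, T0 + 3 * D + 30 * M, "false_positive", 0.5),
    Alert("dlp_email", T0 + 4 * D, T0 + 4 * D + 30 * M, "false_positive", 0.5),
    Alert("dlp_email", T0 + 3 * D + 30 * M, T0 + 3 * D + 2 * H + 30 * M, "true_positive", 2.0,
          event_time=T0 + 3 * D, loss_prevented=5000, loss_accrued=1000),
]

if __name__ == "__main__":
    for k, v in soc_metrics(SAMPLE_ALERTS).items():
        print(f"{k:26s} {v}")
    for rule, rate in false_positive_rates(SAMPLE_ALERTS).items():
        print(f"FP rate {rule:20s} {rate:.0%}")
```

Reporting "3 incidents handled" on its own says nothing to a budget holder; "$75,000 prevented against $16,000 accrued at $400 per incident, with two rules generating false positives two-thirds of the time" is the kind of business-relevant framing the SANS authors are asking for, and it also points directly at which rules to tune.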