An SOC Reality Check: Top SecOps Team’s Challenges and Best Practices

The threat landscape facing organizations is changing constantly, but one constant in the fight against online threats has been the security operations center (SOC). Although most businesses view the SOC as a critical part of their cyber security strategy, there is growing dissatisfaction with what they are getting for their investment.

One study, conducted by the Ponemon Institute and released in January, found that just over half of organizations (51%) were satisfied with the effectiveness of their SOCs in detecting attacks.

Another disturbing development is the growing perception that the return on investment of an SOC is getting worse. The Ponemon study found that more than half of organizations (51%) feel this way, compared to 44% in 2019.

The study, based on a survey of 16,841 IT and IT security practitioners with an SOC, found that organizations spend an average of $2.86 million annually on their internal SOC. The cost increases significantly to $4.44 million if SOC functions are outsourced to a managed security service provider.

To be more effective, organizations need to spend more money, the researchers found. An average of $3.5 million was spent on highly effective SOCs, compared to an average of $1.96 million on very low-effectiveness SOCs.

But spending is just the beginning. Security teams understand how important the SOC is, so TechBeacon spoke to top experts for guidance. Here are the top SecOps team challenges, and best practices for dealing with them.

1. Cost of complexity

If organizations are looking for a quick ROI from their SOCs and from technologies like SIEM and security orchestration, automation and response (SOAR), it’s easy to understand why they might be disappointed.

Dan Lamorena, vice president of marketing at FireEye, said ROI can take time.

“Traditional SIEMs and SOARs need a lot of work by professional services or internal engineering teams to get started, so it will take a while before the ROI will appear. There may be a trough of disillusionment taking place while this is happening.”
Dan Lamorena

Indeed, the Ponemon study found a link between complexity and SOC effectiveness. Nearly three-quarters of the organizations surveyed (74%) admit that it is difficult to manage their SOCs because of their complexity. “As a result,” the researchers write, “only about half of the respondents (51%) say that their organizations are very effective at detecting attacks.”

A survey of Fortune 1000 companies released in February by CardinalOps, a maker of an AI-powered platform for optimizing threat coverage, found that many of the rules and policies written for SIEMs were ineffective. The researchers found, for example, that on average 25% of SIEM rules are broken and will never fire, mainly because fields are not extracted correctly or because log sources do not send the data the rules need.

In addition, they discovered that 15% of SIEM rules account for 95% of the tickets handled by an SOC, showing that a small percentage of noisy rules overwhelms SOC analysts with misleading false-positive alerts.
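As an added example, not from the article or from any vendor named in it, the following Python audits a constructed set of SIEM rules for the two failure modes described above: rules that can never fire because no log source extracts the fields they match on, and the small subset of rules that produces most of the ticket volume. The rule names, field names and ticket counts are constructed sample data.

```python
from collections import Counter

# Constructed sample: each SIEM rule and the event fields it matches on.
RULES = {
    "brute_force_login": {"src_ip", "user", "event_id"},
    "malware_hash_match": {"file_hash", "host"},
    "dns_tunnel_beacon": {"query_length", "qname"},
    "admin_group_change": {"group", "actor"},
}

# Constructed sample: fields actually extracted from each onboarded log source.
# The DNS parser never extracts query_length, and no directory-service source
# has been onboarded at all, which are the two failure modes the survey found.
SOURCE_FIELDS = {
    "windows_security": {"src_ip", "user", "event_id", "host"},
    "edr": {"file_hash", "host"},
    "dns": {"qname"},
}

# Constructed sample: tickets raised per rule over a 30-day window.
TICKETS = Counter({"brute_force_login": 960, "malware_hash_match": 30,
                   "admin_group_change": 10})


def broken_rules(rules, source_fields):
    """Rules for which no single log source supplies every required field."""
    return sorted(
        name for name, needed in rules.items()
        if not any(needed <= have for have in source_fields.values())
    )


def noisy_rules(tickets, share=0.95):
    """Smallest set of rules (by volume) that produce `share` of all tickets."""
    total = sum(tickets.values())
    running, chosen = 0, []
    for rule, count in tickets.most_common():
        chosen.append(rule)
        running += count
        if running >= share * total:
            break
    return chosen


def rule_health_report(rules, source_fields, tickets):
    """Summarise what share of the rule base is broken and what share is noisy."""
    broken, noisy = broken_rules(rules, source_fields), noisy_rules(tickets)
    return {
        "broken": broken,
        "broken_pct": round(100 * len(broken) / len(rules), 1),
        "noisy": noisy,
        "noisy_pct": round(100 * len(noisy) / len(rules), 1),
    }


if __name__ == "__main__":
    print(rule_health_report(RULES, SOURCE_FIELDS, TICKETS))
```

Running the audit periodically against the fields a parser really emits catches rules that silently stopped firing after a log-source or parser change.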

Anton Chuvakin, a former Gartner analyst who worked on security strategy at Google Cloud, said that for many organizations buying security technologies is a much easier task than using and operationalizing them.

“In fact, there are many more guidelines on ‘Which tool to buy?’ and ‘How can you buy security?’ than on how to use the tool in a specific environment.”
Anton Chuvakin

2. Staff challenges

The Ponemon report also found that problems with hiring, retaining and paying SOC staff contribute to dissatisfaction with ROI. Because of the shortage of skilled people, it explained, the cost of personnel management continues to rise. The average salary for a Tier 1 analyst is $102,315, and it is expected to keep rising.

Nearly half of the organizations surveyed by the researchers (45%) predicted that salaries would increase by an average of 29% by 2020. According to the report, more than half of the cost of running an SOC is labor-related: the average cost of maintaining an SOC is about $3 million, of which $1.46 million is labor and $1.4 million is everything else.

Tim Wade, technical director for the CTO team of Vectra Networks, a provider of automated threat management solutions, said finding and retaining talented security analysts is one of the key issues mentioned by security leaders.

Skilled analysts are difficult to find, and demand seems to exceed supply by an order of magnitude. “It has been discussed ad nauseam,” he remarked.

“[Perhaps] more interestingly, most tools for security operations centers are ineffective and lead to a combination of vigilance and unresolved, frustratingly deadly investigations – which increases the burnout of analysts.”
—Tim Wade

Exhaustion is a major problem, the Ponemon study also found. About 70% of survey participants agreed that SOC analysts burn out quickly due to the high-pressure environment in which they find themselves and the devastating workload they carry.

Mark Manglicmot, vice president of security services at Arctic Wolf, a provider of cyber security services, said that in the many organizations that run security operations themselves, analysts are struggling, inundated with a tsunami of alerts to which they must respond.

“If analysts do not have enough coverage in their network, they may not be able to determine the cause of a threat. Therefore, there is a persistent attacker in their area. Then they play whack-a-mole instead of responding holistically to attacks.”
Mark Manglicmot

Meanwhile, changes in working conditions due to COVID-19 have increased stress and workload levels for SOC staff, said Charles Herring, CTO and co-founder of WitFoo, maker of a diagnostic security platform. “SOC analysts need to work from home and do not have access to some of the tools and tactics they once had.”

“By protecting a centralized network, they can block IP addresses, disable network ports, and physically run forensic devices on devices within organizations. The business changes created by COVID have reduced data and limited response tactics, making traditional SOC procedures obsolete.”
Charles Herring

Chris Hazelton, director of security solutions at Lookout, a provider of mobile phishing solutions, said it’s a matter of math to see how it plays out.

“Before COVID-19, SOCs were focused on securing one or more offices. Now SOCs are focused on securing hundreds or thousands of home offices.”
Chris Hazelton

The Ponemon report also noted that stress and workload contribute to turnover, which affects the effectiveness of the SOC. Nearly two-thirds of study participants told the researchers that the time spent finding and training analysts to fill vacancies had a significant impact on the ability of the SOC staff involved in that process to perform their other duties.

Keeping up with turnover is a challenge for organizations, the report says. It takes an average of nearly eight months to bring a new analyst online – 3.5 months to find someone and another 3.8 months to train them – while for every four analysts hired, others left the organization during the same period.

While the pandemic could contribute to turnover by increasing stress and workload, it could also dampen it, said A.N. Ananth, president of Netsurion, a cybersecurity-as-a-service provider.

“Some employees are nervous about moving because they are unsure of what the environment will be like. It helped us because people who would normally leave stayed put. It also helped us because we are not limited to hiring in a specific geography.”
—AN Ananth

Ananth said the firm had previously only considered people in the same geography as the SOC. “Now everyone is remote, so it doesn’t matter anymore,” he said.

Brandon Hoffman, chief information security officer at Netenrich, a provider of IT, cloud and cyber security operations and services, said there are disadvantages for SOC analysts confined to their homes.

“Most SOC workers are accustomed to doing a large amount of work remotely, but still have the ability to get together with different members or teams for deeper investigation. That needs to be done remotely now, and collaboration technology today does not really offer a similar interactive experience, which complicates interactive triage or war rooms.”
Brandon Hoffman

Hoffman noted that it is also more difficult to hunt deeper or triage in cases where physical access to the system is required or strongly preferred.

Built in cyber resilience

Despite the strain that COVID-19 has placed on SOC operations, some organizations have managed to limit the impact of the pandemic on their security operations. A recent study by Cisco found that organizations have some common characteristics that contribute to their resilience:

  • They had a proactive technology refresh strategy that emphasized regular upgrades to the best IT and security technologies.
  • They had adequate security personnel and invested in their people through role-based training programs.
  • They kept top executives informed through clear reporting on the activities and effectiveness of the security program.

Wade Baker, a partner at the Cyentia Institute, a cyber security research firm, said the technology approach is critical to achieving cyber resilience.

“We interpret these results to indicate that an organization’s ability to maintain resilience through unexpected events such as the COVID-19 pandemic is highly dependent on a modern, high-performance technology stack maintained by skilled personnel and with strong accountability from organizational leadership.”
Wade Baker

Although organizations may be disappointed in the bang they get for their SOC dollars, as the Ponemon/Respond study indicates, the centers remain important to many organizations’ security strategy.

Uri May, CEO of Hunters, an open XDR threat hunting company, said it’s time to think about automation and about better use of the tools and talent already in place.

“Organizations have a lot of security tools and large amounts of telemetry, but SOC processes are still manual. Most of the SOC analysts’ time is still spent writing rules, investigating warnings, and finding out the cause of incidents.”
—Uri May

A modern SOC is the key

The new generation of SOC technologies is designed to solve these problems. Security tools are integrated, and telemetry from IT and security tools is ingested seamlessly. Artificial intelligence and machine learning replace rules-based detection and IR, and remediation is built into the workflow with better automation.

“The SOC is not going away, but the technology and operations in the SOC will be different.”
—Dan Lamorena

Detection and response tools should pull data from many sources, the FireEye executive continued, and new solutions should be in the cloud. “We also need to realize that the workforce is changing, and we need to bring new talent into cybersecurity and be more accepting of people who may not have the perfect background but can be trained to meet our needs.”
