Survey Finds Many SOCs are Set Up to Fail


At face value, the idea of a security operations center (SOC) makes tremendous sense. What organization wouldn’t want a team of dedicated cybersecurity professionals monitoring the network around the clock to proactively identify issues and quickly respond to security incidents in real time? Unfortunately, that isn’t the reality for most SOCs. A recent survey found that many SOCs are ineffective and the security analysts that work in them are being pushed to the breaking point.

The Ponemon Institute study, sponsored by Devo, surveyed more than 550 IT professionals from organizations that have a SOC and who are knowledgeable about the cybersecurity practices in their organizations. The resulting report—Improving the Effectiveness of the Security Operations Center—contains some interesting findings. In a nutshell, most rate the effectiveness of their SOC as low, and cite lack of visibility and workplace stress as contributing factors.

Effectiveness of Security Operations Center

It’s not cheap to build and manage a security operations center, so it seems reasonable that an organization should expect to see a significant return on the investment. Only about 40%, however, rate their SOC as highly effective, and less than half (47%) have confidence in the ability of their SOC to gather evidence and investigate to find the source of emerging threats. In order to address the challenges of the SOC, we must dig deeper into these numbers to find out why so many organizations consider their SOCs ineffective.

When asked what makes the SOC ineffective, nearly 7 out of 10 respondents (69%) indicated lack of visibility into network traffic. Almost as many (65%) cited lack of visibility into the IT security infrastructure as a primary barrier to the success of the SOC. If the cybersecurity analysts in the SOC don’t have comprehensive visibility, it is difficult to expect them to succeed at consistently identifying and remediating threats.

Alert Fatigue and SOC Analyst Burnout

The larger issue when it comes to managing an effective security operations center is the challenge of finding—and keeping—people with the right knowledge and skills for the job. Thanks to DevOps practices, container technologies, and hybrid cloud environments, IT infrastructures are more complex and more dynamic than ever. At the same time, the threat landscape is continuously expanding and evolving. The net result is an overwhelming number of alerts for potentially suspicious or malicious behavior that need to be assessed—many of which are insignificant or low priority risks once the broader context is known, and some of which are just false positives that generate unnecessary noise and distract from legitimate issues.

According to the Ponemon Institute study, the demands of being an analyst in a security operations center can quickly lead to career burnout. When asked what makes it so difficult to work in a SOC, the leading response was that the increasing workload causes burnout (73%). Lack of visibility into the network infrastructure was also at the top of the list. In fact, many of the other leading factors are related to the demands of trying to manage a complex network with an overwhelming volume of information to assess using limited resources. Being on call 24/7 (71%), too many alerts to chase (69%), information overload (62%), inability to prioritize threats (60%), and even complexity and chaos in the SOC (49%) all ranked as issues that make it painful to work in the SOC.

Automate and Streamline Analysis

The volume of threats is unlikely to decrease any time soon—or ever, really—so what can organizations do to deal with these issues? Companies need to find ways to address both the cybersecurity skills shortage and the problem of alert fatigue.

For many businesses, the answer is outsourcing. Enlisting the support of a third-party SOC provides a few benefits. You get dedicated professionals who have experience and know what they’re doing without having to hire or retain them yourself. It also often reduces the volume of alerts you have to deal with because cybersecurity professionals will monitor your network 24/7 and alert you only for the security incidents that require your attention.

Another option is to employ a more sophisticated security platform that can automate and streamline the SOC lifecycle. The problem with many traditional SIEM (security incident and event management) platforms is that they flood you with alerts and lack the right intelligence or context—leaving your IT security team to sift through it all and figure it out. Newer SIEM platforms and security tools are designed to take care of the initial heavy lifting—filtering and prioritizing events to enable analysts to more quickly triage and investigate the threats that matter.
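To make that "filtering and prioritizing" step concrete, the following is an added example (not code from the article or from any SIEM vendor): it collapses repeated alerts into one item, suppresses alerts that context explains, and scores what remains by severity and asset criticality. The alerts, the asset-criticality table and the authorized-scanner list are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample alerts in the shape a SIEM might emit (not real data).
RAW_ALERTS = [
    {"rule": "brute_force_ssh", "host": "db-prod-01", "src": "10.0.5.23", "severity": 3},
    {"rule": "brute_force_ssh", "host": "db-prod-01", "src": "10.0.5.23", "severity": 3},
    {"rule": "brute_force_ssh", "host": "db-prod-01", "src": "10.0.5.23", "severity": 3},
    {"rule": "port_scan", "host": "dev-vm-07", "src": "10.0.9.9", "severity": 2},
    {"rule": "malware_signature", "host": "hr-laptop-12", "src": "-", "severity": 4},
    {"rule": "port_scan", "host": "web-prod-02", "src": "10.0.9.9", "severity": 2},
]

# Constructed context: how critical each asset is (1 = low, 3 = high) and
# which internal addresses are known, authorized scanners.
ASSET_CRITICALITY = {"db-prod-01": 3, "web-prod-02": 3, "hr-laptop-12": 2, "dev-vm-07": 1}
AUTHORIZED_SCANNERS = {"10.0.9.9"}  # hypothetical internal vulnerability scanner


def triage(alerts, criticality, benign_sources):
    """Return a prioritized work queue: deduplicated, context-filtered, scored."""
    # 1. Collapse duplicates: the same rule/host/source becomes one item with a count.
    groups = defaultdict(lambda: {"count": 0, "severity": 0})
    for alert in alerts:
        key = (alert["rule"], alert["host"], alert["src"])
        groups[key]["count"] += 1
        groups[key]["severity"] = max(groups[key]["severity"], alert["severity"])

    queue = []
    for (rule, host, src), g in groups.items():
        # 2. Suppress items whose broader context explains them away:
        #    a port scan from an authorized scanner is expected behaviour.
        if rule == "port_scan" and src in benign_sources:
            continue
        # 3. Score = severity x asset criticality, plus a small bump for repetition
        #    so a persistent attempt outranks a one-off of the same severity.
        score = g["severity"] * criticality.get(host, 1) + min(g["count"] - 1, 5)
        queue.append({"rule": rule, "host": host, "src": src,
                      "count": g["count"], "score": score})

    # Highest score first: this is the order an analyst should work the queue.
    queue.sort(key=lambda item: item["score"], reverse=True)
    return queue


if __name__ == "__main__":
    for item in triage(RAW_ALERTS, ASSET_CRITICALITY, AUTHORIZED_SCANNERS):
        print(f"{item['score']:>3}  {item['rule']:<18} {item['host']:<14} x{item['count']}")
```

Six raw alerts become two queue items: the repeated SSH brute-force against a critical database host ranks first, the malware hit on a laptop second, and both scanner-originated port scans are dropped as known activity.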

Many SOCs struggle because they have a complex network to protect and an overwhelming amount of information to analyze with limited resources. The Ponemon Institute study shows that the challenges of SOC analyst burnout and alert fatigue are very real concerns that businesses need to address in order to effectively protect their users, systems, networks, and data from bad actors. Based on the findings from the Ponemon study, solutions that provide comprehensive visibility of the IT security infrastructure and network activity as well as reduce alert fatigue would go a long way in helping ensure the SOC is set up to succeed.

Tony Bradley: I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Threads, Facebook, Instagram and LinkedIn.