
SOC Performance Improves, But Remains Short of Optimum: Report

The good news is that security operations centers (SOCs) are becoming more efficient. The not-so-good news is that there is still considerable scope for improvement.

This is the conclusion of the fifth annual Micro Focus State of Security Operations Report for 2018 (PDF), which draws on the experience of 200 assessments of 144 discrete SOC organizations in 33 countries. In greater detail, there has been an overall 12% improvement in SOC maturity -- the most significant shift yet in the five years of the survey. Despite this, the median SOC maturity level stands at just 1.42 across all industries, significantly below the Micro Focus recommended target of 3.0.

The report uses the Micro Focus Security Operations Maturity Model (SOMM) methodology for assessments. This is based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model for Integration (SEI-CMMI), which has been updated by Micro Focus at regular intervals to remain relevant with current information security trends and threat capabilities. 

SOMM evaluates SOCs on the basis of people and processes, technology, and business capabilities. Despite the remaining room for improvement, this year's results show that organizations are beginning to see a return on their security investments and are seeing more value out of the security solutions they have deployed.

“Over the last five years, we have watched organizations attempt to achieve a complete security transformation by applying Band-Aids – such as the purchase of peripheral products or dismantling of solutions – only to find poor results and poor business alignment,” said Matthew Shriner, vice president, Security Professional Services for Micro Focus. “With that in mind, it is refreshing that when it comes to cyber defense capability, Micro Focus is seeing a much higher degree of operational sophistication than ever before. Nearly 25% of organizations assessed are meeting business goals, representing a nearly 10% year-over-year improvement.”

The SOMM gives a rating between 0 and 5. '0' represents a complete lack of capability, while '5' is given for a capability that is consistent, repeatable, documented, measured, tracked, and continually improved upon. Micro Focus believes that enterprises should seek a maturity level of 3, while managed security service providers should target a level between 3 and 4. The reliable detection of malicious activity, and a systematic approach to managing that activity are considered to be the most important success criteria for mature cyber defense. 

Despite the overall improvement in maturity levels, the report notes that "20 percent of cyber defense organizations that were assessed over the past 5 years failed to score a security operations maturity model (SOMM) level 1. These organizations continue to operate in an ad-hoc manner with undocumented processes and significant gaps in security and risk management."

Geographically, the top performing areas are South America (SOMM score of 1.89) and the Benelux countries (1.79). In both cases the report suggests this may be down to a continuing trend "toward the use of niche service providers with a high degree of maturity, and initial investment by new service provider organizations entering the market. Niche provider SOC organizations in those regions are often willing to deliver a highly customized service to their customers and are starting to explore Hunt-as-a-Service offerings as part of their services portfolio."

The UK and DACH countries (Germany, Austria and Switzerland) all showed improvement -- 17% for the former and 9% for the latter. "Analysis," notes the report, "revealed multinational organizations making security investments in preparation for the General Data Protection Regulation (GDPR) which is currently scheduled to become enforceable in May of 2018. The consolidation and relocation of SOCs within the EMEA regions to form Security Fusion Centers have also improved the effectiveness of security operations."

North American SOCs showed only a limited improvement of 1%; but that follows a major improvement of 34% last year -- and at 1.53, the region remains ahead of the UK's 1.47. "Security operations teams in North America," says the report, "once again led as the region most willing to undergo external evaluations of their cyber defense capability and experienced accelerated results based on the implementation of targeted roadmaps."

Cloud migration has proven a problem for many SOCs. In most organizations, the cloud strategy focuses on application functionality without accounting for security and logging requirements. "Plans to monitor," notes the report, "did not follow key assets to the cloud for most security operations centers, leaving these SOCs with visibility only into the functionality that remained within legacy data center space."

In 2015, Micro Focus noted that organizations had begun to invest in big data lakes and analytics. By 2017, assessments showed that some SOCs are performing successful analytics, usually mining historical data for TTPs and IoCs -- but, "for the majority of organizations assessed such investments continue to be a science experiment with an uncertain future."

The use of deception grids continues to grow. The purpose is to increase the cost of an attack by tricking the attacker into deploying resources that are ineffective, while simultaneously learning about both the attacker and their intentions. Micro Focus expects this practice to grow, and will monitor the use of deception grids and their effect on SOC maturity in future years.

Overall, Micro Focus is optimistic over SOC progress in 2017, but warns that SOCs are no quick fix for security. "Successful security operations programs require an assessment of the risk management, security, and compliance objectives of the organization and the active tuning of the solutions deployed."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.