Despite the Importance of Security Operations Centers, Performance is Poor
The external view of Security Operations Centers (SOCs) is upbeat and promising, but the internal view is concerned and worrying. On the one hand, 72% of firms consider the SOC a key part of their security strategy; but on the other hand, 60% of SOC staff have considered changing careers because of stress, while 65% claim to have limited visibility into the attack surface.
A survey of 600 professionals working in IT and security, conducted by Ponemon and commissioned by Devo, seeks to better understand the causes behind the effective and ineffective areas of SOCs. Fundamentally, it concludes that ‘turf battles’ are a primary problem for inefficiency — there is no clear line of responsibility for the SOC. “Sixty-four percent of respondents,” says the Devo report, “say these internal battles over who is in charge of what are a huge obstacle to their SOC’s success, a disheartening increase from 57% in 2019.”
In fairness, SOC efficiency is slowly improving in many areas, but very slowly. “There is,” notes the report, “an eight-percentage-point increase among respondents who say their SOC is highly effective in gathering evidence, investigating, and identifying the source of threats.” While that sounds promising, the improvement is only from 42% to 50%, meaning that half of the respondents still feel that the SOC is not performing well.
“The real issue,” Devo’s general manager of cybersecurity, Julian Waits, told SecurityWeek, “and where I see that most SOCs and most security programs fail, is they never really do a business impact analysis as a team. When you talk to companies about their security programs, they talk about technology, technology, technology. They talk a little about process — but the data that is always missing from the equation is, why are we doing this? And I think that’s the biggest problem. If you’re a retailer, the most important things include POS, personal information and so on. You should line up all your risk considerations, and therefore technology, around protecting those things that are most important to the business. When that isn’t done, everyone is chasing everything, and chaos ensues.”
The role of the CISO, he continued, “is rapidly accepting the need for business acumen, but that increased business knowledge needs to migrate down throughout the security team — including the SOC team. SOC teams are trouble-shooters by nature, their job is to solve problems. So, they may look for a CVE that may be considered bad, or other potentially malicious events, but then they need to apply it to what it means to the business. By default, that sets the priority not just for the security program, but for all the people who participate in the program. That’s the basis for how a mature security program should operate. Security is not there just to secure stuff, but to ensure the business can operate in the way it should.”
The ‘chaos’ ensuing from this lack of cohesiveness is having an effect on SOC staff. Seventy-eight percent said the work is very painful, 75% say that an increasing workload is the primary cause of staff burnout, and 53% say ‘complexity and chaos’ is a major pain point. Each of these figures is up from last year. It’s also worth noting that the survey covers the pre-COVID-19 era. “The problem is now exponentially worse,” Waits told SecurityWeek, “because people aren’t sitting next to each other in SOC rooms with big screens.”
This issue is likely to worsen in the future. Pre-COVID-19, 68% of the respondents complained of too many alerts to chase, while 67% complained of information overload. Increased working from home — which is not likely to completely go away after the pandemic — brings in, said Waits, “a whole bunch of new threats and threat vectors where the SOC team now has to worry about what sort of things are running around on people’s home computers that maybe they’ve never seen before.”
The SOC’s role in digital forensics has largely been confined to devices in a known and protected environment. In the future, the team will have the additional need to investigate remote, and unprotected devices that don’t even belong to the company. They will need to be able to triage between incidents and events that have a bearing on the company, and those that have no bearing on the company.
Nevertheless, some SOCs perform considerably better than others, and the report (PDF) seeks to find the differentiating factors between high and low performance. High-performing SOCs are rated by the respondents at 7 or above out of 10 in terms of effectiveness. Three areas stand out. Seventy-three percent of successful SOCs are fully or partially aligned with business needs (only 37% of lower-performing SOCs can say the same). Forty-four percent of high performing SOCs are ‘essential’ to the overall corporate security strategy (only 18% of lower-performing SOCs are in this position). And 67% of high performing SOCs have a defined program for training and retaining staff (compared to just 31% of lower-performing SOCs).
The high performing SOCs can still improve. Seventy-eight percent call for an improvement of visibility into the IT security infrastructure; 65% call for a solution to the turf or silo issues between IT ops and SOC teams; and 49% would like to see improved compliance with privacy and data protection requirements. The biggest pain points are managing threat intelligence (60%), malware protection and defense (57%), waiting on tools to respond to operations (48%), and tool maintenance (47%). Seventy-one percent of respondents call for more automation to help in these areas.
A common concern is that there are too many tools with insufficient automation between them. The problem with buying a point product to fill a gap is that gaps may remain between them, while those that are used often overlap with others. Understanding and correctly interpreting the different tools is a problem that just adds to the complexity of the role, and Waits notes that the more mature companies with better performing SOCs are trying to consolidate the use of different tools.
The picture that emerges from Devo’s study is that SOCs are important and valuable to cybersecurity, but they are also a problem. Staff are overburdened, and staff churn is high. Governance of SOCs is chaotic, often leading to less than optimum performance. Unaddressed, these issues are likely to worsen with increased home working — but solutions through better alignment with business and increased automation do exist.
Related: In the Detection and Response Era, a Unified SOC is the Path to Success
Related: Fighting Alert Fatigue With Security Orchestration, Automation and Response
Related: SOC Performance Improves, But Remains Short of Optimum: Report
Related: Vectra Targets SOCs With Microsoft Defender ATP, Azure Sentinel Integration