Does Your SOC Measure Up? A “Sneak Peek” into the SANS SOC Survey

By Aliza Israel

November 14, 2021

CyberProof and SANS have partnered to provide this year’s SANS Institute SOC Survey – a report that provides security leaders with insight about key trends adopted by Security Operations Centers (SOCs) in organizations across the globe. Respondents from a diverse group of 319 organizations participated in the survey, answering an initial list of questions, and sharing additional information in follow-up inquiries – thereby providing the community of security leaders with valuable information about best practices and common challenges.

The survey discusses topics including SOC staffing, technology, funding, and more. You can download the full report here. Here are some of the areas it explores:

Barriers to Optimal SOC Utilization 

The report indicates that in 2021, a lack of skilled staff was the greatest barrier to fully utilizing a SOC’s capabilities. The second most frequently cited barrier was a lack of orchestration & automation. Together, these indicate that teams lack the capacity to focus on higher-impact activities such as responding to validated incidents, and are spending too much time on manual processes to “keep the lights on.”

The staffing issues that respondents described were of two types: (1) a need for additional team members, and (2) a need for specific types of expertise. 

Respondents indicated that their teams are lacking certain kinds of cyber security skills. The most glaring need was a dearth of deep technical knowledge, specifically of:

  • Networks
  • Operating system internals
  • Overall IT architecture & operations


Metrics in Reports & Dashboards 

Compared to last year’s data, this year’s responses indicated that more SOCs (77%) are using metrics to track SOC capabilities and effectiveness. The most common metrics mentioned were:

  • Time to respond
  • Percent of coverage of endpoints, by required security agents
  • SOC analyst performance metrics

At the same time, many of the same respondents who indicated that they use metrics to gauge the status of SOC capabilities also reported dissatisfaction with the types of metrics in their reports & dashboards.

The survey also touched upon the question of exactly how metrics are obtained. Respondents shared that metrics are produced in a partially-automated manner. In other words, when presenting data to their constituents, substantial manual effort is required.

This insight shows that while more SOC teams are reporting on their performance, the dissatisfaction with the metrics indicates they either are not actionable or are not contributing to the overall security goals of the business. 

At CyberProof, we advocate the mantra, “If a KPI does not result in a decision, it isn’t really a KPI.” Metrics are important, but they are only one component of a KPI, alongside the corresponding Indicator and Decision. It’s also important that a KPI contributes to a security goal.

SANS 2021 Security Operations Center (SOC) Survey

For example, if a goal is to “Correctly Distinguish between False Positives and True Incidents,” the KPI would consist of the following components:

  • Indicator – Number of alerts labeled as incidents but later found to be False Positives
  • Metric – Percent of incidents closed as False Positive
  • Decision – Effective triage should not elevate many False Positives to Incidents. If this indicator is high or trending upward, a root cause analysis is warranted.
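The Indicator / Metric / Decision breakdown above can be made concrete. The following Python example is added here and is not from the survey or from CyberProof: it uses constructed closed-incident records (not survey data), computes the False Positive indicator and metric per ISO week, and encodes the Decision as a function that flags a root cause analysis when the rate is at or above a threshold (35%, an assumed value) or has risen for three consecutive weeks (an assumed trend window).

```python
# Added example: a KPI for the goal "Correctly Distinguish between False
# Positives and True Incidents", expressed as Indicator, Metric and Decision.
# The incident records, the 35% threshold and the 3-week trend window are
# constructed assumptions for illustration, not figures from the survey.


def _make(week, true_positives, false_positives):
    """Build constructed closed-incident records for one ISO week."""
    recs = [{"week": week, "closed_as": "true_positive"} for _ in range(true_positives)]
    recs += [{"week": week, "closed_as": "false_positive"} for _ in range(false_positives)]
    return recs


# Constructed sample: FP share climbs from 1/5 to 4/10 over four weeks.
INCIDENTS = (
    _make("2021-W40", 4, 1)
    + _make("2021-W41", 6, 2)
    + _make("2021-W42", 7, 3)
    + _make("2021-W43", 6, 4)
)


def fp_indicator(incidents, week=None):
    """Indicator: number of alerts escalated to incidents but closed as False Positive."""
    return sum(
        1
        for i in incidents
        if i["closed_as"] == "false_positive" and (week is None or i["week"] == week)
    )


def fp_metric(incidents, week=None):
    """Metric: percent of closed incidents that were False Positives."""
    pool = [i for i in incidents if week is None or i["week"] == week]
    if not pool:
        return 0.0
    return 100.0 * fp_indicator(pool) / len(pool)


def weekly_fp_metric(incidents):
    """Metric per ISO week, keyed by week label and sorted chronologically."""
    weeks = sorted({i["week"] for i in incidents})
    return {w: fp_metric(incidents, w) for w in weeks}


def kpi_decision(weekly, threshold_pct=35.0, trend_window=3):
    """Decision: return the reason a root cause analysis is warranted, or None.

    Triggers when the latest weekly FP rate is at/above threshold_pct or when
    the rate has increased for trend_window consecutive weeks.
    """
    values = [weekly[w] for w in sorted(weekly)]
    if not values:
        return None
    latest = values[-1]
    reasons = []
    if latest >= threshold_pct:
        reasons.append(f"latest FP rate {latest:.1f}% >= {threshold_pct:.1f}%")
    recent = values[-(trend_window + 1):]
    if len(recent) == trend_window + 1 and all(b > a for a, b in zip(recent, recent[1:])):
        reasons.append(f"FP rate increased {trend_window} weeks in a row")
    return "; ".join(reasons) if reasons else None


if __name__ == "__main__":
    rates = weekly_fp_metric(INCIDENTS)
    for week, rate in rates.items():
        print(f"{week}: {fp_indicator(INCIDENTS, week)} FP incidents, {rate:.1f}% FP rate")
    print("Decision:", kpi_decision(rates) or "no action")
```

The point of the structure is that the metric alone (a percentage on a dashboard) never triggers anything; `kpi_decision` is what turns it into an action, and its thresholds are the part a SOC should tune to its own goal.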

Outsourcing SOC Services 

The report indicates that certain expert capabilities tend to be outsourced, such as: 

More than 50% of respondents indicated that they outsource these services either partially or fully. Reasons given for outsourcing include the fact that handling these capabilities in-house would add to the headcount.

Our advice is to start off by understanding how the MSSP or MDR provider that is augmenting your SOC could implement additional capabilities such as pen testing and threat intelligence to further improve your security posture. They will have a good idea of your objectives and threat profile. The advanced service providers will likely have a competent team that can add this capability to your SOC in a more efficient way.

For example, with threat intelligence continuing to be one of the top outsourced capabilities, make sure a service provider’s offering is in sync with the following life-cycle stages:

  • Direction – Setting objectives on what the outcome will be from this service.
  • Collection – Leveraging a combination of clear, dark, and deep web sources.
  • Processing – Preparing data gathered from all sources, for further analysis.
  • Analysis – Providing actionable insights into patterns and trends.
  • Dissemination – Delivering the data in the form of reports and assessments.
  • Feedback – Feeding the data back into SOC processes and threat detection systems.

You can learn more about how to adopt threat intelligence services in our guide here.

Moving to a Cloud-based Architecture

When asked which type of SOC architecture their organizations would be changing to in the next year, respondents’ second most common answer (24%) was a “cloud-based SOC services” architecture.

This is a natural trend, given the impact of COVID-19 in accelerating IT infrastructure migration to the cloud. It serves as a stark reminder that legacy, on-premises security practices need to transition as smoothly as possible to cloud-native security practices, to avoid the cost and complexity that can come with large migrations. 

For example, when migrating to cloud-native security monitoring, be sure to adopt a phased approach that includes:

  • Define, onboard, and optimize both on-premises and cloud use cases. Ideally, use a single SOC delivery platform like CyberProof’s CDC to monitor all use cases as you transition from on-premises to cloud monitoring.
  • Implement log collection methods that parse, filter, and tag the data as it’s being ingested, to enable real-time analysis without high ingestion or retention costs.
  • Use a cloud-native security analytics platform that can leverage machine learning to correlate and analyze large volumes of cloud data.
  • Accelerate incident handling with orchestration, automation, and real-time collaboration capabilities via a co-sourced SOC services model. Ideally, use a provider that already has experience and native integrations with your cloud-native security analytics provider.
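As an added illustration of the “parse, filter, and tag as it’s being ingested” step (example code written for this post, not CyberProof’s or any vendor’s pipeline): the parser handles two constructed line formats, an on-premises firewall syslog record in key=value form and a cloud audit event in JSON, normalizes both into one schema, drops routine events (an allowed health-check flow, a read-only cloud API call) before they reach storage, and tags what remains by environment, severity and network origin so on-premises and cloud use cases can be queried in one place. The field names, the noise rules, the tag vocabulary and the “10.0.0.0/8 is internal” rule are all assumptions for the example.

```python
# Added example: parse, filter and tag log lines at ingest time so that only
# analytically useful, already-normalized events incur ingestion and
# retention cost. Sample lines, schema and rules are constructed assumptions.
import json
import re

# Constructed sample lines, not from any real system: two firewall syslog
# records (key=value body), two cloud audit events (JSON), one unparseable line.
RAW_LINES = [
    "<134>2021-11-14T10:00:01Z fw01 action=allow src=10.1.2.3 dst=10.1.9.9 dport=443 app=healthcheck",
    "<134>2021-11-14T10:00:05Z fw01 action=deny src=203.0.113.7 dst=10.1.2.50 dport=22 app=ssh",
    '{"eventTime": "2021-11-14T10:01:00Z", "eventName": "ConsoleLogin", '
    '"userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.4", '
    '"responseElements": {"ConsoleLogin": "Failure"}}',
    '{"eventTime": "2021-11-14T10:01:30Z", "eventName": "DescribeInstances", '
    '"userIdentity": {"userName": "svc-inventory"}, "sourceIPAddress": "10.5.0.8"}',
    "garbage line that matches no parser",
]

SYSLOG_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")

# Assumed noise rules: high-volume, low-value events dropped at ingest.
NOISY_APPS = {"healthcheck"}
READ_ONLY_ACTIONS = {"DescribeInstances", "ListBuckets"}


def parse_line(line):
    """Normalize one raw line into a common event dict; None if unrecognized."""
    line = line.strip()
    if line.startswith("{"):
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            return None
        return {
            "ts": doc.get("eventTime"),
            "source": "cloud-audit",
            "action": doc.get("eventName"),
            "user": (doc.get("userIdentity") or {}).get("userName"),
            "src_ip": doc.get("sourceIPAddress"),
            "outcome": (doc.get("responseElements") or {}).get("ConsoleLogin", "Success"),
        }
    m = SYSLOG_RE.match(line)
    if m:
        kv = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
        return {
            "ts": m.group("ts"),
            "source": f"fw:{m.group('host')}",
            "action": kv.get("action"),
            "user": None,
            "src_ip": kv.get("src"),
            "dst_port": int(kv["dport"]) if kv.get("dport", "").isdigit() else None,
            "app": kv.get("app"),
        }
    return None


def keep_event(ev):
    """Filter: drop routine events so they cost neither ingestion nor retention."""
    if ev["source"].startswith("fw:") and ev.get("app") in NOISY_APPS and ev["action"] == "allow":
        return False
    if ev["source"] == "cloud-audit" and ev["action"] in READ_ONLY_ACTIONS:
        return False
    return True


def tag_event(ev):
    """Tag by environment, severity and network origin for cross-environment queries."""
    tags = ["env:cloud" if ev["source"] == "cloud-audit" else "env:on-prem"]
    if ev["action"] == "deny" or ev.get("outcome") == "Failure":
        tags.append("sev:medium")
    else:
        tags.append("sev:info")
    # Assumed rule for the example: 10.0.0.0/8 is internal, everything else external.
    if ev.get("src_ip") and not ev["src_ip"].startswith("10."):
        tags.append("net:external")
    ev["tags"] = tags
    return ev


def ingest(lines):
    """Run parse -> filter -> tag over raw lines; return (kept_events, stats)."""
    stats = {"parsed": 0, "unparsed": 0, "dropped": 0, "kept": 0}
    kept = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        if not keep_event(ev):
            stats["dropped"] += 1
            continue
        kept.append(tag_event(ev))
        stats["kept"] += 1
    return kept, stats


if __name__ == "__main__":
    events, counts = ingest(RAW_LINES)
    print(counts)
    for e in events:
        print(e["ts"], e["source"], e["action"], e.get("src_ip"), e["tags"])
```

On the five constructed lines, `ingest` keeps two events (the denied SSH attempt and the failed console login), drops two routine ones, and counts the unparseable line separately; tracking that `unparsed` counter is what tells you a source changed its format rather than silently going quiet.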

How Advanced SOC Services Providers Can Help 

The SOC leaders who responded to the survey pinpointed several key challenges preventing SOCs from operating optimally including a lack of expertise, inadequate automation and orchestration, and ineffective reports and dashboards.

One way of approaching these issues and improving the operations of the SOC is by working with a partner like CyberProof, who can help you fill in some of the crucial gaps in optimization and performance. CyberProof’s next-generation SOC services enable you to leverage your SOC’s in-house capabilities more fully by:

  • Providing you with specialist expertise in areas such as pen testing, forensics, and threat intelligence
  • Facilitating orchestration & automation with SeeMo, our virtual analyst, eliminating repetitive, manual tasks that are being conducted by SOC analysts
  • Improving reporting capabilities by providing dynamic reporting on KPIs covering SOC visibility, efficiency, and continuous improvement

Read the full SANS Institute SOC Survey here! If you’d like to learn more about how CyberProof can help you boost your SOC operations, be in touch today.

Written by Aliza Israel
Aliza is an experienced writer and blogger who brings 15+ years of hands-on knowledge in high tech. Aliza is dedicated to conveying facts, figures, and insights that raise awareness of the cyber security issues all organizations and consumers face. Aligning with CyberProof’s mission of helping our customers create and maintain secure digital ecosystems, she is an advocate and promoter of CyberProof services worldwide.