Recent studies show that the modern SOC has evolved to become the lynchpin for most enterprise security strategies. Organizations spend a significant chunk of their security budget on SOC operations and many depend upon the SOC to help them detect and hunt for threats, respond to incidents, and maintain visibility into the organization's cyber risk posture. However, SOC effectiveness still varies greatly from organization to organization.
We recently took a look at the latest research to draw a finer point on the phenomenon. The following statistics offer an unvarnished look at the state of SOC practices, analyst attitudes, and performance levels at the typical enterprise organization.
SOCs are a Key Component of Security Strategy
The value of the SOC to a typical security organization is on the uptick:
72% of organizations believe their SOC is key to their cybersecurity strategy.
This is according to a recent survey by Ponemon Institute on behalf of Devo, which shows this stat has increased by five percentage points since 2019. Approximately 31% of organizations say that the SOC is essential to security strategy, while 41% believe it is very important. The study showed that most organizations are putting their money where their mouth is with regard to this belief—70% of respondents said that they are likely or very likely to invest in new SOC technologies within the coming year.
SOC a Major Cybersecurity Line Item
SOC budgets make up a significant portion of today's cybersecurity budget. The Ponemon/Devo study found:
organizations spend an average of $9.9 million to run their SOC.
That's up from $7.8 million in 2019. According to survey respondents, SOC spending makes up about 32% of the average total cybersecurity budget.
SOC Performance: A Work In Progress
In spite of the big spend, many organizations still struggle to make their SOCs work, which suggests the function may still be underfunded at many of them. The Ponemon/Devo study showed that the overall efficacy of the modern SOC is definitely a work in progress:
50% of orgs rate their SOC as being highly effective.
That number has bumped up from 42% in 2019, but this means that half of organizations realize they've still got a lot of improvements to make. And, in fact, the study showed that over one in five organizations admit that their SOC is highly ineffective, with lack of visibility, lack of timely remediation, and lack of skilled personnel named as the biggest reasons for the efficacy gap. Only 24% of organizations say they can resolve security incidents within hours or even days.
Very Few SOCs Tracking MTTD
Speaking of timeliness in response, one of the issues here may well be that organizations are not basing their SLAs and performance metrics on the right areas. A new study by Exabeam showed that while 82% of SOC operators are confident in their ability to detect cyber threats, far fewer have a realistic understanding of how long that detection takes:
only 22% of SOC operators track mean time to detect (MTTD).
MTTD is the window of time between infection and detection, and is the duration that attackers have to run rampant in an environment. If organizations don't even measure that time, they're going to have a hard time driving it down. And that's before an incident response even begins. Response is a whole other kettle of fish.
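To make the metric concrete, here is an added example (not from the article or any of the studies it cites) that computes MTTD and mean time to respond (MTTR) from a constructed set of incident records, and flags the incidents whose dwell time blew past an assumed detection SLA. The record layout, the field names and the 24-hour SLA are assumptions for illustration.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not from the article). Timestamps are
# ISO 8601: when the compromise began, when the SOC first detected it, and
# when it was contained.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2020-03-01T02:00:00",
     "detected": "2020-03-01T08:00:00", "contained": "2020-03-01T14:00:00"},
    {"id": "INC-2", "compromised": "2020-03-02T00:00:00",
     "detected": "2020-03-04T00:00:00", "contained": "2020-03-04T12:00:00"},
    {"id": "INC-3", "compromised": "2020-03-05T10:00:00",
     "detected": "2020-03-05T12:00:00", "contained": "2020-03-05T13:00:00"},
    {"id": "INC-4", "compromised": "2020-03-06T00:00:00",
     "detected": "2020-03-13T00:00:00", "contained": "2020-03-14T00:00:00"},
]


def hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600.0


def dwell_hours(inc: dict) -> float:
    """Time to detect for one incident: compromise -> detection (the attacker's window)."""
    return hours_between(inc["compromised"], inc["detected"])


def response_hours(inc: dict) -> float:
    """Time to respond for one incident: detection -> containment."""
    return hours_between(inc["detected"], inc["contained"])


def mttd_hours(incidents: list) -> float:
    """Mean time to detect across the incident set."""
    return mean(dwell_hours(i) for i in incidents)


def median_ttd_hours(incidents: list) -> float:
    """Median time to detect; less skewed than the mean by one long-dwell incident."""
    return median(dwell_hours(i) for i in incidents)


def mttr_hours(incidents: list) -> float:
    """Mean time to respond (detection to containment)."""
    return mean(response_hours(i) for i in incidents)


def over_sla(incidents: list, sla_hours: float) -> list:
    """IDs of incidents whose dwell time exceeded the detection SLA (assumed 24h below)."""
    return [i["id"] for i in incidents if dwell_hours(i) > sla_hours]
```

Reporting the median alongside the mean matters: one incident that sat undetected for a week (INC-4 here) pulls the mean up to 56 hours while the median stays at 27, and the SLA list tells you which cases to review.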
Skills Shortages Hitting SOC
Study after study shows that the cybersecurity skills gap is especially apparent within the SOC. Among the statistical highlights, the Exabeam study showed:
40% of organizations struggle with SOC staff shortages.
The study found that this year some teams have as many as 10 key roles open for hiring that they're unable to fill.
Attrition is the SOC Team Killer
The SOC staffing issue isn't just a matter of being unable to attract or hire new talent, but also retaining people once they've come on board. A study earlier this year by Ponemon Institute on behalf of Respond Software found:
organizations expect to lose three analysts for every four that they hire in the SOC in 2020.
That study showed that 70% of security leaders agree that SOC analysts burn out quickly because of the high-pressure environment.
SOC Analysts are Overloaded
The recent Ponemon/Devo study put a finer point on the issue of negative SOC analyst sentiment over their job:
78% of security pros report that working in the SOC is very painful.
Something like three in five SOC workers say the stress is causing them to consider leaving their jobs or even their careers. The reasons for this are layered but tend to come back to the theme of analysts being overloaded. About 75% of analysts say that increased workload is the number one reason for burnout. 67% report information overload is another contributing factor. And complexity overload is also a problem, with 53% reporting that "complexity and chaos" are a major pain point in the SOC.
Many SOCs Going Back In-House
Even though in-house SOC leaders struggle to hire and retain talent, running a fully managed outsourced SOC is no path to enlightenment either. The Ponemon/Respond study showed:
40% of organizations dissatisfied with the fully managed SOC option say they're looking into bringing their SOC back in-house.
That study showed that organizations often spend more on a managed SOC, and 58% of them still question the effectiveness of their SOC function.
IR Function Has Varying Degrees of SOC Integration
According to a recent SANS Institute study, the SOC as the hub of incident response activities is not a foregone conclusion at all organizations:
32% of organizations say that incident response is a fully integrated part of the SOC, with cross-trained team members.
Another 30% of organizations say that incident response teams operate under or within the SOC with different team members, often separately trained from SOC staff. Another 30% say that incident response is completely independent from the SOC—either in-house or outsourced—and conducts investigations separately from SOC activities.
Mature Threat Hunting Still Rare
Meantime, a different SANS study shows that for most organizations the SOC is still largely reactive:
just 29% of organizations say their proactive threat-hunting practices are mature or very mature.
The study showed that 70% of organizations report that they do some kind of internal threat hunting but that they're still operating with relatively immature practices. The biggest constraints to leveling up those practices are a lack of skilled staff, budget constraints, and a lack of defined processes.