While most enterprises recognize the critical role that security operation centers (SOC) play in cybersecurity activities, very few are able to perfect a SOC approach that meets their ultimate satisfaction. A new study out on attitudes toward SOC efficacy shows that organizations are spending millions each year to run their SOCs, but that many are unhappy with the ROI from this investment.
Based on a survey conducted by Ponemon Institute among over 600 IT decision-makers, The Economics of Security Operations Centers report showed that 73% of organizations see their SOC as a lynchpin for executing on cybersecurity strategy. The average organization spends $2.86M on their in-house SOC, with some industries spending significantly more. For example, financial services firms spend an average of $4.6 million per year and industrial and manufacturing companies spend $3.16 million annually. Larger organizations also tend to spend significantly more, with organization supporting an employee base of 25,000 to 75,000 spending an average of $6.27 million per year on their SOC.
For all the money put into the SOC, approximately 49% of those questioned admitted their dissatisfaction at their SOC's effectiveness in detecting attacks. What's more, the situation is grows trickier by the day. Some 44% of respondents report that the ROI of their SOC is getting worse.
In examining the ineffectiveness of the modern SOC, the study highlighted the struggle that many organizations face when coming up with their SOC operational model. At present there exists a difficult dichotomy between two least-worst choices for running a SOC: either doing it in-house or outsourcing to an MSSP. The Ponemon study shows that at present there exists a grass-is-greener mentality no matter what side an organization chooses.
In-House SOCs Are No Picnic
Of course, running a SOC internally is a perennial challenge for organizations of all sizes, considering the constrained market for skilled security analysts. The study shows that 70% of organizations report that SOC analysts burn out quickly due to the high-pressure environment, and 72% report the pain of working in a SOC as very high. Some of the biggest sources of pain cited by respondents include increasing workloads, being on call 24/7/365, lack of network visibility, alert fatigue, and information overload. This leads to a state of constant churn within in-house SOCs. According to the study, organizations expect to lose three analysts for every four that they hire in the SOC in 2020.
The Trouble with Fully Managed SOC
As a result there are a lot of organizations out there that feel they don’t have the wherewithal to man their own SOC and instead choose to have an MSSP do the work. But often times going the outsourced route leads to them up being more dissatisfied with the performance of their security nerve center. Approximately 58% of organizations that go for the fully managed option question the effectiveness of their SOC. That's illuminating considering that they typically spend significantly more than those running an in-house SOC, laying out an average $4.4 million annually. This leads these organizations looking for greener grass once again. Some 40% of organizations dissatisfied with the fully managed SOC option say they're looking into bringing their SOC back in-house.
3 Ways Orgs Are Tweaking Their SOC Models
With so many organizations banging their heads against the difficulties of running a SOC in-house but also finding their MSSPs ineffective to moderately effective, the industry faces " a conundrum that suggests a third-way solution is necessary,” says Dr. Larry Ponemon, chairman and founder of Ponemon Institute. These are three ways organizations are tweaking their models to forge that third path.
In many instances organizations are finding that they need to find the right balance between running the SOC in-house and augmenting internal staff with service providers for certain specialized functions. As SANS Institute pointed out in its most recent SOC survey, " Organizations frequently achieve good results by turning to external service providers to bolster their SOCs’ capabilities."
Bolster is the key word there, rather than replace. This philosophy of service augmentation is where popularity for specialized services like managed detection and response and endpoint detection and response has sprung from in recent years.
Automation has long been seen as the ultimate balm for the security skills shortage in the SOC. But getting the right automation in place—the kind that lessens the workload rather than increases it through added complexity and false positives, that's the trick.
Right now SANS reports that half of SOC managers report a very low satisfaction rating for many of the AI and machine learning tools out on the market today, so it is definitely a buyer beware situation for SOC decision-makers. And Gartner's most recent report on the security orchestration, automation, and response (SOAR) market admits that "use cases implemented by early adopters have not evolved over the last 12 months and are stuck in a rut."
Part of this has less to do with the automation tech itself and the way in which organizations use it. For example, Gartner notes that ticket-driven organizations not willing to give up its ticket system get little benefit out of the case management capabilities of SOAR. So it is going to take a fair amount of process design work for organizations to truly reap the benefits of automation efforts in the SOC.
Finally, the best SOC runners recognize that getting the most out of its stable of SOC analysts comes down to the very unsexy and fundamental work of sound people management. This includes creatively recruiting and training staff, providing the right incentives, and giving the resources they need to stay sane on the job. For example, developing playbooks and documentation makes it easier to train up new people and bridge the knowledge gaps that occur due to turnover and surge staffing during emergencies.
It's not rocket science, but it isn't easy either. Says SANS analysts, " Accomplishing low turnover came from involving analysts in use case and detection development, providing career growth and enabling regular rotation opportunities to keep people learning."
Ultimately, these tweaks will take real investment. The recent Ponemon study hints at this. When it looked at organizations who self-reported as running highly effective SOCs, the results showed that these organizations spent 22% more than the average.