The vast majority of security operations centers (SOCs) are confident in their ability to counter cyber threats, yet few of their frontline analysts actually track mean time to detection, and organizations still struggle with SOC staff shortages, new research shows.
Infosec professionals in the U.S., the U.K., Canada, Germany and Australia have mixed opinions on key aspects of their operations, hiring and staffing, retention, technologies, training and funding.
82% of SOCs are confident in their ability to detect cyberthreats, even though just 22% of frontline workers track mean time to detection, the metric that underpins any estimate of attacker dwell time, according to an Exabeam survey. At the same time, 40% of the organizations polled said they still struggle with SOC staff shortages and with finding qualified people to close the cybersecurity skills gap, compounding the risk that this confidence is unfounded.
Exabeam Chief Security Strategist Steve Moore says his company has found over the past two years that dwell time, the interval between initial compromise and its detection, has grown.
“Based on this, it is surprising for SOCs to report such inflated confidence in detecting cyberthreats,” Moore said. “We see great progress in the SOC with attention paid to employee well-being, measures for better communication and more. However, disparate perceptions of the SOCs’ effectiveness could be dangerously interpreted by the C-suite as assurances that the company is well-protected and secure, when it’s not.”
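To make the metric concrete, the Python below is an added example, not code from the survey or from Exabeam: it computes mean time to detect (MTTD) and dwell-time statistics from a handful of incident records. The records, field names and the 24-hour target are constructed for illustration and are not survey data. It also shows why the mean alone is a poor headline figure: one long-lived intrusion dominates it, and an intrusion the SOC has not yet detected cannot be averaged in at all.

```python
"""Compute mean time to detect (MTTD) and dwell-time statistics from incident records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass
class Incident:
    """One confirmed intrusion (constructed record, not survey data).

    first_evidence_at: earliest attacker activity established in forensics.
    detected_at:       when the SOC first raised the case; None if the intrusion
                       is still unknown to the SOC, which must not be silently
                       counted as a zero-hour detection.
    """
    case_id: str
    first_evidence_at: datetime
    detected_at: Optional[datetime] = None


def dwell_hours(incidents: List[Incident]) -> Dict[str, float]:
    """Per-incident dwell time in hours (first evidence -> detection).

    Undetected incidents are excluded here and surfaced by undetected() instead,
    so an open intrusion cannot shrink the average.
    """
    return {
        i.case_id: (i.detected_at - i.first_evidence_at) / timedelta(hours=1)
        for i in incidents
        if i.detected_at is not None
    }


def undetected(incidents: List[Incident]) -> List[str]:
    """Case IDs with no detection timestamp: the blind spot MTTD alone hides."""
    return [i.case_id for i in incidents if i.detected_at is None]


def mttd_hours(incidents: List[Incident]) -> Optional[float]:
    """Mean time to detect. A single long-lived intrusion dominates this number."""
    values = list(dwell_hours(incidents).values())
    return mean(values) if values else None


def median_dwell_hours(incidents: List[Incident]) -> Optional[float]:
    """Median dwell time: the figure to report alongside the mean."""
    values = list(dwell_hours(incidents).values())
    return median(values) if values else None


def share_detected_within(incidents: List[Incident], hours: float) -> Optional[float]:
    """Fraction of detected incidents caught within `hours` (an SLA-style view)."""
    values = list(dwell_hours(incidents).values())
    if not values:
        return None
    return sum(1 for v in values if v <= hours) / len(values)


# Constructed sample cases for illustration; not figures from the survey.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2020, 1, 2, 8), datetime(2020, 1, 2, 20)),  # 12 h
    Incident("INC-002", datetime(2020, 1, 5), datetime(2020, 1, 6)),         # 24 h
    Incident("INC-003", datetime(2020, 1, 10), datetime(2020, 1, 13)),       # 72 h
    Incident("INC-004", datetime(2019, 10, 1), datetime(2020, 1, 15)),       # 106 days
    Incident("INC-005", datetime(2020, 2, 1)),                               # still undetected
]


def report(incidents: List[Incident] = SAMPLE_INCIDENTS) -> Dict[str, object]:
    """Metrics a SOC lead would put on a dashboard, computed from the records."""
    return {
        "detected": len(dwell_hours(incidents)),
        "undetected": undetected(incidents),
        "mttd_hours": mttd_hours(incidents),
        "median_dwell_hours": median_dwell_hours(incidents),
        "share_within_24h": share_detected_within(incidents, 24),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed sample the mean comes out at 663 hours while the median is 48 hours, the gap being entirely due to the one intrusion that sat undetected for 106 days; reporting the median, the share caught within the target window and the count of still-undetected cases alongside MTTD gives the C-suite a far more honest picture than the single average.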
Disagreements between SOC leaders and frontline analysts on the most common threats facing the organization further highlight this imbalance. For example, while SOC chiefs see phishing and supply chain vulnerabilities as the most important issues, analysts cite distributed denial of service (DDoS) attacks and ransomware as greater threats.
To the analysts' point, DDoS attacks can be disastrous once the cost of downtime to the business is counted. Research from NaWas by NBIP recently showed that DDoS attacks became much larger and more complex in 2019, and in the first quarter of 2020 the not-for-profit had already observed an attack peaking at 140 Gbps.
Exabeam's findings point the same way. According to the survey, small and medium-sized teams in particular rank downtime or business outage (50%) above threat hunting as an operational metric. Threat hunting nonetheless stands out as a must-have hard skill (61%).
In the U.K., SOC outsourcing grew from 36% to 47% over a year. Germany reported 47% outsourcing, primarily of threat intelligence services, and Australian respondents admitted their SOCs struggle in most categories and need improvement in technology updates, event monitoring, and incident analysis and response. By contrast, SOC outsourcing in the U.S. declined year over year (36% to 28%), suggesting that larger U.S. companies are increasingly running their SOCs in-house.
Other key findings:
- Monitoring and analytics, access management and logging are higher priorities this year for all SOC roles
- More than half of SOCs were found to log at least 40% of events in a security information and event management (SIEM) platform
- The U.K. uses logging more than other countries
- SOCs rate themselves weakest (35%) at content creation, that is, writing detection logic and validating, tuning and reporting on it
The researchers expect security orchestration, automation and response (SOAR) tooling to overtake traditional technologies in the coming years. Under-staffing, however, remains a key issue in most geographies, especially in the U.S. and Canada, where 23% of SOC personnel report being understaffed by more than 10 employees. Furthermore, 64% of frontline SOC employees cited a lack of career path as a reason for leaving their jobs, while less effective SOCs reported lacking the investment in technology, training and staffing needed to do their jobs well.
Bitdefender’s Managed Detection and Response (MDR) Service is designed to identify and remove cyber threats from business environments big and small. Bitdefender MDR puts experienced security analysts at your disposal to monitor detailed telemetry and quickly respond to malicious activities, actively removing the threat to reduce dwell time and limit any damage.