The changing face of the security operations centre


For many years, Security Operations Centres (SOCs) have been seen as one of the best ways to centrally monitor, coordinate and manage an organisation’s security defences. However, with the threat landscape changing quickly, SOC operations must also evolve in order to remain both relevant and effective against cyber-crime. Doing so requires detailed knowledge of the latest industry trends, regular assessment of shortcomings, and a willingness to invest the time and money needed to address them.

Every year, Exabeam conducts a detailed ‘State of the SOC’ survey amongst IT professionals with management responsibilities in both the UK and US, in order to understand what the latest challenges facing SOCs are and how organisations plan to address them. The report catalogues responses in numerous key areas including: SOC basics/responsibilities, outsourcing, hiring and staffing, technology, and finance and budget. This article will look at the main findings in each of these areas of the 2019 report, how they have changed since last year and the resulting implications.

Basic operations: CIOs/CISOs getting more hands on

Over the past 12 months, CIOs and CISOs have become increasingly concerned about the effectiveness of their SOCs’ incident response capabilities, largely because of the significant impact a poor response can have on business operations. As a result, many of them are getting much more hands-on than before, with 86 per cent now directly involved in incident response compared to 65 per cent in 2018. The same can be said for threat hunting, where CIO/CISO involvement has jumped from 51 per cent to 67 per cent in just 12 months.

In the SOC itself, there’s been a 140 per cent increase in the number of frontline analysts now using automation (20 per cent in 2018 vs 48 per cent in 2019), showing just how important this technology is becoming to ongoing activity and overall efficiency. Elsewhere, procedure and policy, monitoring security tools, and investigations are taking up more analyst time as well.

Hiring and staffing: A major ongoing issue

Staffing challenges remain one of the biggest concerns, with many respondents still struggling to recruit the right people and acquire the technology needed to resource their SOCs effectively. In the worst instances, up to 10 additional employees are needed before a SOC can be considered adequately staffed. Understaffed teams are prone to alert fatigue, which in turn leaves them worryingly exposed to attacks that slip through unnoticed.

Fortunately, the picture looks better when it comes to retaining existing staff. Some 46 per cent of those surveyed said retention was easy with the right workplace benefits, while 42 per cent felt that a good, challenging working environment also plays a key role.

Outsourcing: Emphasis switching from basic monitoring to specific expertise

As a result of the ongoing global staffing shortages, outsourcing continues to play a key role in the majority of SOC operations. However, the tasks being outsourced have started to change. For example, 55 per cent of respondents now outsource malware analysis expertise (up 15 per cent from 2018) and 45 per cent outsource threat intelligence services (up 17 per cent year on year). By contrast, for tasks such as event/data monitoring, outsourcing is down 10 per cent to just 37 per cent in 2019. This suggests that while the growing use of automation is easing some of the simpler monitoring and reporting burdens, the need for specialist expertise in other areas continues to grow faster than in-house staff can be recruited.

Technology: Keeping on top of security alerts still the biggest pain point

Technology remains a major area of investment for SOCs, with big data analytics, endpoint detection/response, network/cloud monitoring, and identity/access management still the top priorities amongst respondents. The greatest areas of increase in the last 12 months have been biometric authentication and access management (up six per cent), along with AI (up four per cent), perhaps showing the start of a new trend in SOC technology (more on this below).

Amongst CIOs and CISOs, keeping up with security alerts is now the biggest pain point, with the number of respondents citing it jumping from 35 per cent in 2018 to 49 per cent in 2019. This jump could explain the four per cent increase in AI investment, as CIOs/CISOs search for an effective way to cut alert volume. For analysts themselves, the biggest pain point is poorly integrated security tools (38 per cent), suggesting that many SOCs are buying the right tools but failing to invest the time and money needed to integrate them and get the most from them.

Finance and budget: More investment in technology remains top demand

Despite all of the areas of investment discussed above, technology remains the area respondents see as most underfunded, with 39 per cent wanting to see even greater investment in it going forward. Automation in particular is an area many respondents feel could save them a great deal of time in the long run. A further 35 per cent want greater funding for staffing in order to try to resolve the recruitment issue discussed earlier.

As this report shows, 12 months is a long time in the life of a SOC. With cyber-security now so integral to ongoing success, every aspect of SOC operations is increasingly under the microscope. Unfortunately, with the global staffing shortage showing no sign of abating, many have to either outsource for speciality skills and expertise or invest heavily in technology such as automation and AI to help existing employees to do more with less.

Steve Moore, Chief Security Strategist, Exabeam