SecOps - The Good, The Bad and The Automated: SANS 2019 SOC Survey

Back to all articles

SANS 2019 SOC Survey

SANS conducts a global Security Operations Center (SOC) survey each year with the aim to identify current trends, while providing best practices to enable organizations to build, manage, maintain and mature their SOCs more effectively and efficiently. As cyber attacks increase in sophistication and pace, SOCs must have the ability to keep up, in order to detect, respond and remediate these threats as quickly as possible.

The latest 2019 survey results have just been released, with this year’s report designed to provide objective data to security leaders and practitioners who strive to establish a SOC or to optimize their existing one. As well as capturing common and best practices, it provides defendable metrics that can be used to justify SOC resources to management, and emphasizes key areas on which SOC managers must focus in order to increase the overall security operations performance within their organizations.

Who Was Surveyed?

The survey this year received a total of 517 responses with over half of these (57%) located in North America, 17% in Europe and 10% in Asia. Just over one third (35%) of the organizations had approximately 10 full time employees operating within their SOC, but overall staff sizes varied greatly depending on the organization size and sector, from part time staff to over 1000 team members. As expected the industries covered was very broad and spanned technology, government, banking and finance, healthcare, telecoms, manufacturing, utilities and more.

The respondents covered a range of job levels, skill sets and responsibilities, including 28% security admins/analysts in the thick of the SOC day to day activities. While technical roles totalled approximately 63%, management, director and executive roles equalled 37%.

What’s Different This Year?

The survey kept many questions the same from previous years with the purpose to highlight differences across multiple years. Regarding the answers however, there have been some major changes from 2018 to 2019, but some aspects remained the same. In addition, this year SANS also held fifteen more in-depth telephone interviews with some of the respondents to add some anecdotal information to the findings.

Those respondents who had success in improving their SOC effectiveness and efficiency focused on increased SOC staff skills in key areas. This also helped to confirm what some people still question with regards to implementing automation, whereby automation should be used to augment existing staff skills and is not meant to be a solution to replace staff altogether.

Regarding the most common barriers that SOCs are faced with, such as lack of skilled staff and absence of effective orchestration and automation, these area didn’t see much change from 2018 to 2019. This ultimately means that many SOC managers haven’t yet been able to effectively increase their staff levels or implement suitable orchestration and automation solutions to make up the difference that is required.

Defining a SOC

In last year’s survey, SOC was defined as a “combination of people, processes and technology protecting the information systems of an organization through: proactive design and configuration, ongoing monitoring of system state, detection of unintended actions or undesirable state, and minimizing damage from unwanted effects.” This remains the same, yet there are many terms often used interchangeably when people describe a security operations center.

The SANS SOC Survey 2019 further explores what a SOC does internally, via outsourcing, or both. The key aspect of SOCs is the ability to identify and respond to issues, and this is frequently an internal capability. Architecture, planning, and security administration, on the other hand are normal duties, as is the assurance organization's IT systems are in compliance with legal and industry requirements. Technical security assessments (such as pen testing and vulnerability scanning), threat intelligence collection and use, and purple-teaming are less common, but still present.

Key 2019 Survey Highlights

Below, we have outlined some of the most important findings of this year’s SANS SOC Survey, but much more depth and insight can be found by reading the full report.

  • The top three most frequently cited barriers to SOC excellence were:

  • The highest-performing CSF technology in the protection category was access control/VPNs (87%)

  • The lowest (of popular use) in the detection category was artificial intelligence (AI)/ machine learning (ML) (53%)

  • For SOC continued improvement, these critical areas were identified:

    • Articulate services to the business

    • Build use cases

    • Retain staff through training and growth

    • Use external MSSPs strategically to bolster weakness

    • Closely coordinate with NOC/IT


As cyber threat behavior, business processes, and IT technologies change constantly, SOC operations are one of the most challenging environments to manage and measure. As well as the top three challenges highlighted above, other pain points which were specifically cited as holding back a SOC from being able to be fully utilized and integrated to serve the entire organization included; a lack of management support, non defined processes or playbooks, weak enterprise-wide visibility, too many alerts to look at and a siloed approach between security and incident response operations. These results indicate that the majority of SOCs regardless of industry or size are facing the same of similar challenges worldwide.

Automation and machine learning tools are proving effective in augmenting skilled analysts or enabling lesser-skilled analysts to focus on the most likely true positives first. By orchestrating and automating their existing tools and technologies, security teams can significantly benefit from augmenting their analysts to minimize their shortcomings.

Metrics were again seen to be a key area for improvement, with a large percentage of SOCs not proactively implementing them to be able to effectively monitor and measure performance, as well as those required to build business cases in order to invest in further capabilities or enhancements. Therefore metrics should be at the forefront of any SOC, and designed for users, managers and executives, providing the day to day numbers, as well as demonstrating the overall value provided to the organization.

And finally, most organizations think about tools and technology first, rather than the processes and people also involved in operating the SOC, but it is crucial to remember that people are still a SOC’s most essential asset. It is important for organizations to be able to gain and retain good staff, especially with the increasing deficit of skilled cybersecurity professionals in the market, but if this is not an option internally, external managed security service provides may be a suitable and viable alternative.

Keep an eye out for our next blog in this mini SANS 2019 SOC Survey series where we will be discussing some of the results in more detail, including best practices for operating a successful SOC, including sizes and capabilities, architecture and technology coverage, funding, metrics and more.

To find read the full findings of the SANS 2019 SOC Survey sponsored by DFLabs, you can download it here.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo