SANS 2018 SOC Survey – How Does Your SOC Stack Up?

Each year SANS conducts a global Security Operations Center – SOC survey to identify the latest trends, recommendations and best practices to enable organizations to successfully build, manage, maintain and mature their SOCs.  With the continual increase in volume and sophistication of cyber attacks it is crucial that SOCs are performing as effectively and efficiently as possible to respond to all security alerts and potential incidents, as well as providing a clear benefit and ROI to the organization’s current security program.

This week SANS released the results of their 2018 survey and what they defined as “SOC-cess”!  This blog will cover a quick snapshot of the report highlights and we will delve deeper into some of the results in future posts.  

You can download the full report here. DFLabs is joining the SANS team for a live webinar to discuss the results in more detail (16th August at 1:00 PM EDT).  

SANS 2018 SOC Survey Highlights

Regardless of whether you are a security analyst, a SOC manager or a C-level executive, I am sure there will be some key learning points and takeaways for you, with some of the results resonating with you and your organization.  So, how does your SOC stack up against the 2018 survey results?

Here are the key findings.

  • Only half of SOCs (54%) use any form of metrics to measure their performance
  • There is a lack of coordination between SOCs and NOCs (only 30% had a positive connection)
  • Asset discovery and inventory tool satisfaction was rated the lowest of all technologies
  • The most meaningful event correlation is still primarily carried out manually
  • Over half of respondents (54%) did not consider their SOC a security provider to their business
  • The most common architecture is a single central SOC (39%)
  • Nearly a third of SOCs are staffed by 2-5 people (31%) and just over a third by 6-25 people (36%)
  • Top shortcomings to SOC performance included:
    • – Shortage of skilled staff (62%)
    • – Inadequate automation and orchestration (53%)
    • – Too many unintegrated tools (48%)

What do these results actually mean? I am sure they can be interpreted in many ways. For me some results were not surprising, such as the shortage of skilled labor is the number one shortfall affecting SOC performance. However, some were quite startling, in particular surrounding the number of SOCs that do not use any form of metrics to measure performance – results indicating nearly half.

With the growing number of threats also comes a growing number of challenges, and today it just isn’t possible for SOC analysts to manually carry out everything that is needed to run the SOC effectively. Investment in technology seems to be a must to help improve efficiencies, but it needs to be the right technology for the organization. The survey results show a clear need for SOCs to invest further in tools such as automation and orchestration, which was identified as the second most common shortfall affecting performance at 53%.   

Defining and Measuring SOC-cess

What is “SOC-cess” and how can we determine what an efficient and effective SOC is?  SANS definition of SOC-cess is as follows.

SOC success requires the SOC to take proactive steps to reduce risk in making systems more resilient, as well as using reactive steps to detect, contain and eliminate adversary actions.  The response activities of SOC represent the reactive side of operations.”

I am sure it can be defined and is defined in a multitude of ways across different organizations, but metrics will always be a key factor.  Of those SOCs surveyed, the top three metrics measured included:

  1. Number of incidents handled
  2. Average time from detection to containment to the eradication of an incident
  3. Number incidents closed in a single shift

Without these metrics, there is nothing to compare to or benchmark against to measure the overall performance and capabilities of the SOC and it will be difficult for management to justify any additional investment in additional tools or resources if the effectiveness and return on investment can’t be calculated or quantified. Therefore, measuring metrics should be a number one priority for any SOC to determine its success, not only by the 54% of SOCs that currently do so.

Summary of Findings

Overall the SANS 2018 SOC survey results indicated that there was somewhat limited satisfaction with current SOC performance with an absence of a clear vision and route to excellence. Also, survey respondents felt that their SOCs were not fulfilling expectations and many areas could still be improved, although there was an overall consensus of the key capabilities that they felt must be present within a SOC.

Compared to last year’s survey, the results showed a minor improvement; however, there are still many challenges facing today’s SOCs and the teams operating within them which need to be overcome.

There are though a number of things that can help to drive improvements and these include better recruitment and internal talent development, improved metrics to ensure the SOC is providing value to the organization, a deeper understanding of the overall environment that is being defended and better orchestration both with the NOC and SOC, using orchestration tools to drive consistency.

Overall, the existence of a functional and mature SOC is a critical factor in an organization’s security program to adequately protect the business from the ever-evolving threat landscape and SOCs will need to continue to work on improving what they already have in place.

How Can DFLabs Help?

A Security Orchestration, Automation and Response (SOAR) platform, such as that offered by DFLabs can not only help to tackle the orchestration and automation shortfalls as mentioned above, but can also help to tackle a number of other common SOC challenges and pain points, including the shortage of skilled workforce, the integration of tools, as well as measuring SOC performance metrics.

Ask DFLabs today how we can help you to transform your SOC with SOAR technology and request a live demo of IncMan SOAR in action to see more.

How to Prevent Alert Fatigue

Security analysts today are spending the majority of their time dealing with the mundane, repetitive and administrative based tasks associated with incident response, as opposed to using their valued time proactively investigating and hunting threats in order to remain one step ahead of the increasing number of cyber threats they are facing.  On a daily basis, security teams are being bombarded with a plethora of security alerts, most commonly from their security information and event management (SIEM) solution, combined with log and event data from a number of other platforms and sources with their infrastructure.

A SIEM tool pulls event and logs data from a wide range of internal sources, sometimes up to 15 different third-party tools or more, to provide a complete all-around picture of an organization’s current security posture ongoing threats. The SIEM mainly acts as a security monitoring system by correlating relevant data from multiple sources and generating alerts when the events appear to be worthy of further investigation. At a basic level, SIEM implementations can be rule-based or can employ a statistical correlation engine to establish relationships between event log entries, while advanced SIEMs can be used for user and entity behavior analytics (UEBA) and some orchestration and automation processes.

Is there such a thing as too much information?

The main advantage of implementing a formal and automated SIEM process is to increase the overall visibility of the IT network and security infrastructure. However, this process and enhanced visibility often leads to large volumes of alerts being generated which then manually need investigating by security analysts. Quite often a number also turn out to be false positives after further investigation, wasting a considerable amount of time. In other cases, far too many alerts are being generated for the workforce to even begin to consider investigating them all. As a consequence, only the higher levels of alerts are prioritized, increasing the risk to the organization by disregarding some of the lower-level alerts.

A more effective and efficient solution

Rather than leaving the organization vulnerable to the risks of ignored alerts, a better solution is to complement the SIEM with security orchestration, automation, and response (SOAR) technology. Gartner created the term SOAR to describe an approach to security operations and incident response that aims to improve security operations’ efficiency, efficacy, and consistency. SOAR allows organizations to collect security data and alert information from a number of different sources, including a SIEM, and to then perform incident analysis and triage using a combination of human and machine power. This helps to formalize the response handling procedure, determining and deploying effective and repetitive incident response processes and workflows.

Acting as a force multiplier, SOAR allows security teams to do more with less resources. It provides capabilities to automate, orchestrate and measure the full incident response lifecycle, including detection, security incident qualification, triage and escalation, enrichment, containment, and remediation.  The overall goal of an organization utilizing a SOAR solution is to reduce the mean time to detection (MTTD) as well as the mean time to respond (MTTR) to an incident. This, in turn, minimizes the risk resulting from the growing number of cyber threats and security incidents, while also enabling the organization to achieve legal and regulatory compliance, while ultimately increasing the return on investment for existing security infrastructure technologies.

Action alerts immediately automatically

A SIEM solution ingests and processes large volumes of security events from various sources, then collates and analyzes the information to identify the issues, which subsequently triggers the creation of the initial security alert. This functionality is often limited to unidirectional communication with the data collection sources and in most cases, SIEM implementations do not carry out actions beyond the initial alert generation. This is where the power of SOAR can add significant value, taking the SIEM generated alert and orchestrating and automating responses, utilizing multiple security and IT tools from different vendors to remediate the threat.

Once a SIEM alert is generated, an incident is triggered within the connecting SOAR solution. Combined with machine automation and some level of human interaction where needed, a number of enrichment and response actions are carried out following a specific set of playbooks and runbooks for each individual incident type. A set of activities based on previously defined incident workflows and results, combined with machine learning are used to automate and guide the entire response process from start to finish.

Get more from the people you have

Integrating SIEM and SOAR combines the power of each to create a more robust, efficient and responsive security program, ensuring no alerts go untouched. It accelerates incident detection and response actions from minutes to seconds, ultimately enabling security teams to maximize analyst efficiency, minimize incident resolution time and avoid alert fatigue that negatively impacts so many of today’s security teams. It also enables organizations to automate most of the low-level work often performed by security analysts, allowing them to do what they do best, which is challenging and rewarding, while SOAR technology does the rest.