SANS 2018 SOC Survey – How Does Your SOC Stack Up?

Each year SANS conducts a global Security Operations Center – SOC survey to identify the latest trends, recommendations and best practices to enable organizations to successfully build, manage, maintain and mature their SOCs.  With the continual increase in volume and sophistication of cyber attacks it is crucial that SOCs are performing as effectively and efficiently as possible to respond to all security alerts and potential incidents, as well as providing a clear benefit and ROI to the organization’s current security program.

This week SANS released the results of their 2018 survey and what they defined as “SOC-cess”!  This blog will cover a quick snapshot of the report highlights and we will delve deeper into some of the results in future posts.  

You can download the full report here. DFLabs is joining the SANS team for a live webinar to discuss the results in more detail (16th August at 1:00 PM EDT).  

SANS 2018 SOC Survey Highlights

Regardless of whether you are a security analyst, a SOC manager or a C-level executive, I am sure there will be some key learning points and takeaways for you, with some of the results resonating with you and your organization.  So, how does your SOC stack up against the 2018 survey results?

Here are the key findings.

  • Only half of SOCs (54%) use any form of metrics to measure their performance
  • There is a lack of coordination between SOCs and NOCs (only 30% had a positive connection)
  • Asset discovery and inventory tool satisfaction was rated the lowest of all technologies
  • The most meaningful event correlation is still primarily carried out manually
  • Over half of respondents (54%) did not consider their SOC a security provider to their business
  • The most common architecture is a single central SOC (39%)
  • Nearly a third of SOCs are staffed by 2-5 people (31%) and just over a third by 6-25 people (36%)
  • Top shortcomings to SOC performance included:
    • – Shortage of skilled staff (62%)
    • – Inadequate automation and orchestration (53%)
    • – Too many unintegrated tools (48%)

What do these results actually mean? I am sure they can be interpreted in many ways. For me some results were not surprising, such as the shortage of skilled labor is the number one shortfall affecting SOC performance. However, some were quite startling, in particular surrounding the number of SOCs that do not use any form of metrics to measure performance – results indicating nearly half.

With the growing number of threats also comes a growing number of challenges, and today it just isn’t possible for SOC analysts to manually carry out everything that is needed to run the SOC effectively. Investment in technology seems to be a must to help improve efficiencies, but it needs to be the right technology for the organization. The survey results show a clear need for SOCs to invest further in tools such as automation and orchestration, which was identified as the second most common shortfall affecting performance at 53%.   

Defining and Measuring SOC-cess

What is “SOC-cess” and how can we determine what an efficient and effective SOC is?  SANS definition of SOC-cess is as follows.

SOC success requires the SOC to take proactive steps to reduce risk in making systems more resilient, as well as using reactive steps to detect, contain and eliminate adversary actions.  The response activities of SOC represent the reactive side of operations.”

I am sure it can be defined and is defined in a multitude of ways across different organizations, but metrics will always be a key factor.  Of those SOCs surveyed, the top three metrics measured included:

  1. Number of incidents handled
  2. Average time from detection to containment to the eradication of an incident
  3. Number incidents closed in a single shift

Without these metrics, there is nothing to compare to or benchmark against to measure the overall performance and capabilities of the SOC and it will be difficult for management to justify any additional investment in additional tools or resources if the effectiveness and return on investment can’t be calculated or quantified. Therefore, measuring metrics should be a number one priority for any SOC to determine its success, not only by the 54% of SOCs that currently do so.

Summary of Findings

Overall the SANS 2018 SOC survey results indicated that there was somewhat limited satisfaction with current SOC performance with an absence of a clear vision and route to excellence. Also, survey respondents felt that their SOCs were not fulfilling expectations and many areas could still be improved, although there was an overall consensus of the key capabilities that they felt must be present within a SOC.

Compared to last year’s survey, the results showed a minor improvement; however, there are still many challenges facing today’s SOCs and the teams operating within them which need to be overcome.

There are though a number of things that can help to drive improvements and these include better recruitment and internal talent development, improved metrics to ensure the SOC is providing value to the organization, a deeper understanding of the overall environment that is being defended and better orchestration both with the NOC and SOC, using orchestration tools to drive consistency.

Overall, the existence of a functional and mature SOC is a critical factor in an organization’s security program to adequately protect the business from the ever-evolving threat landscape and SOCs will need to continue to work on improving what they already have in place.

How Can DFLabs Help?

A Security Orchestration, Automation and Response (SOAR) platform, such as that offered by DFLabs can not only help to tackle the orchestration and automation shortfalls as mentioned above, but can also help to tackle a number of other common SOC challenges and pain points, including the shortage of skilled workforce, the integration of tools, as well as measuring SOC performance metrics.

Ask DFLabs today how we can help you to transform your SOC with SOAR technology and request a live demo of IncMan SOAR in action to see more.