A new survey on the current state of security operations center (SOC) performance has found that while some organizations have increased funding, the overall gains have been meager, and the most significant issues have not only persisted, but worsened.
The second annual Devo SOC Performance Report™, based on a survey conducted by Ponemon Institute, also found that 60 percent of SOC team members are still considering changing careers or leaving their jobs because of stress.
On the positive side, the importance of investing in a SOC remains high: 72 percent of respondents categorize the SOC as “essential” or “very important” to their organization’s overall cybersecurity strategy, up 5 percent year-over-year, the report says. The average annual cybersecurity budget also rose by $6 million to $31 million, with the SOC accounting for more than one-third of that total. For respondents whose organizations have invested in people, process, and technology, the performance differences are stark: strong business alignment (73 percent) and extensive training (67 percent) help high-performing SOCs more than double the effectiveness of their lower-performing peers. However, the pain and barriers facing SOC teams are universal and worsening. High performers report 10 percent more pain at the extreme level (9-10 on a 10-point scale), and there is virtually no difference between the groups at the level below that (7-8).
The major areas of pain and resistance include:
- 70 percent suffer a lack of visibility into the IT infrastructure (up from 65 percent)
- 64 percent combat turf or silo issues between IT and the SOC (up from 57 percent)
- 71 percent need greater automation (up from 67 percent), especially as they continue to spend substantial manual cycles on tasks such as alert management (47 percent), evidence gathering (50 percent), and malware protection and defense (50 percent)
- Environmental factors are driving substantially higher pain, including information overload
The survey also found that people, process and technology are misaligned and inefficient:
- Organizations have too many tools and more than half don’t have all the data necessary, nor the ability to capture actionable intelligence
- While 76 percent say training and retention are highly important, more than 50 percent have no formal programs in place, and more than 50 percent cite the lack of skilled personnel as a major factor in SOC inefficiency
- Mean time to resolution (MTTR) remains unacceptably high, with 39 percent saying their average time to resolve an incident is “months or even years”
Among the lessons that can be drawn from the findings, the top three actions cited as demonstrably alleviating SOC analyst pain are greater workflow automation (71 percent), implementing advanced analytics and machine learning (63 percent), and access to more out-of-the-box content (55 percent).