David Weisskopf | Aug 13, 2018 from Cyberbit Blog
The 2018 SANS survey just came out and is chock full of important industry trends and practices that every SOC manager needs to know. Since security operations professionals are super busy, we have provided this quick summary of important highlights to help get you up to speed quickly.
2018 SANS Survey Highlights:
1/2 of SOCs still not using metrics
SOC & NOC lack coordination
Asset discovery & inventory tools disappoint
Meaningful event coordination still primarily manual
1/2 of SOCs not providing organizational security
39% of SOCs have centralized architecture
Leading barriers to SOC performance
lack of automation and orchestration
too many unintegrated tools
SANS Survey: Biggest SOC Challenge is lack of skilled staff
According to the SANS survey, slightly over 60% of respondents cited lack of skilled staff as their largest obstacle to success. The lack of skilled staff is a multifaceted problem that significantly impacts the effectiveness of a company’s SOC. This means enterprises must focus on both onboarding new entry-level team members, constantly sharpening the skills of more experienced staff, and retaining these highly sought-after professionals. Organizations will have to get creative about how to meet this challenge, including; outsourcing to MSSPs, training on a cyber range, developing training programs for new recruits and re-training programs for experienced professionals wishing to make a career change. Any or all of these solutions can help a SOC be better prepared to face the mounting number of alerts and ensure when a serious threat develops, they have experienced professionals ready to operate the event.
What Challenges are holding back the full integration and utilization of a centralized SOC service model that can serve the entire organization?
SOC & NOC Lack Integration and Coordination:
The survey demonstrates SOC/NOC integration is a point of substantial frustration for many SOC managers and analysts. The SANS survey found that 89.46% of responders do not have well-informed integrated SOC and NOCs. This is a big problem because it leads to a large disconnect between cybersecurity teams and automated programs. This lack of integration also means that your SOC effectiveness is not being maximized. Also, the lack of integration between the SOC and NOC means that some attacks may not be detected by the SOC and thus penetrate the network undetected and unhindered. This is easily solved by investing in more integrated systems that create a highly integrated system that is efficiently able to detect more attacks on the network.
Lack of Automation and Orchestration:
The SANS survey found that greater than 50% of organizations are swamped by the multitude of alerts that many of which analysts are unable to attend to. When threatened by complex and persistent attacks from multiple origins and are required to respond within minutes this creates a major problem for SOC effectiveness. This overflow of attacks and their resulting alerts if detected by the SOC are so great that it overwhelms the SOC analysts’ capacity to handle alerts manually, this is exacerbated even further when considering the lack of sufficiently skilled analysts. The solution to this dire problem is introducing an automated SOC that will be able to determine the highest-level threats and present only those which require the attention of an analyst to contain and neutralize the attack. Automation of SOC functions will increase the number of alerts and actual threats handled, decrease the time from detection-containment-eradication, and decrease the probability an attack will escape the attention of the SOC team.
Too Many of Unintegrated Tools:
The SANS survey found that 47.7% of SOC managers, the lack of integrated tools used to build SOC systems make it hard to create an integrated SOC system that is able to keep up with vulnerabilities and threats. The sheer quantity of tools and functions are enough to overwhelm any analyst. Additionally, newly hired analysts may only be trained how to use some of the many tools used in their new employer’s SOC, thus limiting their effectiveness and ability to execute their jobs. The solution to this problem is building a centralized, integrated tool set to streamline the analyst’s job and make each analyst more efficient and effective at monitoring and eliminating threats.
2018 SANS Survey Takeaways
The ever-increasing influx of new threats and dissolving of the network perimeter means that SOC managers and staff will continue to be pushed to their limits and look for technologies to increase efficiency. Today there simply are not enough veteran analysts to completely staff every company’s SOC. The solution to challenges highlighted by the SANS survey lies in constant, realistic training of all levels of SOC professionals and implementing the right combination of automation and orchestration technologies into one coherent framework. This is the best approach for SOC managers to stay maximize the effectiveness of every member of your SOC team and stay ahead of threats.
Read the entire report here.