Security Operations Center (SOC) Performance Falling Short 

Disconnects in perception between security operations center (SOC) leadership and staff in terms of organizational effectiveness and capability are hampering organizational efforts to combat cybercrime and other issues, according to a report. 

The global survey of more than 1,000 cybersecurity professionals, conducted by the Ponemon Institute in September 2021, found that more than 70% of SOC staff rate their “pain” level between seven and 10 on a 10-point scale.

The study also revealed “turf and silo” issues are still plaguing a majority of organizations, with more than 60% citing them as a primary barrier to success.

‘Turf and Silo’ Issues Plague SOCs

Rick Holland, CISO and vice president of strategy at Digital Shadows, a provider of digital risk protection solutions, said “turf and silo” issues can plague all departments across a company, and that they are not unique to the SOC.

“These types of problems are primarily a failure of leadership,” he said. “Executive sponsorship and support are critical to breaking down silos, eliminating kingdom building and minimizing turf wars.”

He explained that, if the SOC’s mission isn’t understood and prioritized at the highest level of the company, then the turf and silo drama will only continue, adding that the disconnect between SOC leadership and SOC staff is also a failure of leadership.

“Security leaders must come down from the ivory tower and understand the ground truth,” Holland said. “One way to get ground truth is to conduct skip-level meetings with the frontline SOC staff. Weak, inappropriate or misaligned metrics and reporting could also contribute to the disconnect.” 

In addition, big data is only getting bigger, so effective SOCs must leverage data science and automation to make alerts actionable and improve efficiency.

From Holland’s perspective, one key to effective SOC work is to have a clear understanding of mission-critical assets and prioritize alerting and playbooks based on this.

“Not all SOC alerts are created equal, so automated triaging and prioritization are must-have SOC capabilities to be effective,” he said.

Focus on the Human Elements of the SOC

He said the focus is so often on the technology part of “people, process and technology,” and suggested that instead of leading with technology, organizations need to focus on the human side of the SOC.

“Leaders need to invest time to understand the SOC analysts’ challenges. Leaders must invest time in developing and mentoring SOC analysts,” Holland said. “Leaders must establish processes that minimize SOC burnout and improve SOC analyst retention. You can have market-leading technology, but if you can’t recruit and retain staff to run it, you are just investing in ‘expense in-depth’ and wasting your resources.”

The study also found that while more than half of leaders lauded the investigative capabilities of their SOC, only one-third of staff gave it high marks.

In assessing the communication of SOC strategy “to the trenches,” nearly 60% ranked communication as average or below average, with more than one-third rating communication as solidly below average.

John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company, added that the larger organizations are, the more distance there is between teams and the more competition there is in business priorities.

“Security often has a poor hand because no revenue has ever been derived by being more secure—even in security companies,” he said. “The more bureaucratic an organization is, the more this problem tends to occur.”

From his perspective, ultimately, senior leadership and the board need to insist these issues be resolved.

“Modern IT operations and security operations are not neat little boxes that you can put on an organizational chart; there are interdependencies,” he pointed out. “If executive leadership tells everyone to work together and puts a plan in place and devotes resources to making that happen, middle management and below will have the ability to get it done.”

Making Alerts Actionable

Data science and automation make more alerts actionable, as most alerts are processed the same way with the same steps to investigate and analyze the incident.

Bambenek said automation can take the work normally done across 50 browser tabs and present it alongside the alert, so the analyst only has to take it the final mile.

“There really are two issues that need to be addressed,” he said. “The SOC needs to be less overloaded which means using automation to process alerts completely or at least deal with the bulk of routine analysis.”
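As an added illustration of the two ideas in this section, prioritising by mission-critical asset and letting automation close routine alerts while attaching the context an analyst would otherwise gather by hand (example code written for this page, not from the report or the people quoted), assuming a constructed asset inventory, a constructed alert batch and an assumed allow-listed routine source:

```python
from dataclasses import dataclass, field
from collections import Counter

# Constructed asset inventory: "tier" is the mission-critical ranking the
# text describes; hostnames and owners are invented for this example.
ASSETS = {
    "pay-db-01": {"tier": "mission-critical", "owner": "payments"},
    "hr-app-02": {"tier": "business", "owner": "hr"},
    "kiosk-17": {"tier": "low", "owner": "facilities"},
}
TIER_WEIGHT = {"mission-critical": 3, "business": 2, "low": 1}

# Assumed source whose alerts are routine (e.g. an authorised scanner) and
# can be closed automatically: the "bulk of routine analysis".
KNOWN_ROUTINE_SOURCES = {"10.0.0.5"}

@dataclass
class Alert:
    host: str
    rule: str
    severity: int      # 1..3 as emitted by the detection tool
    source_ip: str

@dataclass
class TriagedAlert:
    alert: Alert
    score: int
    disposition: str   # "auto-closed" or "analyst"
    context: dict = field(default_factory=dict)

def triage(alerts):
    """Score each alert by severity x asset tier, auto-close routine ones on
    non-critical assets, enrich the rest; return the queue highest score first."""
    repeats = Counter((a.host, a.rule) for a in alerts)
    queue = []
    for a in alerts:
        asset = ASSETS.get(a.host, {"tier": "low", "owner": "unknown"})
        score = a.severity * TIER_WEIGHT[asset["tier"]]
        # Routine source hitting a non-critical asset: close without an analyst.
        if a.source_ip in KNOWN_ROUTINE_SOURCES and asset["tier"] != "mission-critical":
            queue.append(TriagedAlert(a, 0, "auto-closed", {"reason": "routine source"}))
            continue
        context = {"owner": asset["owner"], "tier": asset["tier"],
                   "repeat_count": repeats[(a.host, a.rule)]}
        queue.append(TriagedAlert(a, score, "analyst", context))
    return sorted(queue, key=lambda t: t.score, reverse=True)

SAMPLE = [  # constructed alert batch
    Alert("kiosk-17", "port-scan", 1, "10.0.0.5"),
    Alert("pay-db-01", "new-admin-account", 3, "10.0.9.9"),
    Alert("hr-app-02", "failed-logins", 2, "203.0.113.7"),
    Alert("hr-app-02", "failed-logins", 2, "203.0.113.7"),
]
```

Note that a routine source hitting a mission-critical asset is deliberately not auto-closed; that is the "not all alerts are created equal" rule from earlier in the article.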

He said the second item is cultural, as there is no tool that can solve turf and silo issues.

“Those issues need to be handled by executive leadership, which means SOC leadership needs to invest the time in breaking down barriers so different parts of the organization can work as partners and not adversaries,” he said. “The path between ITOps and SecOps is trending toward convergence in many places, and that is not a bad thing.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
