A new report that examines the processes and effectiveness of corporate security operations centers (SOCs) reveals that 82% of SOCs are confident in the ability to detect cyberthreats, despite just 22% of frontline workers tracking mean time to detection (MTTD), which helps determine hacker dwell time. Compounding this unfounded confidence, says the 2020 State of the SOC Report, is that 40% of organizations still struggle with SOC staff shortages and finding qualified people to fill the cybersecurity skills gap.
The survey, conducted among 295 respondents across the U.S., the U.K., Canada, Germany and Australia, was also fielded to determine how analysts and SOC management view key aspects of their operations, hiring and staffing, retention, technologies, training and funding.
"From 2018-2019, we learned that dwell time - or, the time between when a compromise first occurs and when it is first detected - has grown. Based on this, it is surprising for SOCs to report such inflated confidence in detecting cyberthreats," said Steve Moore, chief security strategist at Exabeam. "We see great progress in the SOC with attention paid to employee well-being, measures for better communication and more. However, disparate perceptions of the SOCs’ effectiveness could be dangerously interpreted by the C-suite as assurances that the company is well-protected and secure, when it’s not."
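Tracking MTTD, as the report notes only 22% of frontline staff do, is what turns "dwell time" from a definition into a number the SOC can act on. The following is an added example (not from the report or from Exabeam) that computes MTTD and dwell-time statistics over a constructed set of incident records; it assumes each record carries an estimated compromise time and a first-detection time, with still-undetected incidents marked as None so they are reported rather than silently dropped.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents (not real data): estimated time the compromise
# began and the time the SOC first detected it. None = not yet detected.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2020-03-01T08:00:00Z", "detected": "2020-03-01T20:00:00Z"},
    {"id": "INC-2", "compromised": "2020-02-10T00:00:00Z", "detected": "2020-03-05T12:00:00Z"},
    {"id": "INC-3", "compromised": "2020-03-10T09:30:00Z", "detected": "2020-03-10T10:30:00Z"},
    {"id": "INC-4", "compromised": "2020-03-12T00:00:00Z", "detected": None},
]


def _parse(ts):
    # fromisoformat accepts "+00:00" but not a trailing "Z" on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def dwell_times_hours(incidents):
    """Return {incident id: dwell time in hours} for detected incidents only."""
    dwell = {}
    for inc in incidents:
        if inc["detected"] is None:
            continue  # open incident: no dwell time yet, counted separately
        start, end = _parse(inc["compromised"]), _parse(inc["detected"])
        if end < start:
            # Bad data would silently shrink MTTD; refuse rather than average it.
            raise ValueError(f"{inc['id']}: detection precedes compromise")
        dwell[inc["id"]] = (end - start).total_seconds() / 3600
    return dwell


def mttd_report(incidents):
    """MTTD plus the spread a mean alone hides (one long-dwell incident skews it)."""
    dwell = dwell_times_hours(incidents)
    undetected = [inc["id"] for inc in incidents if inc["detected"] is None]
    if not dwell:
        return {"mttd_hours": None, "still_undetected": undetected}
    return {
        "mttd_hours": mean(dwell.values()),
        "median_dwell_hours": median(dwell.values()),
        "max_dwell_hours": max(dwell.values()),
        "longest_dwell_incident": max(dwell, key=dwell.get),
        "still_undetected": undetected,
    }


if __name__ == "__main__":
    print(mttd_report(INCIDENTS))
```

Reporting the median and the longest-dwell incident alongside MTTD matters because a single incident that sat unnoticed for weeks (INC-2 above) dominates the mean.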
Highlighting the imbalance is that SOC leaders and frontline analysts do not agree on the most common threats facing the organization. SOC leaders believe that phishing and supply chain vulnerabilities are more important issues, while analysts see DDoS attacks and ransomware as greater threats.
Small- and medium-sized teams in particular are more concerned with downtime or business outage (50%) than with threat hunting as an operational metric, yet threat hunting stands out as a must-have hard skill (61%). Other prominent findings include:
- SOC outsourcing in the U.S. has declined YoY (36% to 28%)
- U.K. outsourcing had a YoY increase (36% to 47%)
- Germany reported 47% outsourcing, primarily of threat intelligence services
- Australian SOCs struggle in most categories and need improvement in technology updates, monitoring events and responding to/analyzing incidents
In general, monitoring and analytics, access management and logging are higher priorities this year for all SOC roles.
- More than half of SOCs were found to log at least 40% of events in a SIEM
- The U.K. utilizes logging the most, compared with geographic counterparts
- SOCs are least able (35%) to create content, that is, to write detection logic and to validate, tune and report on it
To support this, most SOCs expect to see security orchestration, automation and response (SOAR) tools take precedence over other technologies in upcoming years.
U.S. and U.K. SOCs have shown YoY improvements in recruiting costs and in identifying candidates with the right expertise. Workplace benefits, high wages and a positive culture were this year’s top drivers of retention in nearly 60% of SOCs. Notably, challenges remain, the report says:
- 23% of SOC personnel across the U.S. and 35% across Canada report being understaffed by more than 10 employees
- 64% of frontline employees in the SOC reported a lack of career path as a reason for leaving jobs
- Less effective SOCs reported feeling they lacked the necessary investment in technology, training and staffing to do their jobs well