Top 5 SOC Skills and Metrics

Operators of security operations centers describe their key challenges as a lack of context about the information they see and a shortage of skilled staff, according to the 2023 SANS Institute SOC Survey.

SOC analysts and leaders also were concerned about a lack of enterprise-wide visibility and not enough automation and orchestration, according to the seventh SOC survey conducted by SANS. The survey consisted of 641 SOC analysts, managers, and security practitioners, with many responses from North America and the finance, government, and technology sectors.

Meanwhile, respondents said they look for new employees in technical roles to have several security skills. The top five:

• Endpoint or extended detection and response (XDR)
• SIEM analysis
• Vulnerability remediation
• Network traffic monitoring
• Behavioral analysis and detection

Three of those five skills—XDR, network traffic monitoring, and behavioral analysis—track closely with the capabilities provided by network detection and response tools.

Related to a shortage of skilled staff, the respondents also listed high staffing requirements and a lack of support from management as key challenges. About 19 percent of respondents said that organizational management frequently denied SOC leader spending recommendations, and another 13 percent said managers “pay little heed” to SOC analyst recommendations and instead allocate cybersecurity budgets as they see fit.

SOC leaders need to give management a realistic picture of the SOC’s value when asking for more money, said Christopher Crowley, a senior instructor at SANS.

“The cybersecurity operations center provides an offer of loss prevention,” he said during a webcast. “We may save money for the organization. We may save reputational impact.”

Organizations then have to decide if that’s the right area to spend money on, he added, although he recommended SOCs as a good investment.

“If you feel like ‘my management doesn’t listen to me’ … this is a consistent thing that everybody in this industry is experiencing,” he said.

In many cases, SOCs appear to have high employee turnover, according to the survey. On average, about 38 percent of employees stay one to three years, and nearly 6 percent stay less than a year. Another 30 percent stay three to five years.

Elsewhere in the survey, 84 percent of respondents said their SOCs collect metrics, with the top three being number of incidents, time from detection to eradication, and ratio of incidents from known or unknown vulnerabilities.

Crowley suggested those shouldn’t be the only metrics SOCs collect, but they should be the baseline, given most others are doing so.

Meanwhile, over 75 percent of respondents said they were most likely to detect incidents before receiving external notification, with 9 percent of incidents found through proactive threat hunting. User reported incidents were typically the second most frequent way of detecting incidents, with external notifications, such as contact from law enforcement, were generally the least likely way of hearing about incidents.

Survey respondents also said that having a SOC reduced the handling of incidents and the overall incident cost, compared to not having a SOC. Forty-three percent said a SOC reduced handling costs by 50 percent, and about 36 percent said it reduced handling costs by 10 percent.