This year's SANS SOC survey (download here) yielded valuable, specific insights about why so many organizations are struggling to quantify the value their SOCs deliver in a way that wins budget so they can modernize and improve, year over year.
The creators of the report bring decades of deep SecOps expertise to bear in their research, and the results offer meaningful insight for anyone working in a Security Operations Center. The primary authors are principal SANS instructor Christopher Crowley, and John Pescatore, SANS director of emerging technologies. I won't go too deeply into the details in this post, but it's a hefty read and there are a few key takeaways I want to highlight for you in case you don't have time to go through the whole report right away:
1: Only 54% of SOCs reported using metrics. At all.
If you want to improve anything about your SOC, from staff training to automation and asset discovery tools, your first and only job is to define how much value that increased investment will bring to your business. If you don't collect any metrics about quantities of vulnerabilities, alerts, attacks, and resolved issues and connect those metrics to how much potential damage to the business was avoided, you have no case.
If you're among the SOCs that don't collect and correlate metrics, here are the top three you'll want to start measuring:
- Number of incidents handled
- Time from detection to containment to eradication (this one is particularly powerful when correlated to reductions in downtime or other business impacts)
- Number of incidents closed in a single shift
Check page 16 of the survey results for more ideas!
2: The top self-identified SOC shortcoming was lack of skilled staff (62%)
I think the authors put it best themselves: "The role of a SOC analyst requires a large amount of background knowledge and adjacent expertise to derive actionable insights from the data collected into SIEMs and other security tools."
Tier 1 SOC analysts may not have that varied background, and even if they have basic security training, the barrage of data every analyst experiences will tax their ability to rapidly sort out the information that matters and make a quick, data-driven decision.
Advanced automation and orchestration tools will help you scale your SOC more effectively than searching for the unicorns that are seasoned security analysts who also understand your business.
3: Asset discovery and inventory tool satisfaction was rated lowest of all technologies
Of all the tools most commonly found in SOCs, asset discovery and inventory tools received an F in overall satisfaction (only 59% of respondents said good things). That's a little surprising when you think about how mature this area is compared with, say, behavioral analysis and detection (74.7% satisfaction).
That means there's a big problem with the status quo for these tools, and it's one that a lot of security vendors aren't actively trying to address. The two highest priority CIS Critical Security Controls are discovery and inventory, so if you're part of that 41% and looking for help prioritizing which areas to improve first, finding a better way to discover and classify assets within your environment should definitely take top billing.
And that's all I'll pull from these results for now. Go ahead and download your own copy so you can see which statistics might be most valuable for your team!