The 2019 SANS SOC Survey Results are here! This annual survey polls security professionals worldwide to learn how security operations centers are adapting to technological shifts and keeping their businesses safe in the face of constantly innovating attackers. SANS took a new approach to this year's survey by structuring it around the five major functions of the NIST Cyber Security Framework (CSF)–Identify, Protect, Detect, Respond, and Recover. They noted that this approach did not provide the clarity they had hoped, but did highlight the fact that many security tools operate cross-functionally, serving multiple purposes in the framework. The decision to map the survey to the NIST CSF is an indicator of the increasing importance of third-party control frameworks in the security space.
Trend: The SOC Moves To The Cloud
One trend thrown into stark relief by this year's survey results is the shift of security operations to a hybrid cloud architecture. The number of respondents indicating that they would be moving to cloud-based SOC services within the next 12 months more than doubled, indicating that the rewards of moving to the cloud are starting to outweigh the potential risks in the eyes of SecOps teams. As SOCs continue their move to the cloud, legacy technologies that can't make the leap will fall by the wayside, and only cloud-native security technologies will be able to meet the needs of the enterprise SOC.
Finding: Network-Based Detection Tools Are Most Satisfactory
In the Detection category, network-based tools got the highest level of satisfaction from survey respondents, outstripping UEBA, endpoint, and log-based detection tools. AI/machine learning tools got the lowest satisfaction rating, likely due to overhype in the market about the capabilities of these technologies. The report acknowledges that AI/ML "can effectively augment skilled staff" but cannot solve the chronic staffing shortages experienced by the SOC.
Top Challenges: Integrations Aren't Where They Need To Be (Yet)
The top three challenges to full SOC utilization were lack of skilled staff, lack of automation and orchestration, and too many tools that are not integrated. The first is a chronic challenge for the SOC that is difficult to address with technology, although simpler, more guided threat detection and investigation tools can lower the barrier to entry for new workers into the SOC. The second and third item, however, are directly addressable through technological solutions. Vendors need to provide the automation and integration capabilities needed by the SOC. These factors directly impact the staffing shortfall as well, since automating and integrating SOC tools frees up analysts to focus on pressing matters, rather than burning out against an onslaught of alerts.
Get The Survey Results
For more insights into how your peers are operating their SOCs, download the survey results! You'll get answers to questions like:
- Which metrics do you use to track and report your SOC's service or performance?
- How effectively SOC and NOC teams are working together
- How capable your peers in the SOC are at maintaining an inventory of endpoints on the network
- And much more.