Security Operations Centres (SOCs) are struggling to perform effectively amid low visibility into client IT security infrastructure and network traffic, according to a new report this week that also warns of analyst burnout, slow resolution of security issues and a tidal wave of false positives.
The survey, conducted by the Ponemon Institute for data analytics platform provider Devo Technology, found that the majority of respondents rated their SOC’s effectiveness as low, with nearly half (49 percent) saying it is not fully aligned with business needs, an alarming finding for SOC operators.
(An SOC can be run by a third party or in-house. They come in a variety of flavours, but their services typically include detecting and responding to threats, staying abreast of a rapidly changing threat landscape, identifying negligent, criminal or other dangerous behaviour, and generating business intelligence.)
The survey of 554 IT security practitioners in organisations that have an SOC found that over half (53 percent) rated their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. They blamed limited visibility into network traffic, a lack of timely remediation, complexity and too many false positives, along with interoperability issues with their clients’ own security intelligence tools.
Security Operations Centre Troubles: Analyst Burnout a Major Cause for Concern
IT security personnel say working in the SOC is painful because of an increasing workload and being on call 24/7/365. Current threat hunting processes also contribute to the stress of working in the SOC. As a result, 65 percent say these pain factors have caused them to consider changing careers or leaving their job.
“There are a number of factors contributing to the SOC’s overall ineffectiveness – such as the lack of visibility into IT security infrastructure – but the factor that truly stands out is the level of analyst burnout due to their heavy workload, and the immense amount of stress and pressure they are facing,” said Larry Ponemon, founder of Ponemon Institute.
“It is clear this is a critical area that needs to be addressed to improve SOC effectiveness.”
SOC Survey: Other Highlights
Among the other industry trends captured by the report:
- Where SOC infrastructure is housed is an almost even split: 53 percent said in the cloud; 47 percent said on-premises.
- The majority of respondents (51 percent) say their companies invest in threat intelligence feeds. Of these organisations, 54 percent of respondents say the threat intelligence feeds combine open source and paid feeds.
- The threats most commonly identified by the SOC include malicious insiders (68 percent).
Devo recommends automating more of the workflow and normalising work schedules to avoid burnout, as well as creating closer alignment between the SOC and the business to address silo issues between the SOC and IT security operations.
Do you work in or with an SOC? What’s your biggest headache/barrier to effectiveness? Speak to us on or off the record.