Security Professionals Advise On How To Improve The Security Operations Center


Saryu Nayyar

Whether it’s hosted in-house or outsourced to a managed security service provider (MSSP), most enterprise organizations have a security operations center (SOC). This is a centralized function charged with monitoring, detecting, investigating and responding to cyber threats across the enterprise. It’s a critical function for reducing risk and protecting the business operations of any organization.

Given the average cost of a data breach in the U.S. now exceeds $9 million for a single event, a SOC is an important investment. Organizations should be looking for ways to make their SOC as effective as possible in mitigating the potential harm from cyber threats.

To gather more insight into how to do that, my company conducted a survey of attendees at the 2022 Black Hat USA conference, one of the largest gatherings of cybersecurity practitioners in the country. We asked security professionals who work in a SOC about the types of attacks that vex them the most, what technologies they believe they need to succeed and their plans for the coming year.

The good news: SOC programs are progressing.

The majority of our survey respondents say they believe their SOC program is getting better. These results are similar to those in the SANS 2022 SOC Survey, which indicates that SOC trends are moving in the right direction, as measured by a decline in the number of intrusions and incidents over the past 12 months. And in cases where an intrusion did occur, fewer resulted in a breach.

Why is this outlook important? Moving the SOC forward through frequent improvements is critical as threats against organizations constantly evolve. If the SOC doesn’t get better, then eventually, attackers will win.

Many attacks are perpetrated by cybercriminals who run their operations like a legitimate business. They have “managers” who choose and plan the targets and “staff members” who develop malware code and other hacking tools. Even two-bit hackers can buy or rent ransomware, malware and networks of bots for denial-of-service attacks.

The volume of threats has also reached staggering numbers. A large organization can be bombarded by hundreds of thousands of attempts a day. Failing to keep up with such trends by neglecting to improve the SOC can be a recipe for disaster.

Some attacks are a challenge to detect.

Asked which kinds of attack campaigns are the most difficult to detect, 27% of respondents name insider threats, followed by ransomware, phishing attacks and data exfiltration. SOC workers are also challenged by privileged access misuse and compromises using stolen credentials, both of which are often precursors to insider attacks.

It’s not surprising that insider threats are a top challenge. Current trends such as work-from-anywhere, the “Great Resignation,” quiet quitting and mass layoffs are contributing to a loss of data by careless or disgruntled workers. The number of insider threats is up 44% in 2022 versus 2020, and the total annual costs of such threats increased by 34% over the same time span, according to the Ponemon Institute 2022 Cost of Insider Threats Report.

What technology can help improve the SOC?

SOC staffers rely heavily on security technology to monitor all systems and bring attention to potentially risky events and activities. Many modern technologies do their best to correlate events and gather context that helps calculate risk levels before sounding the alarm that human investigation is needed.

We asked security professionals what tools they feel they are missing that would improve their SOC. More than a third say they want behavior analytics technology, which can address the gaps in detecting insider threats by ferreting out malicious activity based on an understanding of normal user and entity activity. In the SANS Institute white paper Effectively Addressing Advanced Threats, 35% of survey respondents consider misuse by organizational insiders to be a major visibility gap in their infrastructure.

Many security professionals also feel their security information and event management (SIEM) capabilities are lacking, with 18% of respondents saying a better SIEM would improve SOC performance.

In many ways, a SIEM is one of the most important tools used by SOC staffers. This is the tool that ingests data from numerous disparate sources, normalizes it, correlates it, risk scores it and presents the alerts and associated context for human investigations. If an existing SIEM tool isn’t getting this done effectively, the SOC analysts are definitely at a disadvantage and should discuss their requirements for a new tool.
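The pipeline described above (ingest from disparate sources, normalize, learn what is normal for each user, score and correlate, then prioritize for a human) as an added Python illustration; this is not code from the article or from any Gurucul product, and the two log formats, the sample lines, the score weights and the alert threshold are constructed assumptions.

```python
import json
import re
from collections import defaultdict

# Two constructed raw formats a SIEM has to normalize: syslog-style and JSON.
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<res>Accepted|Failed) \w+ for "
                       r"(?P<user>\w+) host=(?P<host>[\w-]+)$")
HISTORY = [  # constructed baseline window: what "normal" looks like
    "2024-03-01T09:05:00 sshd: Accepted publickey for alice host=build-01",
    '{"ts":"2024-03-02T10:30:00","user":"alice","host":"build-02","result":"ok"}',
    '{"ts":"2024-03-02T14:00:00","user":"bob","host":"db-01","result":"ok"}',
]
TODAY = [  # constructed new events to score against that baseline
    "2024-03-04T09:10:00 sshd: Accepted publickey for alice host=build-01",
    '{"ts":"2024-03-04T02:15:00","user":"bob","host":"db-01","result":"fail"}',
    '{"ts":"2024-03-04T02:16:00","user":"bob","host":"db-01","result":"fail"}',
    '{"ts":"2024-03-04T02:17:00","user":"bob","host":"db-01","result":"fail"}',
    '{"ts":"2024-03-04T02:18:00","user":"bob","host":"hr-files","result":"ok"}',
]

def normalize(line):
    """Map either raw format onto one common event schema (None if unparsable)."""
    if line.startswith("{"):
        d = json.loads(line)
        return {"user": d["user"], "host": d["host"],
                "hour": int(d["ts"][11:13]), "ok": d["result"] == "ok"}
    m = SYSLOG_RE.match(line)
    return m and {"user": m["user"], "host": m["host"],
                  "hour": int(m["ts"][11:13]), "ok": m["res"] == "Accepted"}

def score_events(history_lines, new_lines, threshold=50):
    """Baseline per-user 'normal' from history, score new events, correlate per user."""
    hist = [e for e in map(normalize, history_lines) if e]  # drop unparsable lines
    new = [e for e in map(normalize, new_lines) if e]
    base = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for e in filter(lambda e: e["ok"], hist):  # only successful logins define normal
        base[e["user"]]["hosts"].add(e["host"])
        base[e["user"]]["hours"].add(e["hour"])
    risk, fails = defaultdict(int), defaultdict(int)
    for e in new:
        u = e["user"]
        if not e["ok"]:
            fails[u] += 1  # failures are context for a later success, not alerts
            continue
        s = 40 * (e["host"] not in base[u]["hosts"])  # never-before-seen host
        s += 30 * (e["hour"] not in base[u]["hours"])  # outside the user's usual hours
        s += 30 * (fails[u] >= 3)                      # success right after a failure burst
        fails[u] = 0
        risk[u] += s
    # Prioritized alert list: (user, total risk) at or above threshold, highest first.
    return sorted([(u, r) for u, r in risk.items() if r >= threshold], key=lambda x: -x[1])
```

With the sample data, alice's routine morning login scores zero and is never shown to an analyst, while bob's off-hours success on an unfamiliar host after three failures surfaces as a single correlated alert.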

Security professionals cite some of the common deficiencies with their existing SIEM tool, including the inability to query all data deeply and broadly, limitations on data collection or storage that lead to incomplete context for an incident, excessive alerts due to a lack of prioritization and the sheer complexity of setting up and maintaining the tool.

Success requires more than just technology.

While the right technology is vitally important, the knowledge and expertise of the SOC staffers matter too. According to the SANS 2022 SOC Survey, the biggest barrier to full utilization of SOC capabilities across the enterprise is high staffing requirements. Security professionals want more experienced, high-level talent in the SOC, specifically Tier 3 analysts and threat hunters. The challenge is that these people are expensive and in short supply.

Research shows that many workers don’t feel they receive enough training to do their jobs effectively. Similarly, our study found that only 39% of cybersecurity practitioners say they get “enough” training. This leaves plenty of room for improvement by investing in more training for the technical experts on the front lines of the cyber battle. Staffers also say that better compensation and more time off from their highly stressful jobs would help keep them motivated.

The bottom line: Organizations that want to improve their SOC should focus on attracting and retaining top-level experts and equipping them with the right tools and technology for success. Without continuous improvements, the risks from cyber threats only increase.

About Author
Saryu Nayyar, CEO, Gurucul

Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.
