According to Nemertes Research, organizations that implement a security operations center (SOC) can improve their mean time to resolution (MTTR) of security threats by 50 percent. A SOC is a centralized facility where cybersecurity experts monitor and analyze data collected from across the enterprise. Security alerts and the operational processes for responding to them are defined according to the organization’s business objectives. This in turn is based upon the identification of risks that could negatively impact operations.
A SOC would appear to be an essential component of a mature cybersecurity strategy. However, a new survey by the Ponemon Institute finds that SOCs are often ineffective and poorly aligned with business requirements. Problems include difficulty identifying threats, a lack of visibility into the IT environment and a lack of interoperability across security tools. As a result of these issues, 78 percent of survey respondents say the MTTR can be weeks to months or even years, even though a SOC has been implemented.
Why SOCs Are Ineffective
Threat hunting is difficult because there are too many alerts, too many false positives and too much network traffic to compare against indicators of compromise. As we discussed in one of our earlier posts, "Artificial Intelligence Is Becoming Essential to Cybersecurity," organizations are so overwhelmed with alerts that they need artificial intelligence (AI) tools to keep up. However, the organizations surveyed by the Ponemon Institute either haven’t implemented AI tools or aren’t using them effectively. More than half (53 percent) of respondents say their SOCs are ineffective at gathering evidence, investigating threats and locating their source.
According to 65 percent of respondents, a lack of visibility into the IT security infrastructure is the top barrier to SOC success. A majority of organizations have implemented security intelligence tools, but these tools do not have a high level of interoperability within the SOC.
A lack of business alignment is a critical issue that impacts funding and resource allocation. More than 80 percent of respondents say their SOCs are not aligned or only partially aligned with business needs, making it difficult to get executive leadership to commit to investments in people and technology. Already, SOCs face funding shortfalls — less than one-third of the IT security budget is allocated to the SOC, on average.
Tips for Addressing SOC Challenges
There are steps organizations can take to improve SOC success. First and foremost, organizations should implement tools for automating SOC workflows to relieve the burden on cybersecurity personnel. Tightly integrated security suites provide a unified analyst experience and full visibility into the IT environment, improving the SOC team’s ability to act on threats throughout their lifecycle.
Access to external threat intelligence feeds and other content resources can provide the context needed to improve threat detection and reduce false positives. To improve the alignment between the SOC and the business, stakeholders should discuss and prioritize objectives and take steps to eliminate silos.
If your SOC is not meeting expectations, we invite you to contact the Technologent team. We can analyze your cybersecurity strategy and make objective recommendations on how to improve operational processes. We can also help you identify and implement automated tools that work in concert to improve the monitoring, analysis and investigation of security events. Let us help you address SOC challenges so your team can respond to threats rapidly and effectively.
January 30, 2020