The results of the latest SANS annual SOC survey Common and Best Practices for Security Operations Centers offer valuable insights to security leaders and practitioners looking to establish a new security operations centre (SOC) or optimise an existing operation. This article offers an overview of the survey findings as reported by Christopher Crowley, senior SANS instructor, and John Pescatore, SANS Director of Emerging Technologies.
In their introduction to the report, the authors state that the survey respondents were primarily from organisations headquartered in the US and Europe, and represented SOCs from the cybersecurity industry as well as government, banking, finance, and technology. Typically, the SOCs employ around 10 full-time staff – though staff size varies widely depending on organisation size and sector.
Aims of the Survey
The purpose of the survey was threefold:
- To capture common and best practices
- To provide defendable metrics that can be used to justify SOC resources to management
- To highlight key areas on which SOC managers can focus to increase the effectiveness and efficiency of security operations
The following are the key findings from the survey:
- Barriers to excellence: While respondents report that they are “most satisfied” with the number of incidents handled and the time taken from problem identification to containment and eradication, the most frequently cited problems are a lack of skilled staff (58%) and the absence of effective orchestration and automation (50%).
- Technology satisfaction: Across all NIST Cybersecurity Framework (CSF) categories, the technology rated as highest performing is access control/VPNs (87%) in the protection category. The lowest rated is AI/machine learning (ML) (53%) in the detection category.
- Outsourced capabilities: Pen testing, digital forensics and threat intelligence are the most commonly outsourced activities. The core function of monitoring and detection is also frequently outsourced.
- Incident handling: Problem identification and verification are typically the domain of the SOC. Equally, the response team that conducts preliminary containment actions and investigations is situated within the SOC.
- Knowledge management tools: Larger SOCs commonly use Jira for trouble tickets and Confluence for collaboration. Those integrated with IT or the network operations centre (NOC) tend to use ServiceNow or BMC Remedy in combination with SharePoint.
- Service provider status: For the majority of the survey respondents, the SOC is an internal phenomenon and does not have service provider status. In most cases, members of the organisation are required to purchase service from the SOC and may not outsource.
- Technology coverage: Due to budget and staffing constraints, SOCs generally focus on IT systems rather than on operational technology, and smart systems are typically unprotected. A mere sixteen percent of respondents could confirm having a full inventory of network endpoints and the resulting ability to correlate a particular asset to a specific user.
Two of the partners in the CYBERWISER.eu project operate SOCs. EDP, a Portuguese utilities provider, and Ferrovie dello Stato, the Italian state railway company, are participating in CYBERWISER.eu specifically in order to enhance their preparedness to respond to cyber-attacks and incidents. Using the CYBERWISER.eu cyber range platform, they will be able to address skills gaps and take their cyber security competences to new levels.
The full SANS report is available for download from SANS.