Pulling security activities out of the NOC into dedicated Security Operations Centers (SOCs) sounds like a good thing. Centralize handling of security incidents in one place. Hire experts. Improve efficiencies. However, less than half the respondents to a recent Ponemon Institute survey deemed their dedicated SOC efforts effective.
In a more recent study, Ponemon respondents said running an effective Security Operations Center costs $3.5 million per year on average, nearly twice as much as an ineffective SOC, which still costs plenty ($1.96 million per year). If we agree that SOC is worthwhile, these lackluster findings beg the question: how do we make security more efficient without costs going through the roof?
Survey respondents cited a host of reasons for inefficiencies ranging from lack of visibility and timely remediation to complexity and too many false positives—all valid, and none easily solved. Specific challenges exist around tools, analytics, interoperability, and scale.
At a higher level, these issues amount to a need to drive change across four key areas: cost, skills shortages, complexity, and efficiency, or the ability to demonstrate value and alignment with the business.
The theoretical value of the SOC continues to rise within enterprises of all sizes as security professionals race to sift through logs and alerts to find, prioritize, and act on real threats. Yet not every company can or wants to build and run its own.
Large companies with big budgets and mature cybersecurity strategies will do so while small to mid-market enterprises may approach activities on an ad hoc basis within IT, or outsource to some form of managed security service or managed detection and response provider (MSSPs, MDRs).
Resource constraints are the biggest hurdle to overcome with the cost of operating a dedicated 24/7 SOC taking up to 30 percent of the annual cybersecurity budget. Staffing can easily require 20+ full-time employees (FTEs) which, depending on skill levels can approach or top $2 million per year. If your company operates its own Security Incidents and Events Management (SIEM) solution—another major capital and/or ongoing cost—additional staff may be needed to analyze and apply data.
SIEMs and other tools may also require more dedicated personnel than expected. This leads to even more contention for analyst time, greater fatigue, and higher total cost of ownership than anticipated.
Analyst fatigue continues to surge off the charts, with good reason. Fatigued SOC analysts face long shifts, barrages of endless alerts, and the drudgery of chasing too many threats and indicators of compromise (IoCs) with far too few resources.
Consider the math: If a company averages 1,000 alerts per day, and a good security analyst can investigate about 15 events per day, 20 analysts could at best investigate 300 events. It becomes paramount to choose the right ones—by weeding out the false positives quickly—in order to keep from losing ground on a daily basis. Without more automation, better context and correlation, CISOs’ struggle to find, train, and retain skilled, motivated security professionals will continue to be a losing battle.
And, a costly one. Ponemon found the time taken to hire and train a single analyst is nearly a year and the average analyst stays with the company just above two years—a costly revolving door dynamic given no one has time to spare training new people.
Job satisfaction might improve if analysts had more time to focus on challenging activities that make the company safer. SecOps and overall security strategies might evolve more quickly from prevention to emphasize detection, response, and resilience.
A major goal of a dedicated SOC is speed, yet just 22 percent of Ponemon respondents said resolution of security incidents typically occurs within hours or days. Forty-two percent reported averaging months or years.
Along with skills gaps, the sheer and relentless complexity of cybersecurity plays a role here. In networking and other facets of IT, operations typically center around a core set of vendors and technologies that, for the most part, play nicely together. In contrast, a security infrastructure that may include 50 or more vendor solutions that don’t interoperate well, even when complying with standards.
Many tools and technologies remain under-utilized, making it even harder to demonstrate return on investments in the boardroom.
The SOC has its issues but a modern approach can transform its real and perceived value very quickly. Upleveling security and SecOps activities appears to be a no-brainer, but allocating more resources may prove challenging until the boardroom deems the SOC a winning proposition.
It doesn’t help that what we’re trying to measure is the value of something, namely breaches and outages, not happening. It’s hard to know for sure how much worse off a company would be if they did not invest in the SOC.
To secure funding and right-size investment, it helps to be able to try, buy, scale and change capabilities as your security posture and business needs evolve. This might mean adding threat intelligence (TI), vulnerability assessments, pen testing, attack surface management (ASM), breach and attack simulation (BAS), or other capabilities to make the company safer and demonstrate a shrinking threat landscape.
Stay tuned for Part 2 of this series on Intelligent SOC, “Resolution Intelligence for Security,” where we’ll describe a new approach based on consuming precisely the outcomes – and engaging precisely the resources – that you need right when you need them. In the meantime, check out Netenrich’s Intelligent SOC-as-a-Service Solution to learn about a risk-free trial.