SOCs are essential to building a resilient cybersecurity posture, but still elusive: Part 1
July 20 2021
by Aaron Sherrill
Recent, well-publicized cyberattacks – impacting energy providers, technology supply chains, water supplies, transit networks, healthcare organizations, gaming providers and local governments – have highlighted two grim realities. There is no shortage of avenues for hackers to exploit and compromise, and most organizations are still struggling to consistently and rapidly detect and respond to threats.
The recent SolarWinds attack underscores how prevalent these realities are. First identified by FireEye in early December 2020, an estimated 100 organizations, including Fortune 100 enterprises, private companies and dozens of federal agencies, were identified as compromised, with attackers operating undetected for months. Although the attack has been described as 'unprecedented' and 'extremely sophisticated,' it has highlighted the importance of having a security operations center (SOC). At the same time, it exposed how difficult it is for organizations – even those with well-funded security programs, ample expertise and robust security stacks – to gain visibility across a dynamic IT ecosystem and consistently detect indicators of compromise.
The 451 Take
In the face of increasing risks and an ever-expanding attack surface, organizations are making significant investments in their security programs, most notably by establishing and augmenting SOCs. Aiming to build a stronger security posture, organizations are investing in expertise and systems to expand their ability to detect and respond to threats that have bypassed preventative security controls. However, building, managing and scaling an effective SOC has proven to be a significant challenge for even the most well-funded security programs. According to 451 Research data, the number of organizations reporting they have a SOC in place has risen from 32% in 2017 to 46% in 2020. While this trendline is positive, several survey findings imply that effective SOC adoption still has a long road ahead.
Rapid and consistent threat detection and incident response are two of the most important aspects of a resilient cybersecurity posture – they are also among the top strategic security objectives for organizations. Detecting indicators of compromise and responding to threats 24x7 is one of the primary roles of an organization's SOC. Armed with a team of analysts and a broad range of technologies, SOCs proactively identify, investigate, prioritize and resolve issues and mitigate risks that threaten the security of the organization's infrastructure and data.
According to 451 Research's survey, only about 46% of organizations report having a SOC in place. Not surprisingly, that percentage is lower among smaller organizations (26%) and higher (about 63%) in larger organizations.
Of those that report having a SOC, just over half staff their SOCs solely with internal resources, while about a quarter primarily outsource SOC responsibilities and operations to an MSSP, a MDR provider, a SOCaaS provider or other third-party firm. About 20% report leveraging a mix of internal and outsourced resources to operate their SOC.
The presence of a SOC tends to be a reliable indicator of the security maturity and capabilities of an organization. However, the number of organizations that report having a full-scale SOC in place may be a bit aspirational. About a quarter of organizations with a SOC indicate their SOCs only operate during business hours. Rapidly detecting and responding to threats is one of the most impactful actions organizations can take to minimize an attacker's opportunity, and the damage and cost of malicious activity. Staffing and operating a SOC only during standard business hours means that any security incidents that occur outside of these hours will not be addressed until, at best, the following business day, giving an attacker two or more days to exploit an organization's network without detection or interference.
It is also concerning that 74% of organizations report having less than 10 full-time employees dedicated to information security – not enough to staff a SOC 24x7 and handle the demands of digital transformation, security technology implementation and maintenance, threat detection and response, and compliance and regulations, while also facing a steady stream of new challenges and complexities. And although over half of organizations report that their staffing levels are inadequate to address the security challenges they are facing, only 15% plan to add to their information security teams this year.
Having a fully staffed SOC that can operate 24/7 is only part of the challenge. Organizations report lacking a number of skillsets that are key to effective SOC operations, including cloud platform expertise, incident response skills, application security coding expertise and threat hunting skills.
Security information and event management (SIEM) systems, a core technology for enabling security operations, have still not reached universal adoption. SIEM technologies aid security incident and event management – logging real-time and historical data of security alerts and events into one centralized location, and enabling correlation and analysis to uncover indicators of compromise.
However, the picture emerging from 451 Research surveys is that a sizeable fraction of respondents lack this critical SOC technology. Even under the best of circumstances, adding all the in-use, pilot and planning data, it will take another 24 months for SIEM coverage to cross the 80% penetration rate.
However, having a SIEM in place is only the first step. While it's common to highlight 'alert fatigue' and 'too many alerts' as significant issues for security operations teams, recent survey results give a different perspective. First, a sizeable proportion of respondents indicate that SIEM coverage is not uniformly broad. Only 39% indicate coverage of log-producing systems that is at or better than 76%.
Second, according to survey respondents, over 90% indicate they cannot investigate a sizable portion of alerts in a typical day, with nearly 30% indicating they are unable to process half or more of the incoming alerts. This, along with gaps in the nature and scope of telemetry, is the type of scenario that can allow attackers to persist in the environment for an extended period, and make extracting them much more complicated and expensive.
SIEMs are essential components for SOCs to collect, aggregate, store, correlate and analyze the flood of data coming in from a porous and evolving attack surface. However, without context and insights, the endless volume of unvalidated alerts and raw data from a SIEM is too large for SOC analysts to rapidly analyze, understand and prioritize threats across the organization's entire IT ecosystem.
Many organizations are seeking to augment their SIEMs with relevant and actionable threat intelligence to help them make rapid, informed and prioritized decisions. Of the organizations that have a SOC in place, over 96% believe the ability to integrate threat intelligence is one of the most important attributes to consider when selecting a SIEM. Yet, only 51% report they have been able to integrate threat intelligence with their SIEM.
In order to protect data and assets (including applications, users, networks, databases and APIs), organizations must first know that they exist. According to 451 Research's survey, gaining visibility across the entire IT architecture is one of the top security pain points for organizations, tied with cloud security, and only trailing the pains of user behavior.
Maintaining visibility of data and assets (and the threats targeting those assets) across the organization's expanding digital footprint is becoming increasingly difficult for SOC teams. New asset types, dynamic and ephemeral workloads, emerging technologies, the shift to remote work, mergers and acquisitions, and multicloud architectures are only adding to these burdens.
Comprehensive, continuous, real-time visibility is crucial to mitigating potential exposures and reducing risk. But to provide maximum value, visibility must be augmented with context and analytics, and deliver actionable intelligence that can empower the SOC to rapidly detect and respond to threats in the environment.
Organizations are facing many other obstacles when it comes to their SOCs – complexity, staff retention, an expanding attack surface, integration challenges, scalability issues, IoT/OT threat detection, tool and data silos, and a growing threat landscape, just to name a few. These challenges are just a few of many that are driving the increasing adoption of managed security services.
According to 451 Research's survey, about a quarter of organizations report that they currently use a managed security service (MSS), with another 28% planning to use an MSS within the next 12 months. At the same time, 17% of organizations report that MSS will see the largest increase in their security budgets in the coming year, only slightly behind planned increased spending on people.
The expense and complexity of building and running a 24x7 SOC – coupled with the lack of specialized expertise and the complexity of deploying and managing a SIEM, as well as the challenges of integrating automation, analytics and AI/ML into SOC operations, are spurring growing demand for services such as managed detection and response (MDR), security operations as a service (SOCaaS) and outsourced SOC services.
At the same time, a number of providers are pitching XDR (extended detection and response) as an approach to strengthening the security posture of the organization while helping security teams get ahead of the skills, tools and visibility shortages that plague security operations.
Unfortunately, the security space is infamous for using terminology that obscures products and services, making it difficult for enterprises to understand and differentiate offerings, and determine which can deliver the outcomes they hope to achieve. While the capabilities and outcomes of MDR, SOCaaS and XDR overlap in many ways, there are no clear universal definitions of any of these approaches.
In the next part of this spotlight report, we will shed light on how each of these approaches aims to enhance and supplement enterprise SOC operations, and how security teams can determine the right approach for their organization.