Even though companies are trying to get their arms around the ever-shifting threat landscape by implementing security operations centers (SOCs), research has revealed that excessive alerts, outdated metrics and limited integration are leading to over-taxed resources within the SOCs.
Fidelis Cybersecurity conducted the study over the span of three months, interviewing security practitioners from enterprise companies in a cross-section of industries: software-as-a-service (SaaS), retail, financial services, healthcare, consumer services and high tech.
“The study findings are only further proof that with…continued constraints on both the availability and bandwidth of well-trained SOC analysts, SOCs are increasingly burdened,” said Tim Roddy, vice president of cybersecurity product strategy at Fidelis. “Organizations need to look at automating common tasks, integrating network visibility with endpoint detection and response, and shifting the focus from identifying signatures and indicators to attacker techniques, tactics and procedures.”
The survey found a number of challenges in play within the SOC, not least of which is that 70% of survey respondents said that at least half of their security controls weren’t yet integrated; integration is seen as key to SOC automation, efficiency and effectiveness. This state of affairs impedes not only the speed of investigation but also the speed of remediation and control. The survey results showed a correlation between the companies that achieved a high alert-triaging rate and those that have more integrated security controls.
Also, SOC and incident response (IR) metrics are outdated and ineffective: Every organization interviewed used metrics to measure SOC/IR effectiveness. However, 80% feel that the metrics they are using today are “not effective” or “had room for improvement.”
Meanwhile, threat hunting is an elite operation that exists only in the largest and most sophisticated organizations: Only 17% of organizations have a dedicated threat-hunting team.
Beyond these issues, one of the main hurdles SOCs face is the sheer volume of events: Analysts are overwhelmed by the number of alerts and investigations that require their attention. Most SOC analysts (60%) can only handle 7 or 8 investigations in a day. Only 10% of organizations said they can realistically handle 8 to 10 investigations in a day. Overall, 83% of the companies triage less than 50% of the alerts received daily.
In addition to the capacity problem, the report found that SOCs face a skills gap and training problem, as many organizations struggle to recruit, train and retain qualified SOC analysts.
Against this backdrop, automation is becoming increasingly important for SOCs, according to Wang.
“Our study uncovered a number of notable findings,” he said. “For organizations that want to operate efficient, highly effective security operations, we recommend following best practices, such as automating Tier 1 and Tier 2 analyst tasks, identifying further opportunities to eliminate manual tasks, and standardizing processes and procedures for threat detection and response.”