Micro Focus is now part of OpenText. Learn more >

You are here

You are here

State of Security Operations 2019: 5 challenges for SOC teams

Jaikumar Vijayan Freelance writer

Staffing and budget availability are key challenges hampering the ability of security operations centers (SOCs) to carry out their missions effectively, a new study has found.

Since 2008, the Micro Focus Security Intelligence and Operations Consulting team gathered insights from hundreds of companies around the globe about their SOC capabilities and the maturity of their processes for handling security incidents.

According to the 2019 State of Security Operations Update, the role of security operations is gaining importance within many enterprise organizations due to data breaches and privacy concerns.

The report cites a study by the Ponemon Institute that showed that 67% of IT and IT security practitioners consider their SOC to be essential or very essential (PDF) to their cybersecurity strategy. Preston Wheiler, product-marketing manager at Micro Focus, says requirements for SOCs have changed because of increasing volumes of data, more data sources and attack vectors, increasingly sophisticated attacks, and a complex ecosystem of security tools.

"Many SOCs have started to mature beyond just log management and data analysis but are still not where they should be in terms of true security analytics."
Preston Wheiler

Here are five clear challenges standing in the way across all SOCs.

1. Skills shortage

Human analysts are critical to a SOC's ability to quickly identify, prioritize, and respond to security incidents. While numerous tools are available to help organizations gather and analyze massive volumes of security and event data, human experts add the context and situational awareness needed to remediate threats.

The report found that SOCs are literally in a war for talent, with many complaining of having staff poached by other companies. For nearly six in 10 report respondents, the top barrier to SOC excellence is staff availability, the Micro Focus report states, quoting a SANS Institute study.

"Limited staff means less analysts monitoring and responding to alerts, and less analysts hunting and investigating. Triaging security alerts and tuning correlation rules for threat detection are two areas where cybersecurity teams struggle to be proficient."
—Preston Wheiler

SOCs that are grappling with a skills shortage should look to recruit people from diverse technology backgrounds such as app developers and database admins, Micro Focus recommended. This hiring strategy can broaden the available talent pool while infusing the SOC with new skills and experience.

2. Budget availability

Despite the increasing importance of SOCs, a high percentage appear to have difficulty obtaining the funds needed to maintain an adequate capability. Many organizations that participated in the study report said lack of investment was one of their biggest roadblocks.

Increased pressure to cut or maintain costs is driving many of them to outsource key functions to third parties, said Daniel Kennedy, lead information security analyst at 451 Research.

"A SOC can come under pressure when it's not clear what value they're providing to an organization."
Daniel Kennedy

Ironically, this can happen both when a SOC is ineffective and when it is too effective. When a SOC is very good at keeping problems under control, no one notices it. This can make it difficult to demonstrate value, for example, when senior IT managers start looking for places to cut costs.

The key for SOCs is to ensure proper alignment with the business, the report says. SOC leaders need to demonstrate value by tracking and reporting on the successes they have had in protecting company assets against cyber threats.

3. Lack of documented processes

Many SOCs are running into trouble because they either don't have documented processes or are letting the ones they do have stagnate because of a lack of continuous improvement effort.

"Without the solid foundation that processes and procedures provide, SOCs become reliant on the tribal knowledge of individual 'superstars,'" the report said. This often results in SOCs becoming less predictable in their outcomes, especially when organizations have high staff turnover rates.

"Frankly, incident response solutions have to become better around documentation and response workflow, as SOC analysts complain that an inordinate amount of time is spent documenting and following up on incidents, as opposed to looking for new ones."
—Daniel Kennedy

Portable, adaptable, and fully integrated process and procedure management systems are key, the report said. Systems that allow the capture and sharing of scripts, videos, and other operational assets need to be portable and easy to maintain. Contributions to documentation need to be made a key performance metric.

Organizations can use the NIST framework and MITRE ATT&CK framework to develop processes, Wheiler said.

4. Uncertainty about the mission

Many SOC staffers interviewed for the report appeared to be unsure about their core mission. They either did not have one, or it had not been communicated to staff and other stakeholders. In many cases, SOC managers did not have a clear idea as to which business assets—such as applications and data—were most important to protect. As a result, they had little idea of which threats were most important to focus on.

To be effective, SOC staffers must have a clear idea of what they are required to protect and why, the report said. They need to know, for example, if the mission is to keep operational technology safe from state-sponsored threat actors or to protect intellectual property from competitors. Only if companies are clear about the mission can operational capabilities be properly aligned to meeting it.

5. Pinning hope on technology

Many SOCs are expecting technologies such as security information and event management (SIEM), user and entity behavioral analytics (UEBA), security orchestration, automation, and response (SOAR), and products leveraging AI and machine learning to alleviate some of the challenges. 

"Mature SOCs today have powerful SIEMs and are beginning to implement security analytics tools like UEBA, and other tools like SOAR. Those needs will grow in the future."
—Preston Wheiler

Managed services providers are becoming more sophisticated in how they can plug into the operations of an internal security operations team, 451 Research's Kennedy said. They can provide either needed person power or specialized skill sets as required in specific threat hunting or incident response situations.

But to maximize the value of these technologies, SOC leaders need to first identify their security use cases, know what they need to protect against, and deploy the right tools to address those issues, the report said.

All together now

The most effective security operations teams had a few traits in common. Among them were a commitment to the mission from top leadership down, a focus on continuous improvement, and a willingness to invest in talent. Significantly, top SOCs are aligned with IT and have complete visibility into the entire IT infrastructure, the report said.

Read more articles about: SecurityInformation Security