SANS 2023 SOC Survey: Unveiling the Inner Workings of Security Operations Centers: An In-Depth Analysis
In an era where cybersecurity has become a paramount concern for every organization, understanding the operational facets of Security Operations Centers (SOCs) is crucial. This article will present an in-depth exploration of the results from the SANS 2023 SOC Survey. By delving into the intricate details, it will shine a light on how these key cybersecurity hubs are navigating a fast-paced, highly complex landscape.
The survey provides vital insights into a plethora of areas such as reporting SOC metrics, the use of specific metrics in operations, cost per record, budgeting, and funding. However, beyond the numbers and data, there are underlying narratives about the challenges faced by SOCs, including the lack of context, difficulty in enforcing certain metrics, and issues surrounding budget transparency.
Through this comprehensive article, we aim to paint a detailed picture of the current state of SOCs, the challenges they face, and the strategies they employ to maintain effectiveness despite constraints. Whether you’re a cybersecurity professional, a corporate executive, or simply interested in understanding the landscape of digital security, this article promises to be an enlightening read.
The key findings of the SANS 2023 SOC Survey represent several critical aspects of cybersecurity management and investment in organizations today.
1. Resource Allocation and Budgeting: The report notes the importance of connecting increased investment in the SOC with improvements in business-relevant metrics. However, the appropriate budgeting for a SOC is still not universally understood, with only 42% of organizations involving SOC management in the budget preparation. A concerning 13% of organizations reportedly do not consider SOC management’s recommendations in budget decisions. Moreover, there seems to be no strong correlation between budget allocation and the organization’s size or sector.
2. Incident Discovery Techniques: Different methods were ranked for incident discovery, with Monitoring/Alerting, Hunting, User Reported, and Third-party/external notification methods being most frequent. The high prevalence of monitoring and alerting underlines the critical role of proactive cybersecurity measures, with hunting being the second most common technique, emphasizing the need for active threat detection.
3. SOAR Workflow Management: Security Orchestration, Automation, and Response (SOAR) is a crucial aspect of the modern SOC. The largest share of respondents (34.8%) frequently update their SOAR workflows and have dedicated staff for this purpose. However, 26.1% are not aware of how they approach their SOAR update and tuning needs.
4. Metrics Usage: Metrics are extensively used in SOCs, with only a small portion of respondents (11.2%) not using them. Unfortunately, a significant portion of these non-users were in the government sector. Among those using metrics, most respondents were satisfied with their effectiveness. However, more than half (56.3%) of respondents were not attempting to calculate the value their SOC provides, highlighting a potential area for improvement.
5. Staffing: Staffing continues to be a significant factor in running a SOC effectively. The most common SOC size is between 11 and 25 staff members. However, for large organizations (50,000 FTE or greater), the most commonly reported size is between 26–100 SOC staff.
The survey reveals that a predominant challenge for the respondents in 2023 was the “Lack of context related to what we are seeing” (16%). This result contrasts with the prior year’s survey, where this challenge was nearly at the bottom. This significant shift suggests a change in the operational context or new developments in the field that brought the issue of context into sharper focus. This lack of context could be related to how security incidents are reported, the amount of information provided, or the clarity of that information.
Other challenges identified in the survey results include “Lack of automation and orchestration”, “Lack of enterprise-wide visibility”, and “Lack of skilled staff”. These issues suggest that the respondents struggle with creating an automated and coordinated security response, understanding the full scope of their security landscape, and finding staff with the necessary expertise.
The issue of skilled staff appears to be twofold:
1) Skilled security staff are needed to resolve the lack-of-context issue, possibly implying a need for better expertise in interpreting security alerts or incidents.
2) Skilled staff are also necessary for a successful Security Orchestration, Automation, and Response (SOAR) workflow. The continued scarcity of experienced security analysts is a key roadblock here.
Encouragingly, the decreased identification of “lack of management support” as a challenge indicates an increasing willingness of organizations to invest in enhancing their security context and automation capabilities. The survey data also suggests a strong connection between the size of the organization and the size of the SOC team. This data is crucial as it can highlight the staffing realities and needs of SOCs across different organization sizes.
On the outsourcing front, the survey presents the types of activities that are most commonly outsourced, such as forensics, threat intel, and penetration testing. These activities require specialized skills and aren’t used consistently within most SOCs, making them ideal for outsourcing. However, the data also indicates that activities more likely to be outsourced are slightly less likely to be done overall, suggesting possible budget constraints or a belief that such activities are not required.
The survey delves into the practice of threat hunting within SOCs, defining it as the investigation of available data with the presumption that other alerting mechanisms have failed. The survey data indicates that most threat hunting is partially automated, but manual activities are also common.
Threat intelligence is another area covered by the survey. It highlights how respondents consume, produce, and attribute threat intelligence within their SOCs, indicating that more people outsource threat intelligence entirely or partially rather than doing it entirely on their own. However, it also shows that more respondents conduct threat intelligence activities internally in some respect than do it externally. The ability to conduct a deeper analysis of the data using a Python-based Jupyter notebook is also provided, potentially offering further insights into the challenges, operational practices, and staffing considerations of SOCs in 2023.
The report distinguishes between the concept of a SOC’s mission and capabilities versus its architecture. The mission and capabilities are what define a SOC, but its architecture — encompassing physical locations, staffing arrangements, and what’s being protected — is important to understand.
The report states that the physical location of SOCs, while still centralized, allows for remote working. The location where staff members work is generally one geographic region, and the location of data used for analysis can be different. This separation of personnel and data location can be due to various reasons including data residency regulations, cost-effectiveness, or staff preferences. The survey results showed that central SOC structures dominate the responses, with 48.7% of respondents reporting a single, central SOC. Projections for future architecture show a trend towards “Cloud-based services”. However, the percentage change from 2021 to 2023 is only modest, suggesting that while respondents anticipate changes, these changes are not happening as fast as expected.
Regarding the SOC structure, the survey showed varied responses with the single, central SOC leading at 48.7%, followed by multiple hierarchical SOCs at 19.9%, and multiple standalone/siloed SOCs at 13.6%. For the deployment of SOC infrastructure, the majority of respondents projected a shift towards cloud-based SOC services. Despite this projection, the actual change from 2021 to 2023 shows only a modest increase, indicating that the transition to the cloud is happening more slowly than anticipated.
One of the architectural attributes of SOCs discussed is their operation times. The majority of SOCs operate 24/7, often using a mix of in-house and outsourced services. The decision to operate non-stop tends to drive a significant amount of outsourcing. Regarding remote work for SOC staff, 73% of respondents reported that their staff were allowed to work remotely. Interestingly, the report reveals that the structure of the SOC doesn’t have a substantial influence on whether staff can work from home.
The report also delves into staffing issues. It finds that most SOCs could operate better or more efficiently with more qualified people. However, onboarding new or junior staff is a challenge due to the necessary on-the-job training. The report suggests that this is because SOCs are not designed or built to address human capital cycles and they are often understaffed.
In terms of staff roles, the survey showed a variety of roles within the SOC, from junior analysts and interns to dedicated monitoring analysts and general-purpose analysts. As for staff hiring and turnover, the survey results showed that the average employment duration is less than five years, which aligns with general IT turnover. The survey also showed that technical and non-technical skills are both essential for SOC staff. The most critical technical skill identified was “Information Systems and Network Security,” and the most important non-technical skill was “Risk Management.” Lastly, the report revealed that career progression was the most commonly cited method for retaining staff.
The survey data also gives us insight into the deployment level of different technologies, user satisfaction, and the perceived importance of these technologies for potential new hires:
1. Technology Usage and Satisfaction
The data reveals that half of the survey respondents opted to skip the extensive technology-related section, indicating that this part might be seen as too long, optional, or potentially overwhelming due to its depth and detail.
Those who completed this section were asked about their preferences and satisfaction with various technologies. The technology preferences and satisfaction were ranked on a GPA basis, with host-based EDR/XDR topping the list at a GPA of 2.89 and a tie between network-based packet analysis and AI/machine learning at the bottom with a GPA of 2.18. The GPA here appears to be a satisfaction scale, with higher scores indicating higher satisfaction. It’s important to note that no GPA was above a ‘C’ grade, indicating that respondents generally have moderate levels of satisfaction with the technologies they use.
2. Technology Deployment and Satisfaction
The survey presents a correlation between technology deployment and user satisfaction. Technologies that have reached the production phase generally have higher satisfaction ratings. This could be due to the increased familiarity, comfort, and utility derived from fully deployed technologies. However, the survey stops short of declaring this a causal relationship.
3. Employee Skill Requirements
The final section focuses on the types of technology skills hiring managers are looking for in new hires. SIEM Analysis and EDR/XDR products top the list of desired skills, with 26.5% and 27.1% preference respectively. This high preference might be due to the importance of these tools in contemporary cybersecurity practices and threat detection/response mechanisms.
In the qualitative responses, the survey reveals that SOC managers typically prefer analysts with a broad technical knowledge base, rather than specific product or technology experience. This is likely due to the belief that those with a fundamental understanding of business process flows and potential threats can more easily learn how to use and extend various technology tools.
4. Improvement Opportunities
From an improvement perspective, the survey data suggests a need to make the technology section more engaging or manageable to increase participation. The moderate satisfaction scores across all technologies suggest room for improved user experience, better technology deployment, or perhaps better training and onboarding for the technologies.
The preference for broad technical knowledge in new hires suggests a trend towards more generalized technical education, with specific tool or product training occurring on the job. This may impact how organizations approach hiring and training, and how educational institutions structure their curriculums.
Regarding the function and operational aspects of Security Operations Centers (SOCs), several key areas of analysis emerge from the information provided.
1. Reporting SOC Metrics: From the data, it’s evident that a small percentage (11.2%) of SOCs do not provide metrics. Regular reporting of SOC-related metrics to the board of directors and organizational executives, both within and outside the cybersecurity management hierarchy, is observed to be common, but not done by a majority (36.7%).
2. Use of Metrics: The survey asked respondents to detail the metrics used in their SOC operations. The answers were sorted based on the value of “Used” for outsourced capabilities. It is notable that some respondents considered certain metrics as “enforced”, an assertion that the report authors find questionable. For example, enforcing a metric of “monetary cost per incident” might suggest that incident handling would be stopped once a certain amount of resources are expended.
3. Cost per Record: Another important metric asked about was the cost per record. The definitions of this vary and it’s challenging to estimate. For example, larger incidents can be more damaging but may actually show the lowest cost per record. Conversely, ransomware attacks can disrupt an entire business by encrypting one key file with a small number of records. The report highlights the SOC metric of time to detect/respond/restore as the only part of cost per record that the SOC actually owns.
4. Budget and Funding: The report underscores the lack of transparency regarding SOC operational costs, with the most popular answer to the cost question being “Unknown” (22.1%). This might indicate a disconnect between business owners, the SOC’s costs and expenses, and the information systems the business relies on.
5. Justifying Funding with Metrics: The report also explored the metrics used to justify the budget for the SOC. The most common response was the number of incidents handled (46.5%). Other significant metrics included time to detect/eradicate (37.9%) and the percentage of incidents exploiting unknown vulnerabilities (33.0%).
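To make the metrics above concrete, here is an added example (not from the survey or from SANS) that computes time to detect/respond/restore, the part of cost per record the report says the SOC owns, from constructed incident records, and shows why cost per record on its own misleads: the large exfiltration scores the lowest cost per record while the ransomware incident touching 40 records scores the highest. The incident fields and all sample figures are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Incident:
    name: str
    occurred: str    # when the compromise began (ISO 8601, minute precision)
    detected: str    # when the SOC raised the alert
    contained: str   # when response stopped further impact
    restored: str    # when affected services were back in service
    records: int     # records exposed or affected
    cost_usd: float  # total business cost attributed to the incident


def _hours(start: str, end: str) -> float:
    fmt = "%Y-%m-%dT%H:%M"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds() / 3600


def soc_timings(inc: Incident) -> dict:
    """Time to detect / respond / restore in hours: the metrics the SOC itself owns."""
    return {
        "ttd_h": _hours(inc.occurred, inc.detected),
        "ttr_h": _hours(inc.detected, inc.contained),
        "ttrestore_h": _hours(inc.detected, inc.restored),
    }


def cost_per_record(inc: Incident) -> float:
    """Business-wide figure; depends on pricing assumptions the SOC does not control."""
    return inc.cost_usd / inc.records if inc.records else float("inf")


def summarize(incidents: list) -> dict:
    """Median SOC timings (report-ready) plus cost per record for comparison."""
    timings = [soc_timings(i) for i in incidents]
    return {
        "incidents_handled": len(incidents),
        "median_ttd_h": median([t["ttd_h"] for t in timings]),
        "median_ttr_h": median([t["ttr_h"] for t in timings]),
        "median_ttrestore_h": median([t["ttrestore_h"] for t in timings]),
        "cost_per_record": {i.name: round(cost_per_record(i), 2) for i in incidents},
    }


# Constructed sample incidents (illustrative values, not survey data).
SAMPLE = [
    Incident("db-exfil", "2023-03-01T02:00", "2023-03-04T09:00", "2023-03-04T15:00", "2023-03-06T10:00", 2_000_000, 3_000_000.0),
    Incident("ransomware-erp", "2023-05-10T22:00", "2023-05-11T06:00", "2023-05-11T12:00", "2023-05-14T08:00", 40, 1_200_000.0),  # one key file, few records
    Incident("phish-mailbox", "2023-06-02T09:30", "2023-06-02T11:30", "2023-06-02T12:30", "2023-06-02T13:00", 800, 20_000.0),
]
```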
Conclusion
In an increasingly digitized and interconnected world, the role of Security Operations Centers (SOCs) in maintaining an organization’s security posture is undeniable. The findings from the SANS 2023 SOC Survey illuminate the current operational practices, challenges, and strategies utilized by SOCs globally.
We’ve gleaned that while the majority of SOCs use and report metrics, there remains a significant gap in terms of enforcing certain metrics. We’ve also uncovered the need for better transparency and understanding of budget and expenditure, hinting at a potential disconnect between SOC operations and the broader business context.
The survey also highlighted the critical role of threat intelligence and threat hunting, emphasizing the constant push for proactive rather than reactive security measures. However, the most significant challenge, as expressed by many, is the lack of context regarding the systems under protection, underscoring a need for tighter integration between the business and security functions.
As we move forward, it’s crucial for SOCs to address these issues, making strides in transparency, communication, and understanding the full landscape of their responsibilities. The journey toward a more secure future is undoubtedly a complex one, but with in-depth insights like those provided in this survey, we can continue to learn, adapt, and improve.
In sum, the 2023 SOC Survey serves as an invaluable resource, offering a compelling snapshot of the current state of Security Operations Centers. It underscores the pressing need for continued dialogue, shared knowledge, and relentless advancement in our collective cybersecurity journey.