Smart, risk-minded organizations, when considering how to ensure the continuity of their business, hope for the best but prepare for the worst.

And with cybersecurity now ranking at or near the top of most CEOs' shortlist of biggest worries, that means placing an increased focus on threat detection and response, operating under the principle that the longer it takes to identify, contain, and recover from a data breach or other major digital incident, the more it will cost and the greater the harm it will cause.

But here's the rub: Even if your organization has fully grasped this priority shift and is looking to mature beyond being solely prevention- or compliance-focused (and many are, given that the value of the security operations market is rising rapidly and SOCs are considered more essential than ever), detection and response are hard to do. The attack surface keeps growing, driven in part by the rapid rise of connected Internet of Things devices, so there is not only more ground to cover than ever but also a larger and more disparate set of devices generating alerts about potential malicious activity.

The recent SANS Security Operations Center Survey, which polled several hundred technical staff, technical managers and SOC managers, sought to quantify the largest disruptors to success within the SOC. Officially terming these impediments “Challenges to Full Integration and Utilization of a Centralized SOC Service Model Year-over-Year” and comparing them side by side with the previous year’s survey, SANS found:

[Figure: 2019 SANS SOC Survey, year-over-year chart of challenges to a centralized SOC service model]

Let's dive into the top five, which, as you'll see, are related in many ways, and try to make sense of why they consistently interfere with companies' ability to run more effective security operations.

1) Lack of Skilled Staff

This one is obvious. The lack of proficient cybersecurity professionals is neither native nor exclusive to the SOC. It's everywhere in infosec, so much so that multiple studies have reported that the skills gap has tipped the scales in favor of your adversaries. Combine the talent dearth with the overwhelming number of alerts that require processing and documentation, a preponderance of which are false positives, and an already meager and overstretched staff runs the risk of burning out, with members either getting plucked by other firms or simply quitting in the hope of finding greener (and more serene) pastures.


2) Lack of Automation and Orchestration

Anxiety over machine learning and artificial intelligence replacing workers is growing worldwide, and SOCs are not immune to those concerns. But most SecOps teams will find that automation in the SOC isn't about taking away jobs but improving them. This is accomplished by automating the repetitive tasks that continually bog you down, such as phishing case workflows, which are notorious time sinks. Automation also prepares a case for investigation by an analyst (gathering the relevant artifacts and enrichment up front) while simultaneously filtering out the false positives that consume up to a quarter of an analyst's day.

Finally, automation frees security analysts from being solely focused on data collection and alert triage. Instead they are able to perform functions that move the needle, such as identifying and shoring up weaknesses in the security infrastructure, deconstructing complex attacks to develop more advanced playbooks (aka runbooks), and proactively hunting for and uncovering hidden threats in the environment. Meanwhile, orchestration helps create harmony between processes and technologies by integrating a wide range of security operations tools (which we'll address in the next section).

3) Too Many Tools That Are Not Integrated

Companies are spending more money than ever on cybersecurity, and a healthy portion of that investment is being earmarked for security tools, with large companies averaging well over 100. Not surprisingly, many of these solutions don't work well together. This creates added management complexity, higher costs and the potential to miss something important. Security orchestration, automation and response (SOAR) solutions help combat this struggle by bringing individual security tools together so that SOC teams can interact with them more efficiently from a single platform. An added benefit is that you'll get more out of these tools once they are tied into a formal platform such as a SOAR solution.

4) Lack of Management Support

C-suite buy-in is a goal for every department in a company, but arguably none needs it more than cybersecurity, which is often seen as a cost center, yet is also the area where underinvestment is most likely to drain a company's coffers. Conveying the SOC's successes, needs and challenges in understandable terms will go a long way toward winning executive interest and support. Metrics are a great tool to get you in the boardroom door. Not all leaders will be interested in the same numbers, however. Your safest bet is to use risk-based measurements that connect security operations to business objectives.

5) Lack of Processes or Playbooks

In the same way that American football teams plan formations and schemes through playbooks so that every player knows exactly what their responsibility is, SOCs require similar direction. Alert handling is not only repetitive, it can also be chaotic. Playbooks give SecOps teams a single source of truth to turn to in high-pressure situations, helping to ensure response processes are executed systematically and in the same way every time. Added benefits include documenting so-called tribal knowledge (unwritten information that only a few people within a business know) and making it easier to onboard new analysts.
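To make the phishing workflow from section 2 and the playbook idea above concrete, here is an added example of a small, fixed-order phishing-report triage playbook. It is illustration code written for this page, not Siemplify's or SANS's, and it assumes things the article does not state: reported emails arrive as raw RFC 5322 text, the organization keeps an allowlist of trusted sender domains, and the mail gateway stamps an Authentication-Results header. The two sample emails and the allowlist are constructed.

```python
"""Phishing-report triage playbook (added example; assumptions noted below).

Steps, run in the same order for every report:
  1. parse the reported email
  2. read sender domain and SPF/DKIM/DMARC results
  3. extract the domains of every link in the body
  4. suppress the false positive (trusted sender, authenticated, links stay
     on the sender's own domain) or open an analyst case with the findings
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: mail from these domains is auto-closed when it authenticates.
TRUSTED_SENDER_DOMAINS = {"example.com", "newsletter.example-partner.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def parse_auth_results(msg):
    """Return e.g. {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'fail'}; empty dict if the header is absent."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def sender_domain(msg):
    """Lower-cased domain of the From: address, or '' when it cannot be parsed."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def extract_link_domains(body):
    """Sorted, de-duplicated hostnames of every http(s) URL in the body text."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def triage(raw_email):
    """Run the playbook on one reported email and return a structured case dict.

    verdict is 'auto_closed' (suppressed false positive) or 'escalate' (analyst case).
    """
    msg = message_from_string(raw_email, policy=policy.default)
    auth = parse_auth_results(msg)
    domain = sender_domain(msg)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    link_domains = extract_link_domains(body)

    auth_ok = all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    # Links that leave the sender's own domain are the usual phishing tell; an
    # unparseable sender domain means every link counts as off-domain.
    if domain:
        off_domain = [d for d in link_domains if d != domain and not d.endswith("." + domain)]
    else:
        off_domain = list(link_domains)

    findings = []
    if not auth_ok:
        findings.append("authentication not fully passed: %s" % (auth or "no Authentication-Results header"))
    if off_domain:
        findings.append("links to domains other than the sender's: %s" % ", ".join(off_domain))

    verdict = "auto_closed" if (domain in TRUSTED_SENDER_DOMAINS and not findings) else "escalate"
    return {
        "verdict": verdict,
        "subject": str(msg.get("Subject", "")),
        "sender_domain": domain,
        "auth": auth,
        "link_domains": link_domains,
        "findings": findings,
    }


# Constructed sample reports (not real mail).
NEWSLETTER = """\
From: IT Communications <it-comms@example.com>
To: user@example.com
Subject: Monthly IT newsletter
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Read this month's update at https://intranet.example.com/newsletter/2019-10
"""

LOOKALIKE = """\
From: IT Helpdesk <helpdesk@examp1e.com>
To: user@example.com
Subject: Password expires today
Authentication-Results: mx.example.com; spf=softfail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at https://sso-example-reset.xyz/login now.
"""

if __name__ == "__main__":
    for report in (NEWSLETTER, LOOKALIKE):
        case = triage(report)
        print(case["verdict"], "|", case["subject"], "|", "; ".join(case["findings"]) or "no findings")
```

Run as a script it auto-closes the newsletter and escalates the lookalike-domain message with both findings attached, which is the point of the playbook: the analyst opens a case that already states why it was escalated instead of starting from a bare "user reported phishing" alert. The allowlist plus authentication check is what keeps the internal newsletter out of the queue; neither condition alone is enough, since a spoofed From: on a trusted domain fails authentication and a trusted sender whose account was compromised still gets escalated if its links leave the domain.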


What will 2020 bring in terms of security operations? We look forward to finding out. But to move forward, it’s always important to understand where we are now. To download your complimentary copy of the 2019 SANS SOC Survey, click here.

Dan Kaplan is director of content and communications at Siemplify.