SOC Best Practices – 2019

The SANS Institute released its 2019 SOC Survey report – Common and Best Practices for Security Operations Centers – earlier this month. The survey was designed to “provide objective data to security leaders and practitioners who are looking to establish a SOC or optimize their existing SOCs”. The average size of the SOC teams represented in the survey was 10, with a majority of the respondents based either in North America or Europe, and drawn predominantly from the cybersecurity industry, followed by government, banking and finance, technology, and a few others.

Defining a Security Operations Center

SOC teams, in general (both in-house and external), handle a long and varied list of operations including, at the very least, incident response, security monitoring and detection, data protection and monitoring, and security administration and remediation. The 2018 SANS SOC survey report defined a Security Operations Center as “a combination of people, processes and technology protecting the information systems of an organization through: proactive design and configuration, ongoing monitoring of system state, detection of unintended actions or undesirable state, and minimizing damage from unwanted effects.” This year’s report reiterates that “the ability to identify and respond to issues is the key aspect of the SOC and is frequently an internal capability.”

Technology favored by survey respondents

The 2019 survey finds that artificial intelligence and security automation are failing to live up to their promise in the real world, with most security professionals who were surveyed being less than happy with the performance of the AI / ML solutions they had adopted. On the other hand, perimeter security, which is often given short shrift in current security-related discussions, continues to deliver solid, consistent results. A number of traditional perimeter protection tools like VPN / access control, web proxy, next-generation firewall and ingress filtering were rated highly by survey respondents. Among identification and SIEM tool functionalities, log management was rated the most effective, followed by asset discovery and inventory, and risk analysis and assessment. In the detection and response categories, network-based detection tools and DDoS filtering devices received the highest satisfaction ratings.

Biggest obstacles

As regards the hurdles faced by SOC teams, a lack of skilled staff is still considered by most to be the biggest obstacle to effective SOC performance, with a lack of automation and orchestration a close second. Other significant challenges include too many unintegrated tools, lack of management support, lack of processes and playbooks, and a lack of enterprise-wide visibility. “Technology is often looked at as a way to overcome obstacles, but it is considered a problem itself when it doesn’t solve them.” A number of respondents considered overhyped technologies (specifically automation and AI) ineffective, at least for now, with their ability to solve staff shortage problems exaggerated in mainstream IT media.

Action items

Moving forward, the report says, security leaders’ focus should be on better communication between IT security and business teams and building good use cases to clearly explain how the business benefits from the services of the Security Operations Center. Another important action item is finding ways to retain good employees, which can vastly improve the overall performance of a SOC. There are a few ways to accomplish this, including involving analysts in use case and detection development, providing career growth, and enabling regular rotation opportunities to keep people learning. “The best of both worlds is a stable team that has taken the time to document the processes used, shortening the training time for new employees, making the typical surge staffing during emergencies more effective and reducing the disruption of unplanned staff leaves”.