C-level executives are engaging more frequently in incident response and threat hunting
- Published: Tuesday, 18 June 2019 07:12
Exabeam has released its annual ‘State of the SOC’ report, identifying shifting roles and responsibilities as one of the most pressing challenges for security operations centre (SOC) managers. As an example of this shift, C-suite executives are doing more in incident response and threat hunting, while frontline employees are completing fewer operational tasks. As in last year’s report, SOC staffing remains an issue, as do processes such as reporting and documentation, along with alert fatigue and false positives.
The survey sought the opinions of IT professionals in the US and UK, with management responsibilities in operations and security. Common roles targeted were CIO/CISO, SOC manager or frontline employee, such as threat researchers, security architects, engineers, analysts and risk officers.
Interestingly, only 5 percent of respondents reported seeing 100 percent of events in their security information and event management (SIEM) system. In fact, keeping up with security alerts was the largest pain point reported by SOC personnel (39 percent). The top reason cited for this pain was the inability of legacy applications to log events. Without full visibility into events across the enterprise, SOC managers are more likely to miss security alerts, leaving the organisation more exposed to cyberattacks.
Other key findings:
- A third of respondents feel their SOC is understaffed by as many as 6-10 employees;
- The importance of soft skills, like communication, is growing: 65 percent of respondents say personal and social skills play a critical role in the success of a SOC, and employees’ actual abilities in these areas are also improving;
- Hard skills have increased in importance: threat hunting is up 7 points to 69 percent, while data loss prevention jumped 8 points to 75 percent;
- SOC effectiveness remained unchanged year-on-year, with US SOCs reporting significantly more ability to monitor and review events (71 percent) than their UK counterparts (54 percent). Smaller SOCs with fewer than 24 members reported an increase in effectiveness at ‘responding to incidents’ (79 percent). However, a gap has emerged in the perception of the SOC’s ability to perform auto-remediation (54 percent), a 14 percent decrease from 2018 and likely due to SOC personnel’s lack of understanding of the full security picture. Other pain points for them include:
- Reporting/documentation (33 percent), false positives (27 percent) and alert fatigue (24 percent)
- A disparity between CISOs and SOC analysts: about half of CISOs rate incident response (52 percent) and incidents escalated (46 percent) as important, versus 24 percent and 33 percent respectively among SOC analysts
- Nearly 50 percent of understaffed SOCs indicated they don’t have sufficient funding for technology, while respondents of larger SOCs said that despite recent or increased funding for technology, they recommend continued investment in newer, more modern technologies (39 percent).