New SOC research highlights that ‘overconfident security teams’ fail to focus on threat dwell time
- Published: Thursday, 18 June 2020 08:48
Exabeam has released its annual ‘2020 State of the SOC Report,’ examining the processes and effectiveness of corporate security operations centers (SOCs).
This year’s study reveals that 82 percent of SOCs are confident in their ability to detect cyber threats. Exabeam says that this confidence is unfounded, with just 22 percent of frontline workers tracking mean time to detection (MTTD), the metric that helps determine attacker dwell time.
The survey, conducted among 295 respondents across the US, the UK, Canada, Germany and Australia, was also fielded to determine how analysts and SOC management view key aspects of their operations, hiring and staffing, retention, technologies, training and funding.
“From 2018-2019, we learned that dwell time - or, the time between when a compromise first occurs and when it is first detected - has grown. Based on this, it is surprising for SOCs to report such inflated confidence in detecting cyber threats,” said Steve Moore, chief security strategist at Exabeam. “We see great progress in the SOC with attention paid to employee well-being, measures for better communication and more. However, disparate perceptions of the SOCs’ effectiveness could be dangerously interpreted by the C-suite as assurances that the company is well-protected and secure, when it’s not.”
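Tracking MTTD, as the report urges, is straightforward once each incident records when the compromise first occurred and when the SOC first detected it. The following Python example is added here and is not part of the Exabeam report; the incident records are constructed sample data, and it also reports the median and maximum alongside the mean, since a single long-dwell incident can hide behind an average.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean, median
from typing import Optional


def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as '2020-05-01T02:00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Incident:
    incident_id: str
    first_compromise: datetime            # earliest evidence of attacker activity (from forensics)
    first_detected: Optional[datetime]    # when the SOC first flagged it; None if still undetected


def dwell_time_hours(inc: Incident) -> Optional[float]:
    """Dwell time = first detection minus first compromise, in hours (None if undetected)."""
    if inc.first_detected is None:
        return None
    if inc.first_detected < inc.first_compromise:
        # A detection timestamp earlier than the compromise means the timeline is wrong;
        # refuse to produce a negative dwell time that would flatter the metric.
        raise ValueError(f"{inc.incident_id}: detection precedes compromise timestamp")
    return (inc.first_detected - inc.first_compromise).total_seconds() / 3600


def mttd_report(incidents: list) -> dict:
    """Mean/median/max dwell time over detected incidents, plus a count of open ones."""
    dwell = [d for d in (dwell_time_hours(i) for i in incidents) if d is not None]
    undetected = sum(1 for i in incidents if i.first_detected is None)
    if not dwell:
        return {"mttd_hours": None, "median_hours": None, "max_hours": None,
                "detected": 0, "undetected": undetected}
    return {"mttd_hours": mean(dwell), "median_hours": median(dwell),
            "max_hours": max(dwell), "detected": len(dwell), "undetected": undetected}


# Constructed sample incidents (hypothetical IDs and times, not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-0001", ts("2020-05-01T02:00:00Z"), ts("2020-05-01T14:00:00Z")),  # 12 h
    Incident("INC-0002", ts("2020-04-20T09:00:00Z"), ts("2020-05-02T09:00:00Z")),  # 288 h (12 days)
    Incident("INC-0003", ts("2020-05-10T10:30:00Z"), ts("2020-05-10T16:30:00Z")),  # 6 h
    Incident("INC-0004", ts("2020-05-12T00:00:00Z"), None),                       # still undetected
]

if __name__ == "__main__":
    print(mttd_report(SAMPLE_INCIDENTS))
```

On the sample data the mean dwell time is 102 hours while the median is 12, which is why the median and the longest open incident belong on the same dashboard as MTTD.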
Highlighting the imbalance, says Exabeam, is that SOC leaders and frontline analysts do not agree on the most common threats facing the organization. SOC leaders believe that phishing and supply chain vulnerabilities are more important issues, while analysts see DDoS attacks and ransomware as greater threats.
Small and medium-sized teams in particular are more concerned with downtime or business outage (50 percent) than with threat hunting as an operational metric, yet threat hunting stands out as a must-have hard skill (61 percent).
Other prominent findings include:
- SOC outsourcing in the US has declined year-on-year (36 percent to 28 percent).
- UK outsourcing had a year-on-year increase (36 percent to 47 percent).
- Germany reported 47 percent outsourcing, primarily of threat intelligence services.
- Australian SOCs struggle in most categories and need improvement in technology updates, monitoring events and responding to/analyzing incidents.
In general, monitoring and analytics, access management and logging are higher priorities this year for all SOC roles.
- More than half of SOCs were found to log at least 40 percent of events in a SIEM.
- The UK utilises logging the most, compared with its geographic counterparts.
- SOCs are least able (35 percent) to create content, i.e. to write detection logic and to validate, tune and report on it.
To support this, most SOCs expect to see security orchestration, automation and response (SOAR) tools take precedence over other technologies in upcoming years.