New SOC research highlights that ‘overconfident security teams’ fail to focus on threat dwell time

Published: Thursday, 18 June 2020 08:48

Exabeam has released its annual ‘2020 State of the SOC Report,’ examining the processes and effectiveness of corporate security operations centers (SOCs).

This year’s study reveals that 82 percent of SOCs are confident in their ability to detect cyber threats. Exabeam says that this confidence is unfounded, since just 22 percent of frontline workers track mean time to detection (MTTD), the metric that helps determine attacker dwell time.
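To make the relationship between MTTD and dwell time concrete, the following is an added example (not from the report or from Exabeam) that computes per-incident dwell time and MTTD over constructed incident records; it leaves out incidents that have not yet been detected and reports the median and maximum next to the mean, because a single long-lived intrusion skews the average.

```python
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional

# Constructed sample incident records (not survey data). "compromise" is the
# earliest evidence of attacker presence found during the investigation,
# "detected" is when the SOC first opened a case. None = not detected yet.
INCIDENTS = [
    {"id": "INC-1", "compromise": "2020-03-01T02:15:00", "detected": "2020-03-03T09:40:00"},
    {"id": "INC-2", "compromise": "2020-03-10T18:00:00", "detected": "2020-03-10T18:30:00"},
    {"id": "INC-3", "compromise": "2020-02-20T11:00:00", "detected": "2020-04-01T08:00:00"},
    {"id": "INC-4", "compromise": "2020-04-05T07:00:00", "detected": None},
]


def dwell_time(incident: dict) -> Optional[timedelta]:
    """Dwell time of one incident: first detection minus first compromise.

    Returns None when the incident is still undetected or the compromise
    time is unknown, so it is excluded from MTTD rather than counted as zero.
    """
    if not incident.get("compromise") or not incident.get("detected"):
        return None
    compromised = datetime.fromisoformat(incident["compromise"])
    detected = datetime.fromisoformat(incident["detected"])
    if detected < compromised:
        raise ValueError(f"{incident['id']}: detection precedes compromise")
    return detected - compromised


def mttd_report(incidents: list) -> dict:
    """MTTD (mean dwell time in hours) plus the distribution a SOC should
    review alongside it. 'excluded' counts incidents with no dwell time yet,
    which is itself a number worth tracking: it is the undetected backlog."""
    measured = [d for d in (dwell_time(i) for i in incidents) if d is not None]
    hours = [d.total_seconds() / 3600 for d in measured]
    return {
        "measured": len(measured),
        "excluded": len(incidents) - len(measured),
        "mttd_hours": round(mean(hours), 2) if hours else None,
        "median_hours": round(median(hours), 2) if hours else None,
        "max_hours": round(max(hours), 2) if hours else None,
    }


if __name__ == "__main__":
    print(mttd_report(INCIDENTS))
```

On the constructed records the mean (345.64 h) is six times the median (55.42 h) because of one 41-day intrusion, which is exactly why MTTD alone is a misleading confidence measure.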

The survey, conducted among 295 respondents across the US, the UK, Canada, Germany and Australia, was also fielded to determine how analysts and SOC management view key aspects of their operations, hiring and staffing, retention, technologies, training and funding.

“From 2018-2019, we learned that dwell time - or, the time between when a compromise first occurs and when it is first detected - has grown. Based on this, it is surprising for SOCs to report such inflated confidence in detecting cyber threats,” said Steve Moore, chief security strategist at Exabeam. “We see great progress in the SOC with attention paid to employee well-being, measures for better communication and more. However, disparate perceptions of the SOCs’ effectiveness could be dangerously interpreted by the C-suite as assurances that the company is well-protected and secure, when it’s not.”

Exabeam says the imbalance is highlighted by the fact that SOC leaders and frontline analysts do not agree on the most common threats facing the organization. SOC leaders rank phishing and supply chain vulnerabilities as the more important issues, while analysts see DDoS attacks and ransomware as the greater threats.

Technology trends

Small- and medium-sized teams in particular prioritize downtime or business outage (50 percent) over threat hunting as an operational metric, yet threat hunting stands out as a must-have hard skill (61 percent).

Other prominent findings include:

In general, monitoring and analytics, access management and logging are higher priorities this year for all SOC roles.

To support this, most SOCs expect security orchestration, automation and response (SOAR) tools to take precedence over other technologies in upcoming years.
