A security operations center is an essential part of an organization's threat containment strategy. As the Nemertes 2019-2020 Cloud and Cybersecurity Research Study found, having a SOC was associated with a 43% improvement in the ability to contain threats. Eight SOC challenges can occur with people, processes and technologies, no matter if the SOC is managed internally or externally.
The people problem
SOCs can have significant obstacles to overcome related to people. The three big issues are the following:
- staff shortage
- skills shortage
- knowledge shortage
Challenge 1. Staffing shortage
Complaints about the difficulty of finding trained, experienced personnel are longstanding in security. The rapid shift to new operating modes, cloud infrastructures and cloud-native application architectures have only exacerbated the problem. If only a small percentage of enterprise applications are delivered using serverless platforms, how likely is it that a company taking a mission-critical system serverless will be able to find -- and afford -- SOC staff with relevant knowledge and experience?
Challenge 2. Skills shortage
Skills shortages are also a problem. When an organization can't hire to fill a gap in the security skills portfolio, existing staff is left to fill the gap. They step up but not without problems. For instance, if a SOC team cannot use monitoring and management tools expertly to intervene in threats effectively, slower responses and failed responses are likely to result. Slowed responses result from staff finding their way to the right functions to diagnose incidents and then to intervene. Failed responses result from staff either missing indicators the tool presented or missing parts of the interventions necessary to stop an attack.
Challenge 3. Knowledge shortage
Knowledge shortage is closely related to skills shortage. Even those well versed in working all the systems management tools can fail if they know too little about the systems environment being protected. Knowing too little results in failure to recognize problems as such or an increased chance of inappropriate responses to nonexistent problems. SOC teams will experience more false positive responses and more false negative responses and waste time chasing them down. Ultimately, staff will fail to respond to real attacks.
The process problem
On the process side, which includes budgeting, SOCs face two major problems:
- process latency
- budget allocated on the wrong basis
Challenge 4. Process latency
Process latency has two faces: the systems and the human. The systems face of process latency is that SOC processes don't evolve fast enough to deal with shifts in the systems environment the SOC is monitoring. The human face is that both environments and processes evolve faster than people's understanding of them. So, processes lag the environment, and people lag the processes.
Consequently, SOC processes are not the comprehensive framework for action they should be. Scarce staff time is spent improvising and patching together new processes, which results in slow and incomplete response to problems. And, because many ad hoc processes ultimately have to be discarded and unlearned, they incur a double waste of scarce staff attention.
Challenge 5. Budget allocated on the wrong basis
Regarding budgeting, Nemertes has seen in its research that too many IT organizations do not base security budgeting on risk. Instead, they peg security spending to some percentage of overall IT spend or some peer benchmark of spending. Those that do budget based on risk -- the intersection of incident probability with the magnitude of resulting damage -- are more successful in securing their enterprises because they focus on mitigating the threats with the greatest potential for damage, rather than simply a high likelihood of damage occurring.
The technology problem
Technology also creates challenges for SOC teams. The chief three issues are the following:
- lack of adequate tooling
- inadequate analytics and filtering
- lack of automation and integration
Challenge 6. Lack of adequate tooling
Lack of adequate tools for monitoring and management is an all-too-frequent result of rapid shifts in the systems environment being monitored. Systems lifted and shifted from a data center into a cloud environment may need new security tools as well. Applications developed and deployed in containers need protection, but the SOC may not have any tools giving them visibility into those systems or any means of intervening in that environment.
Challenge 7. Inadequate analytics and filtering
Analytics and filtering are necessary tools for a SOC, but they often are inadequate. Throwing a mind-numbing flood of false positive security alerts in the faces of those in the SOC -- especially when staff attention is the scarcest resource in IT -- is an incredibly damaging problem. Tools that do a much better job of recognizing the false positives, weeding out duplicates and correlating alerts across systems to assist in threat detection will be crucial to limiting alert fatigue and to creating and maintaining sustainable SOC operations.
Challenge 8. Lack of automation and integration
Similarly, turning the human in the SOC seat into the point of integration across systems -- aka swivel-chair integration -- invites human error. By locking staff into repetitive tasks as they instantiate standard response workflows to security incidents, organizations increase staff exhaustion and burnout and limit incident response speed to human scales: staff perception time plus staff comprehension time plus staff response time. Automation and integration are essential to avoid these issues.
Circumstances will continue to demonstrate a need for a SOC, but IT must address these eight challenges -- or work with a provider if the SOC is outsourced -- to make sure the enterprise is optimally protected.