The average security operations center (SOC) requires a minimum of 15 headcount. However, the vast majority of organizations require even more resources to effectively monitor, detect, and respond to security events on a 24/7 basis. This need often goes unmet due to budget constraints or a lack of board-level metrics that can show the security return on investment (ROI).
So, do you need more headcount for your SOC? Yes, you do. But the solution is not to merely hire more people to reach your capability goals – you must strategically leverage third-party services.
In this article, we will lift the lid on current SOC challenges and future objectives, and explore recommendations for deploying a successful SOC program.
The modern threat landscape is continually evolving. Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. Because of these disparate mitigations, organizations are becoming increasingly vulnerable to malicious events.
Increased ransomware activity, spearphishing campaigns, credential theft and account takeover, and vulnerability exploitation leave today’s security operations center (SOC) under siege from attackers and overabundant alerts. These obstacles overwhelm the efficiency and productivity of security operations teams in large organizations – those with more than 10,000 employees. And in a recent survey, nearly all organizations (99%) reported that alert volume is creating problems for the security team, while 93% are unable to address all alerts the same day.
Increased security alerts aren’t the only security concern for organizations. In conjunction with juggling business, compliance, and consumer obligations, almost all organizations believe they can benefit from having additional staffing in key security functions, including attack detection and analysis (63%); incident response (57%); and security awareness training (57%). But 61% of survey respondents indicated that their cybersecurity teams are understaffed, while 31% said that human resources (HR) regularly understands their cybersecurity hiring needs.
In tandem with the growing cybersecurity skills gap, security teams are understaffed and overworked. So where do we go from here? We build an attainable strategy that improves your SOC’s throughput, enables risk management, and enhances threat detection and response.
A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Security operations must provide several fundamental functions, including:
The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Enterprise organizations require various SOC functions depending on their sector, geography, risk appetite, capabilities, size, and maturity; there is no one-size-fits-all approach to SOC staffing. To appropriately evaluate their needs, SOC managers should:
To arm their organization with necessary defenses, security leaders must collaborate with stakeholders to build and deploy a security operations strategy. A successful security operations strategy improves visibility into immediate threats in the environment; increases operational collaboration between prevention, detection, analysis, and response efforts; advances the organization's security posture; and improves communications with executives about relevant security risks to the business.
To keep up with the current state of the cybersecurity threat landscape, SOC managers should consider:
Striking the fine balance between people, processes, and technology within the SOC is a tall order. In conjunction with the above considerations, Stratascale recommends leveraging the following table to assess which SOC functionalities (i.e., threat intelligence, threat hunting, detection and response, automation, endpoint monitoring, etc.) should be kept in-house or outsourced:
Given the recent increase in cyberattacks and data exposure, and the shift to a hybrid workforce, many organizations have enlisted the help of external providers. Additionally, organizations are actively adopting multifunction SOCs. This model broadens the scope of the SOC's responsibilities to include incident response, threat intelligence, and threat hunting, as well as bolstering protections around OT and IoT.
Security leaders face a tremendous challenge to protect and secure their data, applications, and assets. While additional SOC headcount may be the answer for some organizations, we recommend that security leaders also consider the following:
Managed Services. As security teams’ roles and responsibilities continue to evolve, and the cybersecurity skills gap continues to expand, security leaders should consider enlisting the help of an MSSP. Researchers found that, “almost nine in 10 organizations use a managed security service provider for at least one security function. The most commonly outsourced security functions include monitoring and managing SIEM systems, vulnerability scanning, and log monitoring and analysis.”
Security Orchestration, Automation, and Response (SOAR) tools. To offload time-consuming and low-level tasks, security managers should also consider implementing SOAR tools. Ponemon found that “fully deployed security automation helped companies reduce the lifecycle of a data breach by 74 days compared to companies with no security automation deployment.” Automating your security processes enables security staff to focus on more complex projects or responsibilities.
Whether you're looking to expand capabilities in specific areas or mature your security posture overall, Stratascale can help you improve your organization's SOC program and strategy. This will enable you to address today's cyber risk issues while also preparing for tomorrow's challenges.
Kacey Clark investigated offensive security methods and trends, defensive strategies, and security solution technologies.