The SOC Paradox: Do you Need More Headcount for Your Security Team?
The average security operations center (SOC) requires a minimum of 15 headcount. However, the vast majority of organizations require even more resources to effectively monitor, detect, and respond to security events on a 24/7 basis. This issue is often left unmet due to budget constraints or a lack of board-level metrics that can show the security return on investment (ROI).
So, do you need more headcount for your SOC? Yes, you do. But the solution is not to merely hire more people to reach your capability goals – you must strategically leverage third-party services.
In this article, we will lift the lid on current SOC challenges and future objectives, and explore recommendations for deploying a successful SOC program.
Today’s SOC Faces an Unmanageable Workload
The modern threat landscape is continually evolving. Current security practices are disjointed, operating independently with a wide variety of processes and tools to conduct incident response, network defense, and threat analysis. Because of these disparate mitigations, organizations are becoming increasingly vulnerable to malicious events.
Increased ransomware activity, spearphishing campaigns, credential theft and account takeover, and vulnerability exploitation leave today’s security operations center (SOC) under siege from both attackers and an overabundance of alerts. These obstacles undermine the efficiency and productivity of security operations teams in large organizations – those with more than 10,000 employees. In a recent survey, nearly all organizations (99%) reported that alert volume is creating problems for the security team, while 93% are unable to address all alerts the same day.
Increased security alerts aren’t the only security concern for organizations. In conjunction with juggling business, compliance, and consumer obligations, almost all organizations believe they can benefit from having additional staffing in key security functions, including attack detection and analysis (63%); incident response (57%); and security awareness training (57%). But 61% of survey respondents indicated that their cybersecurity teams are understaffed, while 31% said that human resources (HR) regularly understands their cybersecurity hiring needs.
In tandem with the growing cybersecurity skills gap, security teams are understaffed and overworked. So where do we go from here? We build an attainable strategy that improves your SOC’s throughput, enables risk management, and enhances threat detection and response.
Security Operations is no Longer a Center, but a Strategy
A reactive security operations program is no longer an option. The increasing sophistication of threats demands a streamlined yet adaptable mitigation and remediation process. Security operations must provide several fundamental functions, including:
- Real-time monitoring, detecting, and triaging of data from both internal and external sources.
- In-depth analysis of indicators and incidents, leveraging malware analysis, correlation and rule tweaking, and forensics and eDiscovery techniques.
- Vulnerability patch management and network and host scanning.
- Incident response, remediation, and reporting; information and intelligence must be disseminated to relevant stakeholders as part of security operations.
- Comprehensive logging and ticketing capabilities that document and communicate events throughout the threat collaboration environment.
- Tuning and tweaking of technologies to ingest collected data and enhance the analysis process.
- Enhancement of overall organizational situational awareness by tracking and reporting on security trends, escalating incidents, and sharing adversary tactics, techniques, and procedures (TTPs).
The need for a physical security hub has evolved into the virtual fusion of prevention, detection, analysis, and response efforts. When all four functions operate as a unified process, your organization will be able to proactively combat changes in the threat landscape.
Enterprise organizations require different SOC functions depending on their sector, geography, risk appetite, capabilities, size, and maturity; there is no one-size-fits-all approach to SOC staffing. To appropriately evaluate their needs, SOC managers should:
- Enhance their security program by implementing and streamlining next-generation security operations processes.
- Improve organizational situational awareness by collaborating with core threat teams, enriching internal security events with external threat intelligence, and enhancing security controls.
- Develop a comprehensive threat analysis and dissemination process to align people, process, and technology to scale security to threats.
- Identify the appropriate technological and infrastructure-based sourcing decisions.
- Design a step-by-step security operations implementation or improvement process.
- Build a measurement program that actively evaluates program effectiveness for continuous improvement.
Assessing Your In-House and Third-Party Needs
To arm their organization with necessary defenses, security leaders must collaborate with stakeholders to build and deploy a security operations strategy. A successful security operations strategy improves visibility into immediate threats in the environment; increases operational collaboration between prevention, detection, analysis, and response efforts; advances the organization’s security posture; and improves communications with executives about relevant security risks to the business.
To keep up with the current state of the cybersecurity threat landscape, SOC managers should consider:
- Constructing a SOC operating strategy that incorporates existing risks and threats, as well as business goals and threat identification and response use cases.
- Obtaining a managed detection and response (MDR) service to offset the cost of 24/7 SOC operations while mitigating coverage and talent shortages.
- As needed, expanding the SOC’s capabilities to include more than just SIEM solutions to provide insight into all aspects of the business. This includes environments in IT, operational technology (OT), and internet of things (IoT).
- Extending SOC activities to include threat detection and response, as well as proactive threat hunting and threat intelligence in addition to reactive incident monitoring.
- Improving automation and orchestration capabilities to programmatically detect, investigate, and remediate security events. This can offset tedious tasks and enable security teams to focus on larger or more pressing projects.
Striking the fine balance between people, processes, and technology within the SOC is a tall order. In conjunction with the above considerations, Stratascale recommends leveraging the following table to assess which SOC functions (i.e., threat intelligence, threat hunting, detection and response, automation, endpoint monitoring, etc.) should be kept in-house or outsourced:
More Headcount is not the End-All Be-All to SOC Success
Given the recent increase in cyberattacks and data exposure, and the shift to a hybrid workforce, many organizations have enlisted the help of external providers. Additionally, organizations are actively adopting multifunction SOCs. This model broadens the scope of the SOC’s responsibilities to include incident response, threat intelligence, and threat hunting, as well as bolstering protections around OT and IoT.
Security leaders face a tremendous challenge to protect and secure their data, applications, and assets. While additional SOC headcount may be the answer for some organizations, we recommend that security leaders also consider the following:
Managed Services. As security teams’ roles and responsibilities continue to evolve, and the cybersecurity skills gap continues to widen, security leaders should consider enlisting the help of a managed security service provider (MSSP). Researchers found that, “almost nine in 10 organizations use a managed security service provider for at least one security function. The most commonly outsourced security functions include monitoring and managing SIEM systems, vulnerability scanning, and log monitoring and analysis.”
Security Orchestration, Automation, and Response (SOAR) tools. To offload time-consuming and low-level tasks, security managers should also consider implementing SOAR tools. Ponemon found that “fully deployed security automation helped companies reduce the lifecycle of a data breach by 74 days compared to companies with no security automation deployment.” Automating your security processes enables security staff to focus on more complex projects or responsibilities.
Whether you’re looking to expand capabilities in specific areas or mature your security posture overall, Stratascale can help you improve your organization’s SOC program and strategy. This will enable you to address today’s cyber risk issues while also preparing for tomorrow’s challenges.