Blog Post

New Cybersecurity Research: A Confidence Gap in the SOC

In today’s ever-changing cyber threat climate, attackers are increasingly using non-malware-based threats and blending in with normal business activity. In this environment, Security Operations Centers (SOCs) and the tools at analysts’ disposal have never been more important.

Thankfully (? 😊), a slew of cybersecurity tools and processes emerged to help security analysts bolster their SOCs, and many organizations are taking full advantage, with global cybersecurity spending already exceeding $100 billion annually.

But with so much capital being devoted to cybersecurity initiatives, why are attacks still so prevalent? Furthermore, why are they still so costly and difficult to detect? And what’s the general attitude of security professionals about the state cyber defense?

To get to the bottom of these questions, we surveyed 300 cybersecurity professionals to assess just how effective their existing tools really are at helping them detect and investigate cyber threats. We supplemented our findings with additional research from the SANS Institute, and derived four key conclusions:

  • Emotions are running high: Survey respondents who don’t have security investigation tools in place at their organizations were twice as likely to feel worried, stressed, and overwhelmed compared to those who do have the right tools. For those with the right tools in place, “manageable” was the top-reported emotion.
  • Confidence is fleeting: Nearly two thirds (61%) of respondents said they have the technology and processes in place to effectively investigate threats, however, when asked about the most urgent issues, 51% said they can’t stay ahead of new and emerging threats. Also, 56% indicated they are seeking new tools to address the fact that they can’t stay ahead of threats with their current tools.
  • Critical blind spots remain: Respondents proved they continue to have difficulty seeing the full picture of their SOC. For instance, when asked to rank different categories of security tools, guess what finished at the bottom of the list? Asset discovery and inventory. This is compounded by that fact that SOCs and Network Operations Centers (NOCs) appear to be disjointed. In fact, very few who have a NOC (just 14%) reported having fully-integrated functions and workflows with their organization’s SOC.
  • Too much manual effort is not helping: Respondents admitted to relying on time- and resource-intensive methods for detecting new threats, with 73% reporting a single alert investigation can take hours or even days. 33% said they had to take more than 10 steps for every alert, and 53% said they use three or more data sources to get to the bottom of an investigation. In part, this can be attributed to the fact that most event correlation is still being conducted manually within SIEM and big data products. And needless to say, this leads to a bad outcome: 54% of respondents said critical alerts go completely uninvestigated and that 30% of their alerts that have been prioritized never get investigated.

To access the full Awake and SANS survey findings, and to learn more about how Awake Security’s Network Detection and Response Platform is addressing the key challenges currently plaguing security analysts and their organizations, please download the Top 4 Roadblocks to SOC Productivity white paper.

Rudolph Araujo
Rudolph Araujo

VP, Marketing