Blog Post

SANS SOC Survey: What’s Missing from the SOC Toolbelt?

We recently joined forces with the SANS Institute for a survey giving insight into what security operations centers (SOCs) look like across the globe, what makes them succeed and what challenges they’re facing. Interestingly, beyond the well-documented skills crisis in cybersecurity, the SANS survey uncovered several technology-related issues that are contributing to the security gap by decreasing visibility and creating roadblocks for those tasked with protecting their organizations.

Ineffective Asset and Inventory Tools

SANS SOC survey visibility challenges
Visibility is a top security challenge for organizations. Security analysts can’t protect what they don’t know is there, so having access to current and accurate hardware and software inventory is key. Unfortunately, the survey found that the majority, about 60% of respondents, have insight into less than 75% of their assets.

soc dissatisfaction asset discovery
This isn’t for lack of trying – asset discovery and inventory tools got an “F” from respondents, with only 59% satisfaction rating. This indicates an enormous problem with currently used products.

Ineffective Automation Technologies

Automation technologies are also currently failing SOC teams. Despite the influx of SIEM and big data products, most event correlation continues to be manual. In fact, 53% of respondents reported that inadequate automation/orchestration is one of the biggest challenges they face.
entityIQ device profile
Meaningful event correlation has the potential to put the right information at the analyst’s fingertips, dramatically reducing the time it takes for them to resolve an alert. The difficulty is that the role of a security analyst requires a large amount of background knowledge and adjacent expertise to derive actionable insights from the data collected into SIEMs and other security tools. Further, human behavioral and institutional context is then necessary to decide that something is unauthorized or to determine the risk to the organization. To put it more concretely, it is one thing to know the threat affects, it’s another to know instantly that this is Connor’s laptop and he is a VIP with access to sensitive data.

Skills Crisis or Tech Crisis?

These visibility and automation challenges are being compounded because the products and tools that we use are focused on point problems – not the on-the-ground reality of workflows.

To begin with, security team sizes are small. Well over 1 in 4 respondents (29%) reported that they have “informal/not defined” SOCs. Even for those with a SOC, nearly a third (31%) are staffed with just 2–5 people and another third (36%) have just 6-25 personnel. Security professionals may know what needs to be done but finding the “best / most efficient” solution for the problem (while keeping up with the day-to-day reality of threats) is difficult with a streamlined team.

This problem is being exacerbated by tools that set the bar too high, requiring expertise just to organize data so humans can derive insights. While security practitioners have tools, “too many tools that are not integrated” was one of the most common SOC challenges, cited by 48% of respondents. Organizations are therefore left to rely on small security teams to do much of the comparison and correlation of data manually, rather than having tools that can institutionalize this procedural knowledge and eliminate the grunt work.

All of this raises the question: Are we short of people, or are we just doing a poor job of enabling the people we have to be effective?

Addressing the Underlying Challenges

These problems are where we at Awake Security have focused our efforts. Working with security teams in real-world organizations and scenarios, we’re creating technology that performs network traffic analysis to address the ongoing challenges that analysts face with existing tools. We’re helping organizations:

  • Understand what they have. Rather than relying on the accuracy of asset inventory sheets, our technology constantly monitors and watches for entities (devices, users, applications etc.) on your network. We help analysts quickly understand whether devices are new or just moving across the network and streamline analysis of those devices in real time.
  • Look for attacker playbooks. queryIQ attacker TTP discovery Gone are the days of Zeus where you could easily look for malware and other threats. New threat behaviors are continuously emerging and they blend in with regular, business justified activity. Today they are discovered through experts investing time to search for these specific needles in a haystack of other needles. Awake detects those attacker TTPs bringing these “advanced” capabilities to all organizations.
  • Automate hunting. detectIQ entity threat timelineThreat detection used to be possible with signatures, then heuristics, and now machine learning, in some regard. But today, forensic detection that mirrors a human expert is a must. Awake autonomously gathers and correlates information in the same way an analyst would, putting all of the vital information at human analysts’ fingertips for higher-level decision making, investigation and hunting.

If you’re interested in seeing the full results of the SANS 2018 Security Operations Center Survey, you can download a copy of the report here. You can also listen to an archived version of our webinar on the survey here.


If you liked what you just read, subscribe to hear about our threat research and security analysis.

Rudolph Araujo
Rudolph Araujo

VP, Security Strategy, Business Development and Marketing