The state of the SOC: skills shortages, automation and gaining context remain a challenge for SOCs

Written by Antony Perridge, VP International, ThreatQuotient

The security operations centre (SOC) has been on the front line facing the pandemic-induced escalation of cybersecurity threats in the past eighteen months. A 2020 study by Forrester found that the average security operations team receives more than 11,000 alerts per day and that figure is likely to have grown in the intervening period. While they were deeply engaged responding to the crisis, SOC teams were simultaneously facing the disruption common to all formerly office-based workers. They were switching to remote working and learning how to continue collaborating successfully with colleagues at a distance.

As SOCs take stock of the changes and challenges of the past year, it is an opportune moment to explore some of the factors that characterise the modern SOC and the common issues experienced in this crucial sector. The SANS 2021 Survey: Security Operations Center (SOC)  does just that in its fifth annual survey. By collecting and analysing the views of security analysts and team managers across a broad spectrum of industry sectors, the study draws insight across a range of issues. It is a valuable benchmark for SOCs who wish to compare their approach and actions with others in the industry.

Several findings stood out for me as priorities as we aim to equip SOCs for the future.

The cybersecurity skills shortage continues to bite

It’s not new, but it is a continuing issue: the number one barrier preventing full utilisation of a SOC’s capabilities is a lack of skilled staff. With a typical team numbering between two and ten full time equivalent employees, it seems that within this mix organisations would still like more human resources devoted to SOC activities, and also the acquisition of additional skills by existing staff.

Supporting in-house skills development should be a key priority for SOC leaders as it doesn’t just improve SOC performance, it also encourages staff to remain with the organisation for the long term. The most common tenure for a SOC analyst is between one and three years and the report found that training opportunities and career development are the key factors encouraging employees to remain with an organisation.

There are further benefits to growing your own expertise. The report found that the top “missing skill” in teams was threat hunting experience, something that can be costly to bring in from outside. It also noted that threat hunting and intelligence monitoring are the activities most commonly outsourced by the SOC. Yet these are two areas where intimate knowledge of internal systems and infrastructure considerably improves effectiveness. If analysts are given the opportunity to acquire these skills and supported with tools that lift the burden of intelligence assimilation, this will amount to a double benefit for the business: they retain key staff and build stronger internal capability in the areas that would most benefit.

Work from home becomes the norm

Linked to the challenge of staff retention are changes to the work environment. Unsurprisingly, 87% of those surveyed said that working from home was permitted in their organisation. It may have raised some issues around how to collaborate effectively, but the general success of remote working has liberated SOC analysts. Where previously they may have looked for employment within an easy commute, now they can search further afield. This means organisations will have to work harder to attract and retain employees and gives analysts greater leverage over pay and working conditions.

This should lead to greater focus on analyst workload, which is long overdue. Currently, organisations lack an appropriate method of calculating analyst workload with the majority of survey respondents saying their SOC doesn’t calculate it, and the next most common answer being that they use a basic time-per-ticket method. With 83% of SOCs operating 24/7 and the majority of these delivering this capability through in-house resources, managing workload is important to maintain team wellbeing.

As the workforce embarks on the “great resignation”, all the above factors should sound warning bells alerting employers that they need to develop and protect their employees if they want to retain them.

Automation and data context drive efficiency and security improvements

Another efficient way to mitigate the impact of escalating workloads on the SOC is through automation and orchestration, and here teams are also struggling. Automation and orchestration was only just behind skills shortages as the most significant challenge facing SOCs.

When you are short of staff and skills it is critical that mundane, repetitive and low value tasks are automated as far as possible, freeing analysts to focus on higher value activities that reduce time to detection and response and are more individually fulfilling. It also supports teams to meet performance objectives and handle the escalating volume of alerts.

There are some quick wins that can be implemented here. The study cites one respondent that has successfully deployed a portal integrating dozens of data sources which enabled consolidation of information from across the business. This resulted in a reduction in Level 0 to Level 2 response times by 25%.

A number of respondents cited the lack of context related to the data they are seeing as a major barrier to operating an efficient SOC. The SOC of the future will be increasingly data-driven, ingesting information from multiple sources within and outside the enterprise, but data without context or relevance simply overwhelms analysts.

This is a challenge ThreatQuotient has addressed in the latest iteration of our ThreatQ platform. It incorporates a DataLinq Engine for connecting disparate systems and sources to enable XDR, along with Smart Collections for driving automation, plus an enhanced ThreatQ Data Exchange for bi-directional sharing of data, context and threat intelligence. It allows teams to be more thorough in their investigations, collaboration, response and reporting – which is particularly critical in a remote working environment – and results in more efficient, effective operations. The benefits are measurable in terms of time savings and FTEs gained, improved risk management and greater confidence when detecting and responding to an event.

Supporting the SOC of the future

As SOCs look to the next phase, focusing on people, data and the technology that enables the two to work effectively together is key. By balancing automation to allow machine-based support where possible, together with the right tooling for human analysts, SOCs can drive improvements while also keeping analysts engaging and giving them more time to upskill into key areas such as threat hunting.

For more insight from the SANS 2021 Survey: Security Operations Center, visit: