Working in the security operations center (SOC) is becoming more painful because of growing workloads and alert fatigue, according to new research, Improving the Effectiveness of the Security Operations Center, published by the Ponemon Institute and sponsored by Devo Security.
Respondents cited malware (98%), known vulnerabilities (80%), spear-phishing (69%) and insider threats (68%) as the exploits most often identified in the SOC.
“Most respondents rate their SOC’s effectiveness as low and almost half say it is not fully aligned with business needs. Problems such as a lack of visibility into the network and IT infrastructure, a lack of confidence in the ability to find threats and workplace stress on the SOC team are diminishing its effectiveness,” the report said.
In fact, 65% of respondents said that these pain factors would cause them to consider changing careers or leaving their job, and those frustrations exist even in organizations that consider the SOC essential to their cybersecurity strategy, according to the report. SOCs are struggling: most participants ranked their SOC’s effectiveness as low, and nearly half reported that the SOC is not fully aligned with business needs.
As a result of these problems, 78% of respondents say the mean time to resolution (MTTR) can be weeks to months – even years. “Only 22 percent of respondents say resolution can occur within hours or days. Forty-two percent of respondents say the average time to resolve is months or years,” according to the report. Alongside the lack of visibility, threat hunting was ranked as a top challenge.
“Threat hunting teams have a difficult time identifying threats because they have too many IOCs [indicators of compromise] to track, too much internal traffic to compare against IOCs, lack of internal resources and expertise and too many false positives. More than half of respondents (53 percent) rate their SOC’s ability to gather evidence, investigate and find the source of threats as ineffective. The primary reasons are limited visibility into the network traffic, lack of timely remediation, complexity and too many false positives,” the report said.