SOCs are maturing, but need more automation

Security operations centers (SOCs) are growing up, according to a new SANS survey. Respondents indicate the SOC’s primary strengths are flexibility of response and response time, while their biggest weakness is lack of visibility into events.

soc maturity

“Survey results indicate that organizations still can’t detect previously unknown threats, which is a consistent problem across many other SANS surveys,” says SANS Analyst and Instructor Christopher Crowley. “Although the survey indicates that SOCs need more automation, particularly for prevention and detection, it also shows that they are maturing and utilizing a mixture of cloud and internal-based SOC services.”

Today’s SOCs have a broad range of capabilities, with 91% providing prevention capabilities through network IDS/IPS, 86% providing detection capabilities through network IDS/IPS, and 77% providing response capabilities through EDR (endpoint detection and response), to name just the highest-rated capabilities.

Responses indicate that SOCs gather, analyze and react to tremendous amounts of information on a daily basis. The key is making it useful to all SOC-related functions and improving integration with network operations centers (NOCs). Right now, only 32% of respondents report having close integration between their SOC and NOC, with 12% having strong technical integration.

“This lack of integration may, in part, be the variety of architectures respondents’ utilize,” continues Crowley. “There is no doubt that there are clear opportunities to improve security operations, starting with better relationships and coordination with IT operations.”