Interview: The inside word on Exabeam's State of the SOC report

26 Jul 2018

As security operations centres (SOCs) become commonplace amongst businesses across the globe, the cybersecurity professionals responsible for running the centres have a pretty clear idea of what they need.

That’s according to Exabeam’s latest State of the SOC report, which explores UK and US cybersecurity professionals’ views about their work.

Amongst the highlights, the report found that 91% of SOCs have been operating for three years or more, and 55% believe their SOC is sufficiently staffed.

Respondents also rely on outsourcing: 5% outsource their entire SOC, while 95% outsource parts of it. They rely on outsourcing for detection and monitoring, while response and expertise remain in-house.

We quizzed Exabeam’s chief security strategist Stephen Moore about the report’s key highlights.

What was the thinking behind the report?

Depending on the location of your desk, your perspective and daily professional pain will differ. From personal experience, I know that the views of teams working on the front line of cybersecurity can be at odds with the executive team.

We wanted to find out how widespread this issue is and also to better understand how those working in the SOC think about critical areas such as technology, hiring, skill sets etc. – all of which contribute to well-run and efficient SOCs. We questioned everyone from the front-line worker to the C-suite.

What did you find?

The report highlights technology challenges; hiring and staffing issues; processes and pain points; as well as finance and funding difficulties, all of which have the potential to limit the ability of SOCs to tackle ever-increasing volumes of security alerts and potential cyber attacks.

It also identifies a number of key differences between US and UK SOCs. This was especially noticeable around technology, where 79% of managers and frontline employees expressed frustration with outdated equipment, compared to 22% of CIOs and CISOs. However, all job functions highlighted false positives and keeping up with security alerts as a top-of-mind concern.

This disconnect was clear when it came to staffing levels too. 45% of SOC professionals believe their SOC is understaffed, and of those, nearly two thirds (63%) think they could use anywhere from an additional 2-10 employees.

It’s interesting that for most organisations it would take a breach or at least a “near miss” to get approval for another 10 associates. And 62% of managers and frontline employees see inexperienced staff as a key pain point, compared to just one fifth (21%) of CIOs and CISOs.

When the survey compared the function of a SOC between the UK and US, it found little or no noticeable difference, with the US edging slightly farther ahead in perceived abilities in the area of identity and threat assessment, and the UK slightly ahead in data loss prevention and malware analysis.

Were there any other surprises?

Only 51% of the companies who responded had cybersecurity insurance in place. What’s interesting is the reason not to add it; many executives said it was too expensive and therefore elected not to buy it.

Without question, the adoption of cyber insurance is a business decision, not a technical one. This could be an indicator that CIOs and CISOs are owning too much of the pain and acting on a decision that is better owned outside of technology.

More UK organisations have it than US ones – but still, the number is low. Maybe CIOs look at the cost and think it is too expensive to add to their budgets? Who knows?

How do we change things?

Your business faces a cybersecurity crisis – whether that’s an internal leak or a data breach – and the SOC must be able to manage, repair and explain the event in a timely manner. The public reputation and private careers of leadership depend on this overwhelmed resource.

Even though the burden of technical security is on frontline employees working in the SOC, when questions are asked of a business’ security posture, it’s the C-Suite that needs to have the answers.  From where will these answers come?

Communication is key. Both groups need to make time to talk. If there’s a recurring problem that keeps getting brought up in emails and tickets, then face it; don’t let it be buried in emails.

If your company gets audited, or breached, all of these forgotten complaints and requests will come to light. It’s far better to identify it beforehand, ahead of time. CISOs need to be portrayed as the right person for the job, and they need to lead from the front. Security is not a job you can sit idly on and watch happen. Make time to communicate with staff, prioritise their pain.

Any final thoughts?

Organisations today face an ever-increasing number and variety of threats – and any disconnect between SOC leadership and those on the ground managing day-to-day operations – no matter how small – should signal an alarm bell.

Any disconnect between the executive team and those at the coal-face of cybersecurity practice could leave an organisation open to the worst that cyber criminals have in their war chests – and if that happens it’s too late to talk.
