SANS: 2022 Security Operations Center (SOC) Survey Report (English edition) (25 pages).pdf


SANS 2022 SOC Survey
Written by Chris Crowley and Barbara Filkins
May 2022
© 2022 SANS Institute

Executive Summary

The content of this year's SANS SOC Survey explores the ongoing development and progress of the security operations center (SOC). Here we describe who answered the survey, the key takeaways we observe in their responses, and the challenges everyone seems to face. The survey explores what people consider SOC capabilities, as well as the staff, technology, deployment strategies, and the funding it takes to secure and operate this gamut. So how are SOCs evolving?

To date, our definition of a SOC remains conceptual, built around the capabilities required by the business-specific goals of an organization. A SOC framework is not necessarily aligned with a reference architecture; it comes from the technologies in use and the individuals who make up the SOC team to accomplish those capabilities. In planning this survey, we took a capabilities-based approach to determine the current SOC landscape, with the goal of surfacing results that can help you assess your performance compared with your peers. In that regard, here are the top questions you might want to consider, and our insights from this year's survey:

1. Are trends going in the right direction? Results from 2021 to 2022 show a decrease in both incidents and breaches resulting from incidents. This is a positive trend, but the question is, can it continue?
2. Does staffing match growth? Hiring, retention, and turnover are key challenges. Consider comparing how your organization lines up against the survey results.
3. Do capabilities match business need? The leading items for survey respondents are detection/monitoring, vulnerability assessments, incident response, and alert triage and escalation, with capabilities balanced between internal staffing and outsourced resources. How do the capabilities your organization defined rank against these results?
4. Is the technology working? What technologies received a grade of A, and why? Compare how your organization lines up against the survey results in the section "Technology: What Is Getting a Passing Grade?"
5. Are metrics measuring investment and what's effective?
6. Are the discrepancies noted by this report being taken into account as we move forward?

What Makes a SOC?

We consider that a SOC is defined by its capabilities and how these capabilities are prioritized by the organization owning

the SOC. Capabilities are process-based, the related service driven by the business needs or mission statement of the organization. We consider a SOC architecture to be how organizations decide to arrange their staff and technology to gain visibility into protected systems, perform the required work, and take into account the complicated logistical and jurisdictional issues to address when monitoring information systems.

Survey Globalization

Something new this year, of which the authors are extremely proud, is that the survey questions and answers were translated into Spanish and Portuguese. The intention is that respondents who speak English as a second language, or who do not speak English, can provide responses and share thoughts succinctly and naturally. The intention is to scale this translation into more languages going forward. Optimistically, we'll cover Europe, the Middle East, and Asia with regionally

specific languages to develop the SOC Survey into a truly global perspective on cybersecurity operations.

We all have our shortcomings, and this survey is no different. We'd love to hear from our readers on how to make it better if we didn't answer your question in the following content. If we didn't answer your questions (or you are skeptical of our findings) and you want to perform your own analysis of the data set in this survey, download it from https:/soc-

Landscape

When most of us think of a SOC, we probably envision some type of command center, housing InfoSec professionals who

will detect, protect, and defend an enterprise from cyberattacks. Indeed, most respondents, at 47% (n=519), indicated that their SOC services are obligatory for their organization (see Figure 1), and the majority, 53% (n=240), cited their SOC size and structure as single and centralized, followed distantly by multiple, hierarchical SOCs at 19% (n=85). See Figure 2. But looking ahead 12 months, while survey results show the single, centralized SOC (n=138) as the leading deployment model, the real growth is occurring in cloud-based SOC services.[1] This opens the door to what we envision as the true definition of a SOC, one based on capabilities rather than a formal structure. See Figure 3, noting that the second line ("Informal SOC, no defined architecture") doesn't seem to be an aspirational future state, because it represents low maturity.

Figure 1. SOC Services Optional or Obligatory (Q3.2: n=519). "Within your organization, is use of the internal SOC viewed as mandatory, or is it acceptable for members of your organization to acquire services from external parties/providers?" Yes, use of the internal SOC is mandatory: 243; No, we may acquire services from an external provider: 170; Unknown: 88; No, we have no internal SOC: 18.

Figure 2. Structure of SOC (Q3.5: n=454). "Select the option that best reflects the size and structure of your SOC environment." Single, central SOC: 240; multiple, hierarchical SOCs: 85; the remaining options (multiple, standalone/siloed SOCs; multiple, parallel, redundant SOCs looking at the same data; multiple, unorganized SOCs; other) drew between 25 and 37 responses each.

Figure 3. Infrastructure Arrangement Sorted by Current Deployment (Q3.6: n=454). Bars compare current deployment with the next 12 months for each arrangement: centralized into a single SOC; cloud-based SOC services; full SOCs distributed regionally; informal SOC, no defined architecture; centralized and distributed regionally; partial SOCs in regional locations; other.

[1] If expressed as a growth percentage (the next-12-months count minus the current count, divided by the current count), growth in the cloud-based SOC services sector is 55%, whereas growth in the central SOC is 7%. All other arrangements indicate a decline in the next 12 months.

Meeting the Key Challenges

Given that SOC capabilities mirror key security functions, such as incident response, we looked at the survey responses to see whether the challenges to fully utilizing SOC capabilities follow the barriers faced by

most security professionals. Not surprisingly, high staffing requirements is the biggest stumbling block (46 of 235 respondents), followed by a lack of skilled staff (34). A lack of automation and orchestration (32 of 235) followed. The fourth-largest challenge, a lack of management support (23), brings the top four barriers to 57% (135 of 235) of all responses. See Figure 4. We wanted to hear the respondents' challenges in their own words, so we gave them a free-format opportunity to write them down. The word cloud in Figure 5 captures a frequency-weighted depiction of the words used in the responses. Human resources issues, money, and management support are repeated almost universally.

Figure 4. Challenges to Using SOC Capabilities (Q3.61: n=235). "What is the greatest challenge (barrier) with regard to full utilization of your SOC capabilities by the entire organization? Select the best option." High staffing requirements: 46; lack of skilled staff: 34; lack of automation and orchestration: 32; lack of management support: 23. The remaining options (lack of processes or playbooks; lack of context related to what we are seeing; too many alerts that we can't look into, i.e., lack of correlation between alerts; too many tools that are not integrated; lack of enterprisewide visibility; silo mentality between security, IR, and operations; regulatory or legal requirements; other) share the other 100 responses.

Figure 5. Barriers to SOC Use (Q3.59: n=130). Word cloud of the free-text responses.

Demographics

Survey respondents provided insight from their personal experiences, with results heavily influenced by

individuals whom SANS asked to participate in the survey through outreach and marketing efforts. To conduct a survey at this level of detail, we depend on respondents to volunteer 30 to 60 minutes of their time to answer thought-provoking and detailed questions. It is the opinion of the authors that we still don't have a globally representative sample of cybersecurity operations centers, but we're striving to get there. Figure 6 provides a snapshot of the demographics for the respondents to the 2022 survey.

Demographic Highlights

The majority of respondents are from smaller organizations. Of the 519 participants who answered, half (50%) are from organizations with fewer than 1,000 people. This tendency toward smaller organizations may be due to the fact that high-tech and cybersecurity companies function in a technology support role and, traditionally, have smaller staffs. Respondents are primarily in high tech, financial, cybersecurity, or government. If you're in one of these sectors and don't have a SOC, your peers likely do.

Figure 6. SOC Survey Respondent Demographics. Top 4 industries represented (each gear represents 10 respondents): banking and finance, government, technology, cybersecurity. Organizational size (each building represents 25 respondents): small (up to 1,000); small/medium (1,001–5,000); medium (5,001–15,000); medium/large (15,001–50,000); large (more than 50,000). Top 4 roles represented (each person represents 10 respondents): security administrator/security analyst; SOC analyst; security manager or director; IT manager or director. Operations and headquarters counts by region (Ops/HQ): 246/207, 235/168, 150/92, 74/21, 67/12, 42/6, 42/3, 32/10.

Of the 519 respondents, 270 (52%) have analyst, administrator, or architect roles, while 214 (41%) serve as managers, directors, or C-level executives. The remaining 35 (7%) listed their roles as other. The other roles included specific forms of analyst, engineer, specialist, and manager not specifically cited in the list of choices but still cyber-focused. There were several educator, consultant, repair, sales, and other write-in titles which had no corresponding

choice in the list. The respondents' companies are primarily based in North America, Latin America, and Europe. Previous years' SOC surveys speculated that the prevalence of North American and European organizations was a feature of who participated, rather than a feature of the actual prevalence of SOCs globally. This year's report and survey targeted Latin America, and this region took second place among headquarters for the first time. Our mission for this survey going forward is to continue similar outreach globally.

Factors for SOC Success

Survey readers tell us that they frequently seek budget, technology, and staff based on the results and insights described in our SOC surveys. The authors take this seriously. We're providing the guidance in this section around some key questions you should ask yourself and your organization to help you make difficult choices. And we have included a few key findings from this survey to help you guide your decisions and requests.

Success Factor One: Are Trends Going in the Right Direction?

In this year's survey, more respondents as a percentage (48%) answered "No," indicating their organization had not suffered an intrusion in the past 12 months. This statistic is better than last

year's SOC survey, where 39%[2] answered "No." In the way the question is phrased, more people responding "No" indicates fewer incidents occurring. Of course, there were numerous responses that expressed ignorance (71, 14%) or unwillingness (47, 9%) to acknowledge whether a breach happened. See Figure 7.

Figure 7. Intrusions/Incidents in the Past 12 Months (Q3.3: n=519). "Has your organization suffered an incident or intrusion in the past 12 months?" Options: Yes; No (48%); Unsure/Unknown (71, 14%); Prefer not to answer (47, 9%).

Figure 8. Breaches in the Past 12 Months (Q3.4: n=136). "Did this incident or intrusion result in a breach, implying the generally accepted definition that your organization had to publicly notify specific parties potentially implicated by the breach?" No: 68; Yes: 48; Prefer not to answer: 16; Unsure/Unknown: 4.

[2] "A SANS 2021 Survey: Security Operations Center," October 2021, www.sans.org/white-papers/sans-2021-survey-security-operations-center-soc/?socsurvey=1, p. 2. Registration required.

Of the respondents who had an intrusion, we followed up with the next logical question: Did this result in a breach? Of the 128 people who answered Question 3.4, 68 responses (53%) indicated that the intrusion didn't result in a breach (see Figure 8). By comparison, the 2021 SOC Survey collected 95 responses to the "result in a breach" question, and 47% of those said "No." In other words, in 2022 more people answered that the intrusion did not result in a breach, which is an improvement. Bravo for finding and stopping it! We

started asking this question in 2021, and so far, the trend seems to be going in the right direction. We didn't have a follow-on question related to what enabled the detection and removal of the intrusion prior to the breach. There are a multitude of other reports and surveys from the cybersecurity community documenting the details of breach and loss. But we will continue to assess whether this trend of success we are seeing in reduced incidents and subsequent breaches can be attributed to the presence of a SOC. Track metrics to ensure your trends are moving in the right direction.

Success Factor Two: Does Staffing Match Growth?

This year staffing levels remained fairly consistent with the past. The most popular SOC size is 2 to 10 people, with 66 of 234 respondents selecting that answer.[3] See Figure 9. Despite a constant team size year after year in the survey, staff turnover and retention are leading concerns. Staff turnover remains high: 70% for individuals with five or fewer years of experience, with the majority remaining in their current position for fewer than three. Retaining talent is also critical, requiring a critical and continual pitch by the SOC to organizational management. This pitch needs to be supported by metrics that demonstrate value and clear planning to articulate expected improvements. Organizational management considers the business operational environment and weighs the cyber threats against the business impacts. Compare how your organization lines up against the survey results in the section "Staffing: Meeting the Key Challenges."

[3] Please note that this is not organizational size or sector adjusted.

Figure 9. SOC Size by Number of FTEs (Q3.46: n=234). "What is the total internal staffing level (i.e., all related positions) for your SOC, expressed in terms of full-time equivalents (FTEs)?" Bands run from 1 (part-time) through 2–10 (66 respondents, the most common answer) to larger teams, plus Unknown.

Success Factor Three: Do the Capabilities Fit the Business Need?

We will go into detail on capabilities in a later section, but if your team isn't performing one or more of the capabilities listed in Figure 16, your team probably won't be considered a SOC. The leading items for survey respondents are detection/monitoring, vulnerability assessments, incident response, and alert triage and escalation, with capabilities balanced between internal staffing and outsourced resources. Rank the capabilities your organization defined against these results.

Success Factor Four: Is Technology Working?

Technology elicits strong opinions from most cybersecurity professionals. This year, we assigned each technology a GPA based on the grades individual respondents gave it. The more successful technologies are the mature and stable ones as opposed to the new and exciting, but even the leading technologies only got a B overall. Explore the section "Technology: What Is Getting a Passing Grade?" to see how to assess your technologies, as well as the part on tying the capabilities together.

Success Factor Five: Are Your Metrics Really Measuring the Effectiveness of Your Investment?

With an increased emphasis on staffing as a leading challenge/barrier to SOC effectiveness, organizations must consider how executive management not only listens but also acts on what their SOC leadership is telling them. Although 39% reported that executive management and SOC leads work closely together in allocating funds for cybersecurity, 55% believe the decision is wholly that of executive management, despite any recommendations from the SOC team. And although 41% report that management pays close

attention to the recommendations and needs of SOC leads with regard to hiring and retaining skilled, experienced staff for defending the enterprise, 55% again think that, while executive management may listen, they do not act on the urgency to retain, not just hire, skilled staff. Calculate a metric that measures the effectiveness of the SOC.

Staffing: Meeting the Key Challenges

Let's first talk about people. There is no change in overall SOC team size from previous years. Again, 2 to 10 staff members is the most commonly cited team size, regardless of the size of the organization. See Figure 10.

Figure 10. Size of Organization Versus SOC Team Size. Respondent counts cross-tabulated by organization size (bands from fewer than 50 to more than 100,000 employees, plus Unknown) against SOC team size.

The top two barriers to full SOC utilization are staffing-related (see Figure 4). What are respondents saying about the challenges they face? Frequent turnover appears to be the first obstacle. In Figure 11, we see that the average duration of employment is predominantly less than five years, with the most cited (n=84) remaining one to three years before leaving. So, what are the most effective methods of retaining staff? The leading approach is to provide staff a clear career progression (n=76), as shown in Figure 12. The authors see this as providing two benefits:

- Employees stay with the organization longer, reducing the cost of hiring and training new staff.
- People who want to grow and develop within an organization tend to be more productive and effective employees.

Employees who have a mind to grow and develop are likely caring workers. If you don't facilitate that growth, they'll find it in a different company that has a plan in place for career growth. Retention seems to be an important part of managing the SOC team, implying likely negotiation between SOC and organizational management to address key factors to keep staff: career plan assurance with additional training, monetary incentives, work-life balance, and relaying the value of the work performed. So, what did the respondents say about their management's investment in staff? Many respondents (n=96) indicated that organizational management coordinates with SOC management and team leads to hire and retain the right people

to defend the environment. But, while this indicates that the situation may be improving from past surveys, the balance (n=129) still feels that executive management may listen, but they do not act on the urgency to retain, not just hire, skilled staff. See Figure 13.

Figure 11. Average Employment Duration (Q3.48: n=236). "What is the average employment duration for an employee in your SOC environment (how quickly does staff turn over)?" 1–3 years is the most cited band (84); the other five bars (1 year or less; 3–5 years; 5–10 years; 10+ years; Unknown) carry 68, 29, 27, 15 and 13 responses between them.

Figure 12. Retention Methods (Q3.49: n=239). "What is the most effective method you have found to retain employees?" Career progression: 76; the other options (money; training; meaningful work; shifting roles and responsibilities regularly; other) drew 54, 37, 31, 26 and 15 responses between them.

The short story of our guidance here is to calculate the costs involved in hiring new staff. Show the value proposition by comparing the hiring cost to the cost of training and developing existing staff.

Figure 13. Human Capital Management Approach (Q3.53). "How is human capital addressed in your environment? Select the best option." Management pays close attention to the needs of SOC leads/managers with regard to hiring and retaining skilled, experienced staff to defend their environment: 96. Management listens to the requests of SOC leads/managers regarding hiring skilled, experienced staff but does not understand the urgency to retain these skilled people: 69. Management thinks hiring multiple, less-skilled employees to stare at alerts is an acceptable strategy for mitigating cybersecurity threats in their environment: 46. The two remaining options (management does not pay any mind to the unique staffing needs of a SOC and does little to encourage hiring skilled, experienced staff or retain them; other) account for 14 and 9 responses.

Working Remotely

The pandemic forced a new reality on the workplace. Working remotely is now the norm, and that includes the SOC team. You probably already allow your SOC staff to work remotely. If you don't, you're competing for that staff with companies that do. See Figure 14. Organizations now need to balance the ease of hiring and retaining staff who expect to work remotely against the increased difficulty in training, developing, and onboarding staff working from home. So, what factors do organizations take into consideration for a SOC staff analyst to work remotely from home? The leading consideration (n=165) is whether the platform supports it. (See Figure 15.) We

take this to mean that the data sensitivity is weighed against the risk of accessing the data from off-premises, and a risk-weighted decision is made about working from home. This seems a reasonable consideration that can be made in coordination with risk management around the sensitivity of the systems protected. The next few considerations, however, are more of a SOC management judgment call based on the individual's performance and perceived skill set (n=139). But the growth in remote work/work from home due to the pandemic appears to have changed how organizations determine whether an individual can work remotely. In 2022, work ethic rose to the third most important evaluation factor (n=115): 43% in 2022 versus 33% in 2021. (Note: While an individual's work ethic seems a reasonable basis for consideration for remote work, it might be hard to quantify fairly. Ostensibly, the rationale here is that those with a lesser work ethic are motivated to be more effective by the oversight provided on-premises.)

Figure 14. Remote Work (Q3.13: n=371). "Do you allow SOC staff analysts to work remotely?" Yes: 296; No: 53; Unknown: 22.

The authors concur that few organizations can justify an on-premises-only SOC based on data sensitivity. While some organizations must maintain this security posture for specific reasons, in general this position is becoming more difficult to justify.

Figure 15. Factors in Work From Home (Q3.14: n=266). "What factors are considered in determining whether a SOC staff analyst can work remotely? Check all that apply." Platforms securely support remote workforce: 165; skill set: 139; work ethics: 115; role, seniority, individually negotiated, and other each drew fewer than 115.

Capabilities: Does Your Team Count as a SOC?

Do you ever wonder if your team counts as a SOC? You're not alone. We asked respondents to identify the capabilities they have within their SOC. Figure 16 shows a count-based, ranked list of what the most respondents said they do. The leading items are detection/monitoring (376), vulnerability assessments (373), incident response (373), and alert triage and escalation (373). We define a SOC through capabilities and architecture. So, if you're not performing the capabilities listed in Figure 16, either internally and/or by outsourcing, that particular group wouldn't be considered a SOC. Much of what SOCs do can be outsourced, so we wanted to understand what SOCs choose to outsource. There is basically no change in the outsource portfolio from previous years' SOC surveys. See Figure 17, where the data from Figure 16 is re-sorted by how many respondents outsource that capability.

Figure 16. Capabilities Ranked on Total Reporting (Q3.10: n=383). Stacked bars (in-house / outsourced / both) for each capability, sorted by total count; the leading bars are security monitoring and detection (376), vulnerability assessments (373), incident response (373), and alerting (triage and escalation) (373). Capabilities charted: security monitoring and detection; threat research; vulnerability assessments; alerting (triage and escalation); security road map and planning; data protection; remediation; compliance support; red-teaming; threat hunting; security architecture and engineering (of systems in your environment); threat intelligence (feed consumption); pen-testing; security administration; purple-teaming; threat intelligence (production); digital forensics; threat intelligence (attribution); SOC architecture and engineering (specific to the systems running your SOC); security tool configuration, integration, and deployment; incident response; SOC maturity self-assessment; other.

What's interesting to the author (Crowley) is how much consensus exists in this response set. If "Other" is excluded (112)

, then the range is 348–376 from 383 respondents. There were only 20 other text responses, and 14 of these were none or N/A. A couple were comments about the question. There were three relevant other responses: business review, research, and NIST framework management. The research we'd put with "threat research," and the NIST framework we would expect to group with "compliance support."

While you might have good reasons to retain pen testing and its variants, threat intelligence, and forensics internally, many of your peers continue to outsource these capabilities, probably for two basic reasons. Retaining this expertise on staff can be cost-prohibitive, because talented specialized staff are rare. An added complexity is the requirement for training specialized staff, because keeping up to date with constantly changing technology and techniques, such as in pen testing (and related) and threat intelligence, can be difficult. Finally, budgeting for a full-time individual specialist in a small team usually doesn't make financial sense, as internal staff are usually general-purpose analysts. So, focused expertise is procured in an outsourced fashion. In larger teams, calculating the value proposition of outsourcing usually directs the outsourcing decision.

So, what compels retention of staff internally? The capabilities which tend to be performed internally are those which require tailoring to the organization. The institutional knowledge needed to perform that tailoring keeps the work internal, as does the perceived need for data control and privacy over these capabilities and the data handled therein. Defensible or not, this is the stance that many organizations use to keep the activity internal rather than outsourced.

Figure 17. Capability Ranked Greatest to Lowest for Outsourcing (Q3.10: n=383). The same in-house / outsourced / both counts as Figure 16, re-sorted by the percentage of respondents who outsource each capability.

Technology: What Is Getting a Passing Grade?

From a technology perspective, we asked about the technology deployed and how far along it is in its deployment. Of course, we also asked what technologies people like and don't like. The two questions we asked to discover this information included long lists of choices and took at least 10 minutes to answer, so we allowed people to skip them, but 53% (Q3.26, n=308) agreed to answer them.

A perennial problem for IT environments is the "partial deployment" of systems. In the authors' experience, many SOCs' maturity, efficiency, and improvement efforts are pending completion of some technology deployment. Figure 18 indicates where the respondents' organizations are in their deployment efforts.

Figure 18. Technology in Use and Deployment Status (Q3.26: n=150)

Category: Technology | Production (all systems) | Production (partial systems) | Implementing | Purchased, not implemented | Planned
Host: Vulnerability remediation | 58 | 42 | 24 | 5 | 14
Host: Malware protection system (MPS) | 60 | 43 | 22 | 6 | 12
Host: Behavioral analysis and detection | 51 | 29 | 27 | 9 | 24
Host: Data loss prevention | 42 | 35 | 27 | 13 | 26
Host: Ransomware prevention | 56 | 27 | 26 | 11 | 19
Host: User behavior and entity monitoring | 39 | 34 | 23 | 10 | 30
Host: Endpoint or extended detection and response (EDR/XDR) | 59 | 28 | 26 | 5 | 19
Host: Application whitelisting | 46 | 34 | 23 | 11 | 24
Host: Continuous monitoring and assessment | 61 | 37 | 18 | 11 | 16
Log: Endpoint OS monitoring and logging | 57 | 38 | 18 | 12 | 17
Log: Endpoint application log monitoring | 54 | 33 | 27 | 10 | 15
Log: Log management | 56 | 40 | 23 | 10 | 13
Log: DNS log monitoring | 47 | 43 | 25 | 6 | 20
Net: Network segmentation | 64 | 41 | 15 | 10 | 9
Net: Email security (SWG and SEG) | 72 | 33 | 15 | 8 | 12
Net: DNS security/DNS firewall | 70 | 33 | 21 | 4 | 13
Net: Asset discovery and inventory | 47 | 39 | 26 | 12 | 17
Net: VPN (access protection and control) | 79 | 30 | 17 | 9 | 7
Net: Full packet capture | 32 | 35 | 26 | 9 | 32
Net: Packet analysis (other than full PCAP) | 41 | 33 | 23 | 10 | 26
Net: DoS and DDoS protection | 51 | 48 | 15 | 13 | 15
Net: Network traffic monitoring | 52 | 42 | 21 | 11 | 15
Net: Web application firewall (WAF) | 53 | 52 | 16 | 11 | 10
Net: Next-generation firewall (NGF) | 73 | 30 | 15 | 11 | 13
Net: Egress filtering | 53 | 42 | 22 | 5 | 18
Net: Deception technologies such as honey potting | 33 | 29 | 22 | 11 | 39
Net: Web proxy | 58 | 36 | 19 | 6 | 16
Net: Network access control (NAC) | 46 | 31 | 23 | 14 | 25
Net: NetFlow analysis | 32 | 33 | 23 | 16 | 30
Net: Malware detonation device (inline malware destruction) | 33 | 31 | 23 | 11 | 36
Net: Network intrusion detection system (IDS)/intrusion prevention system (IPS) | 67 | 41 | 19 | 7 | 7
Net: SSL/TLS traffic inspection | 40 | 39 | 23 | 6 | 24
Net: Ingress filtering | 56 | 39 | 18 | 10 | 15
Analysis: Risk analysis and assessment | 53 | 38 | 27 | 9 | 11
Analysis: SIEM (security information and event manager) | 63 | 34 | 25 | 6 | 12
Analysis: Customized or tailored SIEM use-case monitoring | 53 | 32 | 22 | 13 | 19
Analysis: AI or machine learning | 36 | 26 | 20 | 6 | 42
Analysis: Frequency analysis for network connections | 38 | 33 | 25 | 7 | 27
Analysis: External threat intelligence (for online precursors) | 44 | 32 | 23 | 12 | 22
Analysis: Threat hunting | 38 | 36 | 28 | 9 | 23
Analysis: Threat intelligence platform (TIP) | 40 | 28 | 27 | 8 | 33
Analysis: Threat intelligence (open source, vendor provided) | 42 | 29 | 29 | 14 | 22
Analysis: E-discovery (support legal requests for specific information collection) | 36 | 29 | 22 | 5 | 40
Analysis: SOAR (security orchestration, automation, and response) | 39 | 30 | 19 | 9 | 37
Other | 13 | 10 | 11 | 5 | 12

This view is useful, but it might also be beneficial to consider this

103、in terms of accomplishing“all systems”deployment.To this end,Figure 19 shows a sorted view of the data shown in Figure 18.It loses the categorical grouping as a result.But this figure might be used as a guide on the likelihood of getting your intended technology fully deployed.Category:QuestionProdu

104、ction (All Systems)Percentage (All Systems)Production(Partial Systems)ImplementingPurchased Not ImplementedPlannedNet:VPN(access protection and control)55.6%79 30 17 9 7Net:Next-generation firewall(NGF)51.4%73 30 15 11 13Net:Email security(SWG and SEG)51.4%72 33 15 8 12Net:DNS security/DNS firewall

105、49.6%70 33 21 4 13Net:Network intrusion detection system (IDS)/intrusion prevention system(IPS)47.5%67 41 19 7 7Net:Network segmentation 46.0%64 41 15 10 9Analysis:SIEM(security information&event manager)45.0%63 34 25 6 12Host:Continuous monitoring and assessment 42.7%61 37 18 11 16Host:Malware prot

106、ection system(MPS)42.0%60 43 22 6 12Host:Endpoint or extended detection and response (EDR/XDR)43.1%59 28 26 5 19Host:Vulnerability remediation 40.6%58 42 24 5 14Net:Web proxy 43.0%58 36 19 6 16Log:Endpoint OS monitoring and logging 40.1%57 38 18 12 17Log:Log management 39.4%56 40 23 10 13Host:Ransom

107、ware prevention 40.3%56 27 26 11 19Net:Ingress filtering 40.6%56 39 18 10 15Log:Endpoint application log monitoring 38.8%54 33 27 10 15Net:Web application firewall(WAF)37.3%53 52 16 11 10Net:Egress filtering 37.9%53 42 22 5 18Analysis:Customized or tailored SIEM use-case monitoring 38.1%53 32 22 13

108、19Analysis:Risk analysis and assessment 38.4%53 38 27 9 11Net:Network traffic monitoring 36.9%52 42 21 11 15Net:DoS and DDoS protection 35.9%51 48 15 13 15Host:Behavioral analysis and detection 36.4%51 29 27 9 24Log:DNS log monitoring 33.3%47 43 25 6 20Net:Asset discovery and inventory 33.3%47 39 26

109、 12 17Net:Network access control(NAC)33.1%46 31 23 14 25Host:Application whitelisting 33.3%46 34 23 11 24Analysis:External threat intelligence (for online precursors)33.1%44 32 23 12 22Host:Data loss prevention 29.4%42 35 27 13 26Analysis:Threat intelligence (open source,vendor provided)30.9%42 29 2

110、9 14 22Net:Packet analysis(other than full PCAP)30.8%41 33 23 10 26Analysis:Threat intelligence platform(TIP)29.4%40 28 27 8 33Net:SSL/TLS traffic inspection 30.3%40 39 23 6 24Host:User behavior and entity monitoring 28.7%39 34 23 10 30Analysis:SOAR(security orchestration,automation,and response)29.

111、1%39 30 19 9 37Analysis:Threat hunting 28.4%38 36 28 9 23Analysis:Frequency analysis for network connections 29.2%38 33 25 7 27Analysis:E-discovery(support legal requests for specific information collection)27.3%36 29 22 5 40Analysis:AI or machine learning 27.7%36 26 20 6 42Net:Deception technologie

112、s such as honey potting 24.6%33 29 22 11 39Net:Malware detonation device (inline malware destruction)24.6%33 31 23 11 36Net:Full packet capture 23.9%32 35 26 9 32Net:NetFlow analysis 23.9%32 33 23 16 30Other 25.5%13 10 11 5 12Figure 19.Technology in Use and Deployment Status,Sorted by Percentage“All

113、 Systems”(Q3.26:n=150)15SANS 2022 SOC SurveyWhile each organization has distinct challenges,there is some benefit to projecting based on this chart.The authors(Crowley)speculation on why the projects at the top of the list of all systems have gotten there is that network security controls have been

114、in place for many years.A network-implemented solution represents the older paradigm of perimeter protection.These solutions can be deployed with the IT teams as networks are updated.While users are affected by VPN solutions in a way that requires changes in behavior,the rest of the technologies top

115、ping the list have no requirement of user behavior change.Related,a VPN forces users through a new channel to access data,but once configured,it is minimally impactful on the user.Technology,regardless of deployment status,is a source of strong opinions from most cybersecurity professionals.To asses

116、s the reasons why some technology scored well,such as VPN(Grade=+79),which is the highest-ranked technology in Figure 20,will require speculation.The highest-ranking tools score at the top because they do something well and the tools are likely in the enlightenment or productivity phase of the hype

117、cycle.4 In this continued speculation,the lowest scorers are relatively new or fail to do the task for which they were purchased.That may be no fault of the technology(full-PCAP not allowed to capture due to legal restrictions)or failure of the technology to adapt(full-PCAP being outmaneuvered by ad

118、vancing encryption protocols).Finally,the middle of the pack looks like the technology that works well only when youve applied the appropriate customization and tailoring for your environment.This takes time,dedicated staff,and cooperation with the protected systems owners and IT administrators.Coop

119、eration and time are often an unnecessarily scarce commodity in the cybersecurity space.Figure 20(shown on the next page)represents the GPA for each technology based on the grades respondents assigned to that technology.The GPA is calculated on a 4-point scale,where A is 4 and F is 0,divided by the

120、number of responses per technology.To be fair,the GPA is based on the respondents opinion,and we do not have a fully developed assessment rubric for this.Take this respondents opinion-based GPA scoring as anecdotal opinions on a product category,not specific products.4 “Gartner Hype Cycle,” 2022 SOC

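As an added check that is not part of the SANS report, the following Python recomputes the derived columns of the three tables from their raw counts: the "all systems" percentage of Figure 19 (the all-systems count over the row's five deployment states), the "Production (Full + Partial)" sum of Figure 21, and the 4-point GPA of Figure 20. The embedded rows are copied from the figures for six technologies; the Total column of Figure 21 is used as the GPA divisor because that is what reproduces the published values, and the script also reports how far the five grade counts overshoot that Total.

```python
"""Recompute the derived columns of Figures 19-21 of the SANS 2022 SOC Survey.

Added verification example; the rows below are copied from the report's tables
(deployment counts from Figure 19, grade counts from Figure 20, Total from
Figure 21) for a subset of technologies.
"""
from dataclasses import dataclass

GRADE_POINTS = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}


@dataclass(frozen=True)
class TechRow:
    name: str
    deploy: tuple        # (all, partial, implementing, purchased_not_implemented, planned)
    grades: tuple        # (A, B, C, D, F) counts from Figure 20
    graded_total: int    # "Total" column of Figure 21
    published_pct: float # "Percentage (All Systems)" in Figure 19
    published_gpa: float # GPA in Figure 20


ROWS = [
    TechRow("Net: VPN", (79, 30, 17, 9, 7), (53, 52, 16, 11, 2), 132, 55.6, 3.11),
    TechRow("Analysis: SIEM", (63, 34, 25, 6, 12), (49, 44, 25, 7, 5), 125, 45.0, 3.08),
    TechRow("Host: EDR/XDR", (59, 28, 26, 5, 19), (45, 37, 27, 10, 7), 119, 43.1, 2.98),
    TechRow("Net: WAF", (53, 52, 16, 11, 10), (43, 47, 25, 11, 6), 126, 37.3, 2.97),
    TechRow("Analysis: SOAR", (39, 30, 19, 9, 37), (23, 26, 38, 12, 17), 99, 29.1, 2.61),
    TechRow("Other", (13, 10, 11, 5, 12), (10, 7, 11, 2, 7), 30, 25.5, 2.83),
]


def pct_all_systems(deploy):
    """Figure 19: all-systems count as a percentage of the row's five deployment states."""
    return round(100.0 * deploy[0] / sum(deploy), 1)


def production_sum(deploy):
    """Figure 21: full plus partial production deployments."""
    return deploy[0] + deploy[1]


def grade_points(grades):
    """Total points on the 4-point scale (A=4 ... F=0)."""
    return sum(n * GRADE_POINTS[g] for g, n in zip("ABCDF", grades))


def gpa(grades, divisor):
    """GPA as the report defines it: grade points divided by the number of responses."""
    return round(grade_points(grades) / divisor, 2)


def check_row(row):
    """Recompute every derived value for one row and flag mismatches with the report."""
    pct = pct_all_systems(row.deploy)
    gpa_by_total = gpa(row.grades, row.graded_total)
    return {
        "name": row.name,
        "pct": pct,
        "pct_ok": pct == row.published_pct,
        "prod": production_sum(row.deploy),
        "gpa_by_total": gpa_by_total,
        "gpa_ok": gpa_by_total == row.published_gpa,
        # What the GPA would be if the five grade counts were the divisor instead.
        "gpa_by_count": gpa(row.grades, sum(row.grades)),
        "grade_count_excess": sum(row.grades) - row.graded_total,
    }


def check_all(rows=ROWS):
    return [check_row(r) for r in rows]


def rank_by_gpa(rows=ROWS):
    """Technology names ordered highest GPA first, as Figure 20 lists them."""
    return [r.name for r in sorted(rows, key=lambda r: gpa(r.grades, r.graded_total), reverse=True)]


if __name__ == "__main__":
    for res in check_all():
        print(f"{res['name']:<16} pct={res['pct']:5.1f} ({'ok' if res['pct_ok'] else 'MISMATCH'}) "
              f"prod={res['prod']:3d} gpa={res['gpa_by_total']:.2f} ({'ok' if res['gpa_ok'] else 'MISMATCH'}) "
              f"gpa_if_divided_by_grade_sum={res['gpa_by_count']:.2f} excess={res['grade_count_excess']}")
```

Running it reproduces every published percentage and GPA for the embedded rows; the last two columns of the output show why the divisor matters (VPN is 3.11 by the Figure 21 Total but 3.07 by the sum of its grade counts, and SOAR's counts overshoot its Total by 17). Add the rest of the rows from the tables in the same shape to check the full set.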
Category: Question | A | B | C | D | F | GPA
Net: VPN (access protection and control) | 53 | 52 | 16 | 11 | 2 | 3.11
Analysis: SIEM (security information and event manager) | 49 | 44 | 25 | 7 | 5 | 3.08
Log: Endpoint OS monitoring and logging | 47 | 42 | 29 | 7 | 9 | 3.03
Net: Next-generation firewall (NGF) | 45 | 44 | 30 | 8 | 6 | 2.99
Host: Endpoint or extended detection and response (EDR/XDR) | 45 | 37 | 27 | 10 | 7 | 2.98
Net: Web application firewall (WAF) | 43 | 47 | 25 | 11 | 6 | 2.97
Host: Ransomware prevention | 46 | 36 | 25 | 13 | 8 | 2.96
Log: Endpoint application log monitoring | 38 | 41 | 37 | 3 | 9 | 2.96
Host: Vulnerability remediation | 44 | 42 | 38 | 6 | 3 | 2.95
Net: Network segmentation | 44 | 36 | 28 | 11 | 7 | 2.95
Analysis: Customized or tailored SIEM use-case monitoring | 39 | 45 | 28 | 10 | 7 | 2.93
Host: Malware protection system (MPS) | 40 | 50 | 30 | 11 | 3 | 2.91
Net: Ingress filtering | 40 | 41 | 34 | 9 | 3 | 2.90
Net: DNS security/DNS firewall | 38 | 47 | 29 | 11 | 8 | 2.90
Net: Egress filtering | 39 | 34 | 39 | 7 | 8 | 2.88
Net: DoS and DDoS protection | 45 | 33 | 38 | 11 | 7 | 2.88
Net: Email security (SWG and SEG) | 44 | 35 | 29 | 15 | 9 | 2.88
Log: DNS log monitoring | 38 | 45 | 28 | 13 | 8 | 2.87
Net: Web proxy | 38 | 33 | 35 | 9 | 14 | 2.87
Host: Continuous monitoring and assessment | 39 | 38 | 37 | 10 | 6 | 2.85
Analysis: Risk analysis and assessment | 31 | 45 | 34 | 7 | 8 | 2.85
Net: Network intrusion detection system (IDS)/intrusion prevention system (IPS) | 41 | 38 | 32 | 14 | 5 | 2.85
Other | 10 | 7 | 11 | 2 | 7 | 2.83
Log: Log management | 36 | 49 | 28 | 15 | 5 | 2.83
Net: Network access control (NAC) | 36 | 36 | 30 | 13 | 13 | 2.83
Host: Behavioral analysis and detection | 39 | 39 | 36 | 13 | 5 | 2.82
Net: Network traffic monitoring | 33 | 40 | 41 | 9 | 6 | 2.79
Analysis: Threat intelligence platform (TIP) | 32 | 36 | 30 | 13 | 13 | 2.78
Host: Application whitelisting | 30 | 41 | 30 | 13 | 13 | 2.77
Analysis: Frequency analysis for network connections | 31 | 28 | 34 | 11 | 21 | 2.76
Analysis: External threat intelligence (for online precursors) | 32 | 36 | 29 | 16 | 10 | 2.74
Net: Deception technologies such as honey potting | 31 | 26 | 33 | 13 | 22 | 2.73
Analysis: Threat intelligence (open source, vendor provided) | 28 | 37 | 43 | 10 | 9 | 2.70
Analysis: E-discovery (support legal requests for specific information collection) | 24 | 39 | 30 | 14 | 14 | 2.68
Net: SSL/TLS traffic inspection | 29 | 32 | 37 | 14 | 14 | 2.68
Analysis: Threat hunting | 32 | 30 | 36 | 17 | 10 | 2.67
Net: Packet analysis (other than full PCAP) | 24 | 40 | 30 | 16 | 15 | 2.65
Analysis: AI or machine learning | 27 | 26 | 37 | 13 | 20 | 2.65
Host: User behavior and entity monitoring | 27 | 41 | 34 | 18 | 7 | 2.64
Net: Malware detonation device (inline malware destruction) | 25 | 27 | 37 | 13 | 23 | 2.63
Host: Data loss prevention | 30 | 32 | 35 | 20 | 15 | 2.62
Net: Full packet capture | 27 | 30 | 36 | 17 | 17 | 2.61
Net: Asset discovery and inventory | 31 | 27 | 46 | 16 | 10 | 2.61
Net: NetFlow analysis | 27 | 24 | 43 | 13 | 12 | 2.61
Analysis: SOAR (security orchestration, automation, and response) | 23 | 26 | 38 | 12 | 17 | 2.61

Figure 20. GPA Rating (Q3.27: n=132)

If you want to see these two charts combined (as we did), see Figure 21.

Category: Question | Production (Full + Partial) | GPA | Total
Net: VPN (access protection and control) | 109 | 3.11 | 132
Net: Network intrusion detection system (IDS)/intrusion prevention system (IPS) | 108 | 2.85 | 125
Net: Web application firewall (WAF) | 105 | 2.97 | 126
Net: Network segmentation | 105 | 2.95 | 119
Net: Email security (SWG and SEG) | 105 | 2.88 | 123
Net: Next-generation firewall (NGF) | 103 | 2.99 | 127
Host: Malware protection system (MPS) | 103 | 2.91 | 131
Net: DNS security/DNS firewall | 103 | 2.90 | 125
Host: Vulnerability remediation | 100 | 2.95 | 130
Net: DoS and DDoS protection | 99 | 2.88 | 127
Host: Continuous monitoring and assessment | 98 | 2.85 | 124
Analysis: SIEM (security information and event manager) | 97 | 3.08 | 125
Log: Log management | 96 | 2.83 | 128
Log: Endpoint OS monitoring and logging | 95 | 3.03 | 125
Net: Ingress filtering | 95 | 2.90 | 124
Net: Egress filtering | 95 | 2.88 | 119
Net: Web proxy | 94 | 2.87 | 115
Net: Network traffic monitoring | 94 | 2.79 | 123
Analysis: Risk analysis and assessment | 91 | 2.85 | 117
Log: DNS log monitoring | 90 | 2.87 | 124
Host: Endpoint or extended detection and response (EDR/XDR) | 87 | 2.98 | 119
Log: Endpoint application log monitoring | 87 | 2.96 | 119
Net: Asset discovery and inventory | 86 | 2.61 | 120
Analysis: Customized or tailored SIEM use-case monitoring | 85 | 2.93 | 122
Host: Ransomware prevention | 83 | 2.96 | 120
Host: Behavioral analysis and detection | 80 | 2.82 | 127
Host: Application whitelisting | 80 | 2.77 | 114
Net: SSL/TLS traffic inspection | 79 | 2.68 | 112
Net: Network access control (NAC) | 77 | 2.83 | 115
Host: Data loss prevention | 77 | 2.62 | 117
Analysis: External threat intelligence (for online precursors) | 76 | 2.74 | 113
Analysis: Threat hunting | 74 | 2.67 | 115
Net: Packet analysis (other than full PCAP) | 74 | 2.65 | 110
Host: User behavior and entity monitoring | 73 | 2.64 | 120
Analysis: Frequency analysis for network connections | 71 | 2.76 | 104
Analysis: Threat intelligence (open source, vendor provided) | 71 | 2.70 | 118
Analysis: SOAR (security orchestration, automation, and response) | 69 | 2.61 | 99
Analysis: Threat intelligence platform (TIP) | 68 | 2.78 | 111
Net: Full packet capture | 67 | 2.61 | 110
Analysis: E-discovery (support legal requests for specific information collection) | 65 | 2.68 | 107
Net: NetFlow analysis | 65 | 2.61 | 107
Net: Malware detonation device (inline malware destruction) | 64 | 2.63 | 102
Net: Deception technologies such as honey potting | 62 | 2.73 | 103
Analysis: AI or machine learning | 62 | 2.65 | 103
Other | 23 | 2.83 | 30

Figure 21. Deployment State and GPA Rating (Q3.26 and Q3.27: n=142, 132)

Tying Pieces Together

The equation for successful SOC operation is additive: people (staff) plus capabilities (process) plus technology. Our survey addressed several instances that tie these elements together.

Monitoring

Drilling down into the monitoring capability, we asked exactly what it entails. (This question is new this year.) Detection of threats is at the top. But in many cases, it seems that the monitoring team does not support incident handling: 47% (174/368) did not select "Support for IR". This is an area the authors think warrants focus: better integration between monitoring and incident handling. See Figure 22.

Because most computer networks never shut down, the SOC should probably monitor 24 hours a day, every day. We asked whether this is the case, and in most cases it is (details are in Figure 23). Only 62 respondents (17%) indicated that the SOC does not operate 24 hours per day. Among the "Yes" contingent, a purely in-house 24-hour operation (144, 38%) is the most popular approach, trailed substantially by a mixed internal/outsourced operation (89, 24%). See Figure 23.

While running 24/7 operations, the primary task is identification of issues (see Figure 24). We have a separate section on technology, but a capability is integrally connected to the technology used to perform it, so we asked how the correlation of event data for identification of issues is performed. To the authors, the top answer, "through our SIEM" (151, 47%), is no surprise. Our projection is that this obvious dominance changes soon, as more SOCs shift this effort into SOAR (36, 11%), XDR (35, 11%), and MDR (24, 7%) platforms. See Figure 24.

The author (Crowley) is not suggesting this shift is necessary or necessarily advantageous based on the technologies involved. Rather, his opinion is that the staff's assessment of a tool's performance drives replacement of the tool rather than reconsideration of the implementation and programmatic elements surrounding it. This opinion is not derived directly from survey responses. It is a fusion of assessment and observation of SOCs, the marketing pressures within the technology market, and generalizations about human behavior when faced with criticism of SOC performance. The tools do not usually speak up to defend themselves and point out the deficiencies of the implementation or of the tool's operator.

Figure 22. Security Monitoring Details (Q3.11: n=368). Question: What is included in your security monitoring activities? Select all that apply. Options: Detection of threats (the most selected); Determine threat landscape/Identify emerging threats; Access and usage monitoring; Support for IR (selected by 194 of 368); Protection of data; Other.

Figure 23. 24/7 Operations or Not? (Q3.12: n=373). Question: Does your SOC operate 24/7? Options: Yes, in-house only (144); Yes, outsourced only; Yes, mixed internal/outsourced (89); No (62); Unknown.

Figure 24. Event Correlation Technology (Q3.20: n=324). Primary technology for event data correlation. Options: Through our SIEM (151); Through our security orchestration, automation, and response (SOAR) platform (36); Through our EDR/XDR platform (35); Through services provided by our MDR vendor (24); Through our aggregated log management system; Through home-developed APIs and dashboards; Through a workflow tool; Through a threat intelligence platform; Don't know, it all happens in the cloud; Other.

Visibility Across Systems

As these SOCs correlate events, there are varying categories of systems into which they provide visibility. This occurs to a greater degree on some types of systems than on others, so we include smart devices in Figure 25 and mobile devices in Figure 26. Most respondents (158, 48%) indicated that they either partially or fully support smart devices. When asked what is being used for this, MDM is clearly ahead, but not by enough to call it a certain choice for new deployments.

Importantly, this question (Q3.18) asked respondents to select all monitoring technologies that apply across several kinds of resource, and some respondents selected multiple items. MDM, EDR, and XDR are specifically intended for this type of nontraditional compute device monitoring. The authors see continued development of this technology, in addition to the use of cloud-provider-native monitoring tools.

Figure 25. Smart Device Support (Q3.16: n=332). Question: Does your SOC support nontraditional computing devices such as smart sensors, building devices, building monitoring, manufacturing, industrial control systems, OT (operations technologies), and system assets considered as part of the IoT? Options: Partly, our SOC supports some of our connected, at-risk smart systems; Yes, our SOC supports all our at-risk smart systems; No, we are planning to support nontraditional computing devices within the next 12 months; No, we have no plans to support smart systems; We haven't assessed and inventoried smart systems yet, but we plan to; Unknown; Other. Chart values in the same order: 79, 79, 45, 69, 33, 26, 1 (the first two, 158 combined, are the partial-or-full support the text cites).

Figure 26. Monitoring Technology (Q3.18: n=311). Question: What are you using to monitor your mobile devices, extranet, and cloud partner (AWS, Azure, etc.) resources? Select all that apply. Options: MDM (the most selected); EDR; XDR; EMM; CASB; Other.

Also, on the topic of nontraditional arrangements, we inquired into the techniques for monitoring OT networks. Of the respondents who monitor OT as part of their SOC, most (103, 32%) do so converged with IT systems. This is closely followed by monitoring separately (80, 25%). Another technique is to use separate technology but the same staff for monitoring (47), and if these two groups are considered together (because physical separation of the visibility and protection instrumentation is consistent for both), then that grouping (127, 39%) exceeds the "together" responses (see Figure 27). This is important because there appears to be a strong urge to compartmentalize these resources onto their own network, and the conceptual boundary appears to extend to the defensive monitoring systems as well. This compartmentalization approach has strong advocates on both sides of the subject in the OT cybersecurity community. From this survey, how SOCs monitor OT is about evenly split.

Responses to Q3.17 as charted in Figure 27 (Are you monitoring your OT (operations technologies) systems separately or with IT SOC resources? Select the best option.): Together with IT SOC resources, 103; Separately, 80; Separate systems for monitoring but same SOC staff, 47; Other, 8.

Relationships

In discussing OT/IT convergence, it is apropos to also highlight the SOC's relationship to IT operational monitoring. It is the opinion of the author (Crowley) that there are opportunities for tool reuse, converged visibility, collaboration, and coordinated hunting activities if these teams are empowered to share data and ideas. In Figure 28, it looks like a lot of the SOCs agree. The strongly segmented responses, "very little direct communication" (54) and "there is no relationship" (27), are 19% (81) of responses, whereas the strongly positive "integral part, not technically integrated" (119) and "integrative dashboards" (77) are 45% (196) of responses. This is a call to action to leverage your scarce resources to further the collaboration or integration of two core operational capabilities: SOC and IT. The only likely counter-indication the authors see is that the SOC might lose some oversight of potentially malicious or negligent system administrators: an IT admin could also see what the SOC sees about his or her (insider/malicious) activity and adjust to avoid detection. The value of the visibility as a deterrent likely outweighs the risk of a crafty insider intentionally evading monitoring. Our advice? Monitor IT admin access with a behavioral monitoring strategy that identifies patterns attributable to malicious insider activity. This also covers the other common fear about sharing security visibility data with IT peers: that an attacker who seizes credentials uses your tools to see what you see about the attack. That loss of control would likely show up as a behavioral change from the normal baseline of that account, giving you a potential alert, albeit late in the attacker's intrusion.

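As an added example (not from the SANS report), the following Python sketches the behavioral monitoring of admin access that the authors recommend. It builds a per-account baseline from a training window of security-console audit records (source addresses, active hours, actions used) and flags later events that deviate from it, including the two patterns the text describes: an account searching the security data for itself, and an account changing what the SOC can see. The log format, field names, action names and all records are constructed for the example.

```python
"""Baseline-deviation checks on IT admin accounts that can see SOC tooling.

Added example, not from the SANS report. The audit records, field layout and
action names below are constructed to look like a security console's access
log; substitute your SIEM's or console's real audit feed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window, one record per line: timestamp|user|src_ip|action|target
BASELINE_LOG = """\
2022-03-01T09:12:00|jdoe|10.1.5.20|view_dashboard|soc-overview
2022-03-01T10:40:00|jdoe|10.1.5.20|search_events|host=web01
2022-03-02T08:55:00|jdoe|10.1.5.20|view_dashboard|soc-overview
2022-03-02T14:20:00|jdoe|10.1.5.21|search_events|host=db02
2022-03-03T11:05:00|jdoe|10.1.5.20|view_dashboard|noc-health
2022-03-03T16:30:00|jdoe|10.1.5.20|search_events|user=svc_backup
2022-03-04T09:45:00|jdoe|10.1.5.21|view_dashboard|soc-overview
2022-03-04T15:10:00|jdoe|10.1.5.20|search_events|host=web01
"""

# Constructed later activity to score. The last two lines are the scenario in
# the text: the account is used from somewhere new to look up what the SOC
# holds on itself, then to switch off a detection.
NEW_LOG = """\
2022-03-07T10:02:00|jdoe|10.1.5.20|view_dashboard|soc-overview
2022-03-07T02:17:00|jdoe|10.1.5.20|search_events|host=web01
2022-03-08T09:30:00|jdoe|198.51.100.7|search_events|user=jdoe
2022-03-08T09:34:00|jdoe|198.51.100.7|disable_rule|lateral-movement-smb
"""

# Actions that change what the SOC can see; assumed names, never expected from
# an admin who only consumes dashboards and searches.
SENSITIVE_ACTIONS = {"disable_rule", "delete_rule", "export_rules", "suppress_alert"}


def parse(text):
    """Split pipe-delimited audit lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, src, action, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "action": action, "target": target})
    return events


def build_baseline(events):
    """Per user: source addresses, hours of day and actions seen in the training window."""
    base = defaultdict(lambda: {"srcs": set(), "hours": set(), "actions": set()})
    for e in events:
        b = base[e["user"]]
        b["srcs"].add(e["src"])
        b["hours"].add(e["ts"].hour)
        b["actions"].add(e["action"])
    return base


def score_event(e, base):
    """Return the deviation reasons for one event; an empty list means it fits the baseline."""
    b = base.get(e["user"])
    if b is None:
        return ["user_not_in_baseline"]
    reasons = []
    if e["src"] not in b["srcs"]:
        reasons.append("new_source_address")
    if e["ts"].hour not in b["hours"]:
        reasons.append("outside_usual_hours")
    if e["action"] not in b["actions"]:
        reasons.append("new_action")
    if e["action"] in SENSITIVE_ACTIONS:
        reasons.append("visibility_changing_action")
    # Searching the security data for one's own account: learning what the SOC
    # sees about that account, the concern raised in the text.
    if e["action"] == "search_events" and e["target"] == f"user={e['user']}":
        reasons.append("self_lookup")
    return reasons


def find_deviations(baseline_text=BASELINE_LOG, new_text=NEW_LOG):
    """Score every new event against the baseline; return (timestamp, user, action, reasons)."""
    base = build_baseline(parse(baseline_text))
    alerts = []
    for e in parse(new_text):
        reasons = score_event(e, base)
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["action"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, user, action, reasons in find_deviations():
        print(ts, user, action, ", ".join(reasons))
```

On the constructed data the first new event is silent, the 02:17 search fires only for the unusual hour, and the two events from the new address fire for the self-lookup and then for the rule change. In practice the baseline comes from the SOC's own console or SIEM audit log over a window long enough to cover normal shift patterns, and the sensitive-action set is whatever in your tooling can disable detections, suppress alerts or export rules. Note that the alert on the rule change arrives after the account has already been used, which is the "late in the intrusion" caveat the text makes.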
Figure 27. OT Monitoring Strategy (Q3.17: n=326; the 88 respondents with no OT are excluded from the chart)

Figure 28. SOC to IT Relationship (Q3.8: n=432). Question: What is your SOC's relationship to your IT operations? (IT operations in whatever form, such as general IT or a network operations center (NOC).) Options: Our IT/NOC team and SOC team are kept well-informed through integrative dashboards with shared information, APIs, and workflow, where needed (77); Our IT/NOC team is an integral part of our detection and response, although our SOC and IT/NOC activities are not technically integrated (119); Our SOC and IT/NOC teams work together only when there are emergencies; Our SOC and IT/NOC teams have very little direct communication (54); There is no relationship (27); We don't have an IT/NOC team; Other.

Investment: The Determining Factor

Looking at SOC budgets reveals some interesting observations. First, 30% of respondents (71/240) are not aware of the overall SOC budget (see Figure 29). This may reflect respondent role: according to Q2.5, 270 (52%) were in analyst, administrator, or architect roles. However, the next most popular funding amounts in Figure 29 indicate budgets of less than $500,000: less than $100,000 (39), $100,001 to $250,000 (28), and $250,001 to $500,000 (21). While regional variation in staff salaries could certainly play a part here, this does not represent a realistic view of the investment needed to run a SOC, especially if there is a 24/7 performance expectation. In short, a realistic model of required investment should be developed, specifically around a SOC team size of 2 to 10 members.

Most respondents (56%, n=133/236) follow a formal budget process (see Figure 30). But there may be issues in actually determining funding. We asked how the funding was determined, and Figure 31 shows the breakdown. Most respondents (n=93) indicated that SOC management and organization management work closely on this. However, a majority still believe that management decides against SOC leaders' recommendations to some degree when allocating funds (n=83+25+25).

Figure 29. Overall Budget (Q3.51: n=240). Question: What is your estimated annual budget for new hardware, software licensing and support, human capital, and any additional costs? Options (USD): Less than $100,000 (39); $100,001 to $250,000 (28); $250,001 to $500,000 (21); $500,001 to $750,000; $750,001 to $1,000,000; $1 million to $2 million; $2 million to $4 million; $4 million to $8 million; $8 million to $16 million; $16 million to $48 million; Greater than $48 million; Unknown (71).

Figure 30. Budgeting Method (Q3.56: n=236). Question: How would you characterize your process for establishing IT/security budget for next-year funding? Formal (133); Informal, akin to ad hoc (62); Other (38); Unknown (3).

Figure 31. Funding Allocation (Q3.52: n=240). Question: How is funding allocated in your organization? Select the best option. Management and SOC leads/managers work together closely to decide how to allocate funds for cybersecurity (93); the three options in which management decides against SOC management's recommendations to some degree (takes recommendations but ultimately decides, sometimes against them; takes recommendations but frequently goes against them; pays little heed to SOC managers and allocates the cybersecurity budget as it sees fit): 83, 25, and 25; Other (14).

While there seems to be more cooperation and less frustration expressed with organizational management not heeding SOC management's advice on funding, a problem may still remain, suggesting that a formal budgeting method should be derived from metrics showing the need for the work. So, we checked whether the respondents who said they provide metrics tend to operate in an environment with a formal budgeting process. Figure 32 shows a clear difference: formal budgeting is more present where metrics are delivered. We suggest taking this as an attribute of maturity for your SOC.

Figure 32. Budget Method and Metrics (Q3.35 and Q3.56: n=240). Budget versus metrics: whether metrics are provided (Yes, No, Unknown) cross-tabulated against budgeting method (Formal, Informal (akin to ad hoc), Unknown).

Measuring for Success

Metrics are a critical component of the SOC's interaction with the organization, in the authors' opinion. Yet most of the metrics used fail to effectively characterize the value the SOC provides to the business. Admittedly, we are taking the optimistic view that the SOC does provide value and could calculate it. Among respondents, 70% (193/274) indicated that they provide metrics to accomplish this communication (see Figure 33). We asked about satisfaction with these metrics, and of those who answered, 78% (146/187) are either satisfied (92) or very satisfied (54) with them (see Figure 34). We have been conducting this survey for several years, so we looked back at what previous years' responses said about metrics and metrics satisfaction. We compare percentages because the counts varied each year. In 2019, 57% said they provided metrics, but the survey did not include questions on metrics satisfaction. In 2021, 77% provided metrics, of whom 67% were satisfied. This year's survey shows a 7-point drop from 2021 in providing metrics but an increase of about 11 points (67% to 78%) in satisfaction with how these metrics help gauge the effectiveness of the SOC.

Figure 33. Metrics Provided (Q3.35: n=274). Question: Does your SOC provide metrics that can be used in your reports and dashboards to gauge the ongoing status and effectiveness of your SOC's capabilities? Yes (193); No (51); Unknown (30).

Figure 34. Metrics Satisfaction (Q3.36: n=187). Question: How satisfied are you with current SOC metrics used in reports and dashboards to help gauge the ongoing status and effectiveness of your SOC's capabilities? Very satisfied and Satisfied (146 combined, split as given in the text); Not satisfied/Need serious improvement (40); Unknown (1).

Looking at Metrics That Tie Value to Effectiveness

But how do we tie funding to metrics that ascertain how SOC value is determined? Questions 41 to 44 aimed to

determine this by first investigating cost-per-record values related to cybersecurity incidents and then exploring potential methods of calculating the loss prevention the SOC provides. Ultimately, it is the promise of loss prevention that compels organizations to fund SOCs. Let's trace what the respondents said.

It seems that most respondents are not calculating cost-per-record values. Figure 35 shows that 58% answered that they do not calculate this. The authors' recommendation to these respondents and to readers of this report: start this effort. It will be imprecise at first, so be patient and nurturing. But this tactical operational value should be correlated to funding, to secure the right amount of funding to protect the organization's information. Where they have been calculated, the numbers are all over the map, with no clear consensus, as displayed in Figure 36. Consolidating this to eliminate the distinction between record types, there is still no clarity on which is the most common value, as shown in Figure 37. This suggests that the calculations are not consistent and that the conditions of intrusions are not consistent among the respondents. A per-record cost should be consistent between organizations for the same record type. The takeaway here is that this measurement is not done often enough and has yet to achieve consistency across organizations. But there is still value in the effort. As one example, your insurers are using an estimated value for their calculations of your insurance premiums related to this. You should have an idea of handling costs and impact costs.

Figure 35. Cost-per-Record Calculation Percentage (Q3.41: n=239). Question: Have you calculated a "cost-per-record" from an actual incident? Yes (69); No (139); Unknown (31).

Figure 36. Cost-per-Record by Type (Q3.42: n=42). Value per record type: counts of respondents in each value bucket ($1, $1 to $5, $5 to $10, $10 to $25, $25+, Unknown) for each record type (Credit card, Customer account information, Internal user account, Other).

Figure 37. User Account Cost-per-Record (Q3.42: n=42). Chart title "All Record Types": the same value buckets as Figure 36 with the record types combined.

Of course, we went on to ask the next obvious question (in the authors' manner of thinking): whether respondents are calculating the value of the SOC by using some form of comparison between the SOC intervening and the SOC not intervening. As with cost-per-record in Figure 35, most (58%, n=140/244) said that they do not calculate this, as shown in Figure 38. You can see where this is going. If the respondent is calculating it, we wanted to know. So, the next question asked what help the SOC is (if it is, in fact, helping). Only a small number said the SOC's existence made the handling effort more costly than without the SOC (n=7) or the impact more costly (n=4). Many more saw a 10% reduction in handling cost (n=19) and in impact (n=24). The most popular response for handling reduction was a 50% reduction (n=22), with an incident impact reduction of 50% for n=18 respondents (see Figure 39). This provides a compelling story for showing value to management when you go into that formal budget process, to help assure that the organization's management works closely with you to allocate the SOC budget.

Figure 38. Estimated or Calculated Value Provided by the SOC (Q3.43: n=244). Question: Do you have an estimated or calculated "incident with a SOC vs. incident without a SOC" value? Yes (74); No (140); Unknown (30).

Figure 39. Estimated SOC Value (Q3.44: n=73). Estimated relative handling cost with a SOC, two series (Incident cost, Handling cost), by response: 50% reduction of cost; 90% reduction of cost; 10% reduction of cost; Multifold (2x or more) reduction of cost; Actually, cost is higher with the SOC than without it; N/A or unknown reduction of cost.

Summary

We've covered a lot of territory with this survey. It represents a major expansion of our linguistic offering, and we're optimistic that we'll soon offer the survey natively in other languages. We have taken a capabilities-based approach to the concept of a SOC. The way to use this survey is to assess your capabilities compared to your peers. In doing so, you'll see that most SOCs have the same capabilities but accomplish them through varying levels of internal performance and outsourcing. Most SOCs deliver metrics, and many are starting to deliver calculations on the value of the defense provided. For SOCs with lesser maturity, adding missing capabilities is the next step. Doing so through outsourcing often provides speed and a high-value proposition without the accompanying tailoring and customization. The next step would be assuring performance through metrics. For more mature SOCs, delivering calculations related to data protected and loss prevention provided is the step to take.

Follow These Calls to Action

Match your organization against our demographics and related results.
- Compare the size of your organization's workforce versus survey-reported workforce size.
- Check SOC staffing levels in comparison to your business growth over time.
- Evaluate the capabilities of your SOC against those reported in this survey as commonly present, to develop what you lack.
- Compare what survey respondents frequently outsource with what your organization outsources, to evaluate whether there is an opportunity to outsource capabilities or bring them back in-house.

Be sure that the trends which are important to your organization are going in the right direction!
- Define and track the metrics critical to your organization.
- Make sure you have at least one metric that depicts the value your SOC provides.

Explore the "Technology: What Is Getting a Passing Grade?" section to see how your organization stacks up against the community.
- Compare your implementation of technology with how other organizations have implemented it.
- Ask the following hard questions: Are you still just investing in technologies that most other organizations have successfully transitioned to production? When you buy technology for your SOC, do you have a plan to get it deployed to full production? Are you considering the effectiveness of the SOC in budgeting for its resources?
- Make sure your organizational management listens to SOC leadership where it matters!
- Keep your metrics in mind!

Sponsor

SANS would like to thank this survey's sponsor:
