Modern Security Operations Center (SOC) Strategies
Modern security operations centers (SOCs) have the potential to protect organizations against an ever-evolving threat landscape through monitoring, detection and response capabilities, but organizational needs and limitations vary. How are leaders currently deploying and maturing modern SOCs?
One-minute insights:
- A hybrid approach is the most common SOC target operating model (SOCTOM)
- Respondents are most commonly satisfied with their SOC’s infrastructure, policies and team skills
- Over half assess their SOC’s operating model at least quarterly if not more often
- The majority of organizations use penetration testing and red team exercises to evaluate SOC capabilities
- Most leaders see opportunities for improvement in their SOC’s aggregation and correlation capabilities
Most organizations have SOCs that use a hybrid operating model and leaders are typically satisfied with their SOC infrastructure
The most common SOC operating model is a hybrid approach combining internal and external resources (63%), while just over a third (34%) run a fully internal SOC.
The majority of leaders feel satisfied with their SOC’s infrastructure (83%), IT security policies (80%) and team skills (75%), but costs show room for improvement as just over half (55%) feel satisfied with this aspect.
Gaining true, 100% visibility into our environment has been the biggest goal for our SOC.
Resources and skills are the main challenge for us.
Many leaders assess their SOC models at least quarterly and change them in response to transformation initiatives or evolving threats
Organizations typically changed their SOCTOM due to new or updated digital transformation initiatives (68%), developments in the threat landscape (54%) or changing third-party providers (51%).
Our strategy has evolved with the launch of our own digital services — we now need a responsive, available SOC.
Our SOC has been augmented by a third party to keep up with skills and tools required.
It's a never-ending update process.
SOC research and development processes need to be improved, as do aggregation/correlation capabilities
64% of respondents say their research and development processes are among those that require the most improvement. Many also see optimization opportunities in their incident response playbooks (45%), as well as log management (35%) and ticketing (32%) processes.
Over half (57%) find their SOC’s aggregation/correlation capabilities lacking. Data mobility (46%) and reporting (39%) capabilities in the SOC are also common target areas for improvement.
False positive[s] and alert fatigue continue to be a major challenge for our SOC.
Unfortunately, due to the economic crisis, we have to make do with what we have. The team is on continuous high alert and barely has time to breathe due to lack of funding and quiet resignation. It's a really tough period.