Empowering Security Teams for Success: 4 Key Takeaways from the SANS 2024 SOC Survey
As cybersecurity threats continue to evolve, empowering security teams with the right strategies and tools is essential for protecting organizations effectively. Commissioned by SANS, the highest standard in cybersecurity education, the 2024 SOC Survey provides a comprehensive look into the current priorities and challenges faced by security leaders.
Here, I’ll delve into my impressions of the study's key findings, offering actionable insights that can empower security professionals to refine their approaches to threat detection, response coordination, and operational resilience. By embracing these key takeaways, security teams can enhance their readiness to combat cyber threats and strengthen organizational defenses.
1. Most SOC Teams Are Misaligned on Organizational Budgets
When asked to estimate their annual budget for new software licensing, staffing, and similar costs, the most common response among surveyed SOC specialists by far was "Unknown." This points to a fundamental misalignment between SOC staff and management around the organizational budget process. A SOC that does not know what it can spend cannot plan tool renewals, hiring, or training, so resources get allocated late or not at all and response to threats slows. The practical result is coverage gaps that persist longer than they should, and with them a higher chance of a breach.
The study also highlights a challenge shared by nearly every CISO: budgets are flat, and in many cases shrinking. This financial constraint makes it imperative for organizations to be more strategic in their spending. To do more with less, the emphasis should be on platforms whose capabilities span several parts of the architecture (endpoint, identity, network, cloud) rather than point solutions that serve a single purpose.
2. Increased Automation and Orchestration Across SOC Teams
Automation and orchestration have been buzzwords in the cybersecurity space for over a decade, yet there remains a significant gap in their effective implementation. SOAR (Security Orchestration, Automation, and Response) solutions have brought some progress, but much work still needs to be done, and the gap is not closed simply by buying a dedicated automation platform.
Cybersecurity tools should come equipped with open APIs so that they can be integrated and driven by other tools, which is what makes more sophisticated defensive strategies possible. For example, automated processing of user-reported phishing emails (parsing the reported message, extracting URLs and attachment hashes, checking them against threat intelligence, and purging confirmed copies from every mailbox) can greatly reduce response time and stop an attack before the second victim clicks. These are the types of capabilities that would enhance your SOC team's output.
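To make the phishing example concrete, here is an added triage routine of the kind a SOAR playbook would run on each user-reported message. It is example code written for this article, not code from the survey or from any vendor product. The sample messages, the blocklist, the internal domain and the score thresholds are constructed assumptions standing in for a real threat-intel feed and the team's own tuning; the "actions" it returns are what a playbook would then execute through the mail, proxy and EDR APIs.

```python
"""Automated triage of a user-reported phishing email (added example).

Not code from the SANS survey or any SOAR product. The messages, the
blocklist, INTERNAL_DOMAIN and the score thresholds are constructed
assumptions standing in for a threat-intel feed and the team's tuning.
"""
import email
import email.utils
import hashlib
import re
from email import policy
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"            # assumption: the org's mail domain
BLOCKED_HOSTS = {"example-corp-support.net"}    # constructed threat-intel entry
EXEC_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed sample: what a user forwards to the SOC's report-phish mailbox.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: reset@example-corp-support.net
To: alice@example-corp.com
Subject: Action required: password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it here:
http://example-corp-support.net/reset?user=alice

--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed benign report, to show the pipeline does not alert on everything.
BENIGN_EML = """\
From: Bob <bob@example-corp.com>
To: alice@example-corp.com
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

See https://wiki.example-corp.com/lunch for today's menu.
"""


def _domain(header_value):
    """Domain part of an address header, lower-cased; '' if absent."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_internal(host):
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def triage(raw):
    """Parse one reported message; return findings, score, verdict and the
    response actions a playbook would fire through tool APIs."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings, urls, attachments, bad_hosts = [], [], [], set()
    score = 0

    from_domain, reply_domain = _domain(msg["From"]), _domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        score += 2

    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.is_attachment():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "(unnamed)"
            attachments.append({"name": name, "sha256": hashlib.sha256(data).hexdigest(),
                                "bytes": len(data)})
            if name.lower().endswith(EXEC_EXTENSIONS):
                findings.append(f"executable attachment {name}")
                score += 3
            if data.startswith(b"MZ"):          # PE header, whatever the extension says
                findings.append(f"attachment {name} is a Windows executable")
                score += 3
        elif part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))

    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host in BLOCKED_HOSTS:
            findings.append(f"URL host {host} is on the blocklist")
            score, bad_hosts = score + 4, bad_hosts | {host}
        if host and not _is_internal(host) and INTERNAL_DOMAIN.split(".")[0] in host:
            findings.append(f"URL host {host} impersonates {INTERNAL_DOMAIN}")
            score, bad_hosts = score + 2, bad_hosts | {host}

    verdict = "malicious" if score >= 6 else "suspicious" if score >= 2 else "benign"
    actions = []
    if verdict == "malicious":
        actions.append(f"purge message with subject {str(msg['Subject'])!r} from all mailboxes")
        actions += [f"block host {h}" for h in sorted(bad_hosts)]
        actions += [f"block hash {a['sha256']}" for a in attachments]
    return {"findings": findings, "urls": urls, "attachments": attachments,
            "score": score, "verdict": verdict, "actions": actions}


if __name__ == "__main__":
    for raw in (SAMPLE_EML, BENIGN_EML):
        result = triage(raw)
        print(result["verdict"], result["findings"], result["actions"])
```

The scoring is deliberately additive and explainable: each finding is a sentence an analyst can read in the ticket, and the verdict thresholds are the knob the team tunes. In a real deployment the blocklist lookup and the final actions become API calls to the mail gateway, proxy and EDR, which is exactly why those products need open APIs.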
3. Widespread Dissatisfaction with AI/ML Tools
The survey results also revealed a notable dissatisfaction with artificial intelligence (AI) and machine learning (ML) tools, which isn't surprising given the recent hype. Many vendors claim their solutions are "powered by AI," which leads to a fair amount of skepticism across the industry—especially when those same vendors cannot explain what that means.
A friend of mine was recently evaluating MDR vendors and found one that touted AI capabilities, only to learn it was used merely to generate reports post-analysis. This superficial use of AI, bolted on rather than integrated into core functionality, contributes to the disappointment. With so much gimmickry and so many misleading claims, security professionals spend considerable time distinguishing genuine solutions from those that are merely marketing AI.
In contrast, AI/ML applied properly excels at consuming large volumes of diverse data, identifying underlying patterns, and making decisions grounded in historical data. Used effectively, it can ingest internal telemetry, learn what the environment looks like, and adapt without explicit programming to detect rapidly evolving threats. We should seek solutions that use AI/ML at their core to detect anomalies: instead of asking whether something is bad, our security solutions should determine whether it is normal for this user, host or service. Two caveats a practitioner will want to keep in mind: a baseline learned while an attacker is already present will treat that activity as normal, and entities with too little history cannot be scored at all, so a good system says "insufficient baseline" rather than raising a noisy alert.
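The following added example shows the "is it normal?" approach in its simplest form, without any ML library: a per-user behavioural baseline built from a learning window, then used to score new logins. It is example code written for this article, not a vendor's detection logic or anything from the survey. The login telemetry is constructed, and the thresholds MIN_BASELINE_EVENTS and RARE_SHARE are assumptions that a real deployment would tune. Note that night-time logins are normal for one user and anomalous for another; a global rule could not express that.

```python
"""Per-user behavioural baseline: score a login by how normal it is for
that user rather than by matching a known-bad signature (added example).

Not code from the SANS survey or any vendor. The telemetry is
constructed; MIN_BASELINE_EVENTS and RARE_SHARE are assumed thresholds.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta

MIN_BASELINE_EVENTS = 30   # assumption: below this the profile is too thin to score
RARE_SHARE = 0.05          # assumption: a value seen in <5% of a user's events is "rare"


def constructed_baseline():
    """Constructed 28 days of successful logins as (user, iso_timestamp, country).
    alice works US daytime; bob is a night-shift operator in DE."""
    events = []
    for d in range(28):
        day = (date(2024, 5, 1) + timedelta(days=d)).isoformat()
        for h in (8, 9, 13, 17):
            events.append(("alice", f"{day}T{h:02d}:15:00", "US"))
        for h in (22, 23, 0):
            events.append(("bob", f"{day}T{h:02d}:40:00", "DE"))
    # Two early starts for alice: rare, but still part of her normal.
    events.append(("alice", "2024-05-07T06:30:00", "US"))
    events.append(("alice", "2024-05-21T06:45:00", "US"))
    return events


@dataclass
class Profile:
    hours: Counter = field(default_factory=Counter)      # hour-of-day -> count
    countries: Counter = field(default_factory=Counter)  # source country -> count
    total: int = 0


def build_profiles(events):
    """Learn each user's hour-of-day and source-country distributions.
    The learning window is assumed clean: an attacker active during it
    would be baked into 'normal', which is the classic failure mode of
    baselining and the reason the window should be reviewed first."""
    profiles = {}
    for user, ts, country in events:
        p = profiles.setdefault(user, Profile())
        p.hours[datetime.fromisoformat(ts).hour] += 1
        p.countries[country] += 1
        p.total += 1
    return profiles


def score_login(profiles, user, ts, country):
    """Verdict for one login against that user's own profile:
    'unscored' (thin baseline), 'normal', 'suspicious' (rare value) or
    'anomalous' (a value never seen for this user)."""
    p = profiles.get(user)
    if p is None or p.total < MIN_BASELINE_EVENTS:
        return {"user": user, "verdict": "unscored",
                "reasons": ["insufficient baseline; keep learning, do not alert"]}
    hour = datetime.fromisoformat(ts).hour
    features = (("hour", hour, f"{hour:02d}:00", p.hours),
                ("country", country, country, p.countries))
    reasons, never_seen = [], False
    for name, key, label, counter in features:
        share = counter[key] / p.total
        if share == 0:
            reasons.append(f"{name} {label} never seen for {user}")
            never_seen = True
        elif share < RARE_SHARE:
            reasons.append(f"{name} {label} is rare for {user} ({share:.1%} of baseline)")
    verdict = "anomalous" if never_seen else "suspicious" if reasons else "normal"
    return {"user": user, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    profiles = build_profiles(constructed_baseline())
    # Constructed new events to score.
    for ev in (("alice", "2024-06-03T03:12:00", "RU"),
               ("alice", "2024-06-03T09:05:00", "US"),
               ("alice", "2024-06-04T06:30:00", "US"),
               ("bob", "2024-06-03T23:40:00", "DE"),
               ("carol", "2024-06-03T10:00:00", "US")):
        print(score_login(profiles, *ev))
```

The point of the three-way verdict is operational: "anomalous" is worth an analyst's time, "suspicious" is worth enrichment or a lower-severity queue, and "unscored" is deliberately silent so that every new starter does not become a ticket. Real systems add more features (device, ASN, volume) and decay old history, but the structure is the same.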
4. Staffing Issues Impede Full SOC Utilization
When asked about the biggest barrier in their SOC today, a significant share of respondents (29%) gave answers directly related to staffing: "high staffing requirements" and "lack of skilled staff." Unfortunately, staffing issues in the SOC are nothing new. Sustaining high-pressure work over years takes skilled analysts, and burnout makes retention a constant concern. Typical tenure has been one to three years, though the survey shows this slowly shifting toward three to five years.
While the study does not delve deeply into solutions for the staffing problem, the advances in automation and AI discussed above could play a crucial role. By automating routine tasks and extending the capabilities of existing tools, organizations can operate effectively with smaller teams. Just as important, this lets cybersecurity professionals spend their time on the strategic and creative parts of the job, which may make the field more attractive to new talent and keep experienced analysts from leaving.
Evolving Cybersecurity Strategies for Tomorrow's Threats
The SANS 2024 SOC Survey underscores the need for a strategic overhaul in how cybersecurity is approached in organizations. By investing in versatile tools, embracing automation, and setting realistic expectations for AI and ML, cybersecurity professionals can not only enhance their defensive capabilities but also ensure a more robust alignment with organizational goals and resources. As the landscape of cyber threats continues to evolve, so too must our strategies to combat them.
Interested in learning more about current SOC trends? Get the full report below!