Leading SOCs based in the region share their views about the market

Much has happened since the concept of SOCs started and their development and growth are accelerating rapidly. The adoption of SIEM and SOAR solutions gave SOCs the right tools to integrate multiple data sources and correlate events, detect anomalies, and respond effectively to incidents. Security Operations Centers have become the backbone of the prevention, detection and response processes of companies all around the world. 

They currently employ multiple tools, developed internally or from renown vendors, and they are extending their services to include Managed Detection and Response, Red Teaming, Threat Hunting, and are actively integrating AI tools. 

Due to their important and growing role, Ignacio Sbampato (Excalibur) interviewed representatives from three leading European SOCs - S2Grupo, ESET Netherlands and SOC360 - to understand what the opportunities are and challenges they see ahead for their organizations and the market.

• Addressing Customer Diversity 

Security Operations Centers provide services to a variety of companies. That is a challenge by itself, as they need to adapt to diverse and varied environments where they can’t always use the tools they prefer. Moreover, this is not only about the different technology stacks used by the customers that SOCs need to adapt to, but also non-technical aspects that can be completely different across their clients.

• Managing Alert Volume and Complexity 

According to the Global Security Operations Center Study by IBM and Morning Consult, SOC teams only manage to review 49 % of all the alerts they receive, leaving over half of potential threats unexamined. 

The challenge is to quickly filter these alerts to identify and respond to genuine threats, requiring efficient tools and processes. The key is to identify alerts that are meaningful to detect and prevent incidents. Classifying them appropriately and automation are the tools that SOCs have to achieve this.

• Adapting to Rapid Changes 

The number of cyberattacks is on the rise, constantly. Checkpoint Research reports that they have increased by 30 % in Q2 2024, and that, on average, an organization needs to deal with 1,636 attacks per week. Moreover, they have grown in complexity and continue to incorporate different strategies, like targeting supply chain rather than taking a direct approach. 

When 46 % of SOC Teams report that the average time to detect and respond to a security incident has increased over the past 2 years, according to the IBM report mentioned above, there’s a clear impact of how the external changes is affecting security professionals.

• Multi-Stakeholder Engagement 

There are other challenges that SOCs face besides security incidents: building relationships at different organizational levels. ESET Netherlands considers this “crucial”, ask Security Operations Centers must not only engage operational teams but also senior leaders to position themselves as strategic assets.

In many cases, vulnerabilities persist, and incidents take longer to be addressed due to the conflicting priorities and processes within an organization. With the wide array of stakeholders that security teams need to interact with due to the proliferation of technologies in organizations, even when they detect issues, they are not always able to solve them. 

To address challenges and reduce breach risks, the SOC should be positioned as a strategic asset with the authority to make critical decisions on preventing and resolving incidents.

• Talent and Skills Shortage

Much is said about the lack of knowledgeable cybersecurity professionals in the market. The three interviewees - SOC360, S2Grupo and ESET Netherlands - agree that having skilled cybersecurity professionals within their organizations is a significant challenge. 

However, it’s not only about having talent available, but how to manage it. “The bigger challenge is keeping talent engaged in a competitive market”, points out ESET Netherlands. 

SOCs not only need to compete with cybercriminals, as we have discussed above, but also with other SOCs.

If you want to solve any skill or talent shortage, the best solutions are always based on two things: retention and education. SOCs know that investing in their people is their biggest asset and the only way to address this challenge.

Our focus is on creating an environment where people feel welcomed, challenged, and valued. We prioritize people first, business second, and finance third- ESET Netherlands

As with many challenges, it can be transformed into an opportunity, and that’s exactly what SOC360 has done: “We turned the famed skills and talent shortage to our advantage. (…) We hire them and provide them with skills and experience. through the SOC360 Academy.” 

S2Grupo has taken a similar approach: "Talent management is one of our pillars. We make a continuous effort to retain our talent - and generate new - through initiatives like ENIGMA, our own cybersecurity academy.

• Technology Integration and Automation 

Technology is critical for SOC efficiency, as we can already see from reviewing the above topics. However, it is also a challenge in itself. To perform their job, Security Operations Center needs to deal with multiple solutions and data sources in heterogeneous environments. Not every customer from a SOC provider uses the same technologies, and many medium and large organizations have a diverse technology stack. 

Among SOC teams that currently leverage automation, only half are applying it to threat hunting (55 %) and incident enrichment (53 %), according to the IBM research mentioned above.

The task of integrating those technologies, classifying their data, and producing outputs that are useful for security teams to detect and respond to incidents is something that each SOC must address, and not all of them do it in the same way.

According to SANS 2024 SOC Survey, when respondents were asked about the level of satisfaction with the technologies they use, AI/ML are the ones they are the least satisfied with. 

The automation that can help SOCs also depends on the possibility of integrating those technologies. That’s not always possible, which increases the challenges, due to the diverse customer environments we highlighted before.

 Lastly, many tools that SOC teams could use aren’t available or they may not be cost-effective in the competitive team where these service providers operate. This forces them to be creative and build their own tools.

 That’s exactly how SOC360 addressed one of those issues: We realized the lack of certain tools, crucial for our systems. Therefore, we've developed one in-house to tag and note each object that would support our SOC analysts, suggesting the right questions and tags.” Every SOC agrees that technology integration and automation plays a significant role, and that they need to be used for solving security incidents. ". 

Tools like SIEM and comprehensive reporting systems need to be designed with the understanding that SOC services must be communicated and valued at different organizational levels. These tools should also provide insights that are meaningful to executives and board members”, summarizes ESET Netherlands.

After going through some of the most significant challenges, and already discussing some ways to address them, comes the time of discussing what are the opportunities ahead for SOCs, according to them.

1. Transforming SOCs into Strategic Partners

Despite 90 % of CEOs saying they consider cybersecurity a differentiating factor for their products or services to help them build trust among customers, only 15 % have dedicated board meetings to discuss cybersecurity issues, according to Accenture’s The Cyber- Resilient CEO report. 

Moreover, 44 % of the CEOs believe that cybersecurity requires episodic intervention rather than ongoing attention. The CEOs that lead on cybersecurity resilience, according to Accenture, adopt enterprise- wide strategies to reinvent their functions and business units, and embed security in their strategies from the outset.

These “cyber-resilient” CEOs are achieving higher business value than their peers according to above report:

• Two to three times lower breach costs than peers
• Sixteen percent higher incremental revenue growth
• Twenty-one percent more cost reduction improvements
• Nineteen percent healthier balance sheet improvements

2. Leveraging Advanced Technologies 

“The entry of generative AI has changed the rules of the game”, says S2Grupo, and indeed, Artificial Intelligence, Machine Learning and Automation present opportunities to boost efficiency and accuracy. 

These technologies are seen as “force multipliers” and “transformative" by the interviewees, due to how they can enhance threat detection and response, as well as provide relief to SOC analysts when dealing with thousands of daily alerts.

There is a clear way forward where these technologies will improve the performance of Security Operations Center, and leveraging the right balance between them and the experience of analysts will present incredible opportunities to improve the overall cybersecurity posture of organizations.

3. Increased Demand driven by Regulatory Compliance 

The European Union has been working on new regulations since the implementation of GDPR six years ago. NIS2 is to enter effect during this month, with DORA becoming mandatory in January next year. These norms aim to increase the cyber resilience of organizations across the region, and to do that, companies and institutions need to invest time, money and people in fulfilling the requirements, many of them related directly to the services that SOCs provide. 

Compliance requires expertise and SOCs are uniquely equipped. NIS2, DORA and other regulations create the space for them to grow even more.

4. Enhancing Cyber Awareness and Training

The latest Data Breach Investigations Report (DBIR) by Verizon states that 74 % of incidents include a human element, like clicking on a phishing link. Other sources put that number anywhere between 65 to 95 %. 

When asked specifically about this topic, the answer varies, but every one of the interviewees highlights the relevance of training to the employees of the organizations they protect. 

“Our cybersecurity services always take the human factor into account, and as such, we care for and promote the awareness of client employees and stakeholders in general”, emphasizes S2Grupo. They have a specific area dedicated to this topic, named Behavioural Security, formed by dozens of specialized professionals that deliver yearly training to their customers to reduce the possibility of breaches caused by human error. 

Moreover, S2Grupo assesses the state of the cybersecurity practices of their new clients and based on that designs specific awareness and training activities to increase their defences. “We are proud that that there are no incidents related to human error across our oldest clients as a result of these activities”. 

ESET Netherlands believes in a "balanced approach to security awareness training”, and they have introduced a Digital First Responder training for individuals “to respond adeptly in crisis situations” and “be capable of contributing meaningfully to the organization’s security posture”. 

Besides delivering training for their clients and their security teams, SOC360 offers the option to have them working with them for some time to better know and understand how their SOC works. 

Although they don’t provide security awareness training platforms, they do provide managed phishing campaigns services. “It's essential to transform employees into proactive sensors rather than reactive firewalls”, concludes ESET Netherlands, emphasizing on the opportunity of transforming the human element from a cause of breaches into another layer of security.

The Road Ahead

 SOC360, S2Grupo and ESET Netherlands all agree that there are multiple opportunities for Security Operations Center to grow and contribute to a more secure world.

There are technological aspects that will help them to evolve, with automation at the core of many of their tasks, without diminishing the role of the experienced SOC analysts. The key is in how to maximize the time of their teams to perform meaningful tasks and be ready for how the attacks change over time as well as to deal with the complexities of the environments they need to secure. 

A close relationship with their customers, creating truly strategic partnerships with them, is of high importance as well. Effective talent management, growing technology knowledge, integrated platforms, and cooperation across the board are the pillars that the SOCs can be built upon to ensure success for their activities.

Published on 22th of October 2024 in the Cyberhive by Ignacio Sbampato (Excalibur)