Today, almost all medium-sized (1,000 to 5,000 employees) and large companies (more than 5,000 employees) run some type of SOC, and half of them have had one for more than a year, according to the latest Intel Security study. As the number of incidents continues to increase, security organizations appear to be maturing and using what they learn to educate staff and improve prevention in a virtuous cycle. For example, respondents documented investments to expand SOCs and attributed an increase in investigations to an improved ability to detect attacks. Those who reported a decline in incident investigations attributed it to better protection and processes, the improvements that mature organizations make as the final phase of a security investigation.
These are some of the conclusions in a study commissioned by Intel Security on the current state of security management environments and threat detection capabilities, as well as priority areas for future growth.
Nearly nine out of ten organizations reported having an internal or external SOC, although medium-sized companies are slightly less likely to have one (84%) than large companies (91%). Smaller organizations are generally implementing SOCs a little later: only 44% have had one for more than 12 months, while 56% of the SOCs at large companies have been running for that long. Most SOCs (60%) are currently managed internally, 23% operate with a mix of internal and external support, and 17% are fully external. Of the few organizations that have not yet established a SOC, only 2% have no plans to do so.
Of the 88% of organizations that operate a SOC, the majority (56%) reported using a multifunctional model that combines the SOC with the network operations center (NOC). Organizations in the United Kingdom (64%) and Germany (63%) are even more likely to operate on this model. Dedicated SOCs are in use at 15% of companies and are most prevalent in the United States (21%). Virtual SOCs are the third model, also used by around 15% of respondents, followed by distributed or co-managed SOCs at 11%.
This distribution of implementations has several implications. Most organizations operate at the midpoint of SOC maturity or are moving toward the goal of a proactive and optimized security operation. However, more than a quarter (26%) still operate in reactive mode, with ad hoc approaches to security operations, threat hunting and incident response. This can significantly extend detection and response times, leaving the business at greater risk of significant damage and facing a higher cleanup cost.
Whether because of an increase in attacks or better monitoring capabilities, the majority of companies (67%) reported an increase in security incidents, with 51% saying incidents increased slightly and 16% saying they increased a lot. This finding is consistent with the data loss prevention study released in September 2016 in the McAfee Labs threat report, which found that organizations that monitored their data more closely for leakage reported more incidents of data loss.
Only 7% overall indicated that incidents have decreased, and the remaining 25% said they have remained stable over the past year. There was little variation by country, but the reported increase in incidents grew as organizations got smaller, possibly indicating that criminals have broadened their attack targets. Only 45% of the largest organizations (more than 20,000 employees) reported an increase, compared with 73% of the smallest (fewer than 5,000 employees).
The small group that reported a decrease in incidents overwhelmingly (96%) attributed it to better prevention and processes. Of those who said incidents increased, most felt it was due to a combination of better detection capabilities (73%) and more attacks (57%).
Most organizations are overwhelmed by alerts, and 93% are unable to triage all relevant threats. On average, organizations are unable to sufficiently investigate 25% of their alerts, with no significant variation by country or company size. Almost a quarter (22%) feel they have been lucky to escape with no business impact from the alerts they did not investigate. The majority (53%) reported only a minor impact, but 25% claim to have suffered a moderate or severe business impact as a result of uninvestigated alerts. Larger organizations, perhaps because of their better monitoring capabilities and stable incident levels, are more likely to report no business impact (33%).