4 CRR 4.0 Self Assessment-NIST CSF v1.1 Crosswalk-April 2020
The lead author (Crowley) has heard many times that just taking the survey is good for SOC
staff and managers, because it is challenging and thought-provoking. If you’re reading this
and it provides value, please be sure to take the survey in 2024! We’re already planning
enhancements and updates. We’re also hoping to hear from you what you’d like to read
about in the future. If you have analysis that you’d like to perform, the deidentified raw
data set and a Jupyter notebook (Python) are available for download and analysis at
https://soc-survey.com. Among this year’s top findings:
• More than 75% of respondents detected incidents before external notification, 9% via
proactive threat hunting (Q3.31, n = 327).
• 84% of SOCs collect and expose metrics, including these top three:
- Quantity of incidents
• SOAR work style increases effectiveness more than it reduces staffing needs.
• SOC funding follows a traditional IT model: SOC budget requests go up, allocations
come back down.
Figure 1 on the next page provides a snapshot of the demographics for the respondents to
the 2023 survey.
Figure 1. Respondent demographics for the 2023 survey. Organization size bands: Small/Medium
(1,001–5,000), Medium (5,001–15,000), Medium/Large (15,001–50,000), Large (more than 50,000).
Top industries: Technology, Banking and finance, Government. Each gear represents 10
respondents; each building represents 25 respondents. Location counts: Ops: 432, HQ: 338; for
SOC manager or director: Ops: 149, HQ: 28.
We asked about visibility into data and ingestion choices made for data into SIEM. Everything (Q3.5,
171/600, 28.5%) and some selectiveness based on risk (Q3.5, 169/600, 28.2%) were top explanations,
with a monthly review (Q3.7, 105/239, 43.9%) being the most common frequency for those who said
they reviewed ingestion (Q3.6, 256/597, 42.9%) on a periodic basis.
Aligned to the VERIS structure of detection sources, we asked respondents to identify the ranking
of incident discovery. A little over two-thirds of respondents (Q3.31, 246/327, 68.3%) indicated
that monitoring/alerting was most frequently responsible for detection. See Figure 2 on the next
page.
Figure 2. Ranking (1–5) of incident discovery sources (Q3.31, n = 327): Monitoring/alerting
(ranked first by 68.3%), Hunting, User reported, Third party/external notification (e.g., law
enforcement), Other.
Key Findings
“Do more with less” is a hallmark clarion call, trite and honest. There
are only limited resources in the organization, and SOC managers
who can show connections from increased investment in the SOC to
improvements in business-relevant metrics are in the best position to
benefit from that increased spending on cybersecurity. Nonetheless, in
the past 10 years, cybersecurity budgets have increased substantially.
Figure 5. Estimated Annual Budget (Q3.68, n = 307). Question: What is your estimated annual
budget for new hardware, software licensing and support, human capital, and any additional
costs? Recovered values: $4 million–$8 million USD 3.9%; $8 million–$16 million USD 2.6%;
$16 million–$48 million USD 1.3%; Greater than $48M USD 1.3%.
Metrics are regularly used in SOCs—only a small portion (Q3.47, 39/349, 11.2%) said “No,” they
don’t, and 22.6% (Q3.48, 28/124) expressed being “not satisfied” with current metrics. A later
section will discuss metrics in more detail.
To understand how SOCs can use metrics to move to better performance, we asked if they have a
method for calculating the value the SOC provides. This is
a tricky calculation, because it expresses the value of something not occurring. It’s no
surprise that people are trying, but there isn’t clarity or consistency in doing this, partially
because it isn’t easy. As a result, more than half (Q3.55, 184/327, 56.3%) of the responses
indicated people aren’t trying to calculate this.
1 https://www.gartner.com/newsroom/id/3539117
less reduction in handling and incident impact cost.
To facilitate the estimate of reduction we’re asking about in Q3.56, there’s typically a value
assigned to assets: when those assets are challenged by an actual attacker, the SOC gets to
claim a reduction due to its preparation (reduced handling costs) and ability to intervene
(reduced incident costs) to minimize damage.
Figure 6. Estimated Handling and Incident Cost Reduction (Q3.56, n = 76, 77). Recovered rows
(Handling Cost / Incident Cost): 90% reduction of handling cost 10.5% / 18.2%; Multi-fold (2x
or more) reduction of handling cost 2.6% / 7.8%; Actually, handling cost is higher with the SOC
than without it 2.6% / 2.6%.
So, what’s the basis of the value claimed? We asked respondents if they have a cost per record.
Most (Q3.53, 160/323, 49.5%) said no, but there’s a high (Q3.53, 63/323, 19.5%) percentage who
don’t know if they have a cost per record or not. See Figure 7. We’ll delve deeper into these
record types and costs later in this paper.
Figure 7. Cost per Record Based on Incident Data (Q3.53, n = 323). Question: Have you
calculated a “cost per record” from an actual incident? Yes 31.0%; No 49.5%; Unknown 19.5%.
It takes qualified people to run a SOC. This has been a consistently reported aspect for the
past six years of the survey. Again this year, we asked many survey questions related to staff
and appropriate qualifications. But the most common question encountered in the authors’
experience related to SOC staff is “How many are required?” This is typically in the form of
something like, “If [company] in [industry] has [number of employees], then how many people
are needed to staff the SOC?” The cynical author has started simply answering, “around 25,”
because in the survey data, the most common (Q3.58, 83/335, 24.8%) SOC size is between 11 and
25 staff. See Figure 8.
Figure 8. SOC staffing level in FTEs (Q3.58, n = 335). Questions: What is the total internal
staffing level (i.e., all related positions) for your SOC, expressed in terms of full-time
equivalents (FTEs)? What is the number of FTEs specifically assigned to the management of your
SOC systems, not just to analysis of the data from your SOC systems? Bands: <1 (part-time), 1,
2–10, 11–25, 26–100, 101–1000, >1000, Unknown; the most common total staffing band is 11–25 at
24.8%.
Key Challenges
Now that we’ve identified some key elements within the results, let’s address the key
[Figure fragment, key challenges] Question: What is the greatest challenge (barrier) with regard
to full utilization of your SOC capabilities by the entire organization? Select the best option.
Recovered value: Lack of context related to what we are seeing 16.0%.
2 www.sans.org/white-papers/sans-2022-soc-survey
the survey define a SOC?” The way this
that the capabilities we inquire about are
done. Figure 12 shows a list of capabilities sorted on if they’re done, regardless of whether
they’re done internally, outsourced, or both.
Figure 12. Capabilities Performed, Sorted by Total (Q3.13, n = 545). Recovered rows (three
counts each, scale 0–500): Red-teaming 194, 85, 189; Other 67, 47, 54; SOC architecture and
engineering (specific to the systems running your SOC) 12, 5, 11; Vulnerability assessments 6.
not a requirement and, hence, not done.
The authors see the categories more likely to be outsourced—forensics, pen-testing, and threat
3 www.sans.org/security-resources/glossary-of-terms
Centralized, all in one physical location SOCs might still allow work from home, for example.
But the physical work location where the staff “sit” is still one geographic region. The other
aspect of this centralized and distributed notion is where the data used by analysts to view
alerts resides. The centralization of all data into a SIEM from cloud resources doesn’t always
make sense from a value proposition. So, where the people are and where the data is are not
necessarily the same. Related, some jurisdictions and industry verticals prefer (or are legally
obligated) to keep data within the country or within organizationally owned systems. This makes
architecting the SOC systems complicated. What’s more, SOC staff may have strong opinions on
working together as a team—meaning being together in one place. If scarcely available staff
insist on a specific arrangement, it is likely to manifest in the SOC architecture.
Figure 16. Structure of SOC (Q3.8, n = 557). Question: Select the option that best reflects the
size and structure of your SOC environment. Single, central SOC 48.7%; Multiple, hierarchical
SOCs 19.9%; Multiple, unorganized SOCs 13.6%; Multiple, standalone/siloed SOCs 8.3%; Multiple,
parallel, redundant SOCs looking at same data 5.9%; Other 3.6%.
In Figure 16 we see the continuation (in this survey’s history) of the single, central SOC
dominating (Q3.8, 271/557, 48.7%) the responses.
In Figure 17 we see the same signaling we’ve seen for the past three years. “Cloud-based
services” is projected to be the architecture next year (Q3.9, 130/527). But, based on the
percentage of “current” in 2021 (12.9%), 2022 (15.2%), and now in 2023 (19.8%), we’re seeing
only a modest change represented in the responses in the survey. We don’t track individual
responses from year to year so we don’t know if people are saying they will change but not
doing it, or if the respondent composition year after year has the same forward-looking
thought but doesn’t achieve the change.
Figure 17. SOC architecture deployed today and in the next 12 months (Q3.9). Question: How is
your SOC infrastructure (i.e., your SOC architecture) deployed today, and how might it change
over the next 12 months? Select the best choice for each. If you select the same answer for
Present and Future, SANS will assume no change. Values (Current / Next 12 Months): Cloud-based
SOC services 19.8% / 24.7%; Partial SOCs in regional locations 9.2% / 5.9%; Full SOCs
distributed regionally 11.0% / 12.9%; Centralized and distributed regionally 19.0% / 18.8%;
Centralized into a single SOC 32.1% / 32.6%; Informal SOC, no defined architecture 7.0% / 3.2%;
Other 2.0% / 1.9%.
(Q3.23, 80/434, 18.4%) indicating they do not run 24 hours a day, as shown in Figure 18. The
architectural decision of running non-stop drives quite a bit of outsourcing, with 49% of the
overall answers (Q3.23, 213/434, 49.0%) and 61% of the yes answers (Q3.23, 213/349, 61%)
indicating outsourcing was used in whole or in part to accomplish non-stop operations.
Figure 18. SOC 24/7 Operations (Q3.23, n = 434). Recovered values: Yes, outsourced only 24.2%;
Yes, mixed internal/outsourced 24.9%; No 18.4%; Unknown 1.2%.
We’ll describe composition of staff and staff roles in a moment. First, keeping with the
architectural focus, we consider remote work for SOC staff as an architectural attribute. When
we dive into the staff section, we will describe what factors enable individual employees to
work remotely.
Almost three-quarters of respondents (73%) say staff are allowed to work remotely (Q3.24,
318/435, 73.1%). See Figure 19.
Figure 19. Remote work allowed for SOC staff analysts (Q3.24, n = 435). Question: Do you allow
SOC staff analysts to work remotely? Yes 73.1%; No 19.3%; Unknown 7.6%.
Necessarily, some of the respondents who said they work in a centralized SOC also responded
that the SOC allows remote work. So, we delved into this set. Of the respondents (Q3.8, n = 271)
who say they have a single central SOC, 58% (Q3.24, 157/271, 57.9%) indicate that remote work
is allowed. See Figure 20.
SOC Staff
How many staff are there currently in the SOC, and is that the right number? This is an
important question with multiple attributes to explore.
Each SOC could probably do more or operate at higher quality with more qualified people. The
SOC is a space where adding people risks detracting from performance despite added expense.
Most SOCs struggle to effectively incorporate new or junior staff. They can only tolerate
onboarding a small volume of staff who need substantial on-the-job training to develop the
required knowledge, skills, and abilities. Why? It is the opinion of the authors that:
1. SOCs aren’t designed, built, or operated to address the human capital cycles that actually
occur; and
2. SOCs are chronically understaffed to the degree that tasking those busy people to help
address the shortcoming is essentially loading on one more new skillset (training others) for
the SOC staff to try to master.
Figure 20. Remote work allowed, by SOC structure (Q3.8 and Q3.24). Question: Do you allow SOC
staff analysts to work remotely? Counts (Yes / No / Unknown): Single, central SOC 157 / 33 / 3;
Multiple, hierarchical SOCs 81 / 21 / 6; Multiple, unorganized SOCs 54 / 17 / 14; Multiple,
standalone/siloed SOCs 25 / 14 / 7; Multiple, parallel, redundant SOCs looking at same data
17 / 11 / 1; Other 8 / 0 / 2.
4 www.inc.com/business-insider/tech-companies-employee-turnover-average-tenure-silicon-valley.html
[Figure fragment] Other 1.9%; Encryption 1.3%; Telecommunications 0.3%.
Most readers of this document don’t need to meet the strict physical, technology, and
administrative requirements of a USDOD Secret (or higher) network. So, they’re left to
decide if the data can go to a SOC analyst’s home computer or not—usually without any
rigorous standard of quantitative assessment. We suggest using the aforementioned “value of a
record calculation” as a start to this effort, but regrettably can’t provide a simple equation
to do this risk vs. expense calculation.
See Figure 27 describing the factors involved in allowing a SOC analyst to work remotely. Tied
for first (Q3.25, 125/289, 43.3%) were the role of the SOC staff, and if secure access to data
is feasible. We presume that some SOCs deal with data that is considered “on premises only,”
and analysts supporting those SOC-monitored systems aren’t allowed to work remotely. There
might also be a rationale for citing that the data doesn’t need to be on premises per se, but
remote access technology is not adequate for the security sensitivity. Most SOCs would err on
the side of caution within these parameters.
Figure 27. Remote Work Factors (Q3.25, n = 289). Question: What factors are considered in
determining whether a SOC staff analyst can work remotely? Select all that apply. Role 43.3%;
Platforms securely support remote workforce 43.3%; Skill set 40.5%; Individually negotiated
32.2%; Seniority 31.5%; Work ethics 27.3%; Other 10.7%.
Making sure the work–life balance is appropriate for the long term and adding tooling
to relieve analysts of needless and frustrating tedium are likely to give them a sense of
career progression, wherever they work.
See Figure 30 for the big jump (more than double the next lower value) and the ranking of the
rest of the items.
In the long-form qualitative responses, SOC managers’ most common need was analysts with broad
technical knowledge vs.
[Figure fragment] Analysis: Risk analysis and assessment 7.5%; Net: VPN (access protection and
control) 7.2%; Analysis: Customized or tailored SIEM use-case monitoring 7.2%; Analysis: SOAR
(Security Orchestration, Automation, Response) 7.2%; Net: Asset discovery and inventory 6.5%;
Net: Next-generation firewall (NGF) 6.5%; Net: DoS and DDoS protection 5.9%; Analysis: AI or
machine learning 5.9%; Host: User behavior and entity monitoring 5.6%; Net: DNS security/DNS
firewall 5.6%; Net: Email security (SWG and SEG) 4.2%; Log: Endpoint application log monitoring
3.6%.
Figure 32. MSSP Metrics/KPIs/SLAs Used, Enforced, and Consistently Met (Q3.50, n = 256)
Based on popularity, the top values for each type are:
• Internal user account: $1–$5 (Q3.54, 24/103)
• Customer account information: $1–$5 (Q3.54, 23/103)
• Credit card: $5–$10 (Q3.54, 22/103)
The definition of “cost per record” varies and is hard to estimate—a high percentage of
respondents indicated they were not using cost per record. Large incidents can be the most
damaging, but actually show the lowest cost per record. Conversely, ransomware attacks can
disrupt an entire business by encrypting one key file with a small number of records, if any.
The SOC metric of time to detect/respond/restore represents the only part of cost/record that
the SOC actually owns. Having an accurate estimation of that metric enables the SOC to support
business needs for a cost/record estimate.
Figure 33. Cost per Record (Q3.54, n = 103). Percentage of respondents per record type (credit
card, other, and the account types listed above) in the bands Unknown, <$1, $1–$5, $5–$10,
$10–$25, and $25+.
Budget and Funding
How much does all this cost? Figure 34 shows the responses at varying budget sizes. That the
most popular answer is “Unknown” by a
Figure 34. Estimated annual budget. Question: What is your estimated annual budget for new
hardware, software licensing and support, human capital, and any additional costs? Recovered
values: Unknown 22.1%; Less than $100,000 USD 9.8%.
reinforce bad behavior to show management that the SOC is needed by running up the count of
incidents. The more likely use of this metric is showing how many issues arise that need
appropriate detection and response, and possibly using this for a “cost per record” type
justification.
Figure 35. Metrics Used to Justify Funding (Q3.75, n = 282). Recovered values: Time to discover
all impacted assets and users 23.0%; Number of incidents closed in one shift 22.7%; Downtime
for workers or duration of business outage per incident 20.6%; Losses accrued vs. losses
prevented 19.1%; Threat actor attribution (using threat intelligence) 17.7%; Monetary cost per
incident 17.0%; Thoroughness and accuracy of enterprise sweeping (check all information systems
for indicators of compromise) 12.8%; Other 3.9%.
The next two most highly cited metrics (time to detect/eradicate and percentage of incidents
exploiting unknown vulnerabilities) are of much more value for both corporate management and
SOC operations. The board is not interested in how many raindrops are hitting the roof; they
want to know if we are getting better at finding the leaks and fixing them before the business
damage occurs.
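The cost-per-record discussion and the time-to-detect/eradicate/restore metrics above are only
useful to a board if they are computed the same way every time. The Python below is an added
example written for this page, not the survey’s Jupyter notebook or any code from the authors.
The Incident fields and the four incident records are constructed assumptions; the detection
sources follow the VERIS-style categories the survey uses (Q3.31). It also handles the failure
mode the text names: an incident with no affected records (the ransomware case) gets no cost
per record rather than a division by zero.

```python
"""SOC incident metrics: time to detect/eradicate/restore, detection-source mix,
and cost per record, computed from incident records.

Added example for this page; it is not the survey's Jupyter notebook or the
authors' code. The Incident fields and the four sample incidents are
constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Iterable, Optional

# VERIS-style detection sources used by the survey (Q3.31). An incident
# "detected before external notification" was detected by one of these.
INTERNAL_SOURCES = {"monitoring/alerting", "hunting", "user reported"}


@dataclass(frozen=True)
class Incident:
    name: str
    first_activity: datetime  # earliest known attacker activity
    detected: datetime        # when the SOC (or someone else) became aware
    eradicated: datetime      # threat removed from the environment
    restored: datetime        # business services back to normal
    detected_by: str          # VERIS-style source, e.g. "monitoring/alerting"
    records_affected: int     # 0 when no records were involved (e.g. ransomware on one file)
    total_cost_usd: float     # handling cost plus business impact, as booked


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def cost_per_record(inc: Incident) -> Optional[float]:
    """Cost per record for one incident, or None when no records were affected,
    so a ransomware incident yields no bogus value instead of a ZeroDivisionError."""
    if inc.records_affected <= 0:
        return None
    return inc.total_cost_usd / inc.records_affected


def summarize(incidents: Iterable[Incident]) -> dict:
    """The metrics the survey discusses, computed consistently over a set of incidents."""
    incs = list(incidents)
    if not incs:
        raise ValueError("no incidents to summarize")
    for inc in incs:
        # Every duration below is meaningless unless the timeline is monotonic.
        if not (inc.first_activity <= inc.detected <= inc.eradicated <= inc.restored):
            raise ValueError(f"{inc.name}: timestamps out of order")
    ttd = [hours_between(i.first_activity, i.detected) for i in incs]  # time to detect
    tte = [hours_between(i.detected, i.eradicated) for i in incs]      # time to eradicate
    ttr = [hours_between(i.detected, i.restored) for i in incs]        # time to restore
    internal = sum(1 for i in incs if i.detected_by in INTERNAL_SOURCES)
    hunting = sum(1 for i in incs if i.detected_by == "hunting")
    # Aggregate cost per record divides totals, and only over incidents that had records.
    with_records = [i for i in incs if i.records_affected > 0]
    total_cost = sum(i.total_cost_usd for i in with_records)
    total_records = sum(i.records_affected for i in with_records)
    return {
        "incidents": len(incs),
        "mean_ttd_h": round(mean(ttd), 2),
        "median_ttd_h": round(median(ttd), 2),
        "mean_tte_h": round(mean(tte), 2),
        "mean_ttr_h": round(mean(ttr), 2),
        "pct_detected_internally": round(100.0 * internal / len(incs), 1),
        "pct_detected_by_hunting": round(100.0 * hunting / len(incs), 1),
        "aggregate_cost_per_record_usd": (
            round(total_cost / total_records, 2) if total_records else None
        ),
        "cost_per_record_by_incident": {i.name: cost_per_record(i) for i in incs},
    }


def sample_incidents() -> list:
    """Four constructed incidents (not survey data) illustrating the text's points."""
    t0 = datetime(2023, 3, 1, 0, 0)

    def h(n: int) -> datetime:
        return t0 + timedelta(hours=n)

    return [
        # Caught quickly by monitoring; few records, so a high per-record cost.
        Incident("phish-01", h(0), h(2), h(6), h(8), "monitoring/alerting", 150, 30_000.0),
        # Large breach found only via external notification: lowest cost per record.
        Incident("breach-02", h(0), h(240), h(264), h(300),
                 "third party/external notification", 1_000_000, 2_000_000.0),
        # Ransomware encrypting one key file: large impact, no records to divide by.
        Incident("ransom-03", h(0), h(1), h(48), h(120), "user reported", 0, 500_000.0),
        # Found by proactive hunting.
        Incident("hunt-04", h(0), h(72), h(80), h(80), "hunting", 2_000, 40_000.0),
    ]


if __name__ == "__main__":
    for key, value in summarize(sample_incidents()).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary for the constructed set. Note that the aggregate cost
per record divides total cost by total records rather than averaging per-incident ratios, which
is why the one large breach dominates it and lands near $2 while the small phishing incident is
$200 per record; that is the effect the text describes when it says large incidents show the
lowest cost per record.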
Summary
We asked a lot of questions, but
we also wanted to know what
respondents would ask other
SOCs. Here at the closing, the
authors have selected their favorite
question: “How have you managed
to be effective despite heavy staff
and resource constraints?”
In 2023 there will be several additional discussions of the survey and the data. It also
should be noted that a deidentified data set and Jupyter notebook are provided by the lead
author (Crowley) for follow-up analysis. This is intended to help readers and respondents
answer their own questions. If you have specific questions that you would like answered,
the authors are interested in understanding how to improve the report for the future, and
what additional information would be valuable to the community.
Sponsors