You may already be planning your 2018 budget, and a new or expanded security operations center (SOC) could be high on the list. New survey data shows that almost one in three organizations aim to have a leading SOC within three years, up from one in seven that have one today. How should you invest? How should you measure impact?

A new report sponsored by McAfee, “Disrupting the Disruptors, Art or Science?,” surveyed more than 700 security professionals to find out where the money is best spent. It looked at what threat hunters and SOCs were doing, what processes and tools they used, and the benefits they were capturing, all characterized by the maturity of their SOC.

The results were striking. Threat hunting capabilities and processes are now hallmarks of the most effective SOCs, significantly improving key performance indicators (KPIs):

  1. Faster time to close: 71% of the most advanced SOCs closed incident investigations in less than a week, and 37% closed threat investigations in less than 24 hours. Benefit: Reduced dwell time lowers risk by shrinking the attacker’s window to persist, move laterally and complete the attack.
  2. More thorough investigation and eradication: Hunters at the minimal maturity level determine the root cause of only 20% of attacks, compared with 90% for leading hunters. Benefit: Less risk that the analyst treats only symptoms instead of fully scoping, characterizing and cleaning up the avenues the attacker used; when that happens, it is more likely the attacker remains inside or can re-enter.
  3. More time being proactive: Threat hunters in more mature SOCs spend 50% more time on actual threat hunting. Benefit: Malicious activity is detected before the attacker has succeeded, which minimizes and contains the scope of the damage, and potential weaknesses are identified so they can be mitigated before they are exploited.
  4. More value from tools: More advanced SOCs report up to 45% greater gains in workflow improvement, cost and time savings, and useful insights from their workhorse sandbox malware analysis tools. Benefit: Better use of scarce human and technical resources, since machines do more of the work. Analysts can replace automatable tasks with higher-value work that depends on human judgment and is more satisfying.

What are some of the secrets of these successful SOCs? Much like the difference between a Michelin-starred chef and a line cook, they work with the same ingredients (tools, programs, intelligence) but use different techniques and combinations.

  1. Pay for good intelligence: Mature SOCs are twice as likely as immature SOCs to use private threat intelligence feeds and pay for threat data, and also to deploy honeypots and capture local intelligence. Benefit: This more relevant data addresses the two top SOC challenges: too much data, and difficulty validating threats.
  2. Dig into payloads: Mature SOCs use a sandbox in 50% more investigations than entry-level SOCs, going beyond the malicious/benign verdict to investigate and validate threats in files that enter the network. Benefit: Sandboxes can extract more IOCs and more data about the intent and capability of malware, which can inform investigative paths.
  3. Automate: More mature SOCs are twice as likely to automate parts of the attack investigation process. Benefit: Faster, more consistent actions, rapid propagation of new insights across the team, and better use of analyst time.
  4. Roll their own: Mature SOCs spend 70% more time customizing tools and techniques, relying more heavily on scripts and open source tools than less advanced organizations. Benefit: Hunters often prefer specialized tools and their own processes, both to suit their needs and to stay ahead of attackers, who routinely test their tooling against commercial security software.

One key takeaway, surprising yet logical, was how many tools were available to SOCs at every maturity level. Motivated companies start off buying a host of tools beyond security information and event management (SIEM) and sandboxes, including endpoint detection and response (EDR), user behavior analytics (UBA), and deception technologies. Writing a check is easy. The hard work is defining and maintaining processes that are effective and can be automated, yet can be continually improved as the threat and technology landscape evolves. This takes experts, patience and a commitment to continuous improvement. Once again, there is no silver bullet.