
SURVEY: Reporting key for outsourced SOC/MDR

Johannesburg, 28 Jun 2021

Martin Potgieter, Nclose technical director.

A recent survey, conducted by ITWeb in partnership with Nclose, examined how South African businesses and security decision makers approach incident response.

It sought to uncover the pain points around outsourced Security Operations Centres (SOCs) or Managed Detection and Response (MDR) functions, and asked how respondents felt about using AI in a SOC/MDR solution.

Here are the key findings:

1. 73% of the respondents have a documented incident response procedure.

2. 84% believe they have the technical capability to investigate critical security incidents when they occur.

3. Just over half (51%) of respondents said their SOC was run within the organisation and they were happy with its progress and maturity.

4. Over a third (37%) said their SOC/MDR was outsourced and they were happy with the service.

5. 7% said their SOC/MDR was outsourced and they weren’t happy with the service.

6. 39% of respondents would rather outsource their SOC than build their own.

7. The majority (61%) said they would consider building their own SOC because outsourcing would be too costly (26%), they couldn’t rely on a third party (21%) or they didn’t outsource anything (14%).

8. Top three security technology investments: SOAR, MDR and SOC.

9. 58% said that threat hunting was absolutely necessary in a SOC/MDR solution, while 42% would like to see this function automated.

10. 48% felt that AI was absolutely necessary in a SOC/MDR solution, 42% said it has its place and 10% felt that AI wasn’t capable yet.

Results analysis

Nearly three-quarters (73%) of the survey’s respondents said they had a documented incident response (IR) procedure. Nclose Technical Director Martin Potgieter says, “While it’s encouraging to see that so many respondents have documented IR procedures in place, it is important to ensure these procedures are tested regularly.”

He adds that he’s surprised to see that 84% of respondents said they had the technical capability to investigate critical security incidents when they occur. “Several global surveys are swayed the opposite way, and that – combined with the known global skills shortage in this space – makes this an unexpected outcome.”

When it comes to capabilities within organisations, 35% said they had an insourced or outsourced SOC, 27% had a Security Information and Event Management (SIEM) platform and 23% had an MDR solution. Potgieter says he is glad to see that many organisations have matured from just running a SIEM to having full SOCs or an outsourced SOC/MDR.

Just over half (51%) of respondents said their SOC was run within the organisation and they were happy with its progress and maturity. Over a third (37%) said their SOC/MDR was outsourced and they were happy with the service. “It’s good to see that 88% of respondents are happy with their SOC/MDR service.”

While 49% of respondents were happy with their SOC/MDR provider, the main pain points around outsourced SOC/MDR were ranked as follows: the reporting doesn’t illustrate the business value (37%), the cost of sources (logs or events per second) is prohibitive (28%) and being sent too many alerts (23%). “While these results aren’t surprising, they do seem to somewhat contradict the previous point’s result, indicating that respondents may be accepting the pain points as ‘the norm’.”

Graphed results

The complete graphed results of the ITWeb/Nclose Incident Response Survey are published separately.

Respondents whose SOC/MDR provided 24/7 monitoring were asked whether they were equipped to handle after-hours incidents. Only 38% responded in the affirmative.

39% of respondents said they would rather outsource their SOC than build their own. The majority (61%) said they would consider building their own SOC for the following reasons: outsourcing would be too costly (26%); they couldn’t rely on a third party to respond to these types of security incidents (21%); they didn’t outsource anything (14%). Potgieter points out that the total cost of ownership (TCO) of building an effective SOC is often underestimated. “Businesses that are considering it should ensure a complete analysis is done prior.”

Respondents who are building their cyber security capability were asked to rank technology investments in terms of priority. Security Orchestration, Automation and Response (SOAR) headed the list, followed by Managed Detection and Response (MDR), Security Operations Centre (SOC), Extended (cross-layered) Detection and Response (XDR), Network Detection and Response (NDR, passive network monitoring) and Endpoint Detection and Response (EDR).

More than half (58%) of respondents said that threat hunting was absolutely necessary in a SOC/MDR solution, while 42% would like to see this function automated. Nearly half of respondents (48%) felt that AI was absolutely necessary in a SOC/MDR solution, 42% said it has its place and 10% felt that AI wasn’t capable yet.

ABOUT THE SURVEY

ITWeb, in partnership with Nclose, conducted an online survey during February/March 2021, on the current status of Security Operations Centres (SOCs) in South Africa.

A total of 190 responses were captured, with 56% of participants being at executive or middle management level. 

Some 38% of respondents came from the IT sector and 18% came from the financial, insurance, banking and accounting sector. Ten percent of respondents came from the public sector.
