2024 SANS SOC Survey Reveals Critical Trends and Technologies in Cyber Defense — SANS Institute

  • The 2024 SOC Survey provides deep insights into the current state and challenges of Security Operations Centers (SOCs) worldwide.

  • It comprehensively examines the architecture, technology, staffing, and performance metrics of SOCs, serving as a benchmark for organizations aiming to enhance their cybersecurity operations.

  • By understanding best practices and common challenges faced by SOCs, businesses can better prepare to defend against cyber threats and optimize their security measures.

In an era where cybersecurity threats are becoming increasingly sophisticated, understanding the dynamics of Security Operations Centers (SOCs) is more critical than ever. The SANS Institute has released its 2024 SOC Survey, a resource that provides insights into the current state and challenges of SOCs worldwide.

Chris Crowley, SANS Senior Instructor and SOC Survey Author

"The 2024 SOC Survey is not just another report; it is a comprehensive study that examines the architecture, technology, staffing, and performance metrics of SOCs," said Chris Crowley, SANS Senior Instructor and SOC Survey Author. "This survey is a benchmark for organizations striving to enhance their cybersecurity operations. By understanding the best practices and common challenges SOCs face, businesses can better prepare to defend against cyber threats and optimize their security measures."

The survey assigns each category of security technology a grade point average (GPA) based on respondents' assessments of how well it serves their SOC, allowing the technologies to be ranked against one another.

Key Findings:

  • Top Technology – Endpoint Detection and Response (EDR) collects telemetry from endpoints (workstations, servers, mobile devices, and other network-connected hosts) and supports detecting, investigating, and responding to suspicious activity on them. EDR stands out with a GPA of 3.1, the highest of any technology surveyed, reflecting its central role in SOC operations.

  • Lowest Technology – Generative AI (GPT-style large language model) tools remain immature for security use. They scored the lowest GPA, 1.8, indicating that SOCs are still struggling to integrate them and to get reliable value from them.

  • Decline in TLS Interception – TLS interception (often still called SSL interception) is the practice of having an intermediary device, such as a proxy server or security appliance, terminate the client's TLS session, decrypt and inspect the traffic, and then re-encrypt it to the server. This gives the SOC visibility into HTTPS and other encrypted traffic for malware detection, data-loss prevention, and policy enforcement, at the cost of making the proxy a point where plaintext is exposed and of requiring clients to trust the proxy's signing CA. A significant 34% of respondents reported not using any TLS interception to inspect HTTPS or other encrypted communications, up from 25% in 2023, raising concerns about visibility into encrypted traffic.
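To make the interception mechanism in the last bullet concrete, the following Go program is an added example; it is not code from the SANS survey or this article. It builds, entirely offline with the standard library, a constructed public CA, a constructed corporate inspection CA, and a certificate for the hostname www.example.test issued by each (the hostname and CA names are assumptions for the example). A client whose trust store holds both CAs validates both chains, which is exactly why interception is invisible to ordinary certificate checking; only a pinning check on the SubjectPublicKeyInfo reveals that the proxy's re-signed certificate is not the origin's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const host = "www.example.test" // constructed hostname for this example, not from the survey

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed CA certificate and its private key.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueLeaf issues a server certificate for host signed by ca. The real origin and the
// intercepting proxy each do this with their own CA and a fresh key, so the SPKI differs.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)), the usual public-key pin format.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Result is what a pinning-aware client concludes about a presented certificate.
type Result struct {
	ChainTrusted bool   // ordinary path validation against the client trust store passed
	Intercepted  bool   // chain trusted, but the SPKI is not the one pinned for the origin
	Issuer       string // CN of the CA that signed the presented certificate
}

// inspect validates leaf against roots and compares its SPKI pin with the expected one.
func inspect(leaf *x509.Certificate, roots *x509.CertPool, pin string) Result {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	trusted := err == nil
	return Result{
		ChainTrusted: trusted,
		Intercepted:  trusted && spkiPin(leaf) != pin,
		Issuer:       leaf.Issuer.CommonName,
	}
}

// Scenario builds both CAs, one leaf from each, and a client trust store that (as on a
// managed endpoint) contains both. It returns the client's view direct and via the proxy.
func Scenario() (direct, proxied Result) {
	publicCA, publicKey := newCA("Constructed Public Root")
	proxyCA, proxyKey := newCA("Constructed Corporate Inspection CA")
	originLeaf := issueLeaf(publicCA, publicKey, 100)
	proxyLeaf := issueLeaf(proxyCA, proxyKey, 200) // the re-signed copy the proxy presents
	roots := x509.NewCertPool()
	roots.AddCert(publicCA)
	roots.AddCert(proxyCA) // pushed to endpoints by device management
	pin := spkiPin(originLeaf) // pin recorded out of band from the real origin
	return inspect(originLeaf, roots, pin), inspect(proxyLeaf, roots, pin)
}

func main() {
	direct, proxied := Scenario()
	fmt.Printf("direct:  %+v\n", direct)
	fmt.Printf("proxied: %+v\n", proxied)
}
```

Both results report ChainTrusted as true; only the proxied one reports Intercepted, with the inspection CA as issuer. The same logic is what breaks certificate-pinning applications behind an interception proxy, which is why SOCs deploying interception typically maintain bypass lists for pinned services.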

"These findings highlight both the advancements and persistent challenges within SOCs," said Crowley. "Understanding which technologies are favored and which ones fall short is crucial for organizations aiming to enhance their cybersecurity posture."

The survey also found that 67% of respondents report metrics to senior management to justify SOC resources. The activities performed within SOCs show a strong consensus on what a SOC's essential capabilities are: nearly every respondent performs every core function, from alert triage to threat hunting, in some capacity.

"What do we consider a SOC? This survey confirms that there is a strong consensus on SOC capabilities. Nearly every respondent performs all the essential activities in some capacity," Crowley added. "The detailed metrics and insights from this survey are invaluable for anyone who interacts with, works in, or oversees a SOC."

For more information or to read the full survey, please visit: https://www.sans.org/.

Staff Reports