This year’s (2019) much-anticipated SANS Security Operations Center (SOC) Survey was just released and is an important read for security stakeholders of all levels and job descriptions. It’s also worth tuning into the webinar presenting the findings, or listening to the recording if you missed it live.

The traditional SANS SOC survey provides objective data to security leaders involved in running or establishing their own SOC and has truly become the ‘canary in the mine’ for the SOC industry specifically and the security industry as a whole.

We’ll summarize some of the survey’s key findings below. Yet, what stands out most from a top-line review of this year’s results is what’s still lacking in the industry, as much as what’s happening.

The majority of survey respondents still feel they are short on the staff and tools that can help them achieve SOC excellence. 58% (down slightly from 60% last year) cited lack of skilled employees and 50% (the same as last year) decried “absence of effective orchestration and automation”.

SANS 2019 Survey Findings

Which Assets are Monitored?

Coverage of diverse and distributed organizational networks is a recurring theme in security, and 2019 was no exception. The vast majority (~95%) of survey respondents admitted that their organizations do not have a full inventory of network endpoints. And 90% of respondent organization SOCs do not support non-traditional endpoints like IoT sensors. This is not unusual since staffing and budget limitation often limits SOCs to IT systems only – leaving operational technology (OT) and other systems uncovered.

There is a ray of light in this year’s survey – a small but growing number of responders who are already monitoring OT and IoT devices and responding to their alerts and incidents. Yet there is much work to be done.

SANS Smart Systems
SANS 2019: Smart systems remain outside security operations center monitoring

The takeaway? Organizations need to either enhance organic monitoring capacity or adopt third-party solutions that can do so. There’s no reason not to work backward, SANS concludes, and expand monitoring to systems already deployed.


Despite the adage that “the perimeter is dead”, perimeter-based tools remain the most effective response tool that SOCs have. This year again, VPNs were the most popular protection tools (87% satisfaction rating) in the organizational Cyber Security Framework (CSF) toolbox. The least popular (53% satisfaction) in the detection category were AI/ML (machine learning)-powered solutions.

It’s clear that VPN remains popular as a response tool because it is specific – it only blocks the attacked point, while allowing others to continue working unobstructed. Other tools – AI-based solutions among them – are less specific. This lack of specificity can lead to “collateral damage” during protection, wherein “non-combatant” assets may be inadvertently impacted. This may be the partial reason for the lack of confidence in AI-based solutions in this year’s survey.

Moreover, the fact that AI was only mentioned in the detection category, as opposed to the protection category, may imply that AI-powered technology is not yet perceived as well-rounded and mainstream.

The takeaway? When considering AI-based technology, keep in mind that these solutions can effectively augment skilled staff, but cannot solve staffing shortfalls alone. Most AI complaints have to do with false positives, so look for a vendor with high detection rates and low levels of false positives to get more – and more relevant – detection alerts for your SOC.

MSSP/Client Communication

One of the more interesting takeaways presented by SANS regards the growing use of outsourced SOCs run by MSSPs. The survey found the metrics for tracking SOC success need to consider contributing factors, including tasks assigned to teams inside and outside of the organization, communication surrounding incidents and centralized documentation.

The reason? One of the big pitfalls of the MSSP relationship appears to be inconsistent communication – both internally and between the customer and MSSP. With emails, messaging, CMS or support tickets, and even phone calls – the visibility of SOC interactions can sometimes be diffuse.

To avoid this, MSSPs should make sure that their information-sharing process is smooth, clear, automated and auditable, and the customer gets a full and consistent accounting of communication, even if it’s with different MSSP analysts and different customer staff members.

Knowledge Management

SOC knowledge management continues to be a challenge for security stakeholders. 2019 SANS interviews found that tools for documenting process-related knowledge – which is crucial to support operational repeatability and quickly bring new analysts up to speed – were inconsistent.

Especially among organizations with smaller SOCs (less than five analysts), informal tools like OneNote documents or SharePoint were common. Even among the larger SOCs, none used formal playbooks – meaning knowledge garnered from incidents is not being captured and repurposed optimally.

SANS Survey 2019: The Bottom Line

SOC 2019: People and Tools

Since the critical findings of this year’s SANS Security Operations Center (SOC) Survey have to do with staffing, probably the most important takeaway has to do with staff hiring and retention. Organizations that can hire quickly and retain staff through incentives and other means will ultimately enjoy tighter network security. For more information and insights, you can find a recording of the live SANS SOC survey findings presentation here.

See a Cyber Range Training Session in Action