Last Day to Save $200 on Cutting-Edge Cyber Security Training at SANS Chicago 2019!


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SOCs Grow Up: Results of a SANS Survey

SOCs Flexible but Lack Visibility; Becoming Multifunctional and Maturing; Need to Improve Integration with NOCs

  • Bethesda, MD
  • May 8, 2017

Security operations centers (SOCs) are growing up, according to a new SANS survey to be released in a two-part webcast on May 17 and May 18. In it, respondents indicate the SOC's primary strengths are flexibility of response and response time, while their biggest weakness is lack of visibility into events.

"Survey results indicate that organizations still can't detect previously unknown threats, which is a consistent problem across many other SANS surveys," says SANS Analyst and Instructor Christopher Crowley. "Although the survey indicates that SOCs need more automation, particularly for prevention and detection, it also shows that they are maturing and utilizing a mixture of cloud and internal-based SOC services."

Today's SOCs have a broad range of capabilities, with 91% providing prevention capabilities through network IDS/IPS, 86% providing detection capabilities through network IDS/IPS, and 77% providing response capabilities through EDR (endpoint detection and response), to name just the highest-rated capabilities.

Responses indicate that SOCs gather, analyze and react to tremendous amounts of information on a daily basis. The key is making it useful to all SOC-related functions and improving integration with network operations centers (NOCs). Right now, only 32% of respondents report having close integration between their SOC and NOC, with 12% having strong technical integration.

"This lack of integration may, in part, be the variety of architectures respondents' utilize," continues Crowley. "There is no doubt that there are clear opportunities to improve security operations, starting with better relationships and coordination with IT operations."

Full results will be shared during a two-part webcast. Part 1 will be held on May 17, 2017 at 1 PM EDT, and the Part 2 webcast will air on May 18, 2017 at 1 PM EDT. Both webcasts are sponsored by Carbon Black, Endgame, LogRhythm, NETSCOUT, ThreatConnect, and Tripwire and hosted by SANS. Register to attend the May 17 webcast at and the May 18 webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and security operations center expert, Christopher Crowley.

Tweet This:

SANS SOC Survey | SOCs Growing Up | May 17 |

SANS SOC Survey | Future Plans for SOCs | May 18 |

Learn what SOCs are doing now and where they're headed | Part 1, | Part 2,

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (