In advance of the RSA Conference 2020, we wanted to get a pulse of attendees’ perceptions on a few topics, specifically challenges facing modern SOCs (security operations centers) and the value they are getting from technologies such as analytics, automation, and their SIEM tools.
To get this, we fielded a series of questions to the Twitter-verse and received nearly 17,000 votes! After going through the results, we found a few interesting things…
Many orgs still face cloud migration challenges
When we asked “What is your current cloud environment?”, 28 percent of respondents said they are not in the cloud, and almost 15 percent said they are still considering it. Well then, where the heck are they? Kidding aside, this highlights an important point -- organizations commonly face a myriad of requirements, cloud migration concerns, or institutional preferences that can block cloud transformation. This underscores why it’s crucial for SOCs to have tools like a SIEM that is capable of handling all of their cloud environments AND their on-premises infrastructure (which may never go away). A great question to ask your SIEM vendor is ‘How well can you scale?’, not just to ingest your cloud data but also to keep pace with your hybrid and on-prem data sources. ‘Yeah, but at what cost?’ should instinctively be your follow-up question.
SIEM administration, not deployment, frustrates folks the most
You’d think the toughest struggle teams experience with a SIEM solution would be deployment, basically getting it up and running and ensuring all the right data is captured and parsed correctly. However, when we asked what specific SIEM complexity people struggle with the most, nearly 40 percent of respondents said “SIEM administration” is what makes them pull their hair out. This makes sense, especially when you have software and hardware to maintain or a “cloud” SIEM deployment that requires you to constantly manage the provisioning and monitoring of adequate resources. Adding to the complexity, when a SIEM vendor ships an update, you’re left applying the release or patch and then waiting to see if anything broke in the process. The good news is that the time and resources needed to administer a SIEM can be reduced or eliminated completely with a cloud-native SIEM platform, freeing up those dedicated folks for high-value work, such as hunting for threats.
SOC analysts are hyped about using analytics and automation
When we asked, “What excites you most about SOC analytics and automation?”, the top three responses were: improved productivity (29%), unlimited scalability (27%), and enhanced visibility (25%). This shows me that security analysts truly see the potential benefits of using innovative technology. I’m glad to see the majority were excited most about the idea of gaining improved productivity. Nobody can add more time to our day, but productivity gains mean an analyst can finally catch their breath and even redirect extra cycles toward more critical security functions instead of manually sorting through thousands of alerts. With Sumo Logic Cloud SIEM Enterprise, you can amplify analyst productivity even further by automating the triage of alerts, so they can focus their attention on the real threats, while enhancing visibility -- all at elastic scale via a cloud-native platform.
Is this an unscientific poll? Absolutely, but hopefully these insights and observations will give you some food for thought.
If you want to learn more about how Sumo Logic is addressing modern SOC challenges, check out our announcement on our new Cloud SIEM Enterprise offering. Or if you are going to the RSA USA conference, come visit us at our booth (Moscone South, #252).
Thanks for reading!