Opportunities and Challenges for SOCs in the European Union
Leading Security Operations Centers based in the region share their views about the market
Much has happened since the concept of the SOC emerged, and their development and growth is accelerating rapidly. SOCs evolved from Network Operations Centers (NOCs): the rise of cyber attacks and breaches increased the focus on security and turned a purely reactive function into one that emphasizes proactive monitoring and threat intelligence.
The adoption of SIEM and SOAR solutions in the early 2000s gave SOCs the right tools to integrate multiple data sources and correlate events, detect anomalies, and respond effectively to incidents.
Now, Security Operations Centers have become the backbone of the prevention, detection and response processes of companies all around the world. Some organizations have their own, internal SOC while others rely on third-party providers.
They currently employ multiple tools, developed internally or acquired from renowned vendors, and they are extending their services to include Managed Detection and Response, Red Teaming and Threat Hunting, while actively integrating AI tools.
Due to their important and growing role, I interviewed representatives from three leading European SOCs - S2Grupo, ESET Netherlands and SOC360 - to understand the opportunities and challenges they see ahead for their organizations and the market.
Throughout this article we will dive into the many insights they shared. Let's start with the challenges they see and how they are tackling them.
Addressing Customer Diversity
Security Operations Centers provide services to a variety of companies. That’s a challenge by itself, as they need to adapt to diverse and varied environments where they can’t always use the tools they prefer.
"We work with some high quality EDR, XDR, NDR tools that really help us to do our job. If only we could make all of our clients use the tools we like... We often have to work with tools owned by clients and make the best of those,” describes SOC360.
Moreover, this is not only about the different technology stacks used by the customers that SOCs need to adapt to, but also non-technical aspects that can be completely different across their clients.
"Our biggest challenge - if not a problem - is to provide our clients with services tailored to their specific needs that allow them to detect incidents and respond to them efficiently. Offering this service to clients from different sectors, various sizes, diverse geographical locations, cultures, risk appetites, or regulatory requirements means we must be able to adapt to each reality. This adaptability depends on efficiency, which involves defining scalable services, automating processes, leveraging supporting technologies, and, most importantly, the people who work with our clients,” describes S2Grupo.
Every customer is a completely different challenge for SOCs, a combination of technical and non-technical aspects that need to be taken into account and addressed in order to provide them with the security services they require.
Managing Alert Volume and Complexity
According to the Global Security Operations Center Study by IBM and Morning Consult, SOC teams only manage to review 49 % of all the alerts they receive, leaving over half of potential threats unexamined.
The number of daily security alerts that SOCs must handle is massive, and many of them are false positives or not fully relevant. The challenge is to filter these alerts quickly so that genuine threats are identified and responded to, which requires efficient tools and processes.
According to SOC360, “One of the biggest challenges in a SOC is managing the sheer volume and complexity of security alerts.” This overload makes it difficult to prioritize and manage security incidents effectively.
The key is to identify the alerts that actually matter for detecting and preventing incidents. Appropriate classification and automation are the tools SOCs have to achieve this. "We automate what we already know with appropriate control mechanisms and dedicate our analysts’ expertise to extraordinary findings,” S2Grupo summarizes.
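To make the principle of automating what is already known, under control mechanisms, and handing everything else to analysts concrete, here is an added Python example. It is not code from S2Grupo, SOC360 or ESET Netherlands; the alert records, pattern names and thresholds are constructed assumptions. Known-benign patterns are closed automatically, but two controls keep the automation honest: a per-pattern cap per run, so that a burst of "known" alerts is escalated instead of silently closed, and fixed-interval sampling of auto-closed alerts into an analyst QA queue. Exact duplicates are collapsed first, and anything matching no known pattern goes to a person.

```python
"""Rule-driven alert triage with control mechanisms (added illustration).

Alert shape, pattern names and thresholds are assumptions, not any
vendor's or SOC's real configuration.
"""
from collections import Counter
from dataclasses import dataclass
import fnmatch

# Constructed sample alerts, in a SIEM-like flattened shape.
SAMPLE_ALERTS = [
    {"id": 1, "rule": "edr.suspicious_process", "host": "srv-db-01", "user": "svc_backup", "detail": "backup_agent.exe"},
    {"id": 2, "rule": "edr.suspicious_process", "host": "ws-017", "user": "jdoe", "detail": "powershell.exe"},
    {"id": 3, "rule": "ids.port_scan", "host": "scanner-01", "user": "-", "detail": "10.0.1.0/24"},
    {"id": 4, "rule": "ids.port_scan", "host": "scanner-01", "user": "-", "detail": "10.0.2.0/24"},
    {"id": 5, "rule": "ids.port_scan", "host": "scanner-01", "user": "-", "detail": "10.0.3.0/24"},
    {"id": 6, "rule": "ids.port_scan", "host": "ws-222", "user": "-", "detail": "10.0.1.0/24"},
    {"id": 7, "rule": "auth.failed_login_burst", "host": "vpn-gw", "user": "jdoe", "detail": "37 failures / 5 min"},
    {"id": 8, "rule": "edr.suspicious_process", "host": "srv-db-01", "user": "svc_backup", "detail": "backup_agent.exe"},
]


@dataclass(frozen=True)
class KnownPattern:
    """A pattern the SOC already understands and is willing to auto-close."""
    name: str
    match: dict        # field -> glob; every listed field must match
    max_per_run: int   # control: more hits than this in one run is itself unusual

    def matches(self, alert):
        return all(fnmatch.fnmatchcase(str(alert.get(f, "")), g)
                   for f, g in self.match.items())


# Hypothetical known-benign patterns for the constructed environment.
KNOWN_PATTERNS = [
    KnownPattern("approved-vuln-scanner",
                 {"rule": "ids.port_scan", "host": "scanner-*"}, max_per_run=2),
    KnownPattern("backup-agent-on-db",
                 {"rule": "edr.suspicious_process", "user": "svc_backup",
                  "detail": "backup_agent.exe"}, max_per_run=10),
]


@dataclass(frozen=True)
class Decision:
    alert_id: int
    action: str   # auto_close | qa_review | escalate | duplicate
    reason: str


def triage(alerts, patterns, sample_every=10):
    """Decide each alert's disposition; unknown alerts always reach an analyst."""
    seen = {}               # exact-duplicate key -> first alert id (simple in-run dedupe)
    hits = Counter()        # auto-handled hits per pattern in this run
    auto_closed = 0         # drives the QA sampling control
    decisions = []
    for a in alerts:
        key = (a["rule"], a["host"], a["user"], a["detail"])
        if key in seen:
            decisions.append(Decision(a["id"], "duplicate", f"same as alert {seen[key]}"))
            continue
        seen[key] = a["id"]
        pattern = next((p for p in patterns if p.matches(a)), None)
        if pattern is None:
            decisions.append(Decision(a["id"], "escalate", "no known pattern"))
            continue
        hits[pattern.name] += 1
        if hits[pattern.name] > pattern.max_per_run:
            # A flood of "known benign" is not benign by default: hand it over.
            decisions.append(Decision(a["id"], "escalate", f"cap exceeded for {pattern.name}"))
            continue
        auto_closed += 1
        if auto_closed % sample_every == 0:
            # Control mechanism: a fixed share of auto-closures is reviewed by a human.
            decisions.append(Decision(a["id"], "qa_review", f"sampled auto-close ({pattern.name})"))
        else:
            decisions.append(Decision(a["id"], "auto_close", pattern.name))
    return decisions


def summarize(decisions):
    """Count dispositions, e.g. to report how much analyst time automation saved."""
    return Counter(d.action for d in decisions)


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS, KNOWN_PATTERNS, sample_every=2)
    for d in result:
        print(f"alert {d.alert_id}: {d.action:10} {d.reason}")
    print(dict(summarize(result)))
```

With the sample input, two alerts are auto-closed, one auto-closure is diverted to QA, the third scanner alert trips the cap, and the duplicate of alert 1 is collapsed; the four remaining alerts reach an analyst.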
Adapting to Rapid Changes
The number of cyberattacks is constantly on the rise. Check Point Research reports that they increased by 30 % in Q2 2024 and that, on average, an organization needs to deal with 1,636 attacks per week.
Moreover, attacks have grown in complexity and continue to incorporate different strategies, such as targeting the supply chain rather than taking a direct approach.
"The biggest challenge is to keep up with the pace in the Red Queen’s race… in the cybersecurity universe, nothing is constant. We need to do all the running we can, to keep in the same place, AND, if we want to get somewhere else, we must run at least twice as fast as that,” SOC360 shares with us.
The Red Queen's hypothesis, proposed in evolutionary biology in 1973, holds that species must constantly adapt, evolve and proliferate in order to survive while pitted against ever-evolving opposing species.
When 46 % of SOC teams report that the average time to detect and respond to a security incident has increased over the past two years, according to the IBM report mentioned above, the impact of these external changes on security professionals is clear.
S2Grupo considers that the best way to address this constant evolution is “a scalable, autonomous model where process automation and machine learning are fundamental”.
Multi-Stakeholder Engagement
There are other challenges that SOCs face besides security incidents: building relationships at different organizational levels. ESET Netherlands considers this “crucial”, as Security Operations Centers must not only engage operational teams but also senior leaders to position themselves as strategic assets.
"It’s not just about providing tactical or operational value but also delivering strategic value. The challenge lies in establishing a communication structure that facilitates this broader engagement,” explains ESET Netherlands.
In many cases, vulnerabilities persist and incidents take longer to be addressed because of conflicting priorities and processes within an organization. Given the wide array of stakeholders that security teams need to interact with, a consequence of the proliferation of technologies in organizations, even when they detect issues they are not always able to get them solved.
Establishing the SOC function as strategic, and giving it strong authority over what needs to be done to prevent and resolve incidents, is the way to solve some of these challenges and to reduce the organization's exposure to breaches.
Talent and Skills Shortage
Much is said about the lack of knowledgeable cybersecurity professionals in the market. The three interviewees - SOC360, S2Grupo and ESET Netherlands - agree that having skilled cybersecurity professionals within their organizations is a significant challenge.
However, it’s not only about having talent available, but how to manage it. “The bigger challenge is keeping talent engaged in a competitive market”, points out ESET Netherlands.
SOCs not only need to compete with cybercriminals, as discussed above, but also with other SOCs. As S2Grupo puts it, “Retaining the best talent while competing with international cybersecurity giants from Spain puts us in a privileged but risky position”.
"Onboarding is just the beginning; continuous engagement and development are where the magic truly happens. Our focus is on creating an environment where people feel welcome, challenged, and valued. We prioritize people first, business second, and finance third,” says ESET Netherlands.
As with many challenges, this one can be transformed into an opportunity, and that’s exactly what SOC360 has done: “As an MDR/SOC-as-a-Service company, we turned the famed skills and talent shortage to our advantage. (…) We hire them and provide them with skills and experience. We have developed a training program that we call SOC360 Academy.”
S2Grupo has taken a similar approach: "Talent management is one of our pillars. We make a continuous effort to retain our talent - and generate new - through initiatives like ENIGMA, our own cybersecurity academy.”
If you want to solve any skill or talent shortage, the best solutions are always based on two things: retention and education. SOCs know that their people are their biggest asset, and that investing in them is the only way to address this challenge.
Technology Integration and Automation
Technology is critical for SOC efficiency, as we can already see from reviewing the above topics. However, it is also a challenge itself.
In order to perform their job, Security Operations Centers need to deal with multiple solutions and data sources in heterogeneous environments. Not every customer of a SOC provider uses the same technologies, and many medium and large organizations have a diverse technology stack.
Among SOC teams that currently leverage automation, only half are applying it to threat hunting (55 %) and incident enrichment (53 %), according to the IBM research mentioned above.
The task of integrating those technologies, classifying their data, and producing outputs that are useful for security teams to detect and respond to incidents is something that each SOC has to address, and not all of them do it in the same way.
For instance, S2Grupo highlights that they "automate what we already know with appropriate control mechanisms and dedicate our analysts’ expertise to extraordinary findings” and that they are "working to evolve towards an autonomous SOC guided by AI in what is called Customized Remote Managed Security”.
SOC360's approach is slightly different, advising caution when it comes to AI. "An AI assistant can be a helpful tool for the experienced analyst, but if we overuse it, we will not have any more experienced analysts,” they point out.
According to the SANS 2024 SOC Survey, when respondents were asked about their level of satisfaction with the technologies they use, AI/ML ranked lowest.
The automation that can help SOCs also depends on whether those technologies can be integrated. That is not always possible, because of the diverse customer environments highlighted before, which adds to the challenge.
Lastly, many tools that SOC teams could use aren’t available or they may not be cost-effective in the competitive market where these service providers operate. This forces them to be creative and build their own tools.
That’s exactly how SOC360 addressed one of those issues: “What we really need is a case management system that would allow us to tag and note each and every object, link objects, and that would support SOC analysts suggesting the right questions based on tags and objects relationship. Questions, not answers. But there is no vendor offering such a system. Therefore we've developed one in-house.”
Every SOC agrees that technology integration and automation play a significant role, and that they need to be used for more than solving security incidents. "Technology can play a significant role in addressing this challenge. Tools like SIEM and comprehensive reporting systems need to be designed with the understanding that SOC services must be communicated and valued at different organizational levels. It's not enough for these tools to only support technical staff; they should also provide insights that are meaningful to executives and board members”, summarizes ESET Netherlands.
Having gone through some of the most significant challenges, and some of the ways to address them, it is time to discuss the opportunities the interviewees see ahead for SOCs.
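As an added illustration of the kind of case management SOC360 describes, the Python below keeps a small graph of case objects with tags, notes and links, and derives analyst questions from tag-and-relationship patterns rather than producing answers. This is not SOC360's in-house system; the object names, tags, relations and question rules are constructed assumptions written for this article.

```python
"""Tag- and link-driven question suggestion for a SOC case (added illustration).

Objects, tags, relations and rules below are constructed; they are not
SOC360's system or data model.
"""
from dataclasses import dataclass, field


@dataclass
class CaseObject:
    obj_id: str
    kind: str                                  # ip, account, host, file, ...
    tags: set = field(default_factory=set)     # analyst-assigned labels
    notes: list = field(default_factory=list)  # free-text annotations


class CaseGraph:
    """Objects plus directed, labelled links between them."""

    def __init__(self):
        self.objects = {}
        self.links = []   # (src_id, relation, dst_id)

    def add(self, obj_id, kind, tags=()):
        self.objects[obj_id] = CaseObject(obj_id, kind, set(tags))
        return self.objects[obj_id]

    def tag(self, obj_id, *tags):
        self.objects[obj_id].tags.update(tags)

    def note(self, obj_id, text):
        self.objects[obj_id].notes.append(text)

    def link(self, src, relation, dst):
        for o in (src, dst):
            if o not in self.objects:
                raise KeyError(f"unknown object {o}")
        self.links.append((src, relation, dst))


# Question rules: (tag on source, relation, tag on destination, question template).
# Each rule encodes something an experienced analyst would ask, not a verdict.
QUESTION_RULES = [
    ("external-ip", "authenticated_as", "privileged-account",
     "Is there a legitimate reason for {dst} to authenticate from {src}, outside the corporate network?"),
    ("suspicious", "found_on", "crown-jewel",
     "Which other assets did {src} reach from {dst}, and has {dst} been contained?"),
    ("privileged-account", "logged_on", "crown-jewel",
     "Does {src} normally log on to {dst} at this time, or is this a first-seen combination?"),
]


def suggest_questions(graph):
    """Return the questions whose tag/relation pattern appears in the case."""
    questions = []
    for src, relation, dst in graph.links:
        s, d = graph.objects[src], graph.objects[dst]
        for src_tag, rel, dst_tag, template in QUESTION_RULES:
            if rel == relation and src_tag in s.tags and dst_tag in d.tags:
                questions.append(template.format(src=src, dst=dst))
    # Anything nobody has tagged or annotated is itself an open question.
    for obj in graph.objects.values():
        if not obj.tags and not obj.notes:
            questions.append(f"What is {obj.obj_id} ({obj.kind})? It has no tag or note yet.")
    return questions


def build_sample_case():
    """Constructed case: an external login chain ending on a database server."""
    g = CaseGraph()
    g.add("203.0.113.5", "ip", tags={"external-ip"})        # documentation range, constructed
    g.add("admin_jdoe", "account", tags={"privileged-account"})
    g.add("srv-db-01", "host", tags={"crown-jewel"})
    g.add("loader.bin", "file", tags={"suspicious"})
    g.add("10.0.5.77", "ip")                                 # seen, but not yet characterised
    g.link("203.0.113.5", "authenticated_as", "admin_jdoe")
    g.link("admin_jdoe", "logged_on", "srv-db-01")
    g.link("loader.bin", "found_on", "srv-db-01")
    g.link("srv-db-01", "connected_to", "10.0.5.77")
    return g


if __name__ == "__main__":
    for q in suggest_questions(build_sample_case()):
        print("-", q)
```

Adding a tag or a link changes which questions are raised, which is the point: the system prompts the analyst's reasoning from the shape of the case rather than replacing it.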
Transforming SOCs into Strategic Partners
Despite 90 % of CEOs saying they consider cybersecurity a differentiating factor for their products or services to help them build trust among customers, only 15 % have dedicated board meetings to discuss cybersecurity issues, according to Accenture’s The Cyber-Resilient CEO report.
Moreover, 44 % of the CEOs believe that cybersecurity requires episodic intervention rather than ongoing attention. “A SOC’s true value is realized when it transitions from merely detecting threats to actively enhancing the organisation’s strategic security posture”, believes ESET Netherlands.
The CEOs that lead on cybersecurity resilience, according to Accenture, adopt enterprise-wide strategies to reinvent their functions and business units, and embed security in their strategies from the outset.
These “cyber-resilient” CEOs are achieving higher business value than their peers, according to the same report:
Two to three times lower breach costs than peers
Sixteen percent higher incremental revenue growth
Twenty-one percent more cost reduction improvements
Nineteen percent healthier balance sheet improvements
Accenture’s research shows that there is an opportunity to increase the strategic value of cybersecurity - and of SOCs - and that this can have a tangible impact on company results. However, in order to take advantage of that opportunity, ESET Netherlands points out that "to be effective as a risk-based partner, it is crucial to build strong relationships not only with operational contacts but also with board members and senior leadership”.
Leveraging Advanced Technologies
“The entry of generative AI has changed the rules of the game”, says S2Grupo, and indeed, Artificial Intelligence, Machine Learning and Automation present opportunities to boost efficiency and accuracy.
These technologies are seen as “force multipliers” and “transformative” by the interviewees, due to how they can enhance threat detection and response, as well as provide relief to SOC analysts when dealing with thousands of daily alerts.
AI-enhanced automation can be used to handle routine tasks, points out S2Grupo, and they “are working to evolve towards an autonomous SOC guided by AI”.
ESET Netherlands also sees value in how GenAI and LLMs can be leveraged for reporting, and in how those technologies can help translate technical data into strategic insights.
However, there are caveats, with SOC360 advising caution, based on experiments they have carried out:
"We compared skills development of SOC analysts who were allowed to use LLM chats during their work to those who didn't use it. Guess what: when you just ask a question and get an answer, you can easily skip the cognitive process. AI can be, and often is, wrong. Therefore you need to understand the matter to assess what you get from it.
So we've found that an AI assistant can be a helpful tool for the experienced analyst. However, if we overuse it, we will not have any more experienced analysts. That is, we can quickly find ourselves in a situation where we will not have people who will be able to assess the quality of the results provided by AI assistants. So we keep trying, but we need to be very careful.”
There is a clear path forward in which these technologies will improve the performance of Security Operations Centers, and striking the right balance between them and the experience of analysts will create great opportunities to improve the overall cybersecurity posture of organizations.
Increased Demand driven by Regulatory Compliance
The European Union has been working on new regulations since the implementation of GDPR six years ago. NIS2 is to enter into effect this month, and DORA becomes mandatory from January next year.
These norms aim to increase the cyber resilience of organizations across the region. To achieve that, companies and institutions need to invest time, money and people in fulfilling the requirements, many of which relate directly to the services that SOCs provide.
SOC360 is observing increased interest because of this, and their analysis shows that in Poland alone approximately 30,000 businesses will need SOC services in order to comply with the new EU demands.
S2Grupo is also seeing exponential market growth driven by regulation, and they believe this offers an incredible opportunity for SOCs to become a trusted choice for companies and organizations across the European Union.
Compliance requires expertise, and SOCs are uniquely equipped to provide it. NIS2, DORA and other regulations create the space for them to grow even more.
Enhancing Cyber Awareness and Training
The latest Data Breach Investigations Report (DBIR) by Verizon states that 74 % of incidents include a human element, such as clicking on a phishing link. Other sources put that number anywhere between 65 % and 95 %.
When asked specifically about this topic, the answers vary, but every one of the interviewees highlights the importance of training the employees of the organizations they protect.
“Our cybersecurity services always take the human factor into account, and as such, we care for and promote the awareness of client employees and stakeholders in general”, emphasizes S2Grupo. They have a dedicated area for this topic, named Behavioural Security, formed by dozens of specialised professionals who deliver yearly training to their customers to reduce the likelihood of breaches caused by human error.
Moreover, S2Grupo assesses the state of the cybersecurity practices of their new clients and, based on that, designs specific awareness and training activities to strengthen their defences. “We are proud that there are no incidents related to human error across our oldest clients as a result of these activities”.
ESET Netherlands believes in a "balanced approach to security awareness training”, and they have introduced a Digital First Responder training for individuals “to respond adeptly in crisis situations” and “be capable of contributing meaningfully to the organization’s security posture”.
Besides delivering training for their clients and their security teams, SOC360 offers clients' security staff the option to work alongside the SOC360 team for a period, to get to know and understand how their SOC works. Although they don’t provide security awareness training platforms, they do provide managed phishing campaign services.
“It's essential to transform employees into proactive sensors rather than reactive firewalls”, concludes ESET Netherlands, emphasizing the opportunity to transform the human element from a cause of breaches into another layer of security.
The Road Ahead
SOC360, S2Grupo and ESET Netherlands all agree that there are multiple opportunities for Security Operations Centers to grow and contribute to a more secure world.
There are technology aspects that will help them evolve, with automation at the core of many of their tasks, without diminishing the role of experienced SOC analysts.
The key is how to maximize the time their teams spend on meaningful tasks, be ready for how attacks change over time, and deal with the complexities of the environments they need to secure.
A close relationship with their customers, creating truly strategic partnerships with them, is of high importance as well.
Effective talent management, growing technology knowledge, integrated platforms, and cooperation across the board are the pillars that the SOCs can be built upon to ensure success for their activities.
"Our adversaries are people, not technologies. These people are driven by the rapidly growing cybercrime economy”, concludes SOC360. "In this changing world, we see a sea of opportunities for SOC organizations and professionals. We just have to run at least twice as fast to get there.”