Latest SOC Survey Anticipates Shift Toward MDR and XDR

The challenges faced by Security Operations Centers (SOCs) around the world—workforce shortages, lack of visibility and automation, tool sprawl, and alert overload—continue to have a negative impact on SOC effectiveness and will likely result in increasing adoption of Managed Detection and Response (MDR) services and Extended Detection and Response (XDR) solutions.

“Looking ahead 12 months, while survey results show the single, centralized SOC as the leading deployment model, the real growth is occurring in cloud-based SOC services,” according to the SANS 2022 SOC Survey, released last month. “This opens the door to what we envision as the true definition of SOC, one based on capabilities rather than a formal structure.”

Cybereason SANS SOC Survey

The global survey of 500 SOC managers and analysts from enterprises of all sizes concluded that MDR and XDR would be critical to the future capabilities-based SOC. One of the key questions the survey asked respondents was how they performed data correlation of event data for identification of issues.

While 47 percent of respondents said they used their Security Information and Event Management (SIEM) platform, SANS analysis indicates this is likely to change sooner rather than later. “Our projection is that this obvious dominance changes soon, as more SOCs shift this effort into SOAR (11%), XDR (11%), and MDR ( 7%) platforms,” the survey stated.

SIEMs often generate false positives and too many alerts. This noise contributes to alert fatigue that can limit security teams’ ability to respond to legitimate security concerns.

Workforce Challenges Remain Major Issue

Over an eight-year period tracked by Cybersecurity Ventures, the number of unfilled cybersecurity jobs grew by 350 percent, from one million positions in 2013 to 3.5 million in 2021.

In the U.S. the cybersecurity workforce has more than 950,000 workers — with around 465,000 of them yet to be filled, according to CyberSeek, a project supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce.

The most popular SOC size identified by the SANS survey is 2–10 people, regardless of the size of the organization. Smaller team sizes, however, are adding to stress levels and analyst burnout, resulting in high turnover rates.

“Despite a constant team size year after year in the survey, staff turnover and retention are leading concerns,” the survey states. “Staff turnover remains high: 70% for individuals with five or fewer years of experience, with the majority remaining in their current position for fewer than three.”

Cybereason and The Capabilities-Based SOC

The most important SOC capabilities identified by survey respondents are detection/monitoring, vulnerability assessments, incident response, and alert triage and escalation, with capabilities balanced between internal staffing and outsourced resources.

This is where Cybereason MDR can make a significant contribution to SOC readiness and effectiveness. 

Cybereason MDRCybereason MDR is a fully managed detection and response security solution that provides proactive threat hunting, detection and remediation 24x7x365.

Powered by the Cybereason Defense Platform in combination with a full service SOC, the Cybereason MDR solution delivers deep visibility and context into every MalOp™ (malicious operation) across all endpoints on a network. A MalOp is not an alert, but a contextualized view of the full narrative of an attack.

Cybereason MDR removes the burden and arduous process of alert triaging and prioritization, and gives time back to security teams to conduct remediation and focus on other priorities.

The Cybereason MDR structure and methodology (outlined in the below graphic) are strategically designed to enable security providers to deploy in minutes, providing almost instantaneous time-to-value with proactive threat hunting, detection, triage, and remediation for their customers:

Cybereason MDR methodology

Acting as a stand alone security solution or as an additional layer of security to an existing SOC, Cybereason MDR immediately matures any organization’s security posture.

XDR is also critical to the capabilities-based SOC, particularly given the challenges around enterprise visibility. The Cybereason XDR solution provides the enterprise visibility necessary to end malicious operations with the full attack story from root cause across every affected endpoint, device, user identity, application, and cloud deployment.

Cybereason XDR extends threat detection and response capabilities across an entire IT environment, not just the endpoint. It does this without relying on expensive data models or being limited by external integrations. 

Additionally, leveraging artificial intelligence (AI) and machine learning (ML) to correlate telemetry from across an organization’s infrastructure is a vital aspect of a mature XDR solution. The application of AI/ML allows Defenders to move from a detect and respond mode to a more proactive “predictive response” posture where the likely next steps in an attack are anticipated and blocked, eliminating the opportunity to progress the attack to the next stage.


Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise to everywhere the battle is taking place. Learn more about the Cybereason MDR here or schedule a demo to see more.

Dan Verton
About the Author

Dan Verton

Dan Verton is Director of Content Marketing at Cybereason. Dan has 30 years of experience as a former intelligence officer and journalist. He is the 2003 first-place recipient of the Jesse H. Neal National Business Journalism Award for Best News Reporting – the nation’s highest award for tech trade journalism and is the author of the groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill, 2003). He most recently served as an intelligence advisor and co-author of a nationwide TSA anti-terrorism awareness training program.

All Posts by Dan Verton