Security awareness

SOCs spend nearly a quarter of their time on email security

Daniel Brecht
June 10, 2021 by
Daniel Brecht

Email security continues to be a significant challenge for the Security Operation Centers (SOCs); research from Avanan, a cloud email security vendor, on the state of email security shows. An excessive amount of time and effort is spent by SOC teams in detecting incidents and directing countermeasures.

This study is important as it is one of the first hard looks at how much time is spent on these issues. Before this survey, the State of Email Security, this aspect was not fully explored. Data was only available through work by research and advisory company Gartner that found how each phishing event can take two hours and 45 minutes to remediate.

Email threats, whether data is compromised or leaked, can affect a business in many ways, depending on its nature, scope and severity. Malware distributed through email attachments as well as phishing attempts can lead to data breaches and severely impact brand strength and reputation. Protecting the medium through which messages are exchanged requires continuous monitoring and rapid response.

Role-appropriate training to your entire workforce

Role-appropriate training to your entire workforce

Get a free year of cybersecurity skills training with your security awareness training purchase.  

Security operation centers

The major functionalities of SOC services include monitoring, detection and event analysis. This undertaking can confirm if a security incident is taking place on key IT systems in an organization. The SOC is responsible for locating the actual malicious activity to ensure it is correctly identified, analyzed, addressed, investigated and reported. An SOC report can give companies great insight into their security by assessing the controls in place and the effectiveness of its policies and procedures.

Having an internal or external SOC available and operational at all times with a team that can include cybersecurity analysts, security engineers and managers — as well as incident responders, threat hunters and compliance auditors — tasked with detecting, analyzing, preventing and responding to incidents is a great resource.

But how much time do they spend in mitigating email threats? Showered with alerts and suspicious log entries, SOC analysts use security solutions like Security Information and Event Management (SIEM) to help them focus on the events that are most likely more dangerous and allow them to aggregate data from a multitude of sources to better address them. However, not all tasks can be automated and SOC professionals are still left with many manual tasks to analyze data and input from tools, respond to users’ concerns and investigate findings.

The quantification of email threats and the burden placed on SOC teams

To quantify the scope of email threats and how companies deal with them, researchers at Avanan, in December 2020, released a detailed survey on the state of email security. They asked 500 IT managers and leaders about the time it takes to deal with malicious emails, such as phishing attempts, and the duties their effort involves from three perspectives: prevention, response and investigation.

  • Prevention: this refers to all that relates to the configuration and management of emails to prevent attacks. For example, the revising of allow/block lists, screening of mails through rules and updating advanced threat protection (ATP) anti-phishing policies.
  • Response: this refers to tasks related to responding to an attack that has already happened, including phishing emails delivered to the mailbox of an end-user or malicious content downloaded through clicking on an embedded link.
  • Investigation: this refers to all activities related to finding out whether an attack was perpetrated if any systems or data were compromised and which should be locked out to protect the entire infrastructure. 

According to Avanan, the average SOC spends about 22.9% of its total activity time in managing email threats as follows: 

  • SOC teams spend 46.9% of that time on investigation
  • SOC teams spend 26.6% of that time on response
  • SOC teams spend 26.5% of that time on prevention

The survey shows how the SOC team works 5.59 hours on prevention tasks; they receive an average of 68.7 end-user reports per week and take approximately 7.7 minutes to inspect each suspicious email to find that 33.8% are malicious and require flagging and quarantining before they impact the networks. An average of 16 requests per week deal with release from quarantine; 30.73% are false positives which turn out not to be real security incidents but still cost the SOC 2.1 minutes per email which amounts to 1,592 minutes, or 26.53 hours, per week and 1,380 hours a year.

SOC activity for email threats

So, what do SOC professionals have to do to address email threats?


The following prevention tools were found as the most used by survey respondents and take an average of 5.59 hours/week:

  • Allow/block lists: 79.6%
  • ATP policies: 64.9%
  • Implement new email flow rules: 56%
  • Update sensitivity and confidence: 44.3%
  • Update signature files: 28.9%


SOC teams receive an average of 3,574 end-user reports in a year, with 1,207 recognized as phishing emails and costing 1,183 hours of work to review and determine appropriate action including:

  • Identify and lock down compromised account(s): 15.6% of the time
  • Discover which link was clicked: 15.3%
  • Review the event log: 15.1%
  • Identify compromised data: 14.2%
  • Remove the malicious email from all other users’ inboxes: 14%
  • Release info on the breach to stakeholders: 12.9%
  • Remediate infected workstations: 12.9%


Investigating each email is also a time-consuming task, and SOC analysts were found to use up to 652 hours, or over 27 full days per year, using severable available tools to perform the following tasks:

  • Analyze messages and headers: 23.4% of the time
  • Investigate links: 23%
  • Analyze attachments: 21.1%
  • Investigate senders: 17.3%
  • Identify other recipients: 15.2%

More findings

Another interesting part of the survey gives a glimpse of how companies are set up. Researchers found that 78% of surveyed companies used Microsoft 365 email servers with 88.44% using cloud-based ones. In 43.09% of cases, the solution of choice to protect the email servers was Microsoft ATP with 23.09% using a secure email gateway and 17.4% API-based email security.

A whopping 76.1% of the surveyed professionals identified collaboration tools like Slack and  Microsoft Teams as a concrete security risk that needs to be the focus of attention to boost prevention. The main concerns were leakage of sensitive data (72.6% of respondents), phishing links (60.7%) or malicious files (53.3%) in messages.  

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Confronting email security 

It is no surprise that SOC professionals feel overwhelmed by dealing with preventing, responding and investigating malicious emails that make it through the automated security layers and occupy 2-3 hours of their time per day. This is an important function of their job but by no means the only one.

Despite the increasing focus of all organizations and companies of any size on email security best practices, SOC members can still spend about 1,183 hours per year reviewing end-user phishing reports, and 1,380 hours to review requests of quarantine release. Much of the team’s time is spent preventing, responding and investigating malicious or suspicious activities, like phishing. It’s no wonder “60% of SOC employees have considered leaving their jobs or changing careers altogether because of burnout,” the Avanan’s survey shows.

The solution to the increasing amount of time spent reviewing threats is not only the implementation of more sensitive email security solutions like data loss prevention (DLP) technologies but also more focused awareness campaigns and training programs that keep email security at the forefront of the organizations’ efforts. User awareness is key to the prevention of threats and breaches and is particularly effective in all those instances where the target of the malicious activity are users themselves.



Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.