The State of SecOps 2020/21: 5 key takeaways

Jaikumar Vijayan, Freelance writer

The large-scale switch to remote work triggered by the COVID-19 pandemic has added to the multiple challenges that security operations teams are facing to protect the enterprise against modern cyber threats, finds a new survey conducted by the CyberEdge Group.

The survey of 410 IT security leaders and practitioners from organizations in five countries, conducted on behalf of Micro Focus, showed that many security operations centers (SOCs) are struggling to manage a sudden increase in the volume of cyber threats and security incidents because of the pandemic. The surge in threat activity has exacerbated existing challenges that SOCs face around incident detection, response, security tools management, and skills shortages.

The 2020/21 State of Security Operations Report finds that pandemic-related setbacks and other challenges have done little to dampen security spending. Organizations are continuing to invest in security operations, including on tools for automating critical processes. A vast majority of SOCs have adopted the MITRE ATT&CK framework, and most use the cloud for their security operations services and software.

"To us, the main takeaway is the need for greater operational efficiency, especially since it seems the shortage of skilled security operations personnel won't be getting better any time soon."
—State of SecOps Report

Here are five key takeaways from the State of SecOps Report for enterprise SOCs.

1. The MITRE ATT&CK framework has become almost ubiquitous

More SOCs rely on MITRE's popular knowledge base of attacker tactics and techniques for their operations than on any other framework. The Micro Focus survey showed that nearly nine in 10 organizations currently use MITRE ATT&CK to detect advanced threats, to identify gaps in security controls, and to improve remediation of compromised hosts. Of those uses, respondents most often rated threat detection and response as the area where ATT&CK is most useful.

"ATT&CK is very threat-centric," said John Pescatore, director of emerging security trends at the SANS Institute. SOCs typically use it to map defenses and skills against real-world threats and to identify strategies to deal with those threats, he said.

The framework is very different from the NIST Cybersecurity Framework (CSF), which is also widely used, but for a different reason, Pescatore said. "The CSF is a broad, process-centric, overall risk management framework" that is focused on compliance, he said.

"SANS surveys show rapid adoption of ATT&CK for tactical use in dealing with emerging threats and CSF mainly used because it is required for compliance purposes."
—John Pescatore

2. Skills availability remains a big concern

A continuing skills shortage is hampering the ability of more than nine in 10 security operations groups to effectively carry out their mission. The shortage is especially acute for certain security functions, the Micro Focus survey showed. More than 46% of respondents have a shortage of IT security architects and engineers, another 46% don't have enough IT security analysts and incident responders, and 44% are struggling to find enough security administrators.

More than 93% of respondents in the Micro Focus survey said their operations teams could benefit from having additional staff. The security function that would benefit the most is attack detection and analysis, followed by incident response.

Daniel Kennedy, an analyst at 451 Research, said overly high expectations and inadequate compensation are adding to the staffing problem. When recruiting security staff, many organizations have a tendency to look for more experience and qualifications from an individual than a particular role might actually require. And often the compensation being offered fails to match the required skills. This is especially true for entry-level SOC roles, Kennedy said.

"Organizations need to right-size job requirements and be aware of market salaries. Stop making laundry lists of requirements or asking for five years of experience for two-year-old technology."
—Daniel Kennedy

3. SOCs use a lot of security tools

Security operations teams use a wide variety of tools to carry out their mission. Security configuration management (SCM) and security information and event management (SIEM) platforms are the two most widely used technologies. But more than half of all SOCs also use network traffic analysis tools, threat intelligence platforms, patch management and log management tools, threat-hunting products, and user and entity behavior analytics (UEBA) suites.

Unsurprisingly, many of the tools that SOCs are currently using feature AI and machine-learning capabilities.

Many security operations teams are planning on adding to their already crowded technology portfolios. Some 34%, for instance, plan to onboard a security orchestration, automation, and response (SOAR) platform, and 31% will implement a threat-hunting capability in the next 12 months.

"Most SOCs use several tools because there is no one vendor that is good at everything and there are many open-source tools that are really good and free or cheap. What is really needed is better integration between tools, versus fewer tools."
—John Pescatore

4. Threat identification is the biggest challenge

When asked to describe which one of the five functions in NIST's CSF—identify, protect, detect, respond, and recover—posed the biggest challenge, a majority of organizations pointed to the protect function. NIST defines this as covering the safeguards needed to ensure delivery of critical services. The protect function "supports the ability to limit or contain the impact of a potential cybersecurity event," according to NIST.

Nearly three in 10 respondents said NIST's identify function was challenging to implement, and 19% had problems with detecting threats.

451 Research's Kennedy said that staffing levels have a big effect on the kinds of issues that security operations teams are going to find most difficult. For example, incident response and recovery are both resource-intensive functions and are therefore likely to be bigger challenges for organizations that are short-staffed.

Similarly, an SOC's ability to detect and chase down a threat depends to a large extent on the tools it has implemented for that particular function.

Referring to the NIST framework, Pescatore said that gaps in "identify" make it harder to protect, gaps in "protect" make it harder to detect, and gaps in "respond" make it harder to recover.

"First fix gaps in 'identify,' which are at the root of failures in all the following phases."
—Daniel Kennedy

5. Security operations software and services are migrating to the cloud

Just as they have done with other applications and services, many organizations have moved big components of their security operations to the cloud. The Micro Focus survey showed that, on average, organizations across the five countries in the survey have deployed almost 65% of security operations software and services in the cloud.

Security groups in the technology, healthcare, and government sectors are leading the charge to the cloud. Security operations teams at technology companies have moved 70% of their SOC components to the cloud, while those in healthcare and government have deployed 69% and 67% in the cloud, respectively, the report said:

"One benefit we see for migrating from data centers to the cloud is that it makes it easier for security operations teams to access security operations functions from anywhere."
—2020/21 State of Security Operations Report

The challenges continue

Multiple challenges are affecting the ability of security operations groups to execute their mission effectively at many organizations. However, most are making investments in tools and capabilities designed to address these challenges even as they migrate most SOC software and services to the cloud.
