State of Security Operations 2018: SecOps teams matter most

Robert Lemos, Technology Journalist, Independent

Companies that have focused on establishing and improving their security operations centers (SOCs) have made headway against the variety of digital threats faced every day, but continue to struggle to adequately respond to and recover from security incidents, a recently released study of SOCs stated.

In its 2018 State of Security Operations report, Micro Focus found that companies with SOCs have become more mature in their approach to security, adopting co-managed operations with third-party providers, integrating automated response, and creating interdisciplinary teams—fusion centers—that marry a variety of expertise and sources of data.

"Security is not a new thing anymore," said Jesse Emerson, global director of cyber defense consulting for Micro Focus. "Board members and executives have conversations about security every day and have a better understanding of what it takes to implement and maintain the kinds of security programs that today's organizations need."

Yet the median maturity level—the metric tracked in the report—across all industries reached only 1.42 on a scale of 0 to 5. While the aggregate measurement increased for the third year in a row, it continues to fall short of the acceptable rating of 3, the level that indicates that companies are managing their security problems effectively.

Whether your company has a security operations center or is looking to develop one, here are four lessons this report holds for your team.


1. Tech is easy; personnel and processes are hard

Companies did best in the business and technology categories, and worst in the process and people categories. All the scores floated between a maturity rating of 1, indicating that they were doing the minimum in security monitoring, and a maturity rating of 2, indicating that business goals were being met and operational tasks documented.

The lesson for most companies is that operationalizing security knowledge and training workers is much harder and slower than buying new technology and handling the business issues surrounding information technology.

"Typically, we see weaknesses in people and processes. Although, this year, technology did not advance at the rates that it has advanced in the past, a lot of the security teams have made investments in buying tools."
Jesse Emerson

Companies should focus on improving their people and processes as part of their overall security plan, Emerson said. A major problem for most companies is the lack of workers with strong cybersecurity skills, so companies should plan ahead.

2. Find a partner when necessary

The struggle to staff the SOC with strong cybersecurity workers means that a large portion of companies are turning to third-party services and outsourcing to fill the gap.

The balance between third-party services, outsourced security functions, and internal capabilities varies between companies, said Gary McGraw, vice president of security technologies for security company Synopsys.

Synopsys' 2017 CISO Report, based on interviews with more than two dozen security professionals, found that almost every company had a SOC, but each divided responsibilities between internal workers and outside vendors differently. "So everyone has a SOC and they staffed it with externals to some degree, and all were unsatisfied to some degree, but they did not get unsatisfied in any predictable way."

McGraw expects innovation to continue to drive the security-operations services industry, as new players continue to spin up new services.

"There is enough gnashing of teeth in the SOC space that there are a lot of startups entering the market. The industry needs new approaches, because many companies are not satisfied with the status quo."
Gary McGraw


3. Automation and orchestration are crucial

Another way to offset the shortage of hard-to-find security workers is to integrate detection more tightly with response—so-called orchestration—and to automate common tasks. This approach—security orchestration, automation, and response, or SOAR—makes security operations more consistent and more effective, Emerson said.

Companies that invest in automating responses to security incidents with specific goals in mind have already started seeing good results, according to the Micro Focus report. "Investing in the process side of things is a good way to go," Emerson said.

Daniel Kennedy, research director of information security for business intelligence firm the 451 Group, agrees that products and services that help companies automate their security processes will be a major way that companies improve their security operations capabilities in the future.

"Productized automation is going to be a big piece of the improvement. If you can define a process after an incident happens multiple times, your managed detection and response as a discipline will only get better."
Daniel Kennedy

4. Make attackers less efficient

As companies strive to improve security operations, they should also aim to make attackers' operations less efficient. Deceptive network and grid technologies can help reduce the traditional asymmetry in digital attacks.

The report notes:

"By deploying systems that spread misinformation about the target system and leveraging a layer of automated deception, organizations can alter the findings of scripted reconnaissance and cause attackers to deploy resources that are ineffective on the target system and reveal information about themselves."

Reality check on success

The report includes data from 200 assessments performed at 144 different SOCs since 2008 by Micro Focus's Security Intelligence and Operations Consulting (SIOC) group. The group found that most security operations tend to be over-invested in detection and monitoring technologies, but struggle to respond to and recover from security incidents.

Less than a third of companies have a defined SOC to centralize the monitoring of their infrastructure for, and response to, security incidents, according to the 451 Group.

It's optimistic to say that attaining a 1.4 rating on a 5-point scale is a success, Kennedy said. Also, the report looks only at the most security-conscious companies. "You are interviewing and assessing SOCs where they exist, but a lot of organizations don't have SOCs."

Regardless, the report's findings are relevant to any organization looking to bolster its security position. With these four takeaways, your team can move forward more confidently.
