State of Security Operations 2017 report: SOCs mature, thanks to business focus
Security operations centers (SOCs) have had a mixed year, according to the newly released State of Security Operations 2017 report from Hewlett Packard Enterprise. Organizations embarking on the process of establishing a SOC are finding that their groups are falling short of even the most basic SOC functions, such as monitoring security controls and processes. As a result, the number of groups that failed to score at least level 1 on the security operations maturity model over the past five years rose to 26.1 percent, up from 25 percent in last year's survey.
However, businesses are moving in the right direction. Following a security assessment, 18 percent of organizations have defined business goals toward which they are working, up 3 percentage points from the previous year's survey.
"Even though we have seen a dip in the aggregate score, we did see an increase in the number of organizations headed in the right direction," said Roberto Sandoval, manager of worldwide strategic solutions for HPE. "We saw more maturity by having a clear mission, having a strong set of metrics that would let companies validate that their controls were being effective, and having budgets that include training individuals and moving beyond the technology implication."
Here are top takeaways from the HPE report.
Data breaches drive centralized security approaches
With data breaches a continuing concern, more companies and organizations are establishing central hubs of information security activity. Since 2008, HPE has assessed the state of more than 137 SOCs during 183 engagements. In the past year alone, the company conducted 29 assessments, including 23 of new clients.
The data shows that, while first-time participants in an assessment increasingly fall short of a good maturity score, those that continue to focus on improving their SOC are increasingly performing better. In most cases, organizations are eschewing the WarGames-era command-and-control vision for a more virtual SOC that brings together security functions into a small number of dashboards, said Joseph Blankenship, a senior analyst with Forrester.
"I don't think the SOC has to be a physical place—you can have a dispersed team, but it has to be a dedicated team, especially for a company of any size that has higher risk profiles than average," Blankenship said.
The report found that companies faced many challenges.
Finding skilled and qualified security staff, for example, is a major issue. Security-team leaders tended to turn over every 18 months on average, leaving the team dealing with frequent transitions, which could be exacerbated by tools that required deep knowledge, such as those built from open-source software.
"Everyone has the pain of not being able to hire enough people. They have alerts that they cannot respond to."
—Joseph Blankenship, Forrester
To solve the issues, businesses continued to try different options for SOCs, including managed-service providers, partners, and other solutions that often create as many problems as they solve.
Sandoval said everyone was short on qualified intrusion analysts:
"There are more things that need to be protected than people who have the skill set at this time."
—Roberto Sandoval, HPE
Keep focused on business objectives
Companies that stayed focused on business objectives and a security plan, however, tended to increase their maturity level over time. The study found that companies with security teams that have a multiyear plan and focused on enabling the business tended to be more mature and have greater success and lower turnover.
Companies should take steps to first build situational awareness, then focus on increasing their ability to search through and analyze historical data, and finally, improve their ability to handle security incidents.
"You can start with the one to two cubes, the 'little broom closet in the corner' approach," HPE's Sandoval said. "But it is more about understanding what it is that you are protecting, what your resources are to do that, and having a very narrow focus on doing whatever you are doing well and managing those key assets to the organization."
The increase in ransomware has highlighted the issues of security teams who have not aligned themselves with businesses, HPE said. Ransomware has forced security operations to have a closer relationship with the business's disaster recovery teams.
Hunt down threats, but don't replace SIEM
In the past, companies with more mature SOCs would implement hunt teams—groups of analysts that would proactively search for problems on the network and resolve them before they became an issue. Yet HPE found that a number of organizations had moved to a hunt-only model, often as a result of frustration over getting security information and event management (SIEM) systems to work.
HPE also found that those companies' maturity declined, because they less consistently found threats. "The maturity of these organizations actually regressed and risks increased as response to known-bad threats slowed and decreased in consistency," the report stated.
"Organizations are saying, 'Let's cut some of those steps out and let long-term searches tell us about our data,'" HPE's Sandoval said. "Yet, by moving to a human being searching and responding, you are adding more time to your response because you are losing some of the necessary context."
Automation delivers economies of scale
Organizations are increasingly looking to automation to solve a variety of problems, from filtering out low-priority security events to automating response to incidents to speed reaction time. Done right, automation can help alleviate many of the issues caused by the lack of staffing that most companies face.
"If companies can find a way to automate the pieces so they can do more with less, I think a lot of organizations go that way. There are some real economies of scale that can be gained to bring in security automation and orchestration."
—Joseph Blankenship, Forrester
However, automation can also lead to problems, especially if the automation is not implemented with knowledge of an organization's business processes, HPE's survey found. In many cases, companies found that automation broke some critical functions, and that that experience, or just the fear that automation would break functionality, kept firms from utilizing automation to any significant extent.
In addition, some automated processes can create more noise if not tuned correctly. Automated ticket generation, for example, can create more work for analysts and cause them to focus on fixing small problems rather than seeing the larger attack picture, Blankenship said. "And in most cases, not having it go all the way to taking a control action, like quarantining a device or stopping a process automatically."
"Even when people are using the tools, they have an analyst somewhere in the workflow to look at it and make sure that is what they want to do, before they move forward. It is really early days. I think it is the right approach, but it is really early days."
Outsourcing security operations: Work in progress
Companies that outsource their security operations are often unsatisfied with the end result while not achieving a high level of maturity, according to the report. Even providers that meet service-level agreements often are not providing the context needed to evaluate threats.
In addition, while many companies believe they are transferring risk to the service provider, rarely are companies freed from their obligations, the report stated.
"Service providers ensure that individual organizations remain responsible for managing their own overarching business risk by defining services with strict parameters and taking on limited liability based on service scope," the report stated.
Hybrid solutions provide a better security path
Companies that adopt hybrid solutions—using a service provider's platform but staffing with their own security team—are often the most successful at reaching security maturity, the study found.
Companies that take a hybrid approach should retain the ability to analyze certain controls, however. Their internal teams need to be able to evaluate the risk of any business services or technology. In addition, a single internal employee needs to be skilled enough to coordinate incident response activities with any third party used by the company. Finally, even if a third party is augmenting the internal security team's skills, the organization needs to focus on developing the homegrown talent to keep security knowledge in-house, the report stated.
"Organizations need to remember that size does not equal maturity—it is the intelligent application of your tools and services that makes you more mature. You can have a million-dollar toolset, but it doesn't matter if the mechanic does not know what they are doing."
—Roberto Sandoval, HPE