Sole focus on hunt-teams can be damaging for security posture
A far-reaching new study has analysed the effectiveness of enterprise security operations centres and how businesses globally are mitigating risk in the evolving cyber security landscape.
Hewlett Packard Enterprise’s State of Security Operations Report 2017 looks at the increased pressure organisations are under in the face of rapid innovation in the cyber threat and how they can align security initiatives with business goals. A Security Operation Centre, or SOC, provides the foundation for how organisations protect their most sensitive assets and respond to threats.
Findings from this year’s report show that the majority of SOCs are falling below target maturity levels, leaving organisations vulnerable in the event of an attack. The assessment methodology was based on HPE’s Security Operations Maturity Model (SOMM), which focuses on multiple aspects of a successful and mature security intelligence and monitoring capability, including people, process, technology, and business functions. The SOMM uses a five-point scale – a score of “0” is given for a complete lack of capability, while a “5” is given for a capability that is consistent, repeatable, documented, measured, tracked, and continually improved upon.
Published this week by HPE’s Security Intelligence and Operations Consulting division, the report examines nearly 140 SOCs in more than 180 assessments around the globe. Each SOC is measured on the HPE Security Operations Maturity Model scale that evaluates the people, processes, technology and business capabilities that comprise a security operations centre.
A SOC that is well-defined, subjectively evaluated and flexible is recommended for the modern enterprise to effectively monitor existing and emerging threats; however, 82 percent of SOCs are failing to meet these criteria and are falling below the optimal maturity level. While this is a 3 percent improvement year-over-year, the majority of organisations are still struggling with a lack of skilled resources, as well as with implementing and documenting the most effective processes.
“This year’s report showcases that while organisations are investing heavily in security capabilities, they often chase new processes and technologies, rather than looking at the bigger picture, leaving them vulnerable to the sophistication and speed of today’s attackers,” said Matthew Shriner, Vice President, Security Professional Services, Hewlett Packard Enterprise. “Successful security operations centres are excelling by taking a balanced approach to cybersecurity that incorporates the right people, processes and technologies, as well as correctly leverages automation, analytics, real-time monitoring, and hybrid staffing models to develop a mature and repeatable cyber defence program.”
Key Findings
- SOC maturity decreases with hunt-only programs. The implementation of hunt teams to search for unknown threats has become a major trend in the security industry. While organisations that added hunt teams to their existing real-time monitoring capabilities increased their maturity levels, programs that focused solely on hunt teams had an adverse effect.
- Complete automation is an unrealistic goal. A shortage of security talent remains the number one concern for security operations, making automation a critical component for any successful SOC. However, advanced threats still require human investigation and risk assessments need human reasoning, making it imperative that organisations strike a balance between automation and staffing.
- Focus and goals are more important than size of organisation. There is no link between the size of a business and the maturity of its cyber defence centre. Instead, using security as a competitive differentiator, for market leadership, or to create alignment with the organisation’s industry is a better predictor of a mature SOC.
- Hybrid solutions and staffing models provide increased capabilities. Organisations that keep risk management in-house, and scale with external resources, such as leveraging managed security services providers (MSSPs) for co-staffing or in-sourcing, can boost their maturity and address the skills gap.
Report Recommendations
As organisations continue to build and advance SOC deployments alongside the evolving adversary landscape, a solid foundation based on the right combination of people, processes and technology is essential. To help organisations achieve this balance, the report recommends:
- Mastering the basics of risk identification, incident detection, and response, which are the foundation to any effective security operations program, before leveraging new methodologies such as hunt teams.
- Automating tasks where possible, such as response automation, data collection, and correlation to help mitigate the skills gap, but also understanding the processes that require human interaction and staffing accordingly.
- Periodically assessing the organisation’s risk management, security and compliance objectives to help define security strategy and resource allocation.
- Organisations that need to augment their security capabilities but are unable to add staff should consider adopting a hybrid staffing or operational solution strategy that leverages both internal resources and outsourcing to an MSSP.
The full methodology is detailed in the report.