Security operations centres (SOCs) south of the border are falling below target maturity levels, leaving 82% of reviewed organizations vulnerable to cyber security attacks, Hewlett Packard Enterprise (HPE) concludes in a new white paper issued Tuesday.
The finding is worrisome since an SOC serves as the foundation for how organizations protect their most sensitive assets, as well as how to detect and respond to threats, HPE notes in releasing State of Security Operations Report 2017.
The white paper provides analysis on the effectiveness of organizations’ security operating centres and best practices for mitigating risk in the evolving cyber security landscape.
Adding to the vulnerability is the fact that an increased pressure exists to rapidly innovate and align security initiatives with business goals, suggests the fourth annual paper, which is published by HPE Security Intelligence and Operations Consulting and assesses the capability and maturity of 137 discreet SOCs via 183 in-depth assessments since 2008.
“There has never been a stronger connection between security initiatives and business goals. The speed of organizations adoption of new innovations such as cloud, IoT (Internet of Things) and big data platforms is matched head-on by advancement of the attackers,” Matthew Shriner, HPE’s vice president of security professional services, writes in the forward of the white paper.
“The sophistication, agility and scale of attacks has made speed an imperative for any successful security operations centre, and has led to a renewed focus on automation, real-time detection and response at scale,” Shriner points out.
“This year’s report showcases that while organizations are investing heavily in security capabilities, they often chase new processes and technologies, rather than looking at the bigger picture, leaving them vulnerable to the sophistication and speed of today’s attackers,” he says in an HPE statement.
Successful security operation centres “are excelling by taking a balanced approach to cyber security that incorporates the right people, processes and technologies, as well as correctly leverages automation, analytics, real-time monitoring and hybrid staffing models to develop a mature and repeatable cyber defence program,” Shriner continues.
HPE reports that each SOC was measured on the HPE Security Operations Maturity Model scale, which evaluates the people, processes, technology and business capabilities that comprise an SOC. Using a five-point scale, a score of 0 is given for a complete lack of capability while 5 is given for a capability that is consistent, repeatable, documented, measured, tracked, and continually improved upon.
Following the assessments conducted this year, HPE found that over the last five years, 18% of “assessed organizations are meeting business goals and are working toward or have achieved recommended maturity levels.”
Although a well-defined, subjectively evaluated and flexible SOC is recommended to allow modern enterprises to effectively monitor existing and emerging threats, 82% of SOCs “are failing to meet this criteria and falling below the optimal maturity level,” the company statement notes.
True, this represents a 3% improvement year-over-year – and a 5% improvement in two years – but “the majority of organizations are still struggling with a lack of skilled resources, as well as implementing and documenting the most effective processes,” the statement adds.
The paper provides the following key observations:
SOC maturity decreases with hunt-only programs – while organizations that added hunt teams to their existing real-time monitoring capabilities increased their maturity levels, programs that focused solely on hunt teams had an adverse effect;
complete automation is an unrealistic goal – advanced threats still require human investigation and risk assessments need human reasoning, making it imperative that organizations strike a balance between automation and staffing;
focus and goals are more important than size of organization – organizations that use security as a competitive differentiator (for market leadership or to create alignment with their industry) are better predictors of mature SOCs; and
hybrid solutions and staffing models provide increased capabilities – organizations that keep risk management in-house, and scale with external resources, can boost their maturity and address the skills gap.
“This year has also seen a sharp decline in maturity for organizations that are opting out of real-time security monitoring in favor of post-event search technologies,” the paper points out.
“While this is a disturbing trend, organizations that have adopted hunt team capabilities as an add-on to their existing real-time monitoring programs have seen success in rapid detection of configuration issues, previously undetected malware infections, and SWIFT attack identification,” it adds.
The paper emphasizes a solid foundation based on the right combination of people, processes and technology is essential as organizations continue to build and advance security operations centres deployments. That being the case, HPE suggests this balance can be achieved by doing the following:
mastering the basics of risk identification, incident detection and response before leveraging new methodologies such as hunt teams;
automating tasks such as response automation, data collection and correlation where and understanding the processes that require human interaction and staffing accordingly;
having periodic assessment of organizations’ risk management, security and compliance objectives to help define security strategy and resource allocation; and
adopting a hybrid staffing or operational solution strategy that leverages both internal resources and outsourcing for organizations that need to augment their security capabilities, but are unable to add staff.
“The uneven distribution of maturity results across industries can be directly correlated with the experience of negative financial impact from malicious attacks,” HPE found.
“Organizations who have experienced direct financial loss due to malicious attacks do a better job of immediately maturing to a higher level. This group of organizations continues to grow significantly in number,” the white paper notes.
“No matter what stage organizations are at, it should be evident that there is no quick fix product or service that can provide the protection and operational awareness an organization needs,” it emphasizes.
“Successful security operations programs require an assessment of the risk management, security and compliance objectives of the organization and the constant tuning of the people, process and technology components of the solutions deployed,” it adds.
Looking forward to the upcoming year, HPE sees great challenges, including further adoption of the new style of IT and an increase in politically motivated attacks.
“I remain steadfast in the belief that organizations’ best defence will be to remain steady with their security operations foundations. Focus on the people,” Shriner emphasizes. “The people will drive the process, and the process will ensure the most effective use of the technologies.”