Partner Perspectives  Connecting marketers to our tech communities.
12/19/2016
02:07 PM
Barbara Kay
Barbara Kay
Partner Perspectives
50%
50%

Investments In Security Operations Centers Are Paying Off, Study Finds

SOCs help organizations reduce security incidents and improve operational maturity.

Did your last security project fall short of the hoped-for impact? Although many do, at least one investment appears to be working: Security operations centers (SOCs) are making a solid contribution to reducing security incidents and improving operational maturity.

While varying in maturity, SOCs are now a feature of 84% of commercial organizations and 91% of enterprises, according to a research report in the December 2016 McAfee Labs Threats Report. Intel Security interviewed almost 400 security practitioners from Canada, Germany, the United Kingdom, and the United States. Researchers found that although attacks are on the rise and the volume of alerts is overwhelming security capacity, most organizations are improving defensive processes and detection capabilities.

SOCs come in a variety of styles, from dedicated command facilities to purely virtual arrangements. But by far the most common is a multifunction SOC/NOC (network operations center) setup. Reflecting the challenges of staffing and the increasing interdependency of security and IT, this centralized model permits a dedicated staff to oversee and continuously monitor network events and availability as well as security events to increase coverage while minimizing operational costs.

SOCs are contributing to better visibility into attacks. Most of the 67% surveyed who experienced an increase in attacks felt that this was due to better detection capabilities or an actual increase in attack volume. Only 7% of those surveyed reported a decrease in attacks over the past year, with most attributing this to better prevention and security processes.

One key finding of the report is that meaningful attack data is available from tools and systems, but organizations aren’t able to act on it. On average, across all types, sizes, and locations of organizations, 25% of alerts are left unexamined. Only 22% of these firms were lucky enough to suffer no business impact as a result of this lack of capacity, while the remainder experienced minor to severe business impact. That calculates out to about 5% of alerts going uninvestigated and damaging the business.

This unaddressed volume of alerts, combined with the scarcity of experienced security personnel, has pushed 64% of organizations to look for operational assistance from managed security services providers (MSSPs), often working with a couple of these external groups. The MSSP contribution varies from basic to highly skilled. The top use case is security monitoring and monitoring coverage, which helps companies achieve Tier 1 monitoring 24/7 without bearing the staffing burden around the clock. Almost 1 in 5 companies also supplements in-house skills with third-party expertise such as advanced threat detection, incident response, and threat hunting. The choice of internal or external appears to be driven by the availability of personnel and the comparative skill level between internal and external options. The larger the company, the less they rely on external service providers.

Another finding shows active threat-hunting as an increasingly useful mechanism for finding and stopping cyberthreats before systems become severely compromised. More than 65% of organizations with SOCs operate formal threat-hunting teams.

Operational Pragmatism

Managing a SOC requires operational pragmatism. Perfect prevention is not achievable, so organizations are emphasizing visibility and response speed. Many are leveraging tools such as security information and event management (SIEM) systems with analytics to organize threat data, reputation feeds, and vulnerability status into a comprehensive real-time view of their environment. Improved context awareness and actionable intelligence help these organizations better prioritize and orchestrate their incident-response activities, resulting in faster containment and mitigation.

Alerts are going uninvestigated, so while detection had been the top investment of companies surveyed, over the next 12 to 18 months these organizations are more focused on interpreting (prioritizing, risk-evaluation, scoping) the data they are already getting than in detecting more data. Investing in security analytics will help them make sense of this data, often using correlation capabilities and machine learning to prioritize incident investigations and assess attack risks.  

These SOC deployments aren’t stagnating. Organizations are working to mature from monitoring and incident management to attack investigation strengths. Overall, the priorities for future investment in SOC capabilities are 1) improving the ability to respond to confirmed attacks; 2) enhancing the ability to detect signals of potential attacks; and 3) improving the ability to investigate potential attacks.

There’s more detail in the report that can inform your 2017 plans, as well as insights into ransomware and other evolving threats. Download the full report here.  

 

Barbara G. Kay, CISSP, is senior director of marketing at Intel Security. She leads security-operations marketing, which is responsible for threat intelligence and analytics solutions, as well as the security management platform that enables optimized security monitoring, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.