
Cloud | Commentary
12/11/2019 10:00 AM
Jon Oltsik

Big Changes Are Coming to Security Analytics & Operations

New ESG research points to fundamental problems, a need for scalable security data pipelines, and a migration to the public cloud.

ESG recently completed a new research project focused on security analytics and operations. As part of this project, ESG surveyed 406 IT and security professionals working at midmarket and enterprise organizations in North America across all industries. Based on the research results, we came to the following conclusions:

Security analytics and operations continue to grow more difficult. 
Nearly two-thirds (63%) of survey respondents claim that security analytics and operations are more difficult today than they were two years ago. This increasing difficulty is being driven by external changes and internal challenges. From an external perspective, 41% of security pros say that security analytics and operations are more difficult now due to rapid evolution in the threat landscape, and 30% claim that things are more difficult because of the growing attack surface. 

Security teams have no choice but to keep up with these dynamic external trends. On the internal side, 35% of respondents report that security analytics and operations are more difficult today because they collect more security data than they did two years ago, 34% say that the volume of security alerts has increased over the past two years, and 29% complain that it is difficult to keep up with the volume and complexity of security operations tasks. Security analytics/operations progress depends upon addressing all these external and internal issues.

The security data pipeline dilemma: More data, more problems
Just under one-third (32%) of organizations collect substantially more data to support cybersecurity analytics and operations today than they did two years ago, while 44% collect somewhat more security data. Furthermore, 52% of organizations retain this data online for longer periods of time than they did in the past. The volume of real-time and historical security data creates massive data repositories that are costly and difficult to manage. Security analysts commonly offer a complaint worthy of Yogi Berra: "We have so much security data that we can't find anything we're looking for."

Traditional on-premises SIEM is an incomplete solution. 
A full 70% of organizations continue to anchor their security analytics and operations with security information and event management (SIEM) systems. Despite this central role, security operations center (SOC) teams now surround the SIEM with additional tools for threat detection/response, investigations/query, threat intelligence analysis, and process automation/orchestration. This raises the question: If SIEM is essential to security analytics and operations, why do organizations need so many tools? 

The research reveals that while SIEM is good at discovering known threats and generating security and compliance reports, it's not well suited for detecting unknown threats or other security operations use cases. What's more, 23% of security pros say that SIEM platforms require lots of personnel training and experience, and 21% believe that SIEM requires constant tuning and operational overhead to be useful. SIEM isn't going away, but it needs help.

Staffing and skills shortages remain ubiquitous. 
Three-quarters of survey respondents agree that the cybersecurity skills shortage has affected security analytics and operations at their organizations. Can't CISOs simply hire their way out of this situation? It's not that easy: 70% of security pros say that it is extremely difficult or somewhat difficult to recruit and hire SOC personnel. Organizations are addressing the skills gap by turning to managed services. Seventy-four percent of organizations use managed security services (for security analytics and operations) today, and 90% plan on increasing their use of managed security services in the future. When it comes to the SOC, it seems that no one can go it alone anymore. 

Security analytics and operations technologies are migrating to the public cloud. 
In the past, CISOs preferred the hands-on control of on-premises security analytics and operations technology, but this is no longer true. The research indicates that 41% of organizations prefer cloud-based security analytics and operations technologies while another 17% are willing to look at cloud-based security analytics and operations technology options on a case-by-case basis. 

Why move to the cloud? The most obvious reason is to avoid the cost and complexity of an on-premises security analytics and operations infrastructure (i.e., deployment and ongoing operations of data collectors/processors, load balancers, servers, storage devices, etc.). Interestingly, some progressive organizations believe that scalable, burstable cloud-based processing and storage resources can provide analytics opportunities they simply can't achieve with homegrown on-premises efforts. This is particularly true with the application of machine learning algorithms on massive security data sets.

Based upon this research, ESG has four recommendations for CISOs and security professionals:

  1. CISOs must address SOC deficiencies with long-term and comprehensive strategies that can improve security efficacy, bolster operational efficiency, and support business objectives. Tactical tweaks won't do.
  2. Large organizations should understand that security analytics and operations is a big data application. This demands that security teams have appropriate data management skills so they can build and operate security data pipelines at scale.
  3. CISOs must plan for cloud migration so they can create a security operations and analytics platform architecture (SOAPA) that helps them prevent, detect, and respond to security incidents across hybrid IT infrastructure. "Lift-and-shift" should be viewed as a starting, not an ending, point. 
  4. To address the scale and scope of security operations along with the ongoing cybersecurity skills shortage, SOC managers must lean on artificial intelligence, security process automation, and managed services moving forward. Once again, CISOs need a detailed plan on how these elements will augment the SOC staff, supplement and improve SOC processes, and better safeguard critical business assets. 


Jon Oltsik is an ESG senior principal analyst, an ESG fellow, and the founder of the firm's cybersecurity service. With over 30 years of technology industry experience, Jon is widely recognized as an expert in all aspects of cybersecurity and is often called upon to help ...

Comments
JohnB843, User Rank: Apprentice, 12/11/2019 | 5:48:43 PM
Great summary of CISOs' ever-increasing challenges.
"SOC managers must lean on artificial intelligence, security process automation, and managed services moving forward." Exactly, Jon.

RuskinF, User Rank: Apprentice, 1/22/2020 | 11:20:52 AM
Is security analysis part of Dynamics?
I went through the article. It seems security analysis has been on a downward slope in the last few years.

It's been reported a lot in the niche I work as well.

If only Microsoft released MS Dynamics 365 with a proper purpose of analyzing the cybersecurity of clients and providing insights into the feedback loops to counter exploits on the system.

freecodezilla, User Rank: Apprentice, 2/9/2020 | 8:09:08 AM
Very Well Explained
That's very helpful information.

freecodezilla, User Rank: Apprentice, 2/9/2020 | 8:11:11 AM
Very Well Explained
That's very helpful information. You explained very well.