Did your last security project fall short of the hoped-for impact? Although many do, at least one investment appears to be working: Security operations centers (SOCs) are making a solid contribution to reducing security incidents and improving operational maturity.
While varying in maturity, SOCs are now a feature of 84% of commercial organizations and 91% of enterprises, according to a research report in the December 2016 McAfee Labs Threats Report. Intel Security interviewed almost 400 security practitioners from Canada, Germany, the United Kingdom, and the United States. Researchers found that although attacks are on the rise and the volume of alerts is overwhelming security capacity, most organizations are improving defensive processes and detection capabilities.
SOCs come in a variety of styles, from dedicated command facilities to purely virtual arrangements, but by far the most common is a multifunction SOC/NOC (network operations center). Reflecting the difficulty of staffing two separate teams and the growing interdependency of security and IT operations, this centralized model lets one dedicated staff continuously monitor network availability and events alongside security events, increasing coverage while keeping operational costs down.
SOCs are contributing to better visibility into attacks. Most of the 67% surveyed who experienced an increase in attacks felt that this was due to better detection capabilities or an actual increase in attack volume. Only 7% of those surveyed reported a decrease in attacks over the past year, with most attributing this to better prevention and security processes.
One key finding of the report is that meaningful attack data is available from existing tools and systems, but organizations lack the capacity to act on it. On average, across all types, sizes, and locations of organizations, 25% of alerts are never examined. Only 22% of these firms reported no business impact from this backlog; the rest experienced minor to severe business impact. Taken together, that works out to roughly 5% of all alerts going uninvestigated and causing harm to the business.
This unaddressed volume of alerts, combined with the scarcity of experienced security personnel, has pushed 64% of organizations to seek operational help from managed security services providers (MSSPs), often from more than one provider at a time. The MSSP contribution ranges from basic to highly skilled. The top use case is security monitoring and monitoring coverage, which lets companies achieve 24/7 Tier 1 monitoring without carrying the around-the-clock staffing burden themselves. Almost 1 in 5 companies also supplement in-house skills with third-party expertise in advanced threat detection, incident response, and threat hunting. The choice between internal and external appears to be driven by the availability of personnel and the relative skill level of the two options; the larger the company, the less it relies on external providers.
Another finding shows active threat-hunting as an increasingly useful mechanism for finding and stopping cyberthreats before systems become severely compromised. More than 65% of organizations with SOCs operate formal threat-hunting teams.
Managing a SOC requires operational pragmatism. Perfect prevention is not achievable, so organizations are emphasizing visibility and response speed. Many are leveraging tools such as security information and event management (SIEM) systems with analytics to organize threat data, reputation feeds, and vulnerability status into a comprehensive real-time view of their environment. Improved context awareness and actionable intelligence help these organizations better prioritize and orchestrate their incident-response activities, resulting in faster containment and mitigation.
Because alerts are already going uninvestigated, the emphasis is shifting. Detection had been the top investment of the companies surveyed, but over the next 12 to 18 months they are more focused on interpreting the data they already collect (prioritizing, evaluating risk, and scoping) than on collecting more of it. Investment in security analytics is meant to make sense of that data, typically by correlating related events and applying machine learning to prioritize incident investigations and assess attack risk.
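As an added illustration (not code from the report, from Intel Security, or from any SIEM product), the following Python sketch models the enrichment, correlation, and prioritization step the preceding two paragraphs describe: each alert is enriched with source-IP reputation, the host's unpatched-vulnerability status, and asset criticality; alerts on the same host within a time window are correlated into one incident; incidents are ranked; and a fixed analyst capacity decides which incidents get investigated and which are deferred (the "unexamined alerts" the report measures). The reputation feed, vulnerability status, asset tiers, hostnames, alert signatures, and scoring weights are all constructed and hypothetical.

```python
"""Alert enrichment, correlation and prioritization sketch (added example; hypothetical data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed context sources (hypothetical; not from any real feed or CMDB) ---
REPUTATION = {"203.0.113.7": "malicious", "198.51.100.2": "suspicious"}   # ip -> verdict
VULN_STATUS = {"web-01": 2, "db-02": 0, "wks-17": 1}   # host -> unpatched critical findings
ASSET_TIER = {"web-01": 2, "db-02": 1, "wks-17": 3}    # host -> criticality (1 = highest)

# --- Constructed sample SIEM alerts in a normalized form (signatures are hypothetical) ---
SAMPLE_ALERTS = [
    {"ts": "2016-12-05T09:00:10", "host": "web-01", "src_ip": "203.0.113.7",
     "sig": "Web shell upload attempt", "severity": 3},
    {"ts": "2016-12-05T09:04:42", "host": "web-01", "src_ip": "203.0.113.7",
     "sig": "Outbound connection to rare port", "severity": 2},
    {"ts": "2016-12-05T09:20:00", "host": "db-02", "src_ip": "10.0.0.5",
     "sig": "Failed login burst", "severity": 2},
    {"ts": "2016-12-05T11:30:00", "host": "wks-17", "src_ip": "198.51.100.2",
     "sig": "Macro document executed", "severity": 3},
    {"ts": "2016-12-05T14:00:00", "host": "web-01", "src_ip": "192.0.2.9",
     "sig": "Port scan", "severity": 1},
]

WINDOW = timedelta(minutes=30)  # alerts on one host within this window form one incident


def enrich(alert):
    """Attach reputation, vulnerability and asset context; compute an additive score.

    Weights are illustrative: a malicious source, an unpatched host and a critical
    asset each raise the score so that the same signature ranks differently by context.
    """
    rep = REPUTATION.get(alert["src_ip"], "unknown")
    vulns = VULN_STATUS.get(alert["host"], 0)
    tier = ASSET_TIER.get(alert["host"], 3)
    score = alert["severity"]
    score += {"malicious": 4, "suspicious": 2}.get(rep, 0)
    score += 3 if vulns > 0 else 0
    score += {1: 3, 2: 1}.get(tier, 0)
    return {**alert, "reputation": rep, "unpatched_critical": vulns,
            "asset_tier": tier, "score": score}


def correlate(enriched_alerts):
    """Group enriched alerts per host into incidents using a sliding time window."""
    by_host = defaultdict(list)
    for a in sorted(enriched_alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)
    incidents = []
    for host, items in by_host.items():
        current = None
        for a in items:
            t = datetime.fromisoformat(a["ts"])
            if current and t - current["last"] <= WINDOW:
                current["alerts"].append(a)
                current["last"] = t
            else:
                current = {"host": host, "alerts": [a], "first": t, "last": t}
                incidents.append(current)
    for inc in incidents:
        sigs = {a["sig"] for a in inc["alerts"]}
        # Strongest single alert, plus a capped bonus for each distinct extra technique seen
        inc["score"] = max(a["score"] for a in inc["alerts"]) + min(len(sigs) - 1, 3)
        inc["signatures"] = sorted(sigs)
        inc["asset_tier"] = min(a["asset_tier"] for a in inc["alerts"])
    return incidents


def rank_incidents(alerts):
    """Enrich, correlate and sort incidents: highest score first, critical assets break ties."""
    incidents = correlate(enrich(a) for a in alerts)
    return sorted(incidents, key=lambda i: (-i["score"], i["asset_tier"]))


def triage(alerts, analyst_capacity):
    """Split ranked incidents into those investigated now and those left in the backlog."""
    ranked = rank_incidents(alerts)
    return ranked[:analyst_capacity], ranked[analyst_capacity:]


if __name__ == "__main__":
    investigated, deferred = triage(SAMPLE_ALERTS, analyst_capacity=2)
    for label, group in (("INVESTIGATE", investigated), ("DEFER", deferred)):
        for inc in group:
            print(f"{label:11} {inc['host']:7} score={inc['score']:2} "
                  f"alerts={len(inc['alerts'])} {inc['signatures']}")
```

Running it ranks the web-01 incident that combines a malicious source, an unpatched host and two distinct signatures above the isolated port scan on the same host, and the capacity cut-off makes visible exactly which lower-scored incidents would sit unexamined, which is the backlog the survey numbers describe. In a real SIEM the scoring weights would be tuned to the environment and the context sources would be live feeds rather than dictionaries.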
These SOC deployments aren’t stagnating. Organizations are working to mature from monitoring and incident management to attack investigation strengths. Overall, the priorities for future investment in SOC capabilities are 1) improving the ability to respond to confirmed attacks; 2) enhancing the ability to detect signals of potential attacks; and 3) improving the ability to investigate potential attacks.
There’s more detail in the report that can inform your 2017 plans, as well as insights into ransomware and other evolving threats. Download the full report here.