Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/26/2020
10:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

SOC Wins & Losses

While the security operations center is enjoying a higher profile these days, just one-fourth of security operations centers actually resolve incidents quickly enough.

Security operations centers (SOCs) have gained more prestige, profile, and, in some cases, budget in the organization. But even well-resourced SOCs suffer many of the same woes that struggling SOCs do: an incomplete view of all devices connecting to their networks and an overload of redundant and underutilized security tools spitting out more data and alerts than they can handle or grok.

More alarmingly, many still struggle to quickly resolve security incidents. In some 40% of SOCs, the mean time to resolution (MTTR) is months to years, according to a study by the Ponemon Institute and commissioned by Devo Technology that published this week. Around 37% resolve incidents within weeks and 24% within hours or days.

With the exception of the most mature SOCs, that slow resolution rate is typical, notes Julian Waits, general manager of cybersecurity at Devo. "Their program is still immature, they don't have playbooks in place, and so much is still happening manually," he says.

It takes about a week for Texas A&M University's SOC to resolve incident, according to Dominic Dertatevasion, associate director of IT at Texas A&M's SOC. That MTTR is based on what A&M SOC tools can actually see, he notes. "Within a week, they should be able to identify where the host or user is and clean it up or educate the host to reset passwords" and other controls, Dertatevasion says.

Texas A&M's SOC is actually watching not only the network on its massive flagship campus in College Station, Texas, but it also provides SOC services for 11 universities under the A&M system as well as a half-dozen government state agencies on its network. "We're only seeing what we can see and what you can give us access to. I'm 100% sure we're missing stuff," Dertatevasion says of the other campuses his team services.

Some 40% of security pros say their SOCs have too many tools. Devo's Waits says it's not surprising that SOCs end up with too many tools that often overlap or produce redundant data. "A new technology gets brought in and many of the older technologies [overlap] ... another thing gets added on the stack, and there's not thought on how to optimize them," he says.

The most common overlapping tools are endpoint detection and response products and network detection tools, he says. And the consolidation among security vendors also inadvertently results in redundancy in the SOC. He points to the example of next-generation firewall vendor Palo Alto Networks, which now also has endpoint technology.

Different tools can be generating alerts on the same IP address but are run by different SOC analysts, he notes.

Dertatevasion says Texas A&M adds a new tool every one to two years in a slow and deliberate strategy. The goal is to allow analysts to gain expertise in the tools and ensure they fit well into the SOC ecosystem and operations before adding anything new.

"We might be different than private industry in that we have SOC-managed tools we run and our constituents have tools they purchase and might bring along. We've always had to adapt to the tools other people bring along and try not to overpromise or overdeliver on that," he says. "We don't want to be in a jack-of-all-trades-but-master-of-none type of situation."

Given that the security landscape is constantly evolving, he says, the university can't afford to keep any insufficient tools, anyway.

Automation has been the battle cry for streamlining and eliminating the high volume of alerts tools generate in the SOC. More than 70% say they want more automation in the SOC, especially to help relieve the manual labor of alert management, incident evidence-gathering, and malware defense, the study found.

But, yes, there is such thing as too much automation, where the SOC analyst ends up being relegated to more of a help desk role that doesn't tap his or her skills. As Sean Curran, a partner with West Monroe Partners, describes it, too much automation can turn SOC analysts into robots that can't properly pivot when an incident pivots from script. He points to a case where SOC analysts disabled a legitimate alert because it didn't fit the runbot.

"They didn't know what to do with it," so they assumed it was a false positive and disabled it, he recalled during a recent Dark Reading panel discussion on SOCs and incident response.

"They're just shuffling tickets" in that scenario, Dertatevasion says. "I aim for my organization to automate the boring stuff. If we're seeing something three times a day, and every time we see this set of IOCs we know it's benign and we're not going to escalate it, then we automate it."  

COVID-19
Meanwhile, there's been a well-documented high burnout rate among SOC analysts, leading to turnover. The Ponemon-Devo report – based on a survey of IT and IT security professionals in organizations with SOCs and taken between March 11 and April 5, at the start of the pandemic – found that 78% of SOC analysts describe the SOC "very painful" to work in, an increase from 70% last year. Around 60% are looking to jump ship and change jobs.

A recent study from Exabeam found that 64% of SOC analysts on the front line were leaving their jobs because they saw no career path for them there.

"We did this research before we really knew the reality of COVID-19," Devo's Waits notes. The stress levels likely have escalated, with the teams sent to work from home who weren't accustomed to it, and the underfunded SOCs are even more challenged without the face-to-face work support, he notes.

It's often "more chaotic" working from home, especially with family and other personal distractions, he notes. "Now SOC analysts may have something slip through the cracks" more easily, he says.

Related Content:

 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4533
PUBLISHED: 2020-08-10
IBM Jazz Reporting Service 6.0.6, 6.0.6.1, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: ...
CVE-2020-4539
PUBLISHED: 2020-08-10
IBM Jazz Reporting Service 6.0.2, 6.0.6, 6.0.6.1, 7.0, and 7.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2020-4541
PUBLISHED: 2020-08-10
IBM Jazz Reporting Service 7.0 and 7.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 183039.
CVE-2020-12777
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
CVE-2020-12778
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.