Security Experts:

Disjointed Tools Challenge Security Operations: Survey

Insufficient staffing levels and quality, together with poor orchestration between too many security point products mean that complete breach intolerance is an aspiration not currently achieved by today's security operations centers (SOCs).

This is the conclusion of a new study by Forrester Consulting, commissioned by Endgame, a provider of enterprise threat protection solutions. Forrester surveyed a small number (156) of senior security decision makers (directors, C-Suite and VPs) in US companies with more than 1000 employees (84% have more than 5000 employees). The survey was conducted in May 2017.

'Complete breach intolerance' is defined as stopping all attacks before there is damage to systems or data loss. Breach statistics, however, show how difficult this will be. Of the companies surveyed, 92% have suffered at least one successful breach in the last year. One-third have suffered more than 20 breaches; and one-in-eight have suffered more than 50 successful breaches.

Currently unable to prevent all breaches, 64% of the organizations fear that the next breach could be the big one; or at least, it could be 'somewhat to significantly severe'. The two biggest fears are that it could lead to a loss of revenue, and brand damage. "We have a large presence in our community," said the CISO of a US banking company; "if we had a major breach, it would really be detrimental to our brand. Our reputation would be ruined for the most part."

SOCs are considered an important route to preventing this and improving breach intolerance. Seventy-six percent of the organizations already operate a SOC, with another 17% planning to deploy one in the next 12 months. However, adequately staffing a SOC remains a challenge. Looking at current staffing, only one position (malware engineer) is filled in more than 50% of the organizations. Only 44% of organizations have a Tier 1 analyst; 35% have a SIEM engineer; and only 24% have a forensics specialist. Perceived staff proficiency levels are even worse: 26% for the analyst; and 29% for the SIEM engineer and the forensics specialist.

Given the staffing issues, greater reliance has to be placed on the technology itself. However, inadequate and disjointed tools are a problem. Seventy-one percent of the respondents are using five or more technologies in their SOC, and one-third are using eight or more technologies. "What I'd like to do is reduce the overall risk footprint," said the CISO of a global energy company, "thus being able to reduce the number of tools. There's a lot of work that we're doing to try to reduce overlap of tools."

The primary purpose in reducing the number of tools is to streamline detection and lower false positives. "Lowering our false positives lowers our head count because we don't need as many people watching. That saves us money," said one of the respondents.

"Alert fatigue is a challenge," said another. "If my staff had time to take a look at our architecture, we would be able to reduce the number of tools that we had, or number of providers we had, and really look at things from a holistic approach and not a point solution-type approach. We would reduce the number of vendors we're using, which then in turn would reduce the alerts or reduce that fatigue."

Organizations are looking to reduce their vulnerabilities as well as build more automation between endpoint prevention, detection, and response capabilities, and they are using continuous monitoring to stop advanced threats, says Forrester. Other ways they are improving their strategy is by integrating endpoint security with network security for reduced operational friction. 

Despite the challenges, Forrester believes that complete breach intolerance should still be sought. To achieve this, it says, "It is necessary to equip the SOC team with the right tools and skills." To achieve this, it offers four primary recommendations.

The first is the reverse of much current thinking. Since breaches will happen, recent advice has been to concentrate on detection (incident response) over prevention. However, SOCs are currently stretched by the detection alerts they need to triage. "The best way to efficiently achieve complete breach intolerance," suggests Forrester, "is to build a strong layer of prevention-focused controls to lower your organization's attack surface in the first place. This will lower the number of incidents that your SOC staff need to deal with and reduce the 'noise' seen by detection-focused tools."

The second is to reduce internal friction through integrated endpoint prevention, detection and remediation. "If you don't establish a solid foundation of automation and orchestration," it warns, "blind investments in prevention and detection likely won't have the intended effect and will leave you more vulnerable."

The third is to extend detection capabilities beyond static indicators of compromise, such as malware signatures. "Given the prevalence of fileless attacks and novel attack methods utilizing legitimate software, your detection capabilities must go beyond malicious file and process detection... Prioritize tools that include behavior-based detection from a process and user perspective."

The final recommendation is to advance staff skillsets. "While technology is not a substitute for people, you can only maximize it when you have staffed your team appropriately with skilled and trained resources. Remember," it says, "attackers learn new techniques and methodologies for compromising your environment; your defenders should be learning as well."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.