Security Operations Centers (SOCs) are failing to meet the maturity level necessary to provide optimum security and efficiency. The 2017 State of Security Operations report finds that 82% of SOCs worldwide fail to achieve optimum maturity (a score of 3 on the Security Operations Maturity Model).
Worldwide, there has been a 3% improvement over last year; but no geographical region yet meets an average score of 2. To put this in context, North America scores 1.52 while different parts of Europe range between 1.26 and 1.47 (Benelux stands out at 1.79). Clearly there is considerable room for improvement in many SOCs; and without that improvement enterprises will remain vulnerable in the event of an attack.
The State of Security Operations report is an annual study compiled by Hewlett Packard Enterprise (HPE). It comes from the study of 137 discrete SOCs and 183 in-depth assessments. It analyzes why organizations’ SOCs fall below optimum maturity, and what can be done to improve matters. Sometimes cause and remedy seem counter-intuitive, but one difficulty keeps emerging: recruiting and retaining adequate security talent. Lack of qualified staff frequently leads to less than optimum solutions.
One example is in the use of a managed service provider. The immediate effect could be improved security, a reduction in costs, and reduced strain on staff recruitment. But this will decline over time without continuous management of the MSP. The use of an MSP — which is no bad thing — should be an active choice to improve security rather than a defensive response to reduce costs.
HPE suggests that where companies need to augment security but cannot afford the additional staff to do so, they should consider a hybrid MSP/internal integrated solution. Internal operational capability can more appropriately manage risk; will be better able to coordinate incident response; and can better align security with the organization’s business objectives. In all cases the organization needs to go beyond the MSP’s standard SLA to ensure that security can be or remain integrated with business objectives.
The staffing issue resurfaces with automation. The difficulty in finding and keeping quality analysts persuades some organizations to consider replacing front-line analysts with automation, but while this is good in theory, it is not always good in practice. Effective automation requires a high degree of confidence in configuration management, and organizations often lack mature information about the applications, users, systems, and data residing in disparate repositories.
The risk of breaking something that has not been well documented then persuades some organizations to turn to an alternative but equally ineffective method: automated ticket generation. This isn’t always bad, suggests HPE, but “when dealing with the behavior of an advanced threat actor and coordinated campaigns that span time, this approach usually turns the analyst into a myopic responder.” In short, SOCs should think hard before eliminating front-line analysts in favor of automation.
A variant of the staffing issue returns in the growing tendency for SOCs to rely on open source tools. As with MSPs, this can provide an immediate increase in security and a reduction in costs — but once again it usually doesn’t last. OSS rarely comes with the support, documentation or metrics that can ensure compliance and security objectives remain sustainable.
Furthermore, OSS solutions frequently require customization and ongoing maintenance. Staff, however, tend not to stay as long as the software. HPE claims that security leadership usually turns over every 18 months — and key staff can move on even sooner. Staff churn has a negative effect on the OSS maintenance, and this in turn can reduce the effectiveness and maturity of the SOC. This doesn’t mean that OSS should be abandoned, but that organizations need to be aware of the ongoing commitment.
Overall SOC maturity remains well below optimal levels. HPE can find no direct correlation between high maturity and enterprise size: while some large enterprises have good maturity, other multinationals remain poor. Here the difference seems to be in management attitude and willingness to spend (which itself is linked to risk perception).
In terms of verticals, service organizations have replaced technology organizations as the more mature. The telecom industry continues to have poor maturity, partly because its primary concern is service availability. HPE expects this to improve over the next few years with the emergence of a new breed of telecommunication company. Government, however, continues to struggle — and again it is partly the staffing issue. Rigid structures slow down implementations, while rapid staff turnover stops them even being started. As a result, for example, Government metrics tend to be based on staffing rather than maturity and effectiveness.
The whole problem is, of course, exacerbated by the rapidly changing threat landscape. The emergence of destructive malware and ransomware has demanded closer ties between SOCs and disaster recovery and business continuity (DRBC) teams. The new General Data Protection Regulation (GDPR) will also present new issues. Although organizations are aware of the implications, the necessary changes have not yet been implemented. The requirement to detect and inform EU citizens of personal data compromises within 72 hours will drive new SOC detection and response use cases and investment for compliance around the globe.
Given these problems, the 3% overall improvement in SOC maturity over last year is an achievement.