Partner Perspectives  Connecting marketers to our tech communities.
12/19/2016
02:07 PM
Barbara Kay
Barbara Kay
Partner Perspectives
50%
50%

Investments In Security Operations Centers Are Paying Off, Study Finds

SOCs help organizations reduce security incidents and improve operational maturity.

Did your last security project fall short of the hoped-for impact? Although many do, at least one investment appears to be working: Security operations centers (SOCs) are making a solid contribution to reducing security incidents and improving operational maturity.

While varying in maturity, SOCs are now a feature of 84% of commercial organizations and 91% of enterprises, according to a research report in the December 2016 McAfee Labs Threats Report. Intel Security interviewed almost 400 security practitioners from Canada, Germany, the United Kingdom, and the United States. Researchers found that although attacks are on the rise and the volume of alerts is overwhelming security capacity, most organizations are improving defensive processes and detection capabilities.

SOCs come in a variety of styles, from dedicated command facilities to purely virtual arrangements. But by far the most common is a multifunction SOC/NOC (network operations center) setup. Reflecting the challenges of staffing and the increasing interdependency of security and IT, this centralized model permits a dedicated staff to oversee and continuously monitor network events and availability as well as security events to increase coverage while minimizing operational costs.

SOCs are contributing to better visibility into attacks. Most of the 67% surveyed who experienced an increase in attacks felt that this was due to better detection capabilities or an actual increase in attack volume. Only 7% of those surveyed reported a decrease in attacks over the past year, with most attributing this to better prevention and security processes.

One key finding of the report is that meaningful attack data is available from tools and systems, but organizations aren’t able to act on it. On average, across all types, sizes, and locations of organizations, 25% of alerts are left unexamined. Only 22% of these firms were lucky enough to suffer no business impact as a result of this lack of capacity, while the remainder experienced minor to severe business impact. That calculates out to about 5% of alerts going uninvestigated and damaging the business.

This unaddressed volume of alerts, combined with the scarcity of experienced security personnel, has pushed 64% of organizations to look for operational assistance from managed security services providers (MSSPs), often working with a couple of these external groups. The MSSP contribution varies from basic to highly skilled. The top use case is security monitoring and monitoring coverage, which helps companies achieve Tier 1 monitoring 24/7 without bearing the staffing burden around the clock. Almost 1 in 5 companies also supplements in-house skills with third-party expertise such as advanced threat detection, incident response, and threat hunting. The choice of internal or external appears to be driven by the availability of personnel and the comparative skill level between internal and external options. The larger the company, the less they rely on external service providers.

Another finding shows active threat-hunting as an increasingly useful mechanism for finding and stopping cyberthreats before systems become severely compromised. More than 65% of organizations with SOCs operate formal threat-hunting teams.

Operational Pragmatism

Managing a SOC requires operational pragmatism. Perfect prevention is not achievable, so organizations are emphasizing visibility and response speed. Many are leveraging tools such as security information and event management (SIEM) systems with analytics to organize threat data, reputation feeds, and vulnerability status into a comprehensive real-time view of their environment. Improved context awareness and actionable intelligence help these organizations better prioritize and orchestrate their incident-response activities, resulting in faster containment and mitigation.

Alerts are going uninvestigated, so while detection had been the top investment of companies surveyed, over the next 12 to 18 months these organizations are more focused on interpreting (prioritizing, risk-evaluation, scoping) the data they are already getting than in detecting more data. Investing in security analytics will help them make sense of this data, often using correlation capabilities and machine learning to prioritize incident investigations and assess attack risks.  

These SOC deployments aren’t stagnating. Organizations are working to mature from monitoring and incident management to attack investigation strengths. Overall, the priorities for future investment in SOC capabilities are 1) improving the ability to respond to confirmed attacks; 2) enhancing the ability to detect signals of potential attacks; and 3) improving the ability to investigate potential attacks.

There’s more detail in the report that can inform your 2017 plans, as well as insights into ransomware and other evolving threats. Download the full report here.  

 

Barbara G. Kay, CISSP, is senior director of marketing at Intel Security. She leads security-operations marketing, which is responsible for threat intelligence and analytics solutions, as well as the security management platform that enables optimized security monitoring, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Mueller Probe Yields Hacking Indictments for 12 Russian Military Officers
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/13/2018
10 Ways to Protect Protocols That Aren't DNS
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/16/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Siri??  You're a guy?
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-10727
PUBLISHED: 2018-07-20
camel/providers/imapx/camel-imapx-server.c in the IMAPx component in GNOME evolution-data-server before 3.21.2 proceeds with cleartext data containing a password if the client wishes to use STARTTLS but the server will not use STARTTLS, which makes it easier for remote attackers to obtain sensitive ...
CVE-2018-8018
PUBLISHED: 2018-07-20
Apache Ignite 2.5 and earlier serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party vulnerable classes are present in Ignite classpath. The vulnerability can be exploited if the one sends a spe...
CVE-2018-14415
PUBLISHED: 2018-07-20
An issue was discovered in idreamsoft iCMS before 7.0.10. XSS exists via the fourth and fifth input elements on the admincp.php?app=prop&do=add screen.
CVE-2018-14418
PUBLISHED: 2018-07-20
In Msvod Cms v10, SQL Injection exists via an images/lists?cid= URI.
CVE-2018-14419
PUBLISHED: 2018-07-20
MetInfo 6.0.0 allows XSS via a modified name of the navigation bar on the home page.