Partner Perspectives  Connecting marketers to our tech communities.
12/19/2016
02:07 PM
Barbara Kay
Barbara Kay
Partner Perspectives
50%
50%

Investments In Security Operations Centers Are Paying Off, Study Finds

SOCs help organizations reduce security incidents and improve operational maturity.

Did your last security project fall short of the hoped-for impact? Although many do, at least one investment appears to be working: Security operations centers (SOCs) are making a solid contribution to reducing security incidents and improving operational maturity.

While varying in maturity, SOCs are now a feature of 84% of commercial organizations and 91% of enterprises, according to a research report in the December 2016 McAfee Labs Threats Report. Intel Security interviewed almost 400 security practitioners from Canada, Germany, the United Kingdom, and the United States. Researchers found that although attacks are on the rise and the volume of alerts is overwhelming security capacity, most organizations are improving defensive processes and detection capabilities.

SOCs come in a variety of styles, from dedicated command facilities to purely virtual arrangements. But by far the most common is a multifunction SOC/NOC (network operations center) setup. Reflecting the challenges of staffing and the increasing interdependency of security and IT, this centralized model permits a dedicated staff to oversee and continuously monitor network events and availability as well as security events to increase coverage while minimizing operational costs.

SOCs are contributing to better visibility into attacks. Most of the 67% surveyed who experienced an increase in attacks felt that this was due to better detection capabilities or an actual increase in attack volume. Only 7% of those surveyed reported a decrease in attacks over the past year, with most attributing this to better prevention and security processes.

One key finding of the report is that meaningful attack data is available from tools and systems, but organizations aren’t able to act on it. On average, across all types, sizes, and locations of organizations, 25% of alerts are left unexamined. Only 22% of these firms were lucky enough to suffer no business impact as a result of this lack of capacity, while the remainder experienced minor to severe business impact. That calculates out to about 5% of alerts going uninvestigated and damaging the business.

This unaddressed volume of alerts, combined with the scarcity of experienced security personnel, has pushed 64% of organizations to look for operational assistance from managed security services providers (MSSPs), often working with a couple of these external groups. The MSSP contribution varies from basic to highly skilled. The top use case is security monitoring and monitoring coverage, which helps companies achieve Tier 1 monitoring 24/7 without bearing the staffing burden around the clock. Almost 1 in 5 companies also supplements in-house skills with third-party expertise such as advanced threat detection, incident response, and threat hunting. The choice of internal or external appears to be driven by the availability of personnel and the comparative skill level between internal and external options. The larger the company, the less they rely on external service providers.

Another finding shows active threat-hunting as an increasingly useful mechanism for finding and stopping cyberthreats before systems become severely compromised. More than 65% of organizations with SOCs operate formal threat-hunting teams.

Operational Pragmatism

Managing a SOC requires operational pragmatism. Perfect prevention is not achievable, so organizations are emphasizing visibility and response speed. Many are leveraging tools such as security information and event management (SIEM) systems with analytics to organize threat data, reputation feeds, and vulnerability status into a comprehensive real-time view of their environment. Improved context awareness and actionable intelligence help these organizations better prioritize and orchestrate their incident-response activities, resulting in faster containment and mitigation.

Alerts are going uninvestigated, so while detection had been the top investment of companies surveyed, over the next 12 to 18 months these organizations are more focused on interpreting (prioritizing, risk-evaluation, scoping) the data they are already getting than in detecting more data. Investing in security analytics will help them make sense of this data, often using correlation capabilities and machine learning to prioritize incident investigations and assess attack risks.  

These SOC deployments aren’t stagnating. Organizations are working to mature from monitoring and incident management to attack investigation strengths. Overall, the priorities for future investment in SOC capabilities are 1) improving the ability to respond to confirmed attacks; 2) enhancing the ability to detect signals of potential attacks; and 3) improving the ability to investigate potential attacks.

There’s more detail in the report that can inform your 2017 plans, as well as insights into ransomware and other evolving threats. Download the full report here.  

 

Barbara G. Kay, CISSP, is senior director of marketing at Intel Security. She leads security-operations marketing, which is responsible for threat intelligence and analytics solutions, as well as the security management platform that enables optimized security monitoring, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7164
PUBLISHED: 2019-02-20
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter.
CVE-2018-20025
PUBLISHED: 2019-02-19
Use of Insufficiently Random Values exists in CODESYS V3 products versions prior V3.5.14.0.
CVE-2018-20026
PUBLISHED: 2019-02-19
Improper Communication Address Filtering exists in CODESYS V3 products versions prior V3.5.14.0.
CVE-2018-9867
PUBLISHED: 2019-02-19
In SonicWall SonicOS, administrators without full permissions can download imported certificates. Occurs when administrators who are not in the SonicWall Administrators user group attempt to download imported certificates. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier.
CVE-2019-5780
PUBLISHED: 2019-02-19
Insufficient restrictions on what can be done with Apple Events in Google Chrome on macOS prior to 72.0.3626.81 allowed a local attacker to execute JavaScript via Apple Events.