Partner Perspectives  Connecting marketers to our tech communities.
12/19/2016
02:07 PM
Barbara Kay

Investments In Security Operations Centers Are Paying Off, Study Finds

SOCs help organizations reduce security incidents and improve operational maturity.

Did your last security project fall short of the hoped-for impact? Although many do, at least one investment appears to be working: Security operations centers (SOCs) are making a solid contribution to reducing security incidents and improving operational maturity.

While varying in maturity, SOCs are now a feature of 84% of commercial organizations and 91% of enterprises, according to a research report in the December 2016 McAfee Labs Threats Report. Intel Security interviewed almost 400 security practitioners from Canada, Germany, the United Kingdom, and the United States. Researchers found that although attacks are on the rise and the volume of alerts is overwhelming security capacity, most organizations are improving defensive processes and detection capabilities.

SOCs come in a variety of styles, from dedicated command facilities to purely virtual arrangements. But by far the most common is a multifunction SOC/NOC (network operations center) setup. Reflecting the challenges of staffing and the increasing interdependency of security and IT, this centralized model permits a dedicated staff to oversee and continuously monitor network events and availability as well as security events to increase coverage while minimizing operational costs.

SOCs are contributing to better visibility into attacks. Most of the 67% surveyed who experienced an increase in attacks felt that this was due to better detection capabilities or an actual increase in attack volume. Only 7% of those surveyed reported a decrease in attacks over the past year, with most attributing this to better prevention and security processes.

One key finding of the report is that meaningful attack data is available from tools and systems, but organizations aren’t able to act on it. On average, across all types, sizes, and locations of organizations, 25% of alerts are left unexamined. Only 22% of these firms were lucky enough to suffer no business impact as a result of this lack of capacity, while the remainder experienced minor to severe business impact. That calculates out to about 5% of alerts going uninvestigated and damaging the business.

This unaddressed volume of alerts, combined with the scarcity of experienced security personnel, has pushed 64% of organizations to look for operational assistance from managed security services providers (MSSPs), often working with a couple of these external groups. The MSSP contribution varies from basic to highly skilled. The top use case is security monitoring and monitoring coverage, which helps companies achieve Tier 1 monitoring 24/7 without bearing the staffing burden around the clock. Almost 1 in 5 companies also supplements in-house skills with third-party expertise such as advanced threat detection, incident response, and threat hunting. The choice of internal or external appears to be driven by the availability of personnel and the comparative skill level between internal and external options. The larger the company, the less it relies on external service providers.

Another finding shows active threat-hunting as an increasingly useful mechanism for finding and stopping cyberthreats before systems become severely compromised. More than 65% of organizations with SOCs operate formal threat-hunting teams.

Operational Pragmatism

Managing a SOC requires operational pragmatism. Perfect prevention is not achievable, so organizations are emphasizing visibility and response speed. Many are leveraging tools such as security information and event management (SIEM) systems with analytics to organize threat data, reputation feeds, and vulnerability status into a comprehensive real-time view of their environment. Improved context awareness and actionable intelligence help these organizations better prioritize and orchestrate their incident-response activities, resulting in faster containment and mitigation.

Because alerts are going uninvestigated, priorities are shifting: while detection had been the top investment of the companies surveyed, over the next 12 to 18 months these organizations are more focused on interpreting (prioritizing, evaluating risk, scoping) the data they are already getting than on detecting more. Investing in security analytics will help them make sense of this data, often using correlation capabilities and machine learning to prioritize incident investigations and assess attack risks.

These SOC deployments aren’t stagnating. Organizations are working to mature from monitoring and incident management to attack investigation strengths. Overall, the priorities for future investment in SOC capabilities are 1) improving the ability to respond to confirmed attacks; 2) enhancing the ability to detect signals of potential attacks; and 3) improving the ability to investigate potential attacks.

There’s more detail in the report that can inform your 2017 plans, as well as insights into ransomware and other evolving threats. Download the full report here.  

 

Barbara G. Kay, CISSP, is senior director of marketing at Intel Security. She leads security-operations marketing, which is responsible for threat intelligence and analytics solutions, as well as the security management platform that enables optimized security monitoring, ...