HPE Software is now Micro Focus

3 major disruptors impacting the effectiveness of SecOps today

Security_Guest

Guest post by Stan Wisseman
HPE Security Strategist

HPE Security has identified three major disruptors impacting the effectiveness of security operations today:

  1. Data velocity, volume and variety
  2. Advanced attacks
  3. Lack of security expertise

In May, the SANS Institute released the Future SOC: SANS 2017 Security Operations Center Survey that includes some results that support the disruptors we are highlighting.

Data velocity, volume and variety
Data is essential for security operations centers (SOCs) to gain visibility into today’s potential threats. SOCs must gather and respond to an exponentially increasing volume of data from IT infrastructure, physical systems in the environment, as well as the Internet of Things.

SANS reported:

  • 25% of companies are moving towards a centralized SOC over the next 24 months. For these companies this will mean an even greater volume of data processed by a single SOC organization, so challenges with data velocity and the ability to respond will be top of mind.
  • Integration of SOCs with NOCs: only 12% of NOCs and SOCs are technically integrated. As the report points out, the interaction between the two organizations presents an opportunity for improved detection and response capabilities. These two functions have similar objectives but speak a different language.
  • 82% of respondents said their SOCs deploy Windows event log monitoring. “Windows event log monitoring involves potentially overwhelming amounts of data to monitor the health and status of a system.”
  • Logs facilitate the root-cause inspection of compromises that started well before the initial detection. According to respondents, only 9% are centralizing 100% of their logs, while the largest group (26%) centralize 51% to 75% of logs.
  • 77% of respondents said their SOCs are using SIEM tools to stitch together the disparate sources and look for patterns. However, SIEM tools tend to have a challenge with massive amounts of data because they attempt to process everything as it is ingested.

Advanced attacks
We see the next major disruptor to effective security operations as being advanced attacks. Enterprises are under constant cyberattack, and these attacks are continually evolving. Once attackers get a foothold, they’ll beacon home to enable further discovery and exploitation of sensitive assets. Today’s threats aren’t only persistent, but they consist of many parts and multiple stages, which often avoid detection. The modern SOC must be able to detect today’s advanced, multi-stage attacks quickly to minimize dwell time. They must use all of the tools at their disposal to connect the dots from many events and many data sources and bring them together to see otherwise undetected multi-stage threats.

SANS reported:

  • 84% use SIEM reporting and analytics.
  • 86% cited log management and network intrusion detection and prevention as their top detection tools.
  • Only 45% were satisfied with their ability to detect previously unknown threats. This is a clear area where more automation could assist.
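The "connect the dots" point above is easiest to see in code. The following is an added example, not code from the original post or from HPE/SANS: it correlates two constructed event sources (a Windows Security log feed and a web proxy log) to surface a multi-stage pattern the post describes, a logon on a host followed by regular-interval outbound connections (beaconing) from that same host. Event ID 4624 is the real Windows successful-logon event; the hostnames, users, destinations and timestamps are constructed sample data, and the thresholds (minimum hits, coefficient-of-variation cutoff, look-back window) are assumptions a SOC would tune for its own environment.

```python
"""Cross-source correlation: Windows logon events + proxy beaconing.

Added example. All sample events below are constructed; they are not
from the original post or from any real environment.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed Windows Security log events: (timestamp, event_id, host, user).
# 4624 is the real Windows "An account was successfully logged on" event ID.
WINDOWS_EVENTS = [
    ("2017-06-01T09:00:00", 4624, "WS-042", "jdoe"),
    ("2017-06-01T09:05:00", 4624, "WS-017", "asmith"),
]

# Constructed proxy log events: (timestamp, source host, destination, bytes).
# WS-042 talks to one destination every 10 minutes with near-identical sizes;
# WS-017 shows ordinary, irregular browsing traffic.
PROXY_EVENTS = [
    ("2017-06-01T09:10:00", "WS-042", "203.0.113.9", 512),
    ("2017-06-01T09:20:00", "WS-042", "203.0.113.9", 520),
    ("2017-06-01T09:30:00", "WS-042", "203.0.113.9", 508),
    ("2017-06-01T09:40:00", "WS-042", "203.0.113.9", 515),
    ("2017-06-01T09:12:00", "WS-017", "198.51.100.7", 40000),
    ("2017-06-01T09:47:00", "WS-017", "198.51.100.7", 1200),
    ("2017-06-01T10:30:00", "WS-017", "198.51.100.7", 9000),
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_beacons(proxy_events, min_hits=4, max_cv=0.1):
    """Group outbound connections by (host, destination) and flag series whose
    inter-arrival gaps are nearly constant. Regularity is measured as the
    coefficient of variation (stdev / mean) of the gaps; thresholds are
    assumed values, not a standard."""
    series = defaultdict(list)
    for ts, host, dest, _size in proxy_events:
        series[(host, dest)].append(parse_ts(ts))

    beacons = []
    for (host, dest), times in series.items():
        times.sort()
        if len(times) < min_hits:
            continue  # too few samples to judge periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"host": host, "dest": dest, "hits": len(times),
                            "interval_s": avg, "first_seen": times[0]})
    return beacons


def correlate_logons(windows_events, beacons, window_s=3600):
    """Second stage: for each beacon series, look back window_s seconds from
    the first beacon for a successful logon (4624) on the same host, so the
    alert carries the user who was active when the beaconing began."""
    alerts = []
    for b in beacons:
        for ts, event_id, host, user in windows_events:
            if event_id != 4624 or host != b["host"]:
                continue
            logon_at = parse_ts(ts)
            delta = (b["first_seen"] - logon_at).total_seconds()
            if 0 <= delta <= window_s:
                alerts.append({
                    "host": host, "user": user, "dest": b["dest"],
                    "interval_s": b["interval_s"],
                    "logon_at": logon_at.isoformat(),
                    "first_beacon": b["first_seen"].isoformat(),
                })
    return alerts


def run_pipeline(windows_events=WINDOWS_EVENTS, proxy_events=PROXY_EVENTS):
    """Chain both stages; returns the multi-source alerts."""
    return correlate_logons(windows_events, find_beacons(proxy_events))


if __name__ == "__main__":
    for alert in run_pipeline():
        print(f"{alert['host']} ({alert['user']}) beaconing to {alert['dest']} "
              f"every {alert['interval_s']:.0f}s; logon at {alert['logon_at']}")
```

Neither source alone tells the analyst much: the proxy log shows a periodic connection with no user context, and the logon event is routine on its own. Only the joined record gives a triage-ready lead, which is the point the post makes about stitching together disparate sources in a SIEM.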

Lack of security expertise
The last major disruptor to security operations that we’re highlighting is a human resource challenge. The most advanced threats demand the attention of the most experienced security experts. But today, experienced experts are in short supply. Lack of security expertise is placing a huge burden on the SOC; fewer analysts must do more, often with less training. Speed counts, but current search tools on the market aren’t designed to process high volumes of data, leverage analytics, and give SOC analysts a seamless user experience. Given the talent shortage, every SOC analyst must focus on higher-order decision making and be capable of managing more investigations per day. Analysts need the right tools to manage high-priority threats, gain insights faster and conduct more investigations per day.

SANS reported:

  • The survey reports on which SOC activities were being handled in-house or outsourced. While it doesn’t directly address the lack-of-expertise disruptor we’ve identified, the motivation for outsourcing is often the inability to adequately staff the SOC with effective resources (costs are also a factor). Security monitoring and detection is being outsourced by 35% of respondents.

There’s more insightful data in the SANS report that should help you better understand the attributes of today’s SOCs as we prepare for tomorrow’s threats.
