Critical shift in security responsibilities

As C-level executives engage more frequently in incident response and threat hunting, more IT professionals are missing security events and alerts due to poor legacy app integrations.

Exabeam has released its annual ‘State of the SOC’ report, identifying shifting roles and responsibilities as one of the most pressing challenges for security operations centre (SOC) managers. As an example of this shift, C-suite executives are doing more in incident response and threat hunting, while frontline employees are completing fewer operational tasks. Similar to last year, the report also found that SOC staffing remains an issue, as do processes like reporting and documentation, along with alert fatigue and false positives.
The survey sought the opinions of IT professionals in the U.S. and U.K., with management responsibilities in operations and security. Common roles targeted were CIO/CISO, SOC manager or frontline employee, such as threat researchers, security architects, engineers, analysts and risk officers.

Interestingly, only 5 per cent of respondents reported seeing 100 per cent of events in the security incident and event management (SIEM) system. In fact, keeping up with security alerts presented the largest pain point experienced by SOC personnel (39 per cent). The top reason cited for this pain was the inability of legacy applications to log events. Without full visibility into events happening throughout the enterprise, SOC managers are more likely to miss security alerts, resulting in greater vulnerability to cyberattacks.

“There’s an idiom, ‘what you don’t know can’t hurt you.’ But in the information security business, that couldn’t be further from the truth. In fact, it’s what you don’t know – or worse, can’t see – that will significantly harm your business,” said Steve Moore, chief security strategist at Exabeam. “From our survey, an example of how this can manifest is general lack of environmental visibility in the form of too few logs – you can’t protect what you can’t see. Visibility, event context and automation play a key role in building relevant defence, so you can have a fighting chance against even the most sophisticated adversaries.”

Key findings:

  • A third of respondents feel their SOC is understaffed by as many as 6-10 employees
  • The importance of soft skills, like communication, is growing, with 65 per cent of respondents saying personal and social skills play a critical role in the success of a SOC, but employees’ actual abilities in these areas are also improving
  • Hard skills have increased in importance; threat hunting is up 7 points to 69 per cent, while data loss prevention jumped 8 points to 75 per cent

For perception of effectiveness, the struggle is real

SOC effectiveness remained unchanged year over year, with U.S. SOCs reporting significantly more ability to monitor and review events (71 per cent) than their U.K. counterparts (54 per cent). Smaller SOCs with fewer than 24 members reported an increase in effectiveness at ‘responding to incidents’ (79 per cent). However, a gap has emerged in the perception of the SOC’s ability to perform auto-remediation (54 per cent). This is a 14 per cent decrease from 2018, and is likely due to SOC personnel’s lack of understanding of the full security picture. Other pain points for them include:

  • Reporting/documentation (33 per cent), false positives (27 per cent) and alert fatigue (24 per cent)
  • A disparity between CISOs and SOC analysts: roughly half of CISOs rate incident response (52 per cent) and incidents escalated (46 per cent) as important, versus SOC analysts at 24 per cent for incident response and 33 per cent for incidents escalated

Budget constraints on newer technology

Nearly 50 per cent of understaffed SOCs indicated they don’t have sufficient funding for technology, while respondents of larger SOCs said that despite recent or increased funding for technology, they recommend continued investment in newer, more modern technologies (39 per cent).

The survey also revealed that nearly half of SOC respondents continue to outsource business activities; malware analysis, threat analysis and threat intelligence are the most frequently outsourced functions. Conversely, SOCs are choosing to tackle event and data monitoring internally.

When technology investments are made, big data analytics (39 per cent) and user and entity behaviour analytics (UEBA) (22 per cent) remained strong, while artificial intelligence (23 per cent) and machine learning (21 per cent) made gains in usage rates. In medium and smaller SOCs, usage of technologies like artificial intelligence and biometric authentication and access management also jumped.
