Have SOCs made enterprise IT more secure? Over the past months, multiple surveys, research reports and white papers on the success of Security Operations Centers (SOCs) and threat hunting were published that attempt to answer this question.
From various angles, researchers have gauged the impact SOCs and threat intelligence gathering (manually and automated) have on improving the IT security posture of companies in the U.S. and worldwide.
Businesses made significant investments in AI/machine learning-based automated threat detection and prevention tools over the past year. So what do they have to show for it?
If you’re planning a SOC or devising the budget plan for an existing one, check out the reports reviewed below for useful facts and actionable insights.
1) Security Operations Centers: Not a Success Story (Yet)
Security operations centers (SOCs) are facing critical staffing and retention issues that prevent them from realizing their full potential. This is one key takeaway from the new report The Definition of SOC-cess? by security researchers Christopher Crowley and John Pescatore, who examine the results of the SANS 2018 Security Operations Center Survey.
Another result of the survey, which was sponsored by Authentic8: “[M]ost respondents were, at best, somewhat satisfied or not satisfied with the various tools used to prevent, detect and respond.” AI-based/machine learning tools, in particular, scored spectacularly low satisfaction results.
The happy hype for this category has turned sour. Good luck with convincing your company’s bean counter-in-chief to pay for more “next generation” advanced threat prediction and prevention potions. For most SOC leaders and their teams, a “back to the basics” approach seems more promising.
The SANS researchers conclude that the SOC’s performance shortfall is directly tied to problems with metrics and automation. 66 percent of the surveyed SOC teams have fewer than 25 members. Limited staff are struggling to adequately identify issues and to keep up with vulnerabilities and threats. “[T]he low level of satisfaction from asset discovery and inventory tools,” the report points out, “indicates that large blind spots still remain.”
Threat intelligence researchers rely on the browser as their primary tool. Given the inherent security issues associated with the use of local browsers, even if “hardened” or supplemented with sandboxing solutions, the cloud browser becomes a point of leverage to conduct research more securely and efficiently and free up staff for more critical tasks.
SANS Institute (Christopher Crowley and John Pescatore): The Definition of SOC-cess? SANS 2018 Security Operations Center Survey. [PDF]
2) 2018 Threat Hunting Report
Based on a comprehensive survey of cybersecurity professionals in the 400,000-member Information Security Community on LinkedIn, the 2018 Threat Hunting Report published by Crowd Research Partners provides a timely 360° snapshot of the state and practice of cyber threat hunting.
One key trend revealed in the study, which was sponsored by Alert Logic, DomainTools, IBM, Infocyte, Raytheon, Sqrrl, and STEALTHbits Technologies, is the lack of security expertise on staff in SOCs.
This talent gap prevents timely threat detection and prevention, as 43 percent of respondents reported. 76 percent feel that not enough time is spent searching for emerging and advanced threats in their SOC. The authors expect the number of advanced and emerging threats to further outpace the capabilities and staffing of organizations to handle those threats.
[Figure: survey results. Source: Crowd Research Partners]
60 percent of the organizations surveyed were planning to build out threat hunting programs over the next three years. A majority of 52 percent say threats have at least doubled in the past year. Not surprisingly, the most critical threat hunting capability identified by cybersecurity professionals in this survey is threat intelligence (69 percent).
The findings also underscore the increased exposure of researchers and analysts to unknown threats that their training and resources leave them ill-equipped to handle. You cannot defend against threats you don’t know.
That’s why Silo, the cloud browser delivered as a service by Authentic8, provides maximum operational security for threat hunters when conducting a research mission. Silo isolates all web code offsite in the cloud. Its advanced features make the complexities of integrating separate tools a thing of the past and include all managed attribution and data capture tools necessary for web research.
Cybersecurity Insiders / Crowd Research Partners / various sponsors: 2018 Threat Hunting Report
3) IBM X-Force: Beware Ransomware, Cloud Misconfiguration
Threat intelligence researchers with IBM’s X-Force unit warn that human error was responsible for two-thirds of compromised records in 2017. This includes what they call a “historic” 424 percent jump in cloud infrastructure misconfigurations.
According to the 2018 IBM X-Force Threat Intelligence Index, the number of records reported breached dropped by nearly 25 percent, to 2.9 billion from 4 billion. For the second year in a row, the Financial Services sector suffered the most cyber attacks, accounting for 27 percent of attacks across all industries.
At the same time, ransomware campaigns and destructive attacks like WannaCry, NotPetya and Bad Rabbit caused chaos across industries, without contributing to the total number of compromised records reported.
We have written about the causes underlying the recent wave of data breaches caused by cloud misconfiguration on this blog. Of the ransomware and destructive malware attacks highlighted in the X-Force report, many exploited IT vulnerabilities in vendor or third-party ecosystems.
What do both developments have in common? The apparent inability of security teams to keep up with the growing complexities of their organizations’ and suppliers’ IT comes to mind. The SANS Institute’s new SOC report highlights how the industry’s talent crunch is exacerbating this problem.
While crippling malware attacks leveraging or specifically targeting supply chains are on the rise, deploying a cloud browser (and requiring the same from “at-risk” contractors/vendors) has been found to reduce complexity and help security teams make the most of thin resources.
IBM: 2018 IBM X-Force Threat Index [PDF]
4) Minimum Requirements for the Do-It-Yourself SOC
Companies set up Security Operations Centers (SOCs) to identify, investigate, prioritize, and resolve issues that could affect the security of an organization’s critical infrastructure and data. For SMBs in particular, building an in-house SOC can be a daunting task.
The Practitioner's Guide to Building a Security Operations Center (SOC) is a Frost & Sullivan white paper published on behalf of AlienVault. By examining the tools, personnel and processes required to build and operate an effective SOC, it makes a case for Accelerating Threat Detection with Cloud-based Security Monitoring.
Spoiler alert: The purpose of the guide is to establish how companies can leverage AlienVault’s Unified Security Management (USM) platform as the foundation for a SOC. Still, this built-in bias factor doesn’t diminish the paper’s value for CISOs.
The Practitioner's Guide to Building a Security Operations Center provides useful numbers and insights for weighing the minimum requirements and costs of building an on-premises SOC, versus outsourcing this function to a cloud-based service.
The paper breaks down the low and high-end acquisition costs for the cybersecurity technology needed to build and maintain a premises-based SOC for organizations. In addition, it details the first-year and annual costs of building and maintaining an in-house SOC with roughly 3,000 endpoints.
Among the data points presented in this SOC guide for beginners, one stands out: the annual compensation costs for analysts who can deliver rapid security intelligence to stakeholders and senior management.
The authors estimate $110,000-$135,000 for a dedicated SOC analyst with Tier 2 threat hunting abilities at a minimum, while stressing how difficult it is to recruit and retain skilled cybersecurity personnel.
To protect your SOC investments, these IT security professionals should be equipped with adequate tools that allow them to focus on critical tasks, protect their mission, and empower them to succeed.
66 percent of teams have fewer than 25 people, according to the 2018 SANS survey mentioned earlier. Such SOCs in particular will benefit from the “air cover” that dedicated IT security services, delivered in the cloud by specialized professionals, can provide. The 2018 Global Cloud Browser New Product Innovation Award recently presented by Frost & Sullivan recognizes this advantage.
Frost & Sullivan: Practitioner’s Guide to Building a Security Operations Center (SOC). Accelerating Threat Detection with Cloud-based Security Monitoring via AlienVault [PDF]
5) Investigation or Exasperation?
Routine ops and incident investigation are by far the biggest drag on efficiency in IT security operations. This is one key takeaway from the IDC Info Brief Investigation or Exasperation? The State of Security Operations.
The overview was sponsored by security information and event management (SIEM) platform provider Splunk. Based on a 2017 IDC survey of 600 global organizations with more than 500 employees, it details where organizations are focusing their IT security efforts.
While 45 percent of the responding firms are experiencing a rise in the number of incidents, only 21 percent are gathering information that enables decisive action, according to the brief. “Most firms are overwhelmed with security issues,” report the authors, “yet are consumed by routine tasks that divert attention away from efficient incident investigation.”
At the same time, IT teams are bogged down by often web-related routine tasks, such as updating local browsers, applying patches, configuring firewalls, implementing and enforcing policies and managing exceptions for blocked or uncategorized URLs.
The survey results indicate that more bells and whistles have increased the noise, instead of cutting through it. 23 percent of respondents report that the time spent by their teams on maintaining and managing security tools, rather than performing security investigations, is limiting their ability to improve their organization’s actual IT security capabilities.
Perhaps less would do more to move past this paradoxical situation? Researchers agree that roughly 80 percent of data breaches are web-borne or browser related. Facing the highest risk are those who rely on the browser as their primary tool when gathering threat intelligence in a hostile environment and investigating incidents.
For team members conducting threat research, extra diligence is required to maintain a secure browsing environment flexible and robust enough to ensure a successful mission. A cloud browser not only helps protect the security team. Deployed across the whole organization, it also puts IT back in control by reducing web-borne exploits to zero.
IDC Info Brief (sponsored by Splunk): Investigation or Exasperation? The State of Security Operations [PDF]