By Roberto Sandoval, Manager, WW SIOC Strategic Solutions & Enablement, HPE Security

The security industry is going through a volatile period. Threat actors are becoming bolder and evolving quickly, and security organizations are deploying new solutions and developing advanced detection and response capabilities in attempts to rapidly combat these attackers. This constant ebb and flow lead organizations into an accelerated response to protect core assets that is filled with the uncertainty of trial and error.

The departure from traditional security operations models, the adoption of new roles, processes, and emerging tools, as well as the relentless pursuit of automation are among the topics that stand out in the fourth annual State of Security Operations report released this month by Hewlett Packard Enterprise (HPE).

The report provides insights from more than 180 security operations maturity assessments within the enterprise and public sector space in 31 different countries. These in-depth assessments take 3+ days of on-site observation of a security operations center (SOC) by security experts and include interviews with service owners, service stakeholders, and operational practitioners within each organization.

The results and the trends identified through the assessments performed across operational models and industry verticals are consolidated to produce the findings revealed in the annual report. The ideal SOC should have defined processes and goals, as well as the flexibility to adapt to new technologies or changing environments and threats; however, many organizations are not meeting these criteria.

Security Operations are Aligning with Business Objectives like Never Before
For the first time in the 4-year history of the State of Security Operations Report, there has been a major shift in the most mature area of security operations. The report found that the Business category outperformed the historically leading Technology category once all the data was consolidated for the previous year.

Based on this data, security organizations are more aligned to business needs and goals than ever before, and the report shows a 3% improvement year-over-year with 18% of organizations achieving their security operations goals. While the improvement is encouraging, a majority of SOCs are still not meeting business objectives.

The alignment between the SOC and the business is essential in determining the organizations’ goals and metrics.

In fact, a clear mission that focuses on protecting critical assets and data, rather than just assure system up-time, was found to be a better predictor of maturity and capability than the size of the organization or total security investment.

All or Nothing Approach Does Not Drive Effectiveness
While Business maturity is increasing, organizations are trying out new technologies, organizational alignments, and analytical strategies to only varying degrees of success. The proliferation of threat hunt programs is a continuing trend that is delivering extraordinary results within some organizations, and at the same time introducing a great deal of cost, complexity, and risk within others. Organizations that are adopting hunt teams as an enhancement to their existing mature real-time monitoring capabilities are seeing success.

These hunt teams are able to pinpoint unknown threats and patterns and feed valuable intelligence that can be used to enhance near real-time detection and incident response programs. However, many organizations are forgoing these real-time detection capabilities and going all-in with hunt-only programs, which is leading to a sharp decline in security operations maturity and effectiveness.

Automation is another area that is showing promise and helping to relieve some pressure on existing staff. Reducing the clicks or steps an analyst has to perform during an incident investigation can have a major impact on the longevity and burnout rates of staff. Finding opportunities for automation is key to keeping security experts engaged and focused on real threats instead of getting caught up in event noise.

However, full automation is unrealistic since most organizations struggle with a lack of knowledge and accuracy around configuration management and still need human decision making for risk assessment and advanced investigation. The level of automation most organizations envision, eliminating front line analysts in the response process, is seldom realized when organizations do not fully understand interdependencies and potential impact on critical applications, users, or data.

Finding the Perfect Mix
The decisions to utilize managed services, technology outsourcing, or hybrid operational staffing are other areas impacting a number of organizations. Many security leaders have gone through significant trial and error, risk, and expense to find the sweet spot in leveraging MSSPs, and there has been much debate in the industry as to whether keeping resources in-house or outsourcing provides better results. However, the State of Security Operations Report finds that a mix of both has actually been the most effective.

This hybrid model of staffing is an effective strategy to combat the continued struggle to find and retain security staff, which was found to once again be the number one concern of security operations. Organizations can leverage a Managed Security Services Provider (MSSP) to help scale their operations while keeping their risk management in-house ensuring increased capabilities from outsourcing and maintaining proper documentation and transfer of knowledge.

Technology management, eyes-on-screen monitoring, and shared-insourced operations are areas where organizations and service providers can work closely together to increase the effectiveness of security solutions.

Building the Intelligence-driven SOC for Today and the Future
While 82 percent of organizations’ SOCs are still struggling to meet target maturity levels, the security programs that incorporate the right people, processes, and technologies are succeeding in building sustainable defenses.

The State of Security Operations Report highlights that there is no single magic bullet for solving the security challenge, as is evident by the decrease in maturity from hunt-only programs and too much automation.

As adversaries evolve and attacks grow in sophistication, organizations must also continue to invest in their security operations and adapt to the changing environment to protect the business’s most critical assets.
Read the full report at hpe.com/software/StateOfSecOps.

About The Author
Roberto Sandoval is Manager, WW SIOC Strategic Solutions & Enablement, HPE Security at Hewlett Packard Enterprise. Roberto leads a team that coordinates strategic activities and initiatives in the design, development, operation, and maturation of world-class security intelligence, operations, and cyber defense for HPE’s global customers around HPE Security & Information Governance Software solutions.
Over the last 5+ years with HPE, Roberto has driven the design, delivery, and quality of over a dozen Security Operations Centers through security use cases, operational workflow, metrics, and continuous improvement in intelligence, analysis, and operations.