Security Operations Challenges – SANS 2018 Survey

It’s no secret that cybersecurity is becoming increasingly important and that currently, a small security operation center (SOC) is often all that stands between an organization and a potentially financially devastating data breach.

In the Security Operations Survey for 2018 released by SANS, three issues affecting effective performance head the list – a lack of skilled talent, unclear security operation center (SOC) metrics and a lack of orchestration/automation.

Many organizations cannot quantify the value their SOCs deliver. Therefore, they don’t have the data to make a case for the budget needed for improvements. Here are some of the takeaways from the SANS survey.

A lack of seasoned security analysts

The top self-identified SOC shortcoming was a lack of skilled personnel (62%). The role of a skilled analyst requires much background knowledge and adjacent expertise to gain actionable insights from the data collected by security tools. They need to be able to rapidly sort through information and make quick, data-driven decisions.

Security personnel have many tools, but these tools are not integrated, and many respondents cited this as a common challenge. Organizations rely on small security teams to correlate data manually. Some of this grunt work could be eliminated by using the right technology.

The question arises: Could the skills shortage be improved by enabling current personnel to be more effective? With fully seasoned security analysts in short supply, using advanced automation and orchestration would help to scale an SOC and make it more effective.

A new generation of security solutions is helping to filter out statistical noise, categorize alerts by severity, improve efficiency with intelligent automated controls, and enable even less seasoned personnel to make informed decisions and initiate incident response speedily.

The Catch-22 of Security Operations Metrics

Security teams keep requesting larger budgets to improve daily operations and yet in the survey only about half (54%) of SOCs claim to provide metrics to track the effectiveness of their performance.

The big question is why SOCs aren’t making tracking performance a priority. The way to secure more funding for top talent and new technologies comes from providing data that prove effectiveness. Not collecting metrics and connecting those metrics to how much potential damage to a business was averted means there is no case for more funding.

Security operations teams give the main reason for the lack of reporting as a lack of time. Most security teams have standard operating procedures they follow in response to a threat, and they are normally executed manually. They gather, analyze and react to enormous amounts of information on a daily basis.

Analysts say they already have too many tools to manage and too many alerts to investigate. They just don’t see the possibility of finding time for reporting.

Another problem is that metrics such as the mean time to detect (MTTD) and the mean time to respond (MTTR) require a complex, holistic understanding of security incidents.

These metrics would offer real insight into the health of the SOC but they are difficult to determine, and many teams don’t have the thorough understanding they need of security incidents to measure and demonstrate these metrics.
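As an added illustration (not from the SANS survey or the original post), the following Python computes MTTD and MTTR from a constructed set of incident records; the record format, field names and timestamps are assumptions. It reports the median beside the mean and counts still-open incidents separately, since those are the details that make the two metrics hard to state honestly.

```python
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample incident records (not survey data): when malicious activity
# began, when the SOC detected it, and when it was contained ("contained" is
# None for incidents that are still open).
INCIDENTS = [
    {"id": "INC-1", "started": "2018-05-01T08:00:00Z",
     "detected": "2018-05-01T10:30:00Z", "contained": "2018-05-01T14:00:00Z"},
    {"id": "INC-2", "started": "2018-05-03T22:00:00Z",
     "detected": "2018-05-04T06:00:00Z", "contained": "2018-05-04T07:00:00Z"},
    {"id": "INC-3", "started": "2018-05-10T12:00:00Z",
     "detected": "2018-05-10T12:30:00Z", "contained": None},
    {"id": "INC-4", "started": "2018-05-12T09:00:00Z",
     "detected": "2018-05-13T09:00:00Z", "contained": "2018-05-13T17:00:00Z"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hours_between(start, end):
    # Reject timelines recorded out of order instead of silently producing
    # negative durations that would pull the averages down.
    delta = (_ts(end) - _ts(start)).total_seconds() / 3600
    if delta < 0:
        raise ValueError("timeline out of order: %s before %s" % (end, start))
    return delta


def soc_metrics(incidents):
    """MTTD = mean(detected - started); MTTR = mean(contained - detected).
    Open incidents count toward MTTD but are excluded from MTTR and reported
    separately so the reader knows the MTTR sample is incomplete."""
    ttd = [hours_between(i["started"], i["detected"]) for i in incidents]
    closed = [i for i in incidents if i["contained"]]
    ttr = [hours_between(i["detected"], i["contained"]) for i in closed]
    return {
        "mttd_hours": round(mean(ttd), 2),
        "median_ttd_hours": round(median(ttd), 2),
        "mttr_hours": round(mean(ttr), 2) if ttr else None,
        "median_ttr_hours": round(median(ttr), 2) if ttr else None,
        "closed_incidents": len(closed),
        "open_incidents": len(incidents) - len(closed),
    }


if __name__ == "__main__":
    for key, value in soc_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

In the sample data the single slow detection (INC-4) pushes the mean time to detect to 8.75 hours while the median is 5.25, which is why a SOC reporting MTTD alone can mislead its own budget holders.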

More integration means more insight

Analysts are so inundated with alerts every day that they aren’t able to build deep insight about every alert. All SOCs are different, using a variety of security tools to prevent and detect threats. It’s a real challenge to create cohesion with all these disparate tools.

It takes a great deal of time and energy to make sense of the data coming from all the different tools. Gathering this data from different tools for each security alert keeps analysts so busy that they don’t have time to develop a more comprehensive view of each threat.

This is why automation/orchestration is one of the greatest SOC needs. Most event correlation is still manual, despite the use of more big data products. More than half of the respondents (53%) cited inadequate automation/orchestration as one of their biggest challenges.

There’s a tremendous need for disparate tools to be integrated for management of threats to become more streamlined. With automation, data could be correlated, giving deeper insight into security alerts and events. The whole process of investigating alerts and responding to them would speed up.

With security orchestration and automation platforms, people, processes, and technologies are brought together. Important functions that historically have taken manual effort and time are streamlined.

The productivity of analysts increases and they can provide time-sensitive information back to the community much faster than with manual processes. The value of orchestration and automation is being recognized as essential to tracking key metrics and driving improvements.

The way to empower analysts and to strike a balance between a machine-driven and analyst-driven response is orchestration. With orchestration, there’s a delicate balance between automation and human intervention.

Other insights from SANS

Outsourcing of security services is common, but the survey did not show much adoption of external incident response services. In most cases, incident response is fully integrated within the function of the SOC.

What is outsourced most frequently is penetration testing and threat research. Some level of this is done internally, but these activities are more likely to be at least partially outsourced.

It appears from the survey that the vast majority of SOCs still rely on manual processes. SIEMs are still cited by most SOCs as the primary tool used for correlation.

One of the key tenets of orchestration is to apply context by aggregating relevant data from various systems within the overall system to enrich individual alerts. An alert on its own does not mean much.

Context is very important to give more clues – What IP did a suspected phishing email come from? Did other users receive an email from the same IP? The list of questions is endless and vital to determine whether the threat is genuine.
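The enrichment step described above, as an added example that is not part of the original post or of any orchestration product: a phishing alert carrying a source IP is enriched by scanning mail-gateway log lines for every other message from that IP. The log format, the IP, the addresses and the subject line are all constructed for the example.

```python
import re

# Constructed mail-gateway log lines (not from the page or any real product).
MAIL_LOG = """\
2018-06-04T09:12:03Z gateway accept src=203.0.113.7 from=billing@examp1e.test to=alice@corp.example subject="Invoice overdue"
2018-06-04T09:12:09Z gateway accept src=203.0.113.7 from=billing@examp1e.test to=bob@corp.example subject="Invoice overdue"
2018-06-04T09:15:44Z gateway accept src=198.51.100.20 from=news@vendor.example to=alice@corp.example subject="Weekly digest"
2018-06-04T09:20:12Z gateway accept src=203.0.113.7 from=billing@examp1e.test to=carol@corp.example subject="Invoice overdue"
2018-06-04T09:31:00Z gateway reject src=203.0.113.7 from=billing@examp1e.test to=dave@corp.example subject="Invoice overdue"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) gateway (?P<action>accept|reject) src=(?P<src>\S+) '
    r'from=(?P<sender>\S+) to=(?P<to>\S+) subject="(?P<subject>[^"]*)"$'
)


def parse_mail_log(text):
    # Lines that do not match the assumed format are skipped, not guessed at.
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def enrich_phishing_alert(alert, events):
    """Answer the analyst's first questions about a reported phishing email:
    how many messages came from the same IP, who else received one, and over
    what window. 'alert' carries the reporting user's address and the src IP."""
    same_src = [e for e in events if e["src"] == alert["src"]]
    if not same_src:
        return {"src": alert["src"], "messages_from_src": 0, "other_recipients": []}
    delivered = sorted({e["to"] for e in same_src if e["action"] == "accept"})
    return {
        "src": alert["src"],
        "messages_from_src": len(same_src),
        "delivered_to": delivered,
        "other_recipients": [r for r in delivered if r != alert["to"]],
        "rejected": sum(1 for e in same_src if e["action"] == "reject"),
        "first_seen": min(e["ts"] for e in same_src),
        "last_seen": max(e["ts"] for e in same_src),
        "subjects": sorted({e["subject"] for e in same_src}),
    }


# Constructed alert: alice reported the "Invoice overdue" message from 203.0.113.7.
ALERT = {"src": "203.0.113.7", "to": "alice@corp.example"}

if __name__ == "__main__":
    for key, value in enrich_phishing_alert(ALERT, parse_mail_log(MAIL_LOG)).items():
        print(f"{key}: {value}")
```

The enriched alert tells the analyst at once that two other users also received the message and that a fourth delivery was already rejected, which turns a single report into a scoped incident before any manual log search.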

Another key tenet of orchestration is to enable analysts. They are given the visibility and tools to work more effectively. With orchestration, there’s a fine balance between automation and human intervention.