State of security operations

IRCRE201404164
Date: 2014/04/22

Introduction
Organizations around the globe are investing heavily in information technology (IT) cyber defense capabilities to protect their critical assets. Whether protecting brand, intellectual capital, and customer information, or providing controls for critical infrastructure, the means for incident detection and response to protect organizational interests have common elements: people, processes, and technology. The maturity of these elements varies greatly across individual enterprises and industries. In this first-of-its-kind report, HP summarizes the capabilities, lessons learned, and performance levels of security operations based upon maturity assessments performed on worldwide organizations.
HP Security Intelligence and Operations Consulting (SIOC) has assessed the capability and maturity of 69 discreet SOCs in 93 assessments since 2008. The maturity assessments include organizations in the public and private sectors, enterprises across all industry verticals, and managed security service providers. Geographically, these assessments include SOCs located in 13 countries.
HP’s methodology for assessments is based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model for Integration (SEI-CMMI) and has been updated at regular intervals to remain relevant with current trends and threat capabilities. The focus of the assessments is inclusive of the business alignment, people, process, and technology aspects of the subject operations. The reliable detection of malicious activity and threats to the organization, and a systematic approach to manage those threats are the most important success criteria for a mature security operations capability.
The cost of data breaches has increased by 78 percent over the last four years.1 The time it takes to resolve a cyber attack has increased 130 percent over this same period. There is a clear need for improvement in the effectiveness of security operations to limit the impacts and speed the resolution of such events.
HP has found that 24% of assessed security operations organizations do not meet minimum requirements to provide consistent security monitoring. Only 30% of assessed organizations are meeting business goals and compliance requirements. Despite these sub-standard findings the data shows there are several areas where improvements are happening:

• Companies are recognizing the strategic nature of IT to their business and are building SOCs to protect their investment.
• Executives are increasingly fluent in IT security. The stewards of IT security within organizations are gaining sophistication in their understanding of the threat and the requirements for capable defense.
• Security vendors are being held accountable for providing transparent and effective solutions that are easy to integrate and manage.
• SOCs are building informal and formal communities and beginning to share information more openly.

Summaryoffindings

While the presence of SOCs is increasing and their capability level is showing improvement, HP assessments of organizations worldwide show the average maturity level of SOCs remains well below ideal levels.
Findings and observations from SOC assessments include:

• The term “operations” results in confusion over a SOC’s mission and misaligns expectations for a SOC—Effective SOCs use intelligence disciplines that include collection, analysis, and dissemination, and are analytical in nature. This differentiates a SOC from other operations organizations focused on availability, problem determination, ticket remediation, and recovery disciplines. This is one reason SOCs are being rebranded as cyber defense centers.
• The basics of IT security are extremely important and commonly overlooked—Asset management, user ID administration, information classification, and vulnerability management are all foundational elements required for a SOC to achieve higher order goals.
• An inability to prioritize efforts in a SOC results in an overall low capability and maturity—It is difficult and costly to protect everything. Successful SOCs utilize a risk-based approach that results in clear priorities and targeted focus.
• Follow-the-sun models (This model is a type of global workflow in which tasks are passed around daily between work sites that are many time zones apart.) and geographically distributed teams are significantly less effective than single-location teams—Geographic shift-change and team boundaries are a significant barrier to establishing positive culture and effective collaboration. Collocated operations are more effective at developing mature capabilities.
• Performance, capacity, and availability-based frameworks, such as ITIL®, are insufficient for developing mature security operations—Security operations require more process tools than ITIL and must leverage an analytical approach. CMMI, Agile methods, and success-criteria driven metrics for management are more effective in security operations.
• There is an over-reliance on technology—While many organizations invest heavily in technology, the staffing and skills required to achieve the goals of the solution are often missing. In SOCs, this results in minimal investment in the most expensive CPU in the room: the analyst. Unlike analysts, systems cannot apply non-linear thinking to an incomplete picture in order to develop reasonable hypotheses—human analytical capability is required to detect and respond to modern threats.
• Augmentation of security operations capability through managed security services (MSS) requires mature client-side operations—Very few MSS models can completely offload the risk or responsibility for threat detection and response from the client. Organizations partnering with an MSS provider still require event analysis and incident response capabilities to manage the provider and participate in the service.
• The fastest path to a capable SOC is a public breach—Companies that have experienced tangible loss as a result of a breach have a clear business case for investing in a highly capable SOC.
• Advanced use cases are not effectively operationalized—Inadequate content management processes result in development of advanced use cases that lack controls to ensure the full benefit of the use case is achieved. This is commonly driven by breakdowns in communication between engineering teams that create the system content and analysis teams who are expected to use the content. Effective SOCs utilize iterative content development processes that account for the entire lifecycle of the use case.
• Administrative tasks levied on top of analytical tasks in a SOC degrade overall results— Organizations often gauge that there are not enough events detected in the SOC and assign other non-detective tasks to ensure full utilization of SOC analysts. A more mature response is to discover why there is a lack of detection and implement a plan to improve the SOC’s detection capability.

Reference:
hp.com/go/sirm