Summary Findings of State of Security Operations 2015 Report


Your ability to detect and stop cyber attacks depends on the effectiveness of your security operations team. HP Security Intelligence and Operations Consulting has assessed the capabilities of 87 security operations centers worldwide. This updated 2015 report brings you the latest information. HP assessments of organizations worldwide continue to show that the median maturity level of cyber defense teams remains well below optimal levels. Many of the findings and observations from the 2014 State of Security Operations report are still valid. Additionally, the following observations and findings have surfaced in the 2015 report of capabilities and maturity of cyber defense organizations:

Security is a board-level conversation. Cyber defense teams must provide visibility and high-level business focused reporting to the C-suite and Board. This has driven cyber defense teams to shift their thinking towards the business.

The security analyst skills gap is real. The top issue facing security organizations is availability of skilled resources. This is exacerbated by high levels of attrition in many security organizations and low levels of employer loyalty.

Organizations are most concerned about detecting cyber espionage and the compromise of information or systems that can be exploited for financial gain. Intellectual property theft remains of great concern for organizations. Coordinated large-scale attacks in the past year focused on credit card and protected health data that has direct monetary value.

Common architectural vulnerabilities have forced InfoSec and IT organizations to work together. Heartbleed and Shellshock required simultaneous IT-driven patching and security operations situational awareness to look for possible infiltrations based on these vulnerabilities. Vulnerability management and incident response became symbiotic for a short period of time in these instances.

The most capable and mature SOCs have a very specific and defined scope. These SOCs are able to focus their time, tools, and skills on security incident monitoring and response and are not diluted with IT and administrative tasks.

SOC alignment under Legal or Governance, Risk & Compliance organizations increases their authority. When aligned with IT, systems uptime and availability typically trump addressing security issues.

SOCs are overwhelmed with the number of vendors and technologies they need to implement. A great focus is being put on investing in technologies and frameworks that can provide quick ROI but provide limited capabilities for future expansion. Some organizations are making the mistake of implementing “right now” technologies that seem to meet basic goals but find 12 months out that they have outgrown these technologies.

Cloud, SaaS, and IaaS security use cases are entering the SOC. As many organizations undergo IT transformation projects to alternate modern platforms, security considerations are top of mind. Organizations are requiring Cloud, SaaS, and IaaS vendors not only to meet security standards but also to provide visibility into network, system, application, and user activity for monitoring with enterprise SOCs.

Hunt teams are increasing in popularity. Many cyber defense teams operate in a reactive mode, responding to alerts from systems designed to detect known threats. Most compromises are still present for weeks to years before being detected, and are usually detected by a third party. To close this gap, many organizations are creating roles to “hunt” through existing security and system data to identify conditions of interest and previously undetected incidents.

“Advanced Security Analytics” and Big Data for security tools are gaining momentum. Big Data security analytics solutions are the shiny new technology that cyber defenders are drooling over. While these tools are providing value in some organizations, the space is still being defined and mileage varies greatly based on a variety of factors. Sustained value from these solutions is most apparent where findings can be operationally integrated with enterprise security operations capabilities.

SOC workflow and metrics programs can drive the wrong behavior. Ticket-based workflow and metrics around event counts and time-based SLAs encourage the SOC to focus on the quantity of events closed rather than on quality and risk reduction from effective security investigations. Analyst focus is on quick turnaround and closing alerts rather than addressing organizational security issues.

Internal MSS organizations are being created within companies to service different business units. Many large enterprises, especially those that have multiple business units or have grown by acquisition, will have a single business unit make the security investment of building a cyber defense capability, develop it, and offer services to other internal business units to share costs and keep security in-house.

Cyber defense capabilities are only as strong as their weakest link. Organizations that invest in monitoring teams but neglect to define and implement meaningful use cases that model security detection efforts around key business processes are not able to achieve ROI. Similarly, organizations that invest in technology and detective measures but fail to define roles and responsibilities for responding to detected incidents are not able to achieve ROI. Organizations that are able to focus their efforts, end-to-end, around securing and protecting high value business processes are the most successful.

Classroom training and certifications are not a substitute for multi-domain experience when it comes to staffing cyber defense roles. Environment-specific training programs are a necessity to refine the specific skills required of cyber defenders.

Management and team leadership has an enormous impact on the overall capability and effectiveness of a cyber defense team. Leaders must be able to cultivate and maintain a culture where individuals believe in the work that they are performing and feel supported by leadership in their daily activities as well as their professional development. Leaders must be able to work effectively across organizational barriers to accomplish complex tasks. They must also balance subject matter knowledge with an awareness of when external assistance is necessary.

Read it to learn:
– The latest trends in security defenses and operations
– The attributes of the most effective organizations
– The point at which enhanced process maturity actually degrades effectiveness
– How companies featured in case studies have improved–or degraded–their capabilities
Reference: State of security operations – 2015 report of capabilities and maturity of cyber defense organizations