This guest blog was contributed by Karthik Kannan, Founder/CEO, Anvilogic
One look at the current economic conditions is enough to tell you that many companies are looking at where they can cut costs right now. One of the last places companies will cut spending is security. Why? Hackers work 24/7 to try to penetrate networks with new threats. At a time when environments and requirements are constantly changing to support cloud-driven hybrid workforces and Security Operations Center (SOC) teams are stretched thin, organizations are taking a hard look at their security operations.
What are they finding?
According to a recent survey of security decision-makers responsible for threat detection at their organizations, here are some key takeaways that spotlight the status of security operations:
Security teams are making compromises to get the job done. Security decision-makers are making decisions they should not need to make to keep up with the pace of business risk mitigation. 96% of security professionals are making tradeoffs between efficacy and efficiency to keep up. Moreover, 89% said their SOC would need a moderate or transformational change to continue mitigating business threats in the next year or two.
There are disconnects between CISOs and the rest of the C-Suite. We’ve all been there when we don’t fully understand what someone on the team does. This can be problematic when it comes to security implications. What’s concerning in the SOC is that CISOs and executives aren’t speaking the same language, leaving executives unclear on the complexity of security and detections being built. 60% of survey respondents believe their C-suite and LOB executives do not fully recognize or dramatically underestimate the importance of SOCs to mitigate business risk or drive future business success. It is on both groups to come together for the organization's good. CISOs both need to teach and translate security into others' vernacular. While the C-Suite and LOB executives need to start leaning into the conversation to understand and find ways to leverage security beyond being a cost center.
Don’t “Mind the Gap” - Closing Threat Detection Gaps
When it comes to threat detection specifically, given how reducing threats sooner can minimize damage, it is concerning that the detection, investigation, hunting, and triage were cited by respondents as where the biggest gaps in their capabilities and core security function lie.
Two concerns were noted, and organizations should start to quickly address:
More than half of security professionals are challenged or overwhelmed by alert triage
More than three quarters (77%) desire new ways to engineer detection rules
Apply Automation to Respond to the Right Security Signals
SOC teams are using automation, but not as much as they should be, to get the benefits they could be getting. Using automation isn’t the challenge—83% of respondents do that at some level, mainly downstream around orchestration and response. The challenge is when automation isn’t used exclusively. This created 2.3 times more likelihood of challenges prioritizing alerts.
Analyzing and responding to the right security signals is critical to the success of the SOC in securing diverse operating architecture. SOC teams are looking at improved detection engineering.
Detection Engineering’s Downfall & A Skills Gap in the SOC
Three-quarters of security professionals agree that investments in detecting threats sooner would result in a moderate to a drastic reduction in dwell time. The issue? Money alone cannot solve this problem. There is a skills gap in SOC teams, specifically regarding alert tuning and investigation. Key issues are:
The new detection lifecycle takes too long. A week or more, as cited by 86% of respondents, is too long on the life cycle length (i.e., identifying the need, researching, creating the detection, testing, and deploying the detection).
There aren’t enough people focused on the problem. 64% of survey respondents have only one individual dedicated to threat engineering or none.
The answer?
Democratize and automate threat detection, hunting, and triage across the SOC to make threat detection easier across hybrid, multi-cloud, and data lakes. This will ensure investments in detection engineering can be optimized.
###