This article originally appeared on Spiceworks.
Why threat detection tech and strategies need to be democratized.
We’re reaching a breaking point: environments are becoming more chaotic while requirements constantly change, leaving SOC teams overwhelmed. Organizations are taking a hard look at the security operations strategies, processes, and technologies that support cloud-driven, hybrid work usage models, explains Karthik Kannan, founder and CEO of Anvilogic.
We’re in the red. No, we’re not talking about a bank account. We’re talking about your SOC (security operations center) team. They are reaching a breaking point. The perfect storm has hit: teams are facing an uphill battle to transform their security operations infrastructure while fending off attacks, all the while dealing with alert fatigue and shorthanded teams stretched to capacity.
Whether attributed to the stress of the job or to a broader absence of skilled candidates, SecOps staffing levels are proving insufficient, and filling open positions is proving to be a challenge. In fact, vacant cybersecurity jobs are expected to trend upward to 3.5 million in the U.S. by 2025. While some industries are experiencing layoffs as recession predictions loom, the increasingly chaotic SecOps space (cited by 57% of respondents in the survey as being more chaotic than it was two years ago) can’t seem to find nearly enough qualified talent to fill the openings and keep teams afloat.
With all the mandatory responsibilities already on their plates, SOC teams fending off attack groups whose sole mission is penetrating organizations’ infrastructure (something those groups focus on 24/7) are bringing a knife to a gunfight. Attackers are kicking SOC teams while they are down, exploiting the massive volume of infrastructure change in the organization to find weak links and introduce new threats.
But security isn’t just for the CISO and the security team. Can you confidently say you know what your SOC is doing? For example, are you making sure security is part of your business decisions? Do you understand how the security team (the SOC) is reducing risk to help drive business success? Part of the difficulty in solving this problem is a misunderstanding of the role SOC teams play in mitigating business risk in the first place.
According to a recent survey (the source of the data cited throughout this article) of security decision-makers responsible for threat detection at their organizations, 60% of all security professionals surveyed believe their C-suite and LOB executives do not fully recognize, or dramatically underestimate, the importance of SOCs in mitigating business risk or driving future business success.
How Can SecOps Teams Win When Stretched So Thin?
Security professionals are screaming for change: 96% of security professionals are struggling to both get the job done and get it done efficiently, and 89% of surveyed security decision-makers feel their organization needs a transformational or moderate amount of change in its SOC to mitigate business threats over the next 12 to 24 months.
Security operations depend on effective mechanisms to detect potential threats, especially as the entire infrastructure and attack surface comes under greater pressure from more advanced, targeted threats. As security teams re-architect operational infrastructure and work to plug SecOps gaps, daily SecOps activities must continue to mitigate risk. SecOps teams spend the most time managing controls, significantly more than they spend on detection engineering or incident remediation. This means more time is being spent on low-level tasks rather than on areas that could provide value and reduce overall risk to the business. As attack surface growth continues, especially with more cloud workload and infrastructure adoption, many SOC teams have had to supplement existing tools with manual processes to close gaps, and to acknowledge blind spots in their cloud workloads.
Similar to how many people spend so much time in meetings instead of completing their deliverables, security teams spend all their time chasing cracks in the infrastructure instead of fixing the actual problem at the foundation: detection engineering. Security professionals see the biggest gaps in their SOC capabilities around core security functions: threat detection, investigation, and triage.
Over half of the security professionals surveyed report that alert triage is challenging or overwhelming, and more than three-quarters (77%) of security professionals surveyed want new ways to engineer detection rules. Automation can help significantly. In fact, using automation exclusively makes the most impact. While 83% were using automation “in some capacity,” respondents not using it exclusively were 2.3 times more likely to have trouble with alert prioritization.
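To make the two practices this article keeps returning to concrete (engineering detection rules, and automating alert prioritization so triage is not a flat queue), here is an added example. It is not code from the article or from Anvilogic; every rule name, field name, asset tier, sample event and the scoring formula is a constructed assumption chosen for illustration. The point it shows beyond the text is that once rules are declarative, prioritization can be computed from the alerts they emit rather than done by hand.

```python
"""Added example (not from the article): a minimal detection-engineering loop.

Declarative rules are applied to constructed sample events to produce alerts,
then alerts are collapsed per host and scored so the analyst sees the
highest-risk cluster first. All names, tiers and events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    severity: int                      # 1 (low) .. 5 (critical); assumed scale
    match: Callable[[dict], bool]      # predicate over one event dict
    tactic: str                        # constructed label for the behaviour family


# Constructed asset criticality tiers: 3 = crown jewels, 1 = commodity endpoint.
ASSET_TIER = {"dc01": 3, "payroll-db": 3, "web-01": 2, "laptop-42": 1}

# Constructed rules. Each is a small predicate, so adding or tuning a detection
# is a one-line change rather than a manual process.
RULES = [
    Rule("brute-force-logon", 3,
         lambda e: e["event"] == "logon_failed" and e["count"] >= 10,
         "credential-access"),
    Rule("new-admin-created", 4,
         lambda e: e["event"] == "user_added" and e.get("group") == "Administrators",
         "persistence"),
    Rule("encoded-powershell", 4,
         lambda e: e["event"] == "process_start" and "-enc" in e.get("cmdline", "").lower(),
         "execution"),
    Rule("outbound-to-rare-port", 2,
         lambda e: e["event"] == "netflow" and e.get("dport") not in (80, 443, 53),
         "command-and-control"),
]

# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    {"host": "laptop-42", "event": "logon_failed", "count": 25, "user": "jdoe"},
    {"host": "dc01", "event": "logon_failed", "count": 40, "user": "svc_backup"},
    {"host": "dc01", "event": "user_added", "group": "Administrators", "user": "svc_backup2"},
    {"host": "dc01", "event": "process_start", "cmdline": "powershell.exe -w hidden -enc QUJD"},
    {"host": "web-01", "event": "netflow", "dport": 8443, "dst": "203.0.113.7"},
    {"host": "web-01", "event": "netflow", "dport": 443, "dst": "203.0.113.7"},
    {"host": "laptop-42", "event": "process_start", "cmdline": "notepad.exe"},
]


def run_rules(events, rules=RULES):
    """Apply every rule to every event; one alert per (rule, event) match."""
    alerts = []
    for e in events:
        for r in rules:
            if r.match(e):
                alerts.append({"rule": r.name, "severity": r.severity,
                               "tactic": r.tactic, "host": e["host"]})
    return alerts


def prioritize(alerts, asset_tier=ASSET_TIER):
    """Collapse alerts per host and rank hosts by a constructed risk score.

    score = sum(severity) * asset_tier * number_of_distinct_tactics
    Distinct tactics on one host suggest a chain of activity rather than
    repeated noise from a single rule, so they multiply the score.
    """
    per_host = defaultdict(list)
    for a in alerts:
        per_host[a["host"]].append(a)
    ranked = []
    for host, host_alerts in per_host.items():
        tactics = {a["tactic"] for a in host_alerts}
        base = sum(a["severity"] for a in host_alerts)
        score = base * asset_tier.get(host, 1) * len(tactics)
        ranked.append({"host": host, "score": score,
                       "tactics": sorted(tactics),
                       "rules": sorted({a["rule"] for a in host_alerts})})
    ranked.sort(key=lambda x: x["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for entry in prioritize(run_rules(SAMPLE_EVENTS)):
        print(f"{entry['score']:4d}  {entry['host']:<10} {', '.join(entry['rules'])}")
```

Run stand-alone, the domain controller with three related alerts across three tactics lands at the top of the queue, while the single low-severity hit on a commodity laptop lands at the bottom, even though both hosts produced a brute-force alert. Whatever scoring you adopt in practice, the structure is the same: rules as data, alerts as their output, and prioritization as a function of the alerts rather than an analyst's memory.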
The complexity of threat detection is causing SOC teams to take a hard look at how improved detection engineering can help with assimilating and analyzing security signals from this diverse set of operating infrastructure.