Having a dedicated hunt team scour months of historical log and other data is a strategy increasingly being adopted by CISOs as they fight to keep up with a growing number of attacks, says a new report.
The finding is one of several in the latest State of Security Operations report released today by Hewlett Packard Enterprise, which annually goes back to a number of customers it has helped build security operations centres (SOCs) – usually a paid consultation – to find out whether their cyber security maturity is improving. This year’s report included 28 assessments.
However, a company executive warns that no matter how skilled a hunt team is, it can’t replace real-time analysis of network data.
“A year and a half ago hunt was a concept,” Matthew Shriner, vice-president of security professional services at HPE, said in an interview. “Now just about every organization we work with and talk to has either an active hunt team program or active budget.”
In fact it is so popular that some organizations have decided analysts should hunt all day long, he said, instead of having staff look at data streaming hourly from security information and event management (SIEM) suites.
“That turns out to be a mistake,” said Shriner. “You have to be able to do both. To be really effective at hunt you would need to write a lot of rules, schedule those rules to run, have someone who knows to go through and what to look for … We’ve seen organizations try to do full time hunt without the real-time correlation and they’ve started to regress in their [security] maturity. We’ve seen the highest levels of maturity with organizations that are doing both.”
One reason, he said, is that the two jobs require different skills: analysts doing so-called ‘eyes-on-glass’ monitoring know how to recognize the signs of a malicious email or a distributed denial of service (DDoS) attack as they happen, signs that don’t stand out in the gigabytes of data sitting in a data lake.
Shriner also noted that hunt teams need a combination of data analytics and cyber security skills.
One other related finding cited in the report: significant time and effort had to be spent on data hygiene, contextualization and preparation before hunt teams were able to distinguish true threats from misconfigured systems and process deficiencies in the management of IT assets.
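The distinction Shriner draws between real-time correlation and scheduled hunting is easier to see in code. The following is an added example, not code from the HPE report or from any SOC it assessed: it runs a streaming SIEM-style rule (alert on a burst of failed logins from one source inside a sliding window) and a retrospective hunt query (find sources whose failures are spread thinly over many days and hosts) over the same constructed login events. The event tuples, IP addresses, host names and thresholds are all invented for illustration; the point is that each mode catches something the other misses.

```python
"""Real-time correlation rule versus scheduled hunt query over the same data.
Added example for illustration; the login events below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source_ip, target_host, outcome)
EVENTS = []
_T0 = datetime(2016, 1, 1, 9, 0, 0)
# A noisy brute-force burst: 12 failures from one IP within 30 seconds.
for i in range(12):
    EVENTS.append((_T0 + timedelta(seconds=2 * i), "10.0.0.5", "srv-01", "fail"))
# A low-and-slow spray: one failure per day against a different host for 30 days.
for day in range(30):
    EVENTS.append((_T0 + timedelta(days=day, hours=3), "10.0.0.9",
                   f"srv-{day:02d}", "fail"))
# Benign background: a single mistyped password per day from assorted users.
for day in range(30):
    EVENTS.append((_T0 + timedelta(days=day, minutes=17), f"10.0.1.{day}", "srv-01", "fail"))
    EVENTS.append((_T0 + timedelta(days=day, minutes=18), f"10.0.1.{day}", "srv-01", "success"))
EVENTS.sort()


def realtime_rule(events, window=timedelta(seconds=60), threshold=10):
    """Streaming correlation: consume events one at a time and alert when a
    source IP accumulates >= threshold failures inside a sliding window.
    Only per-IP state for the current window is kept, as a SIEM rule would."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    alerts, alerted = [], set()
    for ts, ip, _host, outcome in events:
        if outcome != "fail":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerts.append((ip, ts))
            alerted.add(ip)
    return alerts


def hunt_query(events, min_days=10, min_hosts=10):
    """Scheduled hunt over the full history: report source IPs whose failures
    span many days and many distinct hosts, each day too quiet to trip the
    real-time threshold. Needs the whole data set, not a rolling window."""
    days_by_ip, hosts_by_ip = defaultdict(set), defaultdict(set)
    for ts, ip, host, outcome in events:
        if outcome == "fail":
            days_by_ip[ip].add(ts.date())
            hosts_by_ip[ip].add(host)
    return sorted(ip for ip in days_by_ip
                  if len(days_by_ip[ip]) >= min_days and len(hosts_by_ip[ip]) >= min_hosts)


if __name__ == "__main__":
    print("real-time alerts:", realtime_rule(EVENTS))   # the 10.0.0.5 burst only
    print("hunt findings:   ", hunt_query(EVENTS))      # the 10.0.0.9 spray only
```

The streaming rule fires on the burst from 10.0.0.5 within seconds but never on 10.0.0.9, which stays at one failure per day; the hunt query finds 10.0.0.9 only because it can look across thirty days at once, and would not notice the burst at all since it never crosses the multi-day, multi-host bar. This is the concrete reason a SOC that abandons one mode for the other loses coverage.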
Other major findings include:
–Security operations centers continue to struggle with development of metrics that communicate an effective business contribution.
Most SOCs create metrics packages that report technology attributes like system health, policy level, and functional performance. But these numbers don’t show what the business side cares about: a reduction of risk, an increase in security and satisfaction of compliance objectives.
“Leading SOCs go beyond reporting basic functional performance data and deploy metrics programs that focus on measuring operational activities linked directly to business priorities and communicated in business terms,” says the report. Such metrics show what security delivers at a lower total direct, indirect and opportunity cost over time. Everyday activities like policy tuning, performance optimization, contextual customization and response automation are reported along with their immediate and trended impact on the organization;
–the creation of so-called security fusion centres, or internal information sharing centres, in large organizations with multiple lines of business or operations in several regions, each of which has its own security operations centre. A fusion centre provides process governance, threat information sharing and security expertise that allow the subscriber SOCs either to collaborate better or to fold into one of the more mature SOCs as functional customers.
“Large organizations using this approach usually see an overall benefit from economies of scale and improved coordination from a reduced set of common processes, the use of common technology solutions, and the use of common metrics,” says the report;
–offloading routine work to managed security service providers – creating the so-called hybrid SOC – can be worth it, particularly if the infosec team then focuses on more important work. It can also help retain security staff, Shriner notes. But the relationship has to be managed.
“Successful services relationships go beyond superficial vendor management to standard industry SLAs,” says the report. They require service transparency and interactions that let security leaders assess service performance quickly through established key performance indicators, which confirm that the financial and risk considerations that led to outsourcing in the first place are still being satisfied.
“Organizations that are doing both [running internal SOCs and outsourcing some functions], that have the right mix, tend to be the most effective (and) have less turnover,” said Shriner.
–public sector SOCs are struggling to grow beyond what HPE calls the Managed maturity level (level 2 on a five-point scale). That’s not bad, the report adds – such SOCs have a high degree of repeatability in their functions, and the relevant stakeholders are involved in operations. But they also suffer from misaligned expectations, lack of continuity of personnel, and rigid organizational roles and responsibilities.
“Effective public sector SOCs benefit a great deal from internally sourced operational leadership that provides oversight and measures success in terms of reduced risk, improved security, or satisfactory compliance,” says the report.
–SOCs are spending a large portion of their time identifying misconfiguration issues. Ideally these issues would be handled by an IT team, freeing up the security operations organization to focus on identifying and investigating attacks.
A shiny new SOC is a thing of beauty — at least to its creators. “But if you don’t continue to focus, if you don’t measure the people, process, technology and business, organizations tend to decline in their [security] maturity over time,” said Shriner. “If you’re not continually improving — developing new use cases to respond to new threats, new processes, training and retaining staff — you will regress.”