Many large organizations have set up security operations centres staffed with analyst teams to help fight the increasing number of cyberthreats challenging network security.
But a vendor that sells security solutions and has intimately studied a number of organizations says the maturity of the people, process and technology used varies too much.
In a report issued Monday, Hewlett-Packard Co.’s security intelligence and operations consulting arm found that 24 per cent security operations centres (SOCs) it assessed don’t meet minimum requirements it set to provide consistent security monitoring.
Only 30 per cent of organizations studied are meeting business goals and compliance requirements.
The “average maturity level of SOCs remains well below ideal levels,” the report said.
“The reliable detection of malicious activity and threats to the organization, and a systematic approach to manage those threats are the most important success criteria for a mature security operations capability,” the report said.
One thing it did find: Organizations that recognize that protecting enterprises is business critical, or what have suffered a direct financial loss from an attack, did a better job of maturing their security.
“Economic incentive matters,” the report concluded.
HP defines a security operations centre as one that collects and analyzes security-related data, which is separate from those responsible for day-to-day network availability.
“The belief that SOCs and network operations centers (NOCs) can completely merge is proving incorrect,” says the report. “SOCs that treat their analyst resources as a help desk or up/down monitoring team will miss the attacks that trained and experienced security analysts can find.”
HP was hired to perform 93 assessments (some more than once at the same organization) over the last five years in large organizations using a security operations maturity model it created.
It uses a five-point scale with 5 given for a capability that is consistent, repeatable, documented and continually improved on. An organization whose security staff meet minimum requirements for security monitoring with nothing documented rates of score of 1. The most advanced security operations centres in the world will typically have a score between 3 and 4.
The assessment measures people, process, technology and business alignment in a number of ways (people, for example, are measured on their training, certifications, skills, leadership and career path. Technology is measured by architecture, data collection, monitoring and correlation).
In each of the areas measured, the industry average score fell between a 1 and 2. Technology was the strongest average at 1.81. People and process average scores are lower, closer to 1.5.
“Most organizations focus heavily on technology solutions without putting the proper effort into managing the people and process aspects of a cyber defense program,” HP concludes.
Interestingly, HP believes “overly mature operations” result in stagnation and rigidity that results in a low level of effectiveness. “SOCs (or providers offering SOC services) that aspire to achieve maturity levels of 5 lack an understanding or appreciation of the nature of such capabilities and the threats they are defending against,” the report said.
It wasn’t all bad news. HP [NYSE: HPQ] found that companies are recognizing the strategic nature to IT and building security operations centres to protect their investment; that executives are increasingly fluent in IT security; that security vendors are being held accountable for providing effective solutions; and that security operation centres are building formal and informal information sharing communities.
Among the lessons learned from the assessments:
–“An inability to prioritize efforts in a SOC results in an overall low capability and maturity—It is difficult and costly to protect everything. Successful SOCs utilize a risk-based approach that results in clear priorities and targeted focus”;
–“Focus on compliance objectives sets a dangerously low bar for the mission of a SOC Compliance is a side effect of a highly capable threat detection function; however, effective threat detection rarely results from compliance mandates”;
— “There is an over-reliance on technology. While many organizations invest heavily in technology, the staffing and skills required to achieve the goals of the solution are often missing. In SOCs, this results in minimal investment in the most expensive CPU in the room – the analyst”;
–Managed security service suppliers aren’t a total solution. Organizations still need event analysis and incident response capabilities to manage the provider.
To give an idea of how the assessment works, the report includes short summaries of three companies studied. The best was a Fortune 100 organization assessed four times between 2009 and 2013. It’s most recent score was just under 4. It took the company two years to break level 3.
A Fortune 100 multinational with two SOCs initially grew well but after the first year declined because the security team or fractured with two distinct management chains. One problem was that the two teams didn’t effectively share information.
“Having the right people can often have the most profound impact on the overall capability of a SOC,” says the report.
“A good set of processes and procedures enable a SOC to operate in a sustainable and measurable manner, and enable the SOC to easily support compliance efforts when necessary. Without solid processes and procedures, SOCs become reliant on “tribal knowledge” of individuals,” it added.