According to new research, the vast majority of security operations centers (SOCs) do not meet benchmarks defining recommended maturity levels and, as a result, struggle to detect and manage cybersecurity threats.
Those are the key findings in a new report from Hewlett-Packard Co.'s Security Intelligence and Operations Consulting (SIOC) group examining cyberdefense operations in the enterprise.
In the study, HP assessed the capability and maturity of 87 unique SOCs across 18 countries and 6 continents in the course of 118 assessments since 2008. The assessments were based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model for Integration (SEI-CMMI), and focused on organizations' capability to reliably detect malicious activity and implement a systematic approach to appropriately manage threats in four categories: people, process, technology, and supporting business functions.
The security operations maturity model (SOMM) rates SOCs on a five-point scale where zero is "incomplete;" level one meets the minimum requirements to provide security monitoring; level three is the recommended level on which operations are "well-defined, subjectively evaluated and flexible;" and the highest level is five, where operations are being optimized for improvements.
In total, 87% of SOCs studied did not meet the recommended maturity level, and 20% failed to meet the minimum level one requirements. HP found that organizations in nearly all industries received five-year median SOMM scores between one and two. The telecom industry ranked last with a median score of 1.12, and the technology industry ranked first with a median score of 1.86.
Learning and improving
HP noted that while SOCs have been maturing in the six years that assessments have been performed, it often takes a major breach to spur improvements. HP said that industry-wide vulnerabilities like Heartbleed and Shellshock and coordinated point-of-sale (POS) attacks in the retail industry have caused an increase in willingness to share threat intelligence between organizations.
According to HP, the tools and methods used by IT security teams have also been changing. One major issue that SOCs still have to overcome, said HP, is that organizations often invest in products that prioritize short-term benefits over long-term expansion capabilities, such as purchasing a log-management product to meet compliance requirements yet not implementing a SIEM or other analytics engine to analyze and correlate log data.
At the same time, companies are expecting more from cloud and managed service providers, and asking that vendors provide visibility into network, system, application, and user activity for monitoring with enterprise SOCs.
Additionally, HP said, organizations are also working to become more proactive about finding compromises in systems. Many are forming so-called "hunt teams," tasked with finding previously undetected incidents and compromises that would normally be found by third parties, and could have existed for weeks or even years.
HP noted that security analyst skills are a common weakness among many organizations, and the issue is made worse by the difficulty of acquiring and retaining talented security professionals. For some companies, workflow is an issue, according to HP, because security teams are incentivized to focus on the quantity of events closed rather than the quality of risk reduction. HP suggests a holistic approach that takes into account technology, process, people, and business support in order to improve security operations maturity.