
Report: Most enterprise security operations centers ineffective

A new report by HP shows most enterprise security operations centers fail to meet recommended maturity levels needed to detect and manage cybersecurity threats.

According to new research, the vast majority of security operations centers (SOCs) do not meet benchmarks defining recommended maturity levels, and as a result struggle to detect and manage cybersecurity threats.

Those are the key findings in a new report from Hewlett-Packard Co.'s Security Intelligence and Operations Consulting (SIOC) group examining cyberdefense operations in the enterprise.

In the study, HP assessed the capability and maturity of 87 unique SOCs across 18 countries and six continents in the course of 118 assessments since 2008. The assessments were based on the Carnegie Mellon Software Engineering Institute's Capability Maturity Model Integration (CMMI), and focused on organizations' ability to reliably detect malicious activity and to implement a systematic approach to managing threats across four categories: people, process, technology, and supporting business functions.

The security operations maturity model (SOMM) rates SOCs on a scale from zero to five: zero is "incomplete"; level one meets the minimum requirements to provide security monitoring; level three is the recommended level, at which operations are "well-defined, subjectively evaluated and flexible"; and level five, the highest, is where operations are being continually optimized for improvement.

In total, 87% of SOCs studied did not meet the recommended maturity level, and 20% failed to meet the minimum level one requirements. HP found that organizations in nearly all industries received five-year median SOMM scores between one and two. The telecom industry ranked last with a median score of 1.12, and the technology industry ranked first with a median score of 1.86.

Learning and improving

HP noted that while SOCs have been maturing in the six years that assessments have been performed, it often takes a major breach to spur improvements. HP said that industry-wide vulnerabilities like Heartbleed and Shellshock and coordinated point-of-sale (POS) attacks in the retail industry have caused an increase in willingness to share threat intelligence between organizations.

According to HP, the tools and methods used by IT security teams have also been changing. One major issue that SOCs still have to overcome, said HP, is that organizations often invest in products that prioritize short-term benefits over long-term expansion capabilities, such as purchasing a log-management product to meet compliance requirements yet not implementing a SIEM or other analytics engine to analyze and correlate log data.
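To make the log-management-versus-SIEM distinction concrete, here is an added example (not from the HP report or this article) of the kind of correlation rule an analytics engine runs over normalized events. A constructed VPN authentication log and a constructed host audit log are parsed, repeated failures followed by a success from the same user and source are detected, and that hit is chained with a privileged action by the same account shortly afterwards. A log archive can answer "show me jdoe's events"; the correlation is what turns those events into an incident. All log lines, hostnames, addresses, thresholds and function names below are constructed for illustration.

```python
"""Hypothetical SIEM-style correlation over two constructed log sources.

Added example, not from the HP report. A single failed login is noise; N failures
followed by a success from the same source, then a privileged action by that
account, is an incident. Storing the logs alone surfaces neither conclusion.
"""
from datetime import datetime, timedelta
import re

# Constructed sample events (not real logs): VPN authentication and a host audit trail.
VPN_LOG = """\
2014-11-10T02:11:03Z vpn01 auth user=jdoe src=203.0.113.7 result=FAIL
2014-11-10T02:11:09Z vpn01 auth user=jdoe src=203.0.113.7 result=FAIL
2014-11-10T02:11:15Z vpn01 auth user=jdoe src=203.0.113.7 result=FAIL
2014-11-10T02:11:22Z vpn01 auth user=jdoe src=203.0.113.7 result=FAIL
2014-11-10T02:11:40Z vpn01 auth user=jdoe src=203.0.113.7 result=OK
2014-11-10T02:30:00Z vpn01 auth user=asmith src=198.51.100.4 result=FAIL
2014-11-10T02:31:00Z vpn01 auth user=asmith src=198.51.100.4 result=OK
"""
HOST_LOG = """\
2014-11-10T02:15:02Z fs01 audit user=jdoe action=useradd target=svc_backup2
2014-11-10T02:15:09Z fs01 audit user=jdoe action=group_add target=svc_backup2 group=Administrators
2014-11-10T02:40:00Z fs01 audit user=asmith action=file_read target=/share/report.xlsx
"""

# Actions that, right after a suspicious login, escalate the alert (assumed list).
PRIV_ACTIONS = {"useradd", "group_add"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>\S+) (?P<kv>.*)$")


def parse_log(text, source):
    """Normalize 'ts host kind key=value ...' lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real pipeline counts unparsed lines instead of dropping them silently
        ev = {"source": source, "host": m.group("host"), "kind": m.group("kind"),
              "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_successes(vpn_events, threshold=3, window=timedelta(minutes=5)):
    """Rule 1: at least `threshold` failures for the same user+src, then a success inside `window`."""
    hits = []
    for i, ev in enumerate(vpn_events):
        if ev.get("result") != "OK":
            continue
        fails = [p for p in vpn_events[:i]
                 if p.get("result") == "FAIL"
                 and p.get("user") == ev.get("user")
                 and p.get("src") == ev.get("src")
                 and ev["ts"] - p["ts"] <= window]
        if len(fails) >= threshold:
            hits.append({"user": ev["user"], "src": ev["src"],
                         "login_ts": ev["ts"], "failures": len(fails)})
    return hits


def correlate(vpn_events, host_events, follow=timedelta(minutes=10), priv_actions=PRIV_ACTIONS):
    """Rule 2: join each rule-1 hit with privileged host actions by the same user within `follow`."""
    alerts = []
    for hit in brute_force_successes(vpn_events):
        priv = [h for h in host_events
                if h.get("user") == hit["user"]
                and h.get("action") in priv_actions
                and timedelta(0) <= h["ts"] - hit["login_ts"] <= follow]
        alerts.append({**hit,
                       "severity": "high" if priv else "medium",
                       "privileged_actions": [h["action"] for h in priv]})
    return alerts


def run():
    """Run both rules over the constructed logs and return the resulting alerts."""
    return correlate(parse_log(VPN_LOG, "vpn"), parse_log(HOST_LOG, "host"))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The quadratic window scan and fixed thresholds are kept for readability; a production engine streams events and keeps a per-key sliding window, and tunes thresholds per source. The point is that the second rule only exists because the first rule's output and the host log live in the same analytics layer.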

At the same time, companies are expecting more from cloud and managed service providers, and asking that vendors provide visibility into network, system, application, and user activity for monitoring with enterprise SOCs.

Additionally, HP said, organizations are also working to become more proactive about finding compromises in systems. Many are forming so-called "hunt teams," tasked with finding previously undetected incidents and compromises that would normally be found by third parties, and could have existed for weeks or even years.

HP noted that security analyst skills are a common weakness among many organizations, and the issue is made worse by the difficulty of acquiring and retaining talented security professionals. For some companies, workflow is an issue, according to HP, because security teams are incentivized to focus on the quantity of events closed rather than the quality of risk reduction. HP suggests a holistic approach that takes into account technology, process, people, and business support in order to improve security operations maturity.


Does your company have a strategy for maturing your security operations?
We do have a SOC1 improvement plan. The major concern on this is how to deal with the education of the agents.
That is, how to convince the agents to perform so-called additional tasks on top of their daily job.
Since the knowledge is there and the agents are ready to perform the activities, education on the importance of carrying out the tasks is the main point of the new plan.

Indeed, SOCs are meant to provide "just enough" security. But I'm in charge of providing further security through integrating different security applications on my network.
Three fundamental issues exist within most organizations' cybersecurity teams and tools:
  1. You cannot secure what you do not know exists. More specifically, exactly what exists (devices, software, networks, IoT, configurations, patching, etc.). A failure to continuously audit the network leads to blind spots.
  2. If you cannot connect the dots and develop an understanding of the normal patterns, you cannot identify emerging threats.
  3. An inability to automate responses to understood threat patterns means mandatory funnel points delaying risk/incident response.
While SIEM, IPS, compliance, GRC and configuration monitoring are all good... if they are not integrated and looked at as parts of the whole body (organs, if you will), you will always be reactive. Being able to react rapidly is a core objective. Being able to prevent is critical.
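As an added illustration of the three points in the comment above (this is not the commenter's code and not from the article), the following Python script checks observed hosts against an asset inventory, builds a per-host baseline of normal outbound volume from constructed flow data, flags deviations, and maps high-confidence findings to an automatic response while routing ambiguous ones to an analyst. The inventory, the history, today's observations, the thresholds and the playbook action names are all constructed assumptions.

```python
"""Added example (not the commenter's code): inventory check, per-host baseline, and
response automation over constructed telemetry."""
from statistics import mean, pstdev

# Constructed: the authoritative asset inventory (point 1: you cannot secure what you do not know exists).
INVENTORY = {"db01", "web01", "web02", "ws-117"}

# Constructed: 14 days of outbound volume (MB/day) per host from flow records (point 2: learn normal).
HISTORY = {
    "db01":   [120, 118, 125, 130, 122, 119, 121, 124, 126, 123, 118, 120, 127, 122],
    "web01":  [800, 820, 790, 810, 805, 815, 798, 802, 811, 807, 809, 795, 803, 812],
    "web02":  [790, 805, 812, 800, 797, 808, 802, 795, 810, 799, 803, 806, 801, 804],
    "ws-117": [3, 5, 2, 4, 3, 6, 4, 2, 5, 3, 4, 3, 5, 4],
}

# Constructed: today's observations, including a host that is not in the inventory at all.
TODAY = {"db01": 124, "web01": 850, "web02": 4100, "ws-117": 950, "nas-tmp": 60}

# Constructed playbook names (point 3: understood patterns get an automatic response).
ISOLATE = "isolate_host_and_open_incident"
QUARANTINE = "quarantine_vlan_and_ticket"
REVIEW = "analyst_review"


def baseline(history):
    """Per-host mean and population stdev. Real deployments use robust statistics
    (median/MAD) and account for weekday/weekend seasonality; kept simple here."""
    return {host: (mean(vals), pstdev(vals)) for host, vals in history.items()}


def zscore(value, mu, sigma):
    """Standard score; a flat baseline (sigma == 0) makes any change infinitely surprising."""
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def detect(today, inventory, history, k=4.0):
    """Return findings: unknown assets, and known hosts whose volume is >= k sigma from baseline."""
    base = baseline(history)
    findings = []
    for host, value in today.items():
        if host not in inventory:
            # Blind spot: telemetry from something the inventory says does not exist.
            findings.append({"host": host, "type": "unknown_asset", "z": None, "value": value})
            continue
        mu, sigma = base[host]
        z = zscore(value, mu, sigma)
        if abs(z) >= k:
            findings.append({"host": host, "type": "exfil_volume", "z": round(z, 1),
                             "value": value, "baseline": round(mu, 1)})
    return findings


def respond(findings, k=4.0):
    """Map each finding to an action. Only the well-understood, high-confidence pattern
    (volume >= 2k sigma) is auto-contained; borderline deviations go to a human."""
    actions = []
    for f in findings:
        if f["type"] == "unknown_asset":
            action = QUARANTINE
        elif f["type"] == "exfil_volume" and f["z"] >= 2 * k:
            action = ISOLATE
        else:
            action = REVIEW
        actions.append({"host": f["host"], "type": f["type"], "action": action})
    return actions


if __name__ == "__main__":
    for decision in respond(detect(TODAY, INVENTORY, HISTORY)):
        print(decision)
```

The split between `detect` and `respond` is deliberate: the baseline answers "is this unusual", the playbook answers "do we understand it well enough to act without a person", and only the second question decides whether the funnel point the commenter describes is removed.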