While most individual security analysts today are still overworked and battling burnout, the good news is that the process and organizational support they need is improving across the industry. A new report out last week shows that security programs are growing more mature and performing better as the number of organizations with formal security operations centers (SOCs) experiences a huge spike.
According to the Cybersecurity Report Card, enterprises have cranked up their efforts to build out their in-house SOC capabilities over the last two years. Conducted by DomainTools for the last several years, the survey for this annual report questioned more than 500 security pros across a range of organizations. It found that the number of organizations that carry out security operations within an in-house SOC has shot up from 10% in 2017 to 53% today.
In that same timeframe, the rate of breach incidents for all organizations surveyed has gone down by nearly 11 percentage points, from just shy of 26% reporting a breach in the last year back in 2017 to just over 15% saying the same in 2019. Additionally, the self-rating that security pros are giving their program maturity is markedly increasing:
Cybersecurity report card grades showed a sharp increase in improvement in 2019, with 30 percent giving their programs an “A,” up nearly 10 percent from 2018. Almost half of all respondents stand solidly as a “B,” with an overall decline in grades “C” through “F,” showing improvement across the board.
These grade improvements have a close correlation with the uptick in SOC prevalence. Among "A" rated organizations, an overwhelming 78% report having an in-house SOC to support their security program. These "A" level programs tend to have a much smaller rate of breach incidence (just over 6%), and just over half of these elite performers report that they can detect active or suspected cyber attacks several times throughout the day.
Also closely entwined in this improving maturity curve is the increased use of security automation and orchestration tools, and the growing reliance on advanced practices like threat hunting and in-depth forensic analysis. Overall, approximately 84% of organizations today report at least some automation of security functions and 94% of organizations report at least some level of threat hunting activity, with about 20% of organizations spending more than 60 hours per week on threat hunting. Some 22% of all organizations report a high level of security automation, but "A" rated organizations double that performance, with 45% reporting a high level of automation. Similarly, 50% of these "A" rated security organizations use orchestration tools, and 75% use threat intelligence platforms.
Industry analysts believe that making improvements in security automation and orchestration (SAO) like this is the most sane path for SOC teams seeking to keep up with the crush of cyber attacks today. According to experts with 451 Research:
SAO helps SOC teams manage their responsibilities: automation reduces the labor effort by executing scripts to collect and organize evidence gathering from disparate sources. Enterprises report increased SOC workflow performance as staff can spend more time fixing problems. Orchestration defines the workflows necessary to investigate a threat and implement corrective responses.
Nevertheless, even with a high degree of automation and better processes wrought by formalized SOC formation, security teams are still undergunned and overworked. Often, the effective use of automation requires a high degree of expert human interaction for tuning and filtering. As things stand, the industry still wastes an incredible amount of time on false positives. This most recent report card study found that the number one impediment named by lower-performing organizations as keeping them from achieving an "A" grade was staffing shortfalls. That's in line with other studies this year that show the security skills shortage as a major factor impacting SOC operations today.
According to one report from TechBeacon this month, analysts with Enterprise Strategy Group (ESG) say that many organizations are supplementing in-house SOC capabilities with managed security services to take some of the strain off of overworked analysts.
"Smart CISOs will include SOC technologies and managed services as part of a cohesive and comprehensive SOC strategy," wrote ESG analyst Jon Oltsik in The Rise of Cloud-Based Security Analytics and Operations Technologies report.
That survey reported 75% of organizations say their security operations capabilities are "undermined by a lack of available personnel." But it's not a matter of just hiring more staff in the SOC—about seven in 10 organizations say that it's extremely or somewhat difficult to recruit and hire SOC personnel. As a result, some nine in 10 organizations today are going to start stepping up their use of managed security analytics services to help fill in the gap.