State of SecOps 2021: 5 Trends That Should Shape Your Security Approach

Accelerated remote working policies. Shifts in cloud adoption. A global shortage of security professionals. The rules of engagement for cybersecurity are changing fast and challenging almost every organization in the world. Monitoring security across this growing attack surface is a significant issue, with 40% of respondents in the recent CyberRes 2021 State of Security Operations report considering it their number one concern.

Fortunately, businesses are taking action. They recognize the need for additional investment, with 84% increasing their security operations center (SOC) and training spend. We’re now seeing more remote access monitoring, more cloud-based security adoption, and more threat intelligence investment. Overall, the last year saw a 6.4% growth in security-related spending, with a further 12.4% growth forecast for this year.

So what were the key lessons learned? Where are the focus areas? Here are our top picks for how SecOps is evolving.

  1. Remote is the Door, Automation the Lock

    For years, even while most companies had recognised that the perimeter has disappeared, a monolithic mentality stubbornly persevered. 2020’s sudden shift to a distributed workforce, however, forced a re-think. SOCs now had to focus on granular access controls for devices and user identities, and on behavioural anomaly detection to prevent cyber threats against an infrastructure that had grown far beyond the confines of traditional security boundaries.

    Many turned to machine learning and automation in order to detect bad actors and quickly neutralize threats regardless of location. So far, the priority for automation has been risk assessment, followed by automation of threat hunting, intelligence analysis and attack-surface management. About 30% considered automating remediation tasks a top use case for automation, while almost a quarter (23%) considered automating the process of reporting risks to executives a priority.

  2. Managing the Attack Surface

    Attack surface management (ASM) is the ability to discover, track, classify, and monitor assets in your network or used by your employees, from laptops to routers and from software to cloud services. With many companies considering the growing attack surface to be a major problem, finding technology and processes to reduce the footprint of your information technology and infrastructure is critical.

    ASM tools attempt to find the weakest link under the assumption that “if you do not find it, the attacker will.” And while ASM solutions are a relatively new technology, more than half of respondents currently have such efforts in place within their organizations, and about 40% intend to implement them in the next 12 months.

  3. Embracing a Remote SOC

    Dedicated, in-house SOC facilities are designed for maximum productivity and comfort for both analysts and engineers. And depending on how many bells and whistles these command hubs contain, they often present a ‘wow factor’ for touring prospects and customers. However, the impact of COVID-19 forced many SecOps teams to do their threat detection and response in completely remote settings. As the months have passed, SecOps leaders have learned that virtually everything they do can be accomplished remotely and are finding it easier to retain skilled resources now that remote work is acceptable. As a result, we’ve seen 85% of organizations increase their adoption of cloud security services and technologies.

  4. Red on the Rise

    Arguably, the most critical security operations process is the regular evaluation of defenses. Forward-thinking security operations teams are increasingly using red-team exercises (i.e., simulating an adversary’s actions) as part of this process to ensure a strong cybersecurity posture. More than 93% of those surveyed consider red-teaming an essential activity for security operations. Almost half report their red-teaming results to the board for due diligence, while a third share the results with the CISO as part of risk-and-readiness reporting.

    The regular evaluation of threat models is essential because threat models, like technologies, age quickly and can lose relevance. Fortunately, most organizations (85%) report that they evaluate their threat models at least once every six months.

  5. Outsource vs. In-House

    While outsourcing allows companies to gain access to needed experts and free up staff, many organizations continue to view outsourcing with distrust, especially for their security operations. Yet, for many organizations, growing SecOps complexities have made the cost efficiency of outsourced SOC functions not only appealing but necessary. Many start by trying to streamline and ease the internal operation, but once you consider the difficulty of sourcing top talent, it’s easy to see why outsourcing often presents the path of least resistance.

    As a result, almost all companies (92%) find that they need to outsource at least some of their SecOps functions. Yet, outsourcing hesitancy is still the rule: Only 24% have fully outsourced 1 to 3 security functions, and only 4% rely on more than three fully outsourced functions.

SecOps Teams Must Adapt

Companies need to overcome the challenges of having many remote workers, confront a scarcity of security professionals, and adjust their security to the demands of the cloud. Adopting a threat modeling framework, implementing processes for managing the attack surface, and aggressively pushing automation throughout security operations areas will help increase a company’s security maturity.
