Hewlett Packard Enterprise (HPE) released its State of Security Operations Report 2017 on Jan. 17, providing insights into what Security Operation Centers (SOCs) are doing right and what they're doing wrong. Among the highlighted findings in the report is that 82 percent of SOCs are not at their optimal maturity level, to help limit risk and protect business operations.
The 2017 report is the fourth annual State of Security Operations study from HPE and is based on an analysis of 183 Security Operations Centers (SOCs) assessments. A core part of HPE's approach to understanding the status of a SOC is the Security Operations Maturity Model (SOMM).
The SOMM provides an overall five-point scale to rank SOC maturity.
"A score of less than one is a SOC that still hasn't properly documented its' processes and procedures," Matt Shriner, worldwide VP of Professional Services for Enterprise Security Products at HPE, told eWEEK. "A level five in contrast, is extremely well-documented but also extremely rigid and inflexible."
Shriner noted that while a level five is the highest SOMM score, it's actually not the right score for the majority of organizations that need flexibility in their SOCs. Shriner said that if an organization is securing a satellite network or a military defense system, a level five might be appropriate, as precision is a critical attribute. He added that HPE generally recommends that organizations aim for a SOMM score of between three and four, to have the right mix of processes and flexibility.
According to the report, 27 percent of SOCs failed to achieve a SOMM level 1 score. Shriner said there are environments that organizations believe to be a SOC, but are often just a pair of individuals and not a team of trained professional with documented procedures.
"The bigger issue is that 82 percent of SOCs are not meeting business goals," Shriner said.
In Shriner's view, an effective SOC is not something that security people are doing because they like researching the latest security threats. Rather, the most effective SOCs should be looking to protect certain aspects of the business.
Shriner noted that many SOCs got started with a perimeter security monitoring mission, managing firewall and intrusion detection systems in a consolidated approach.
"That's not enough as attackers today are far more sophisticated than just perimeter attacks," Shriner said.
Simply hunting for bugs and potential vulnerabilities is not the right approach for a mature SOC either. The HPE report found that some organizations have large volumes of data that they will sift through, hunting for Indicators of Compromise (IOCs).
"Hunting is valuable and important, but it's not enough," Shriner said. "You have to also be doing real-time monitoring."
Shriner emphasized that real-time monitoring will not detect all threats either, which is why HPE recommends that mature SOCs use both hunting and monitoring techniques to detect potential threats.
HPE also is recommending that organizations transition from IT metrics for SOCs to more business related metrics. For example, IT metrics could typically include the number of object blocked by firewalls and the amount of virus detections.
"Those metrics look nice on a chart, but they are effectively meaningless when it comes to managing business risk," Shriner said. "We're working to implement business metrics that capture the number of actual detections for specific attacks against parts of the business."
For example, a business metric that can be useful is tracking the number of potentially unauthorized actions from employees.
There is also a growing intersection between the DevOps model and security, though it's not yet something that is fully reflected in the SOMM score. Shriner said that HPE has a separate security DevOps consulting team, which he leads.
"SOC today is all about the people, processes and technology components related to a cyber-defence initiative," Shriner said. "Security DevOps fits into application security, which is typically a whole other area today."
If, for example, an application scanning technology finds a vulnerability, Shriner would like to see some form of co-ordination through a SOC. That said, Shriner said security analysts working in a SOC often have a network security background and don't tend to be application specialists. He added that HPE has seen some anecdotal evidence that organizations are working to tie their SOC and application security groups together to help limit risks.
"Many breaches happen at the application layer, yet security spending has not been at the application layer, but that's starting to change," Shriner said. "We see business leaders asking how they can tie security together in a co-ordinated effort."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.