This week’s McAfee Labs Threats Report: December 2016 revealed the results of a survey gauging the state of the security operations center (SOC). The following is an excerpt from this article.
A few years ago, dedicated SOCs seemed to be going the way of the dinosaur—the era of big rooms with big monitors and teams of analysts seemed ready to be replaced by distributed teams, outsourced, or disbanded entirely. If you were not in the Defense Department or on Wall Street, many thought, then you did not need a SOC. Then targeted attacks and insider threats moved from movie and government plots to an everyday reality for enterprises. According to an McAfee survey, 68% of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.
Today, almost all commercial (1,000–5,000 employees) and enterprise (more than 5,000 employees) organizations run some type of SOC, and half of them have had one for more than a year, according to the latest research study from McAfee. As the number of incidents continues to increase, security organizations appear to be maturing and using what they learn to educate and improve prevention in a virtuous cycle. For instance, survey respondents documented their expanding investments in SOCs and attributed an increase in investigations to an improved ability to detect attacks. Those who reported a decline in investigations of incidents attributed this improvement to better protection and processes, which mature organizations perform as the final stage of a security investigation.
These are some of the findings in a primary research study commissioned by McAfee on the current state of security management environments and threat detection capabilities, as well as priority areas for future growth.
Almost nine out of 10 organizations in this study reported that they have an internal or external SOC, although commercial organizations are slightly less likely to have one (84%) compared with enterprises (91%). Smaller organizations in general are implementing SOCs a bit later than enterprises, as only 44% of commercial groups have had one for more than 12 months, whereas 56% of enterprise SOCs have been around for that long. Most SOCs (60%) are currently run internally, with 23% operating a mix of internal and external support, and 17% fully external. For the few that have not established a SOC, only 2% of enterprises have no plans to do so, versus 7% of commercial companies.
Of the 88% of organizations operating a SOC, the majority (56%) reported that they use a multifunction model combining SOC and network operations center (NOC) functionality. Organizations in the United Kingdom (64%) and Germany (63%) are even more likely to operate in this model. Dedicated SOCs are in use by 15% of companies and are more prevalent in the United States (21%). Virtual SOCs are the third model, also used by about 15% of respondents, followed by a distributed or co-managed SOC, at 11%. Only 2% reported operating a command SOC.
This distribution of SOC implementations has several implications. The majority operate at or past the midpoint of SOC maturity, progressing toward the goal of a proactive and optimized security operation. However, more than a quarter (26%) still operate in reactive mode, with ad-hoc approaches to security operations, threat hunting, and incident response. This can significantly extend detection and response times, leaving the business at greater risk of significant damage, as well as facing a higher cleanup cost.
Whether from an increase in attacks or better monitoring capabilities, most companies (67%) reported an increase in security incidents, with 51% saying they have increased a little, and 16% that they have increased a lot. This is analogous to findings from the key topic “Information theft: the who, how, and prevention of data leakage” in the McAfee Labs Threats Report: September 2016. That primary research study found that organizations which watched data more closely for leakage reported more data-loss incidents.
Only 7% overall indicate that incidents have decreased, and the remaining 25% say that they have remained stable over the past year. There was little variance reported by country, but incidents increased as organizations get smaller, possibly indicating that criminals have broadened their attack targets. Only 45% of the largest organizations (more than 20,000 employees) reported an increase, compared with 73% of the smallest (fewer than 5,000 employees).
The small group that reported a decrease in incidents overwhelmingly (96%) believe that this was due to better prevention and processes. Of those who said that incidents increased, the majority feel that it was due to a combination of improved detection capabilities (73%) and more attacks (57%).
Most organizations are overwhelmed by alerts, and 93% are unable to triage all relevant threats. On average, organizations are unable to sufficiently investigate 25% of their alerts, with no significant variation by country or company size. Almost one-quarter (22%) feel that they were lucky to escape with no business impact as a result of not investigating these alerts. The majority (53%) reported only minor impact, but 25% say they have suﬀered moderate or severe business impact as a result of uninvestigated alerts. The largest organizations, perhaps because of their better monitoring capabilities and stable incident levels, are more likely to report no business impact (33%).