External challenges and internal inefficiencies are driving the need for a more integrated approach to security analytics and operations at many organizations.
Analyst firm Enterprise Strategy Group (ESG) recently surveyed 372 IT and security professionals in the US and Canada on their approaches to detecting and responding to cyber threats and vulnerabilities. The resulting report, "The Rise of Cloud-Based Security Analytics and Operations Technologies," showed that enterprises have deployed an assortment of technologies to collect data from the network, email, endpoint devices, the web and threat intelligence feeds.
Seven in 10 organizations surveyed had implemented security information and event management (SIEM) platforms, 64% used threat intelligence, and the same proportion used endpoint detection and response (EDR) tools. More than half also had network analysis tools, security data lakes, and security orchestration, automation and response (SOAR) platforms.
While individually the point tools are providing valuable security telemetry, a high percentage of enterprises said they are struggling to build a holistic picture with the data because of the disconnected nature of their tools.
Jon Oltsik, an analyst at ESG and author of the report, said organizations are collecting analytics data at multiple tiers—some of it redundant—and are trying to glue together some kind of understanding of their security posture. But what's lacking is an integrated way to collect, process, analyze, and act upon the data.
"Cybersecurity analytics and operations are in a state of flux."
—Jon Oltsik
Here are four challenges to the next-gen security operations center (SOC).
1. Internal inefficiencies are undermining security analytics and operations
Nearly two-thirds (63%) of ESG survey respondents described the security operations landscape as more complex than it was just two years ago. A variety of factors have contributed to this situation.
Monitoring security across the enterprise has become harder because of a constantly growing attack surface. Digital transformation, cloud migration, and enterprise mobility initiatives have eviscerated enterprise perimeters and scattered data across on-premises systems, cloud infrastructure, and mobile devices.
Some 27% of the respondents described security monitoring as becoming increasingly complex because of the growing attack surface that needs protection. And at more than one in five organizations (22%), the cybersecurity team was so bogged down putting out fires and dealing with security issues that it had no time for strategy or process improvements.
2. Security analytics has become a big data problem
Growing data volumes are requiring organizations to take a more strategic approach to security data management. More than three-quarters (76%) of the organizations in the ESG survey said they were collecting more security data than they were two years ago. And more than half (52%) are retaining the data for longer.
"The pipeline for security data has gotten to the point where it requires a pretty sophisticated operation itself," Oltsik said. Security organizations now have so much data on hand that it is not unusual for many to spend as much as half of their efforts on collecting, normalizing, logging, loading, and indexing the data for analysis.
Going forward, enterprise organizations need to be more strategic in how and why they are collecting data. To avoid redundancy they need to be clear about what's needed for threat detection and which data is required for forensic analysis and investigations.
Decisions need to be made about how much data needs to be online or available via fast storage, how much real-time processing is required, and how, where, and for how long to store the historical data required for threat investigations. "We have to start thinking about security analytics with a big data kind of mentality," Oltsik said.
3. Cloud migrations impose new requirements on the SOC
The continuing migration of enterprise workloads and data to the cloud has increased the attack surface and introduced new oversight and skills requirements for SOCs at many businesses.
About one-third of the organizations in the ESG survey are already using on-premises SIEM systems to monitor and analyze workloads running in the public cloud. This helps detect known cyber threats and produces reports for regulatory compliance purposes.
But many others say that's no longer enough and are also looking to move analytics and operations to the cloud. Oltsik said that in the past, organizations that wanted to keep security analytics and operations on premises outnumbered those wanting to migrate it to the cloud, by a factor of 2 to 1.
In the latest ESG survey, the respondents seemed more open to both possibilities. For instance, 41% said they preferred cloud-based security analytics and operations, and another 17% expressed willingness to consider it on a case-by-case basis.
Some organizations will simply move on-premises tools to the cloud, others will look for cloud-native alternatives, and some will look to augment on-premises SOC tools with cloud-based ones, according to the ESG report.
Thirty-eight percent already use cloud-based security analytics and operations technology, primarily for real-time threat detection and response, cyber risk management monitoring, and threat-intelligence analysis.
Many companies seem to realize that cloud-based technologies offer the processing and storage scale needed for big data security analytics and operations, Oltsik said.
"I was surprised by the willingness to move security analytics and operations technology to the cloud."
—Jon Oltsik
4. Next-gen SOCs need an open, integrated security platform
For a SIEM to serve as a centralized security operations platform for the SOC, it must be capable of integrating data from multiple sources. Many organizations have invested considerable sweat equity and money in on-premises SIEM systems and are currently looking to use SIEM as a common security analytics and operations platform for integrating analytics tools.
Twenty-three percent of the respondents to the ESG survey view SIEMs as having the scalability to provide visibility into event data enterprise-wide, and 22% are using them to integrate other security applications.
For SIEMs to continue to add value, they need to support integration and horizontal scaling, Oltsik said. Several SIEM vendors have already begun moving in this direction. They are working with other security vendors to make sure their SIEM platforms play nicely with third-party apps. And some SIEM vendors have online app stores from which enterprises can get third-party security apps that are already integrated with the SIEM platform.
For SIEM vendors, Oltsik said, the takeaway is simple: Don't offer products in this space "without a well-baked management service attached to it."
Plot your course to a smarter SOC
Many organizations are struggling to get a holistic picture of their security posture because of a lack of integration among their security tools.
Enterprises are collecting more analytics data and storing it for longer periods, compared to two years ago. But to derive full value from the data they need a common security analytics and operations platform for collecting, processing, analyzing, and acting upon the data.
"Doing things the same way is no longer an option. Enterprises need to look at the outcomes they want from data analytics and start piloting a strategic course to that."
—Jon Oltsik