A dramatic increase in remote work, expanded use of the cloud, and a continuing shortage of security professionals continue to challenge companies as the world begins to emerge from the coronavirus pandemic.
Monitoring security across a growing attack surface is the most significant challenge, with 40% of respondents to the CyberRes 2021 State of Security Operations report considering it to be their No. 1 concern. It was also the top concern flagged for security operations by business and technology consultancy Deloitte in its Future of the SOC report.
Rob Boshonek, managing director for Deloitte’s Cyber Risk Advisory team, said the explosion of cloud adoption has compounded that problem. "Large companies today have to manage hybrid environments, where they are still using some on-prem technologies while leveraging multiple clouds."
"Cybersecurity is all about visibility—visibility of your attack surface and informing your decisions based on the data you are gathering."
—Rob Boshonek
The surveyed companies recognize that their security operations challenge requires additional investments, with more than 84% increasing their spending on security operations and training.
And few in the business world expect the workplace to go back to normal. Companies have increased monitoring of remote access, adopted more cloud-based security solutions, and increased their investments in threat intelligence, according to the latest State of SecOps report.
The changes will likely continue as the business world remains in a wait-and-see mode, said David O'Berry, senior managing consultant for the cyber center of excellence at technology-services provider Capgemini.
"We are in a world that is evolving rapidly. Previously, businesses focused on ubiquity—working anywhere, anytime. Now, it has to be about securing that ubiquity going forward. So the security has to follow the device and the user."
—David O'Berry
Adapting to the new normal is critical. Here are five ways that SecOps will change.
1. Remote becomes the rule for endpoints and security teams
In the past, even after most organizations recognized that the perimeter had disappeared, they retained a castle-siege mentality. The pandemic, however, forced the "villagers" of that metaphor out into the countryside, where it is much harder to keep them secure, O'Berry said.
"Coronavirus forced the situation, and I don't know if it will go back to being more centralized. They had to figure out how to take these very centralized functions in many cases, and figure out how to decentralize them, and most are not going to go back."
—David O'Berry
Will business go back to "normal"? There is no way to know whether another business-disrupting event will arrive in the next few years or the next few decades, but the lesson of the coronavirus is that companies should be ready to keep operating if one does.
2. Expanding attack surface
Companies face a plethora of attackers and attack types. Old attack strategies using new technologies and new attack strategies exploiting older systems are both threats, and Deloitte states in its Future of the SOC report that most companies face security issues posed by their past, present, and future technologies. Mainframes and legacy systems carry old security debt, while present threats include bring-your-own-device (BYOD) issues and remote users. Finally, as more companies move their infrastructure into the cloud, containers and serverless functions need to be secured.
The SOC is where all these trends meet, forcing security operations to make plans that consider the past, present, and future.
"As enterprises gain more business insights into their data, cyber adversaries are presented with a multitude of new opportunities to exploit the expanding attack surface. Their tactics, techniques, and procedures (TTPs) are shifting to keep pace with these major technology shifts."
—Deloitte's Future of the SOC report
The CyberRes 2021 State of SecOps report bears out the concern: 40% of respondents ranked monitoring security across a growing attack surface as a top challenge.
3. Hybrid SOCs are the rule
Few security operations teams do everything in-house, and very few are entirely outsourced: fewer than 10% of companies sit at either extreme. Instead, the vast majority run a mix of in-house and outsourced operations, with 92% of companies finding they need to outsource at least some of their security functions.
The future of remote work will make companies more likely to adopt cloud security services to allow distributed security teams to operate efficiently and to minimize costs, said Deloitte's Boshonek.
Many cloud providers charge egress fees when data leaves their environment, so a lot of companies are hesitant to ship instrumentation data out of the cloud where it is generated, he said.
"This is another reason they are getting driven to a hybrid environment where you have visibility into each cloud environment. Then they find that you have to aggregate that in some way."
—Rob Boshonek
4. Alerts continue to overwhelm SOC teams
Some experts have argued that the focus on alerts has distracted companies from where their focus should be—on threats. However, alerts continue to pose a significant noise problem for most security operations centers. Nearly 30% of companies considered improving the ability to detect and analyze attacks to be the top reason for boosting the levels of skilled staffing, according to the CyberRes report.
Is technology that could significantly mitigate the problem ready? Not yet, said Boshonek. Security operations teams will still need to do much of the analytical work.
"There have been promises of solving the alert problem, but we are still dealing with too many. I wouldn't say we will never solve it, but there is no technology out there today that we can drop in and reduce the problem significantly."
—Rob Boshonek
5. More integration of knowledge centers
Finally, companies should not treat security, IT, compliance, and legal as separate silos; they should instead build interdisciplinary teams that support the business as a whole. The security operations center, the network operations center, the help desk, and the compliance team should be closely integrated.
Breaking down silos between operational groups is critical to provide the proper context for events, said Capgemini's O'Berry.
"Although security people don't often consider the help desk as part of their environment, it oftentimes is the aggregator of some of the best information for security event information."
—David O'Berry
SecOps teams must adapt
Companies need to overcome the challenges of having many remote workers, confronting a scarcity of security professionals, and adjusting their security to the demands of the cloud. Adopting a threat modeling framework, implementing processes for managing the attack surface, and aggressively pushing automation throughout security operations areas will help increase a company's security maturity, the 2021 State of SecOps report explains.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.