They're overworked, they're stressed, and they may be looking to pivot into other areas of work: They're today's Security Operations (SecOps) teams. Today's companies put a lot of pressure and faith in SecOps to do the critical work of keeping advanced attackers, including ransomware, out of their networks. The results of a new SANS Survey, Modernizing Security Operations show why, in the face of high stakes and higher job demands, SecOps team's satisfaction may be affecting your organization's security.
The survey's stated purpose is "to better understand how customers think about modernizing security operations—not just getting better at defending" amid an ongoing shift toward cloud infrastructures and the increasing threat of ransomware. To do so, SANS gathered and analyzed data from 142 respondents globally across a range of industries and organizational sizes.
Eclipsing any findings on security technology or frameworks, the results signal a SecOps cry for help. Issues such as a lack of available talent and a mismatch between stakeholder expectations of response times and the actual impact of a breach hint that IT leaders should pay careful attention to cybersecurity stress to address the challenges and needs of today's security analysts.
Top Challenges Facing SecOps
Modern SOC teams are keenly aware of the rising risk of a data breach. With several high-profile attacks in 2021 by advanced cyber gangs setting off alarm bells, SecOps members cited ransomware as their biggest threat in 2021. Even more telling is the fact that common steps in the ransomware playbook—phishing, social engineering, and data exfiltration—rounded out the top four concerns. It's also worth noting that security teams are grappling with more than one worry: Supply chain attacks are a top concern for almost half of the respondents.
If SecOps is to succeed at defending their organization from today's threats, security teams and leaders need to be in alignment on resources and expectations. Unfortunately, a disconnect emerges when respondents declared that 77% of stakeholders expect that the average acceptable mean downtime for a severe incident is under a day. Meanwhile, SecOps teams report that the strategy behind that expectation falls short. The SANS report goes on to clarify that with "multiple respondents listing resourcing/budgetary concerns as factors influencing SecOps maturity roadmaps. The findings highlight that stakeholder expectations of downtime don't align with understanding the threat of budgetary/resourcing commitments."
If budgets and resources don't match leadership expectations, it follows that many SecOps teams find themselves working long hours with the success of the entire organization they work for potentially on the line. With stakes this high, most organizations would want to retain skilled analysts to effectively defend against the threats they are concerned about, but the survey reveals that 64% of SecOps professionals have five years or less experience.
Evidence tells us that many of them will move on to other disciplines, including engineering and system architecture, creating a high cybersecurity turnover rate. The systemic burnout results in a scarcity of team members to keep an eye on threats, and 61% of respondents reported staffing and manpower as their biggest concern.
Granted, worker shortages have affected many industry sectors since the start of the pandemic, the skills gap among security analysts has been a longstanding issue (we've discussed the skills gap and analyst fatigue here, here, and here). The findings in the SANS security survey paint a picture of why it has no signs of abating.
Inadequate and inexperienced staff can undoubtedly lead to security gaps. The SANS survey reports that, when asked what was involved in an attack, a wide majority of respondents (61%) cited staffing and manpower, over things like visibility into sensitive data and phishing and malware. This leads to the conclusion that low SecOps job satisfaction translates to real-world security weaknesses.
Tools for Saving SecOps
Layered Security with Post-Compromise Detection
According to the SANS survey, endpoint detection and response (EDR), security information and event management (SIEM), and vulnerability management (VM) are currently the tools most central to today's SecOps strategy. Meanwhile, phishing and social engineering are top-of-mind attacks that bypass perimeter controls.
Even if a security team had the resources to put toward end-user education to prevent social engineering, the old adage that the bad guys only have to be right once still holds true. This makes it inevitable that credential abuse will maintain a foothold on today's organizations, giving attackers a means of bypassing perimeter security.
Adding network visibility with a network detection and response (NDR) solution gives security teams a leg up against advanced threats, allowing them to expand their defensive range into the network itself where they can detect and eradicate threats after the initial compromise, but before a breach occurs. The good news is, teams are already adding that advantage: The trend towards post-compromise detection is rising steadily, with 57% of security teams reporting that NDR is central to their security strategy. Another 29% are making it a priority over the next 12 months.
SecOps Automation
Automating responses can make a security professional's day-to-day job a bit more manageable and accessible. That said, automation isn't exactly a savior that will relieve the pressure on overworked teams. The SANS survey notes that automation is second only to incident response when asked about organizational strengths, but is also the top reported weakness. The report concludes that "SOAR, while complementary to SecOps functions, isn't effective in augmenting cyber staffing shortages."
It's important to note that automation, like much of cybersecurity technology, has advanced in recent years. Solutions that are part of the SOC visibility triad (SIEM, EDR, and NDR) have leaned into out-of-the-box integrations, and open XDR platforms have emerged as a way for teams to more effectively automate and streamline detection, response, and forensics.
Modernization Starts with People
It's important to remember that people, not tools, are responsible for an organization's security. While the right tools can help build smoother workflows and faster investigations, there is no one solution that can replace the staff needed to monitor for alerts.
Today's security operations center challenges are deeply interconnected: Security tools and new technology can introduce complex workflows; complex workflows contribute to slow response times and require more experienced staff; experienced staff is hard to hire. As these challenges persist, expectations for SecOps success are sky-high, but sufficient budget and investment don't match. The SANS survey reminds us that there is no magic formula for effective SecOps modernization.
In this confluence of challenges, there also lies opportunity. A staff-centric approach to purchasing tools and establishing processes allows security leaders to simultaneously reduce complexity and ease staffing challenges. Selecting tools that prioritize usability by less-experienced analysts opens up a wider hiring pool and reduces the risk of staff burnout. By focusing on security investments and processes that address multiple key SecOps challenges at once, leaders can empower their staff to actually achieve ambitious improvements in breach impact assessment, response times, and other key metrics of SecOps success.
For a deeper understanding of today's challenges, watch the Modernizing Security Operations Survey webinar to hear experts from SANS, ExtraHop, and CrowdStrike chat about the factors behind the recent trends and discuss solutions.