Why SecOps is Needed Now More Than Ever
It seems everything around us is getting smarter: Smartphones, smart cars, smart thermostats, smart refrigerators, smart TVs, smart lights, smart homes, etc.—everywhere we go we find ourselves interacting with technology. In fact, according to Digital 2021: Global Overview Report from Datareportal.com, adults now spend almost seven hours a day interacting with all of their connected devices.
Just as technology is becoming a larger part of our daily lives, businesses also increasingly rely on technology to improve communication, enhance decision making, manage customer relationships, drive go-to-market solutions and more. Just look at how business leaders are investing: Worldwide IT spending is expected to exceed $4 trillion in 2022, according to Gartner.
Technology has had a massive, transformative impact on business, but the introduction of modern capabilities and new technologies expands the threat surface significantly. According to the FBI’s 2020 Internet Crime Report, the Internet Crime Complaint Center received a record 791,790 cybercrime complaints in 2020. Security breaches are not only common, but they are also costly—with the average data breach in 2020 costing businesses $3.86 million according to a new report from IBM and the Ponemon Institute.
Business leaders are taking note. Spending on information security and risk management technology and services is expected to grow 12.4%, reaching $150.4 billion in 2021, according to Gartner. The increased focus on security is good news, but the approach needs to mature as well if we want to get the most out of our investments. Traditionally, new threat vectors (from introducing new technologies) are addressed by purchasing and implementing new point solutions which can lead to significant security technology sprawl.
In no time at all, the security toolchain is a large stack of firewalls, endpoint detection and response solutions (EDR), data loss prevention solutions (DLP), network access control (NAC) and more. And that stack becomes more bloated as the security landscape becomes increasingly complex. It is common for midsize and large organizations to have 15 to 40 different point solutions in their core security stack and up to 80 when you evaluate their complete technology portfolio.
There’s a certain logic to this approach: Identify a security gap; deploy a technology solution to mitigate it. Repeat. However, this “tool first” approach to security often comes at the expense of the two other pillars of a mature security program: Processes and people. This approach can cause significant problems over time, creating technology silos between teams, adding exponential complexity to response teams, and reducing program transparency due to a lack of central reporting.
Security analysts, often from the security operations center (SOC), are commonly assigned to triage the various alerts and other information these tools generate. Tool sprawl forces them to take a “swivel chair” approach to processing new issues as they come into the SOC. The SOC analyst might have to log into as many as 10 different systems just to determine whether an event is real (and requires further action to mitigate) or is a false positive.
This slows down analysis and exacerbates actual security threats by delaying remediation. The SOC team often lacks the 360-degree visibility it needs to evaluate, contextualize and respond to security data in a centralized location—a problem that worsens as the complexity of your technology stack and the corresponding threat landscape continues to grow.
These organizations must modernize their approach so that they can achieve the benefits of emerging technologies without introducing unnecessary risks.
Following are three steps to help IT leaders modernize their security operations program:
Invest as much in processes as you do technology.
The more technology we have, the more dependency we have on ways to aggregate the data and make it intelligent and actionable. A security incident event management (SIEM) solution is critical to aggregate all the data from disparate sources to a common system of record where we can leverage workflows to remediate the threat.
Build a security operations control tower.
Aggregation alone is not enough; build a security operations program that can filter through the thousands of alerts and find the threats that matter. It is critical to build a security “control tower” that gives equal consideration to the processes and the technology, consolidating events from your SIEM into a single system of action, that enables your people to identify, triage and address security threats quickly and efficiently.
Empower people by staying focused on the end goal.
The ultimate objective of a security program is to prevent as many threats as possible while also enabling your security teams to take quick and correct action when threats arise. This means that enabling and empowering people with efficient technology that aggregates and enriches data supported by well-defined processes that provide guidance and remove confusion should be the goal.
