The State of SecOps
The research findings reveal that most organisations use and manage automation technologies like SIEM (84%) or SOAR (73%) platforms in-house. These tools are designed to aggregate and analyse threat activity from across the IT environment (SIEM) and automate investigative workflows (SOAR) to make security operations teams more effective.
However, only 16% of respondents said they are confident that they have full visibility into alerts. On average, respondents said they miss almost a fifth of alerts.
“SIEM and SOAR tools are not a silver bullet for SecOps and often require more work than IT security buyers realise. If they’re not kept continually fine-tuned and manned by experts, analysts are likely to be overwhelmed by alert volumes, meaning some threats slip through under the radar,” said SOC.OS CEO Dave Mareels. “There’s a tremendous business cost to this, in terms of potential breaches, lost productivity and staff burnout.”
The SOC.OS research found that IT security decision makers are forced to spend over eight hours each week managing alerts. Nearly three-quarters (72%) agreed that this amount of time, and the vicious cycle of firefighting that SecOps teams are forced into, means that analysts aren’t able to use security technology to its full potential.
“Organisations have so many tools, which all produce data that needs to be winnowed down into meaningful bites for investigation. This is a challenge,” Rupert Ogilvie, Senior Consultant at Intergence Systems, adds. “A lot of smaller companies acquire more and more security tools as they grow, and then new regulations kick in, and before they realise it, they have no way to manage all of this security data. There is a real need for organisations to take the complexity out of data analysis so that they can focus on the more important things.”
Over two-thirds of respondents (68%) also agreed that increased workload and stress, combined with insufficient resources, lead to frequent staff burnout in SecOps. That said, if they had the opportunity to start again from scratch, nearly half (46%) of security leaders would still build their SecOps function starting with the technology, rather than focussing on people, process and culture.
“I always preach the four pillars of security: tech, people, process and culture. If I were to rank these in order, I'd say culture and people are a joint first priority, and only then should you consider technology and process as secondaries,” said Mareels.
“It’s sad that so many infosec leaders focus primarily on technology. Have we succumbed so badly to ‘silver bullet’ vendor marketing that we actually believe the hype? Give me a high-functioning and motivated team with an average tech stack over the best tech stack in the world with a burnt-out, sub-par functioning team any day of the week.”
The study also revealed that the vast majority (79%) of respondents are covered by cyber-insurance. However, nearly two-fifths (37%) admitted that they don’t fully understand the scope of coverage, which could lead to a false sense of security.