Halt the Alerts: It’s Time to Democratize Threat Detection

Why threat detection tech and strategies need to be democratized.

March 23, 2023

We’re reaching a breaking point: environments are becoming more chaotic while requirements constantly change, leaving SOC teams overwhelmed. Organizations are taking a hard look at the security operations strategies, processes, and technologies supporting cloud-driven, hybrid work models, explains Karthik Kannan, founder and CEO of Anvilogic.

We’re in the red. No, we’re not talking about a bank account. We’re talking about your SOC (security operations center) team. They are reaching a breaking point. The perfect storm has hit: teams are facing an uphill battle to transform their security operations infrastructure while fending off attacks, all the while dealing with alert fatigue and shorthanded teams stretched to capacity. 

Whether attributed to the stress of the job or to a broader absence of skilled candidates, SecOps staffing levels are proving insufficient, and filling the open roles is proving to be a challenge. In fact, vacant cybersecurity jobs are expected to reach 3.5 million in the U.S. by 2025. While some industries are experiencing layoffs as recession predictions loom, the increasingly chaotic SecOps space (57% of respondents in the survey discussed below said it is more chaotic than it was two years ago) cannot find nearly enough qualified talent to fill the openings and keep teams afloat.

With all the mandatory responsibilities already on their plates, fending off attack groups whose sole mission, pursued 24/7, is penetrating organizations’ infrastructure is like bringing a knife to a gunfight. Attackers are kicking SOC teams while they are down, exploiting the large volume of infrastructure change inside organizations to find weak links and introduce new threats.

But security isn’t just for the CISO and the security team. Can you confidently say you know what your SOC is doing? Are you making sure security is part of your business decisions? Can you confidently say you understand how the SOC is reducing risk to help drive business success? Part of the difficulty in solving this problem is a misunderstanding of the role SOC teams play in mitigating business risk in the first place.

According to a recent survey of security decision-makers responsible for threat detection at their organizations (the source of the data cited throughout this article), 60% of all security professionals surveyed believe their C-suite and line-of-business executives do not fully recognize, or dramatically underestimate, the importance of the SOC in mitigating business risk or driving future business success.

How Can SecOps Teams Win When Stretched So Thin? 

Security professionals are calling loudly for change: 96% of those surveyed struggle to balance getting the job done with getting it done efficiently, and 89% of surveyed security decision-makers feel their organization needs a moderate or transformational amount of change in its SOC to mitigate business threats over the next 12 to 24 months.

Security operations depend on effective mechanisms to detect potential threats, especially as the entire infrastructure and attack surface comes under greater pressure from more advanced threats. As security teams re-architect operational infrastructure and work to plug SecOps gaps, daily SecOps activities must continue to mitigate risk. SecOps teams spend the most time managing controls, significantly more than they spend on detection engineering or incident remediation. This means more time goes to low-level tasks than to the areas that would deliver the most value and most reduce risk to the business. As the attack surface keeps growing, especially with more cloud workload and infrastructure adoption, many SOC teams have had to supplement existing tools with manual processes to close gaps and address blind spots in cloud workloads.

Much as many people spend their time in meetings rather than finishing their deliverables, security teams spend their time chasing cracks in the infrastructure rather than fixing the problem at the foundation: detection engineering. Security professionals see the biggest gaps in their SOC capabilities around core security functions: threat detection, and investigation and triage.

Over half of the security professionals surveyed report that alert triage is challenging or overwhelming, and more than three-quarters (77%) want new ways to engineer detection rules. Automation can help significantly, and the survey suggests its impact is largest when it is applied consistently rather than piecemeal: while 83% were using automation “in some capacity,” respondents not using it exclusively were 2.3 times more likely to have trouble with alert prioritization.

The complexity of threat detection is causing SOC teams to take a hard look at how improved detection engineering can help with assimilating and analyzing security signals from this diverse set of operating infrastructure. 


Detection Engineering Skills Need to Be Prioritized  

The challenges that SOC teams face are intertwined. Detecting threats sooner reduces the scope of damage and thwarts many attacks that would otherwise succeed given longer dwell times. And security decision-makers are ready to take out their checkbooks to solve this: 98% of all surveyed security decision-makers are confident that their organization will fund the transformations needed in their SOC. Three-quarters of all security professionals surveyed expect this investment to produce a moderate or drastic reduction in dwell time. Sounds like a perfect plan, right?

Despite this potential return on further investment in detection engineering, few seem able to allocate sufficient resources, owing to staffing challenges and the long cycle time of detection engineering, an activity that is almost evenly split between in-house and outsourced staff:

  • 86% of survey respondents said the new detection lifecycle (i.e., identifying the need, creating the detection, testing and deploying the detection) takes a week or more and 
  • 57% of all respondents say the amount of work required to design, code, implement and manage their threat detection rules is either overwhelming or challenging.

While security leaders put a premium on detection engineering, the skills are scarce on security operations teams, especially when it comes to tuning controls and investigating alerts. What’s more, the resources most organizations dedicate to detection engineering are single-threaded: 64% of survey respondents have either only one individual dedicated to detection engineering or none at all. Budgetary support will help organizations keep pace with the ever-developing threat landscape, but the quality of their decision-making is what will differentiate the organizations that make gains in this area. It is critical to increase not just support levels but also efficiency and the quality of insight.

As security architecture evolves, organizations need to ensure that the investment they have made in detection rules can be reused across multiple detection mechanisms rather than rewritten for each one, getting the most out of their detection engineering spend. The smaller the team, the more imperative it is to augment it with intelligent, automated detection engineering tooling.
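The lifecycle listed above (identify the need, create the detection, test it, deploy it) and the goal of reusing one rule across several detection mechanisms are easier to reason about with a concrete detection-as-code sketch. The following is an added example written for this page, not Anvilogic’s or the author’s code: a single logical rule carries its own test cases, is mapped onto two hypothetical log schemas (`sysmon` and `edr_json`), and is gated so that it cannot ship while any embedded test fails. The rule, the field maps, and the sample events are all constructed for illustration.

```python
"""Detection-as-code sketch: one logical rule, two log schemas, tests that gate deployment.

Constructed example for illustration only; rule, field maps and events are made up.
"""
import re
from typing import Any

# --- 1. Identify the need and create the detection, written once ---------------
# Field names are logical (not vendor-specific), so any source that can be
# mapped onto them can run the same rule without a rewrite.
RULE: dict[str, Any] = {
    "title": "Encoded PowerShell command line",
    # Each condition is (logical field, operator, pattern); all must hold (AND).
    "conditions": [
        ("process.name", "endswith", "powershell.exe"),
        # -e / -ec / -enc / -encodedcommand followed by a base64-looking blob.
        ("process.command_line", "regex",
         r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}"),
    ],
    # Test cases travel with the rule so a CI job can replay them on every change.
    "tests": [
        {"source": "sysmon", "expect": True,
         "event": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}},
        {"source": "sysmon", "expect": False,
         "event": {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                   "CommandLine": "powershell.exe -File C:\\scripts\\backup.ps1"}},
        {"source": "edr_json", "expect": True,
         "event": {"proc_name": "powershell.exe",
                   "cmdline": "powershell.exe -EncodedCommand dwBoAG8AYQBtAGkA"}},
        {"source": "edr_json", "expect": False,
         "event": {"proc_name": "cmd.exe", "cmdline": "cmd.exe /c whoami"}},
    ],
}

# --- 2. Map logical fields onto each platform's schema (hypothetical sources) ---
FIELD_MAPS: dict[str, dict[str, str]] = {
    "sysmon":   {"process.name": "Image",     "process.command_line": "CommandLine"},
    "edr_json": {"process.name": "proc_name", "process.command_line": "cmdline"},
}


def normalize(event: dict[str, Any], source: str) -> dict[str, Any]:
    """Project a raw event onto the rule's logical field names."""
    return {logical: event.get(raw) for logical, raw in FIELD_MAPS[source].items()}


def matches(rule: dict[str, Any], event: dict[str, Any], source: str) -> bool:
    """Evaluate every condition (AND) against the normalized event."""
    norm = normalize(event, source)
    for field_name, op, pattern in rule["conditions"]:
        value = norm.get(field_name)
        if value is None:
            return False  # field missing in this source: no match, never an exception
        if op == "endswith":
            if not str(value).lower().endswith(pattern.lower()):
                return False
        elif op == "regex":
            if re.search(pattern, str(value)) is None:
                return False
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return True


# --- 3. Test: replay the embedded cases against every mapped source ------------
def run_rule_tests(rule: dict[str, Any]) -> dict[str, int]:
    """Return pass/fail counts for the rule's own test cases."""
    passed = failed = 0
    for case in rule["tests"]:
        if matches(rule, case["event"], case["source"]) == case["expect"]:
            passed += 1
        else:
            failed += 1
    return {"passed": passed, "failed": failed}


# --- 4. Deploy: ship only a rule whose tests all pass ---------------------------
def ready_to_deploy(rule: dict[str, Any]) -> bool:
    """Deployment gate: at least one test, and none failing."""
    result = run_rule_tests(rule)
    return result["failed"] == 0 and result["passed"] > 0


if __name__ == "__main__":
    print(run_rule_tests(RULE))
    print("deploy" if ready_to_deploy(RULE) else "hold")
```

The point is not the regex, which a real rule would tune further, but the shape: logic and expectations live together, a new source only needs a field map, and the gate turns the week-long cycle in the survey into a check that runs on every commit.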

Threat detection should be democratized across the SOC: it should be possible to build and run detections across hybrid environments, multiple clouds, and data lakes without the SOC team being weighed down by the data or having to learn a new query language or platform for each one.

Modernize Security Operations by Democratizing Threat Detection

Unifying and automating the security operations detection engineering process across people, processes, and technology reduces the time, manual effort, and complexity of building detections and managing the SOC overall. But most importantly, it will help organizations get the most out of the investments they have made and are currently making in their security architecture. 

With AI-driven recommendations and frameworks in place that continuously assess, prioritize, detect, hunt, and triage to quickly mitigate risk, data ownership costs can be minimized, and security teams can be empowered to automatically detect and respond to the incidents that matter most across unique attack surfaces. 

Adapting to an ever-evolving threat landscape with underutilized automation and short-staffed teams might feel a bit like running up a stairmaster while alarms are ringing in every direction. But, with the right tools in place, it can feel more like walking on a treadmill with a single bell ringing. 



Karthik Kannan
Karthik Kannan is the founder and CEO of Anvilogic, a venture-backed cybersecurity startup based in Palo Alto. He previously led Security Analytics at Splunk following the acquisition of his previous company, Caspida. Before co-founding Caspida, Karthik was a founding executive member of other successful startups ultimately acquired by large public corporations. He’s also worked at NetApp and Goldman Sachs. Karthik has three decades of experience across cybersecurity, analytics, and big data specializing in general management, product development, strategic planning, marketing, and advisory. He’s an active volunteer in programs benefiting the local community in the Bay Area and his native India.