The global shift to remote work has made it increasingly difficult for companies to stay ahead of attackers. KuppingerCole, an international independent analyst firm that contributed to HP’s report, Blurred Lines & Blindspots, noted that there has been a 238% increase in global cyberattack volume this past year.
That’s where SecOps teams come into play: to protect against, respond to, and mitigate the overwhelming number of threats. With the shift to remote work and the increasing number of cyberattacks, there are new trends that organizations should focus on, such as automation, alert prioritization, and workforce trends.
We’ve had the pleasure to discuss those trends with Jonathan Haas, who led security operations at Carta, an equity management platform. He has been in the security operations space for several years, working for various companies with various degrees of need for security operations. Before Carta, he led in similar roles at companies like DoorDash and Snapchat. Throughout his roles, Jonathan has relied on various tools, such as automation, to help him manage the abundance of alerts that come in.
Automation
Automation has been a hot topic in the cybersecurity industry, and many companies want to automate as much as possible. In a report published by Deep Instinct, it is noted that 90% of cybersecurity professionals agree that automation allows them to free up teams to focus on higher-value and more strategic tasks.
“When most people say they want automation, what they really want is leverage. They want what you get out of using a drill versus using a screwdriver, striving for the ability to do more with less.” – Jonathan
According to a recent report from Sumo Logic, 93% of security teams reported that they could not address all their security alerts each day. Hiring more analysts is not always possible, so the alternative is to leverage automation to keep pace and respond to all of the alerts. Some of the tools that allow companies to incorporate automation in their organizations are AI and Machine Learning (or Intelligence Augmentation) and SOAR (security orchestration, automation, and response).
Alert Prioritization/Management
Alert fatigue is an increasing issue, as current tools surface every type of detected abnormality for security operations teams to investigate. Sumo Logic revealed that over the past five years, 70% of companies stated that the number of security alerts they receive on a daily basis has doubled, if not more. This takes a toll on teams by leaving them overwhelmed and stressed, reducing their confidence to prioritize and respond. The increase can be due to a combination of many vulnerabilities in an organization and detection tools generating too many false-positive alerts.
Teams should focus on mitigating the noise, seeking tools that can prioritize alerts intelligently and surface the most severe ones for triage and mitigation. One way to manage the mountains of alerts is to balance the skill sets of the team with automation. Security operations teams should shift from tier-based incident management to skill-based, where the experienced team members with the most appropriate skill sets handle a specific incident. This allows everyone to play to their strengths, resolve incidents more quickly, and reduce burnout.
Workforce Trends
We’ve touched on automation above, but there’s another point worth mentioning in relation to security operations team performance. The push toward automation is also due to organizations being primarily evaluated on metrics such as MTTR and MTTD alone, without much context around accuracy or due diligence around a particular incident.
“Tracking metrics such as MTTD and MTTR alone isn’t sufficient, since they incentivize security operations individuals to make sure they alert on everything and close incidents as soon as possible without doing much diligence.” – Jonathan
Those metrics have been around for so long that, even though they don’t incentivize teams in the best way, the industry can’t replace them. Instead, an accuracy measure can be added alongside them, so that the way a team resolves incidents is understood and its performance can be improved. Jonathan brought up an interesting point during our conversation, mentioning that teams should be more focused on whether they are actually reducing the tangible amount of risk that exists in an organization.
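To make the point concrete, here is an added example (not from the article or from Carta) that scores two constructed incident queues on MTTD, MTTR and a simple accuracy measure. The `confirmed_correct` field is an assumption for illustration: whether an analyst's disposition held up on later review (the ticket was not reopened and no compromise was missed).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    occurred: datetime          # when the suspicious activity started
    detected: datetime          # when the alert fired
    resolved: datetime          # when the analyst closed the ticket
    confirmed_correct: bool     # assumed field: disposition held up on review


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def mttd(incidents: list[Incident]) -> float:
    """Mean time to detect: occurrence -> alert, in hours."""
    return mean(_hours(i.detected - i.occurred) for i in incidents)


def mttr(incidents: list[Incident]) -> float:
    """Mean time to resolve: alert -> ticket closed, in hours."""
    return mean(_hours(i.resolved - i.detected) for i in incidents)


def accuracy(incidents: list[Incident]) -> float:
    """Share of closed incidents whose disposition was confirmed correct."""
    return sum(i.confirmed_correct for i in incidents) / len(incidents)


def scorecard(incidents: list[Incident]) -> dict[str, float]:
    """MTTD and MTTR alone reward fast closing; accuracy exposes the cost."""
    return {
        "mttd_h": round(mttd(incidents), 2),
        "mttr_h": round(mttr(incidents), 2),
        "accuracy": round(accuracy(incidents), 2),
    }


# Constructed sample data: same detection delays, different analyst behaviour.
T0 = datetime(2021, 6, 1, 9, 0)


def _inc(det_h: float, res_h: float, ok: bool) -> Incident:
    return Incident(T0, T0 + timedelta(hours=det_h), T0 + timedelta(hours=res_h), ok)


FAST_CLOSE = [_inc(1, 1.5, True), _inc(2, 2.25, False), _inc(1, 1.5, False),
              _inc(3, 3.5, True), _inc(2, 2.25, False)]   # closes in minutes, 3/5 wrong
DILIGENT = [_inc(1, 5, True), _inc(2, 6, True), _inc(1, 4, True),
            _inc(3, 7, True), _inc(2, 5, True)]           # slower, every call holds up
```

Judged on MTTR alone the fast-closing queue looks nine times better; the accuracy column shows it was wrong on three of five incidents.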
In conclusion, leaders should focus on people, process, and how they leverage technology within the SOC. Furthermore, they should speak with their team members to see where support might be needed from an automation perspective, re-evaluate how security operations performance is being measured, and look at how processes can be streamlined.