
3 Key SecOps Trends to Focus On

The global shift to remote work has made it increasingly difficult for companies to stay ahead of attackers. KuppingerCole, an international independent analyst firm that contributed to HP’s report, Blurred Lines & Blindspots, noted that there has been a 238% increase in global cyberattack volume this past year.

That’s where SecOps teams come into play: protecting the organization, responding to incidents, and mitigating an overwhelming volume of threats. With the shift to remote work and the rising number of attacks, there are three trends organizations should focus on: automation, alert prioritization, and workforce trends.

We’ve had the pleasure of discussing those trends with Jonathan Haas, who led security operations at Carta, an equity management platform. He has worked in security operations for several years at companies with widely varying needs for it. Before Carta, he held similar roles at DoorDash and Snapchat. Throughout these roles, Jonathan has relied on tools such as automation to manage the volume of incoming alerts.

Automation

Automation has been a hot topic in the cybersecurity industry, and many companies want to automate as much as possible. In a report published by Deep Instinct, it is noted that 90% of cybersecurity professionals agree that automation allows them to free up teams to focus on higher-value and more strategic tasks.

“When most people say they want automation, what they really want is leverage. They want what you get out of using a drill versus using a screwdriver, striving for the ability to do more with less.” – Jonathan

According to a recent report from Sumo Logic, 93% of security teams reported that they could not address all of their security alerts each day. Hiring more analysts is not always possible, so the alternative is to use automation to keep pace with the alert volume and respond to every alert. Technologies that let organizations automate include AI and machine learning (sometimes framed as intelligence augmentation) and SOAR (security orchestration, automation, and response) platforms.

Alert Prioritization/Management

Alert fatigue is a growing problem, because current tools surface every detected anomaly for security operations teams to investigate. Sumo Logic found that over the past five years, 70% of companies saw the number of security alerts they receive each day at least double. This takes a toll on teams, leaving them overwhelmed and stressed and reducing their confidence to prioritize and respond. The increase can stem from a combination of many vulnerabilities across an organization and detection tools that generate too many false positives.

Teams should focus on reducing the noise, seeking tools that prioritize alerts intelligently and surface the most severe ones for triage and mitigation. One way to manage the mountain of alerts is to balance the team’s skill sets with automation. Security operations teams should shift from tier-based incident management to skill-based management, where the experienced team members with the most appropriate skill set handle a given incident. This lets everyone play to their strengths, resolves incidents more quickly, and reduces burnout.
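The noise reduction, prioritization, and skill-based routing described above can be sketched in a few functions. The following is an added example, not code from the article or from any product it mentions; the alert fields, severity weights, asset criticality table, and analyst skill sets are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Field names are assumed for illustration.
SAMPLE_ALERTS = [
    {"id": "a1", "time": "2021-06-01T09:00:00", "severity": "high",   "type": "malware",   "host": "fin-db-01", "user": "svc_backup"},
    {"id": "a2", "time": "2021-06-01T09:02:00", "severity": "high",   "type": "malware",   "host": "fin-db-01", "user": "svc_backup"},  # repeat of a1
    {"id": "a3", "time": "2021-06-01T09:05:00", "severity": "low",    "type": "phishing",  "host": "laptop-22", "user": "jdoe"},
    {"id": "a4", "time": "2021-06-01T09:30:00", "severity": "medium", "type": "cloud_iam", "host": "aws-prod",  "user": "ci-deployer"},
    {"id": "a5", "time": "2021-06-01T10:40:00", "severity": "high",   "type": "malware",   "host": "fin-db-01", "user": "svc_backup"},  # same key, outside window
]

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
# Assumed asset inventory lookup; hosts not in the inventory default to criticality 1.
ASSET_CRITICALITY = {"fin-db-01": 3, "aws-prod": 3, "laptop-22": 1}

# Assumed roster: who can handle which alert types (skill-based, not tier-based).
ANALYSTS = [
    {"name": "alice", "skills": {"malware", "forensics"}, "open": 0},
    {"name": "bob",   "skills": {"cloud_iam", "phishing"}, "open": 0},
]


def dedupe(alerts, window=timedelta(minutes=30)):
    """Collapse alerts with the same (type, host, user) fired within `window` of the
    first occurrence into one entry, keeping a count so the noise is visible, not lost."""
    first_seen = {}
    out = []
    for a in sorted(alerts, key=lambda a: a["time"]):
        key = (a["type"], a["host"], a["user"])
        t = datetime.fromisoformat(a["time"])
        if key in first_seen and t - first_seen[key]["_t"] <= window:
            first_seen[key]["count"] += 1
            continue
        entry = dict(a, count=1, _t=t)
        first_seen[key] = entry
        out.append(entry)
    return out


def score(alert):
    """Risk score = severity weight x asset criticality; orders the queue."""
    return SEVERITY_WEIGHT[alert["severity"]] * ASSET_CRITICALITY.get(alert["host"], 1)


def route(alert, analysts):
    """Skill-based routing: least-loaded analyst whose skills cover the alert type.
    Falls back to the least-loaded analyst overall so nothing is left unowned."""
    capable = [x for x in analysts if alert["type"] in x["skills"]] or analysts
    chosen = min(capable, key=lambda x: x["open"])
    chosen["open"] += 1
    return chosen["name"]


def triage(alerts, analysts):
    """Return the de-duplicated queue, highest risk first, each alert with an owner."""
    for x in analysts:
        x["open"] = 0
    queue = sorted(dedupe(alerts), key=score, reverse=True)
    return [
        {"id": a["id"], "count": a["count"], "score": score(a), "owner": route(a, analysts)}
        for a in queue
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, ANALYSTS):
        print(row)
```

On the constructed input, a1 and a2 collapse into one entry (count 2), a5 stays separate because it falls outside the 30-minute window, the two high-severity alerts on the critical database host rise to the top, and both malware alerts land with the analyst who has that skill while the IAM and phishing alerts go to the other.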

Workforce Trends

We’ve touched on automation above, but there’s another point worth mentioning in relation to security operations team performance. The push toward automation is also driven by organizations being evaluated primarily on metrics such as mean time to detect (MTTD) and mean time to respond (MTTR) alone, without much context about the accuracy or diligence applied to a particular incident.

“Tracking metrics such as MTTD and MTTR alone isn’t sufficient since they incentivize security operations individuals to make sure they alert on everything and close incidents as soon as possible without doing much diligence.” – Jonathan

Those metrics have been around for so long that, even though they don’t incentivize teams in the best way, the industry is unlikely to replace them. Instead, an accuracy measure can be added alongside them to understand how teams resolve incidents and to improve performance. Jonathan raised an interesting point during our conversation, noting that teams should focus more on whether they are actually reducing the tangible amount of risk that exists in the organization.
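To make the point concrete, the added example below (not from the article or from Jonathan) computes MTTD and MTTR over a constructed set of incident records and pairs them with two accuracy measures: the share of handled incidents confirmed as real, and the share reopened after closure. It also recomputes MTTR over confirmed incidents only, to show how quickly-closed false positives flatter the headline number. The record fields and timestamps are assumed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not real SOC data). "true_positive" is the post-incident
# verdict; "reopened" marks a ticket closed too early and reopened later. Fields assumed.
INCIDENTS = [
    {"id": "i1", "occurred": "2021-06-01T08:00:00", "detected": "2021-06-01T08:10:00",
     "resolved": "2021-06-01T09:10:00", "true_positive": True},
    {"id": "i2", "occurred": "2021-06-01T10:00:00", "detected": "2021-06-01T10:01:00",
     "resolved": "2021-06-01T10:05:00", "true_positive": False},
    {"id": "i3", "occurred": "2021-06-01T11:00:00", "detected": "2021-06-01T11:02:00",
     "resolved": "2021-06-01T11:04:00", "true_positive": False},
    {"id": "i4", "occurred": "2021-06-01T12:00:00", "detected": "2021-06-01T13:07:00",
     "resolved": "2021-06-01T16:07:00", "true_positive": True, "reopened": True},
]


def _minutes(start, end):
    """Whole-minute difference between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mttd(incidents):
    """Mean time to detect, in minutes: occurred -> detected."""
    return mean(_minutes(i["occurred"], i["detected"]) for i in incidents)


def mttr(incidents):
    """Mean time to respond/resolve, in minutes: detected -> resolved."""
    return mean(_minutes(i["detected"], i["resolved"]) for i in incidents)


def precision(incidents):
    """Share of handled incidents confirmed as real; penalizes 'alert on everything'."""
    return sum(i["true_positive"] for i in incidents) / len(incidents)


def reopen_rate(incidents):
    """Share of incidents reopened after closure; penalizes closing without diligence."""
    return sum(bool(i.get("reopened")) for i in incidents) / len(incidents)


def scorecard(incidents):
    """Speed metrics plus accuracy metrics, and MTTR restricted to confirmed incidents."""
    confirmed = [i for i in incidents if i["true_positive"]]
    return {
        "mttd_min": mttd(incidents),
        "mttr_min": mttr(incidents),
        "mttr_confirmed_min": mttr(confirmed) if confirmed else None,
        "precision": precision(incidents),
        "reopen_rate": reopen_rate(incidents),
    }


if __name__ == "__main__":
    for k, v in scorecard(INCIDENTS).items():
        print(f"{k}: {v}")
```

On this constructed data the headline MTTR is about an hour, but only because two false positives were closed within minutes; over confirmed incidents it is two hours, half the tickets were noise, and one real incident had to be reopened. Reporting the accuracy columns next to the speed columns is what keeps the fast-close incentive in check.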

In conclusion, leaders should focus on people, process, and how they leverage technology within the SOC. They should also speak with their team members to see where automation could support them, re-evaluate how security operations performance is measured, and look for processes that can be streamlined.

You Have Invested in the Technology to Support Your SOC, But Have You Invested in Your People?

By: Erin Pullyblank

More often than not, emphasis is placed on the technology and how it can be used to prevent the next breach, detect malware, identify a phishing attack, and so on. But what about the human who works with that technology? In a recent Forrester article, Stop Trying to Take Humans Out of Security Operations, Allie Mellen writes: “We have yet to build an effective security tool that can operate without human intervention. The bottom line is this: Security tools cannot do what humans can do.”

In any SOC, no matter how big or small, the Analyst plays an integral role. So why are we not looking to invest in them? A recent Ponemon Institute report stated that most analysts leave an organization after two years: for every four analysts hired in 2020, three had parted ways with the company. Organizations should look to reduce this attrition rate by providing value at the individual level.

Consider a solution in which AI is used to turbocharge these key individuals working in such a high-pressure environment, where AI and the Analyst work hand in hand rather than independently. Consider the implications of AI that understands an Analyst’s unique skill set and contextual awareness, and that automatically optimizes their workflow to enhance their performance.

Allie goes on to say, “AI is only as good as the model on which it’s built. AI and automation lose to human beings because we’re unconstrained and do the unpredictable, which is exactly what attackers do in security.”

Penfield’s stance is that the days of attempting to replace Analysts with AI are gone. Human-Machine Intelligence Technology has arrived to optimize cybersecurity defense against attackers!

Want to hear more about using AI to help your Analysts? Book a demo!

Covid-19 Vaccine Supply Chains are Under Cyber-Attack – What can we do?

Google Trends shows that worldwide searches for “Covid-19 vaccine” reached their maximum interest this week (Figure 1). This personal interest in vaccine developments is paralleled by the interest of cyber criminals and nation-state actors, who seek to exploit vaccine procurement for information, disruption, and financial gain. For perspective, Johnson & Johnson’s CISO has stated that healthcare organizations see cyber-attacks from nation-state threat actors “every single minute of every single day”.
