The challenges facing security operations teams

With most organizations, the only thing standing between them and a data breach potentially resulting in huge financial losses is the security operations (SecOps) team. Every day they’re charged with identifying, classifying, and remediating a growing number of cyber-threats, making efficient and repeatable processes essential. This is becoming increasingly difficult as the volume of threats continues to explode.

To put it into perspective, the AV-TEST Institute is registering over 390,000 new malicious programs every day. Yet most SecOps groups are being hamstrung by the combination of a shortage of trained professionals and ineffective, unrepeatable processes for managing incident response.

The SecOps labor shortage is becoming particularly acute. The Peninsula Press (a project of the Stanford School of Journalism) says that more than 209,000 cybersecurity jobs in the US are currently unfilled. And postings are up 74% over the past five years. Simply hiring more staff to meet the increased risk is not a viable option in this job market.

The skills shortage is also compounded by growing increases in the daily workload of SecOps professionals. A recent Ponemon Study shows that every week, the average SecOps team receives nearly 17,000 alerts. So an organization with five dedicated security analysts, for example, would require each one to review nearly 3,400 alerts per week. In most organizations, this isn’t possible with existing processes and tools, forcing them to triage which alarms get any attention. Another Ponemon study finds that only 29 percent of all alerts are even investigated. And the same study shows that 68% of organizations spend a substantial amount of time chasing false positives.

So while SecOps are not only missing a substantial percentage of potential threats, more often than not those that do get investigated represent wasted effort. A major reason for this is that many existing malware tools just don’t provide enough context and information for adequate incident response, requiring time consuming manual intervention and research. According to the survey, 82% of the current malware tools in use don’t even provide the potential risk level for each incident, throwing alarm triage responsibilities back on the analyst.

The lack of available staff combined with an unsustainable workload demands a better approach to enable the SecOps team to operate effectively. Automated security orchestration and ­incident response­ is the answer. The ability to execute pre-defined processes and workflows without requiring manual intervention provides the scalability necessary to meet the high volume of both existing and future threats. And for those incidents where a hands-on approach is warranted, immediate access to all security event details—with relevant threat intelligence—is critical for efficient incident response. These two capabilities form the foundation of a “better process” that security operations teams need to maintain in the face of staff shortages and an increasing threat presence.