Despite rising threat volumes, the global findings of a new Micro Focus report indicate that more mature Security Operations Centres (SOCs) are becoming more efficient at detection and better able to recover from breaches than ever before.
Although SOCs are moving in a positive direction globally, the UK showed the greatest change with 17% improvement in SOC maturity. Regional analysis revealed that this is linked to multinational organisations making security investments in preparation for the GDPR before it comes into force in May 2018.
Combining these regulation-led changes with the consolidation and relocation of SOCs within EMEA to form Security Fusion Centres has greatly increased the effectiveness of security operations in this region.
Lack of capability
While the report reflects positive global momentum in organisations adopting and deploying security solutions, it also indicates that 20% of the cyber defence organisations assessed over the past five years failed to score Security Operations Maturity Model (SOMM) level 1. According to the model, this translates to a complete lack of capability. These organisations continue to operate in an ad-hoc manner, with undocumented processes and significant gaps in security and risk management.
“Over the last five years, we have watched organisations attempt to achieve a complete security transformation by applying short-term fixes – such as the purchase of peripheral products or dismantling of solutions – only to find poor results and poor business alignment,” said Matthew Shriner, VP, Security Professional Services for Micro Focus. “With that in mind, it is refreshing that when it comes to cyber defence capability, Micro Focus is seeing a much higher degree of operational sophistication than ever before. Whether linked to data regulation, such as the GDPR, or a result of changing internal processes and technology, SOCs are increasingly satisfying the objectives of companies’ cyber defence investments. Nearly 25% of organisations assessed are meeting business goals, representing a nearly 10% year-over-year improvement.”
Key observations from the State of Security Operations Report
Private sector organisations are systematically investing in the development of fusion centres in EMEA. In their initial form, fusion centres took the “one SOC to rule them all” approach. This model continues to serve decentralised organisations well, along with those that have grown quickly through M&A activity. Over the past year, fusion centres have evolved into combined disciplines that most organisations would have deliberately separated in the past. The new form includes fusion centres that are preparing to combine data security monitoring & incident response and compliance reporting for the GDPR.
SOCs are quickly shifting to co-managed operations. This approach has allowed cyber defence programmes to overcome the greatest challenge: a global shortage of cyber security talent. By setting up an operational relationship with a partner that includes regular interactions, SOC leaders can narrowly focus on the assets they want to protect and work with the partner operationally to perform the technology integration to make it happen.
SOCs running short on staff are adopting security orchestration, automation, and response (SOAR) solutions. Organisations are investing in automating security incident investigation and management toolsets, and with deliberate implementation goals in mind, are experiencing positive results. The concept is sound, yet adoption is slow due to operational knowledge gaps.
The use of deception grids, and their impact on operations maturity, has increased over the last year. The shift in the economics of an attack means that deception grid solutions can be very attractive. Misinformation about target systems can alter the findings of scripted reconnaissance and cause attackers to expend resources on techniques that are ineffective against the real target. Organisations are also starting to learn more about the attacker and the target of their campaign by analysing the attacker's behaviour in the deception-oriented environment.
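The deception-grid point above, shown as an added example that is not code from the report or from Micro Focus: decoy assets that no legitimate workload should ever contact are placed in the network, so any flow toward them is a near-zero-false-positive signal for the SOC, and a burst across several decoys in a short window is the fingerprint of scripted reconnaissance. The decoy inventory, the key=value flow-log format, the sample records and the sweep threshold are all constructed assumptions for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy inventory: addresses no legitimate workload should ever contact.
# Constructed for this example; a real deployment would pull this from
# the deception platform's asset list.
DECOYS = {
    "10.0.9.40": "decoy-fileserver",
    "10.0.9.41": "decoy-db",
    "10.0.9.42": "decoy-admin-jump",
}

# Constructed flow records in a simple key=value format (not a real log source).
SAMPLE_FLOWS = """\
2018-03-01T10:02:11Z src=10.0.5.23 dst=10.0.7.10 dport=443 proto=tcp
2018-03-01T10:02:14Z src=10.0.5.77 dst=10.0.9.40 dport=445 proto=tcp
2018-03-01T10:02:15Z src=10.0.5.77 dst=10.0.9.41 dport=1433 proto=tcp
2018-03-01T10:02:15Z src=10.0.5.77 dst=10.0.9.42 dport=22 proto=tcp
2018-03-01T10:30:00Z src=10.0.5.23 dst=10.0.7.11 dport=80 proto=tcp
2018-03-01T11:15:09Z src=10.0.6.5 dst=10.0.9.41 dport=1433 proto=tcp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_flow(line):
    """Parse one constructed flow line; return None for anything malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["ts"] = datetime.strptime(flow["ts"], "%Y-%m-%dT%H:%M:%SZ")
    flow["dport"] = int(flow["dport"])
    return flow


def decoy_touches(lines):
    """Keep only flows whose destination is a decoy; real hosts are ignored."""
    touches = []
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["dst"] in DECOYS:
            flow["decoy"] = DECOYS[flow["dst"]]
            touches.append(flow)
    return touches


def build_alerts(lines, sweep_window=timedelta(minutes=5), sweep_threshold=3):
    """Group decoy touches by source address and classify each source.

    A single touch is still an alert (there is no legitimate reason to reach
    a decoy), but a source hitting several distinct decoys inside the window
    is labelled as a scripted reconnaissance sweep and raised to high severity.
    """
    by_src = defaultdict(list)
    for touch in decoy_touches(lines):
        by_src[touch["src"]].append(touch)

    alerts = []
    for src, touches in by_src.items():
        touches.sort(key=lambda t: t["ts"])
        first, last = touches[0]["ts"], touches[-1]["ts"]
        distinct = sorted({t["decoy"] for t in touches})
        sweep = len(distinct) >= sweep_threshold and (last - first) <= sweep_window
        alerts.append({
            "src": src,
            "severity": "high" if sweep else "medium",
            "kind": "scripted_recon_sweep" if sweep else "decoy_touch",
            "decoys": distinct,
            "ports": sorted({t["dport"] for t in touches}),
            "first_seen": first.isoformat(),
            "last_seen": last.isoformat(),
        })
    return sorted(alerts, key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

Run against the sample, the two flows to real hosts produce nothing, the three-decoy burst from 10.0.5.77 becomes a single high-severity sweep alert carrying the decoys and ports it probed, and the lone touch from 10.0.6.5 becomes a medium alert. The same grouping is where the behavioural analysis the report mentions starts: the sequence of decoys and services a source reaches for is recorded per attacker rather than lost among ordinary traffic.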