Discover PerformanceHP Software's community for IT leaders // April 2014
Rate your security, but don’t aim too high
A new report offers a new scale for measuring security maturity—and finds that it’s not necessarily best to be the best.
With today’s cybercriminals more successful than ever, and the cost to defend against cyber crime growing higher, enterprises are increasingly investing in a formal security operations center (SOC). But a new HP Enterprise Security study finds that while few organizations today have reached optimal maturity, it’s also possible to go too far.
"Our adversaries aren’t following tight controls for attacks and malware, and neither should we," says Jesse Emerson, director of HP security intelligence and operations consulting. "The right place for an enterprise is the level where enough operational components are consistent so you can drive a predictable operation, but not to a point of rigidity where the operation can’t flex and respond to dynamic threats and adversaries."
HP Enterprise Security’s "State of Security Operations" report is drawn from more than 90 assessments of 69 security operations organizations worldwide, performed over five years. It details a number of key learnings (further summarized in a pair of posts on this HP Enterprise Security blog). It also articulates a new scale for measuring security maturity, and warns about the need to balance maturity with flexibility.
Regrettably, an over-mature SOC is a problem that most companies would be lucky to have. Some stats:
- 24 percent of assessed security operations centers do not meet the minimum requirements to provide consistent security monitoring.
- Only 30 percent of assessed organizations are meeting business goals and compliance requirements.
"Very few organizations are overachieving in terms of maturity," Emerson says.
A few holes in your SOC
To measure the maturity of an SOC, the report unveils the Security Operations Maturity Model and Methodology (SOMM). Companies with no security operations capability are rated a 0, while a score of 5 is given for a capability that is tightly controlled, continually measured, and ever-evolving.
Level 5, however, is not the goal.
"If you’re trying to maintain a level higher than a level 3, there’s a huge investment and overhead associated with that," Emerson says. By level 5, analyst procedures are often overly detailed, including exhaustive screen shots and flow charts—details that limit the quality and speed of response. "The benefits of your SOC are overshadowed by cost."
Higher levels of maturity can make sense for specific business profiles. Level 4 is optimal for managed security service providers (MSSPs), for whom the benefits of consistency and repeatability can outweigh the cost of decreased responsiveness. And level 5, says Emerson, "is only appropriate when you have zero tolerance for deviations and a fixed scope of defense of a tightly controlled environment."
Best practices for standout SOCs
Companies with optimized SOCs are learning more than just restraint. They are discovering new best practices that leverage the flexibility and dynamism of optimal—not maximal—maturity. These smart tactics tend to align with the four primary criteria of SOC maturity: people, processes, technology, and business alignment. Some highlights include:
- Relationships and communication matter. Seeking round-the-clock diligence, many security organizations follow the sun with geographically distributed teams—which are significantly less effective than single-location teams. Emerson notes that differences in team culture and geographical culture can lead to different priorities and an unhealthy tension. Sometimes data privacy and data export regulations preclude a single-location SOC, but when possible, a 24x7 team in one location with plenty of shift overlap delivers the best overall result.
- Adopt a SIEM. Data silos are common in enterprise security. A security information and event management (SIEM) system provides a single pane of glass across a wide spectrum of disparate security data and provides analytical efficiencies that are a necessity with today’s data volume.
- Learn to prioritize. It’s no longer feasible to approach your security strategy as if you can prevent every exploit and attack. The reality is that you’ll be breached far more often than you’d like. Instead, security needs to engage with the business to prioritize information assets and focus spending to protect high-value targets.
Don’t take the "quick" route to maturity
While the entire point of security maturity is to prevent a breach, the report found that getting breached is the fastest way to bring focus to your security maturity. It’s a unique opportunity to fail forward. Post-breach SOCs are usually built up quickly to limit future impact of a breach and demonstrate due diligence in the wake of a loss.
However, with the State of Security Operations report in hand, and a fresh focus on the maturity of your security strategy, you can make immediate improvements to your security operations center before a successful attack occurs.
Learn more about the state of SOC maturity in organizations worldwide and core best practices in the “2014 State of Security Operations” report.
HP Software’s Paul Muller hosts a weekly video digging into the hottest IT issues. Check out the latest episodes.
Preparing today for tomorrow’s threats.
Introduction to Enterprise 20/20
What will a successful enterprise look like in the future?
Challenges and opportunities for the CIO of the future.
Dev Center 20/20
How will we organize development centers for the apps that will power our enterprises?
Welcome to a new reality of split-second decisions and marketing by the numbers.
IT Operations 20/20
How can you achieve the data center of the future?
What the workforce of 2020 can expect from IT, and what IT can expect from the workforce.
Looking toward the era when everyone — and everything — is connected.
Data Center 20/20
The innovation and revenue engine of the enterprise.