IT security making poor use of analytics, Big Data: HPE

Hewlett Packard Enterprise’s third annual State of Security Operations Report finds that while security organizations are investing in analytics and Big Data, many are making preventable errors that give them a poor return on their investment.


Kerry Matre, Senior Product Marketing Manager, Services, Hewlett Packard Enterprise Security Products

Hewlett Packard Enterprise (HPE) has released findings from its third annual State of Security Operations Report, and in a world where IT security has become an absolute top priority the results are surprisingly disappointing. Over those three years, HPE has found that the security operations centre (SOC) has been unable to keep pace with the improvements by attackers and the demands of the new style of IT, and the result has been a year-over-year decline in overall security operation maturity.

“We started doing this report three years ago because we had so much knowledge from doing these assessments of SOCs in the industry, and we wanted to share it with the industry,” said Kerry Matre, Senior Product Marketing Manager, Services, Hewlett Packard Enterprise Security Products. “The report is prescriptive of things that every organization can do today. What’s disheartening is we aren’t seeing those improvements yet.”

The data comes from HPE Security Intelligence and Operations Consulting (SIOC) assessments of the capability and maturity of 114 discrete SOCs in 154 assessments since 2008. Most of them are from larger enterprises, but Matre said that the findings scale down to SOCs as small as three people, where running the SOC is a secondary, part-time part of the staff’s job.

“The scoring covers four different categories – people, processes, technology and business aspects – and there are subcategories in each,” Matre said. “For example in people, the subcategories include how staffing works, how people are trained, and whether there is a career path. Each subcategory is given a weighted score and they are all rolled up within the categories.”

The data indicate that 25 per cent of cyber defense organizations that were assessed failed to score a security operations maturity model (SOMM) level 1. A quarter of security organizations operate in an ad-hoc manner with undocumented processes. In addition, in 2015, only 15 per cent of assessed organizations are meeting business goals and are working toward or have achieved recommended maturity levels. This leaves 85 per cent of organizations that are not achieving the recommended maturity levels – slightly lower than last year’s findings.

So what’s causing the decline in maturity?

“The biggest problem is a lack of focus,” Matre said. “Many SOCs are considered to be more of a project than a program, which means that they get money to get up and running, but there isn’t follow-up to make sure they mature properly. Another problem is that extra demands on a security centre expand the scope of duties.”

One particularly dispiriting finding is that even though the IT industry has become obsessed with analytics and Big Data, and is now spending freely on them, that spending isn’t translating into results.

“Analytics and Big Data need to be better leveraged,” Matre said. “It all comes down to use cases. Many organizations have created data lakes and they have their searching tools – but they are not repeatable. They don’t know what they are looking for, so they don’t succeed. There are organizations who have a purpose before they spend the money. But there are also ones who have bought data lakes, and bought data scientists to ruffle through the data, but they haven’t operationalized the process. The result is that if they find a breach, it’s not tied back so it can be brought back and institutionalized and automated for the future. It becomes a one-time success. It is still success, but because it is not repeatable, it is expensive, and therefore not mature. If they establish defined use cases such as looking for users with no standard behavior printing at odd hours of the night, they are more likely to be successful.”
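The defined use case Matre gives, a user printing at odd hours with no established pattern of doing so, written out as a small, re-runnable detection. This is an added example, not code from HPE or the State of Security Operations Report: the print-server log format, the night window and the one-hour tolerance are assumptions, and every log line is constructed for the illustration.

```python
"""Off-hours printing detection: a defined, repeatable SOC use case.

Added example, not code from HPE or the State of Security Operations Report.
The print-server log format below is an assumption, and every log line is
constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Night window (22:00 to 05:59) is an assumed policy setting, not from the report.
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))

# Constructed history window: what "normal" printing looked like for each user.
BASELINE_LOGS = [
    "2015-11-02T09:14:00 user=alice printer=fin-q1 pages=3",
    "2015-11-02T16:40:00 user=alice printer=fin-q1 pages=12",
    "2015-11-03T10:05:00 user=alice printer=fin-q1 pages=2",
    "2015-11-02T23:30:00 user=bob printer=ops-q2 pages=5",  # bob works nights
    "2015-11-03T01:10:00 user=bob printer=ops-q2 pages=7",
    "2015-11-03T14:22:00 user=carol printer=hr-q1 pages=1",
]

# Constructed new jobs to evaluate against that baseline.
NEW_LOGS = [
    "2015-11-10T02:47:00 user=alice printer=fin-q1 pages=240",  # alice never prints at night
    "2015-11-10T00:15:00 user=bob printer=ops-q2 pages=4",      # normal for bob
    "2015-11-10T15:05:00 user=carol printer=hr-q1 pages=2",     # within an hour of her usual
    "2015-11-10T03:30:00 user=dave printer=hr-q1 pages=9",      # no history at all
    "2015-11-10T19:00:00 user=carol printer=hr-q1 pages=3",     # daytime, but unusual for her
]


def parse_print_log(line):
    """Parse '<ISO timestamp> key=value ...' into a dict (assumed log format)."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": fields["user"],
        "printer": fields["printer"],
        "pages": int(fields["pages"]),
    }


def build_baseline(lines):
    """Learn the set of hours-of-day in which each user has printed."""
    hours = defaultdict(set)
    for rec in map(parse_print_log, lines):
        hours[rec["user"]].add(rec["ts"].hour)
    return dict(hours)


def detect_off_hours_printing(lines, baseline, tolerance=1):
    """Flag jobs outside a user's learned hours.

    Night-time jobs and users with no baseline get their own reason so an
    analyst can triage them first. The +/- tolerance hour keeps a 16:40
    regular from alerting at 17:05.
    """
    alerts = []
    for rec in map(parse_print_log, lines):
        hour = rec["ts"].hour
        seen = baseline.get(rec["user"], set())
        normal = {(h + d) % 24 for h in seen for d in range(-tolerance, tolerance + 1)}
        if hour in normal:
            continue
        if not seen:
            reason = "no baseline for user"
        elif hour in NIGHT_HOURS:
            reason = "night-time print outside learned hours"
        else:
            reason = "outside learned hours"
        alerts.append({
            "user": rec["user"],
            "when": rec["ts"].isoformat(),
            "printer": rec["printer"],
            "pages": rec["pages"],
            "reason": reason,
        })
    return alerts


def run_use_case():
    """The whole use case as one re-runnable step: build the baseline, then detect."""
    return detect_off_hours_printing(NEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for alert in run_use_case():
        print(alert)
```

The point of the example is the shape rather than the thresholds: the baseline is rebuilt from the same source on every run and the decision logic is written down once, so the same check produces the same alerts next week. That is what turns a one-off hunt into something that can be scheduled, tuned (a wider baseline window, a page-count threshold) and handed to the next analyst.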

The HPE report says that 2016 is a critical year for the adoption of analytics products and whether or not people succeed with them. The mind-shift to the “we’ve already been breached” way of thinking has fueled the industry’s adoption of analytics solutions and hunt teams. But the key question is whether their design is mature enough to be successful.

“This mind-shift is a good thing, but it needs to be balanced,” Matre said. “You have to keep up with preventative measures and monitoring. But if you have the mindset to tie this in to other parts of the organization to remediate breaches quickly, your successes will be repeatable and you will be more effective. The better and more mature SOCs are succeeding with this. The less mature and smaller SOCs want to do this, want to do hunt teams. They are attempting it, and we will see if they succeed.”

Another key problem, which is not new, is access to skilled security resources, with an inadequate number of skilled new security specialists coming into organizations.

“This continues to be a huge problem,” Matre said. “It always comes up as the number one concern of enterprises still. We have not hit that tipping point yet of being able to fill that demand. Organizations hire new people out of college who don’t have the experience handling new breaches, so it will take more of them to get results.” Matre said this is equally applicable on the channel side, where the VARs who have resources and security expertise, and who are real experts, will be able to maximize the value of the technologies and reduce headcount.

Matre emphasized that the bottom line for security organizations is they need to absorb the information in the HPE report and act on it.

“We give so much information away in this report,” she said. “These are not far-fetched ideas about what somebody could do if they had a gazillion dollars. It’s things they can do today to make themselves more mature and improve the maturity of the industry as a whole by putting money and focus into automation and orchestration and workloads, and not just plugging in another box.”