This eBook discusses trends happening within enterprise security operations centers. When you read this eBook, you will see data showing:
- The challenges driving change in security operations.
- How your peers are reprioritizing and addressing growing attack surface and threat landscape complexity.
- How improving detection engineering and the shortcomings of current approaches are top of mind for security strategists.
- Forward-looking data on the payoff security professionals expect from transforming their SOC and whether their organization will fund the required changes.
In the first quarter of 2022, ESG conducted a double-blind survey of 250 security decision makers in North America responsible for threat detection at their organization and who spend 50% or more of their daily time focused on security operations. All organizations represented in the research were enterprises employing 2,500+ individuals, and the sample was composed of a horizontal mix of industry verticals.
Organizations are struggling to keep up: change in the present mode of operation is needed
Organizations are taking a hard look at current security operations strategies, processes, and technologies in support of modern, cloud-driven, hybrid work usage models. As IT teams accelerate the move to modern cloud application development and deployment models, IT infrastructure and the threats targeting it are becoming more complex, leading security teams to rearchitect core security operating infrastructure.
This rearchitected security stack must be capable of scaling and analyzing signals from multiple cloud environments, while supporting a growing, diverse endpoint world that comprises corporate-owned devices, personal devices used for work, third-party supply chain and partner devices, and the many connected IoT devices supporting infrastructure operations.
Alert volumes continue to increase, resulting in a growing number of alerts that go uninvestigated
Meanwhile, as security controls grow in number and scope, security teams are facing a growing number of alerts, resulting in over half of surveyed security professionals reporting that alert triage is challenging or overwhelming. There are two logical drivers to this in the research:
- Improperly configured threat detection solutions create a lot of noise.
- The threat landscape continues to evolve, frequently outpacing SecOps countermeasures.
As a result, 96% of security professionals surveyed indicated having made tradeoffs between efficacy and efficiency in order to keep up with security alerts.
Most will reevaluate SecOps priorities to keep up
Given the level of change underway, organizations are reprioritizing investments in existing tools and processes, redirecting budgets and projects to implement converged, scalable platforms that can support this new IT operating environment.
Visibility into cloud workloads is a gap for many, which should drive investments in cloud detection and response solutions capable of sifting through a diverse, distributed set of signals to isolate threats.
Rapid attack surface growth is causing others to prioritize asset discovery and risk management, supporting security posture assessment and management activities, leading to prioritization of high-risk assets and infrastructure.
Where will security operations get more difficult over the next 12 to 24 months?
What will be more difficult in the coming months?
As security teams rearchitect operational infrastructure, daily SecOps activities must continue to mitigate risk. This means security teams must rely on existing, less-than-optimal solutions for daily operations while this infrastructure is upgraded in parallel.
Meanwhile, attack surface growth continues, especially with more cloud workload and infrastructure adoption, leaving many to supplement existing tools with manual processes to close gaps. And while change is underway in most organizations, many must continue to utilize current solutions for 12 to 24 months until modernization activities are implemented.
To what extent do line of business executives recognize the business value of the SOC?
C-suite alignment to the importance of SOC effectiveness is cause for concern
While security is a top priority for most organizations, almost two-thirds report that their executive leadership teams lack an understanding of the role of their security operations team in mitigating business risk or enabling future growth.
As organizations develop new strategies to modernize security operations, those who engage the C-suite early in the process stand a better chance of gaining visibility and support for this critical business function. As CISOs engage further in business-level growth and operational planning, they have an opportunity to remove friction and constraints that would otherwise limit opportunities.
Yet for many, this is more of a journey, requiring engagement with individual line-of-business leaders to bring risk mitigation and the security agenda into operational business strategies. As security leaders leverage hard metrics to demonstrate the value of security strategies, business leaders can begin to digest the strategic value of ongoing security infrastructure investment.
Biggest SecOps Gaps
As a core security function, security operations depends on effective mechanisms to detect potential threats from all facets of their IT operating infrastructure.
With more advanced threats involving many different types of infrastructure, including network, endpoint, cloud workloads, SaaS applications, supply chain, and more, growing threat detection complexity is challenging many, driving new investments in mechanisms that are more capable of assimilating and analyzing security signals from this diverse set of operating infrastructure.
The rapid growth of extended detection and response (XDR) mechanisms is an outgrowth of this challenge, but these XDR mechanisms are highly dependent on a new level of threat detection rules to support them.
The relative criticality of detection engineering
With such an important focus on threat detection, security teams are prioritizing investments in rules development, refinement, and management. Security leaders put a premium on time spent on detection engineering, when compared to other security operations activities, yet limited skills exist in this important area, limiting many in making progress.
As organizations rearchitect core security operations infrastructure, special focus is needed to ensure that investments in detection rules can be applied across multiple detection mechanisms, optimizing detection engineering investments.
The detection engineering lifecycle: How long it takes organizations to create a detection, test a detection, and deploy it to production.
Significant time is required to develop and implement new threat detection rules
With such a high value placed on detection engineers, current processes typically require multiple weeks to develop, test, and implement new detection rules. This arduous, time-consuming process creates further challenges for security teams to allocate sufficient resources to this critical task. Combine this with the accelerating pace of new threat introduction and a general lack of resources and skills needed, and, for many, keeping up can seem like an almost impossible task.
How much work is required to manage detection rules?
In fact, 57% of organizations found the amount of work required to design, code, implement, and manage their threat detection rules either overwhelming or challenging. With staffing levels and skill sets identified as not meeting standards, the challenges are compounded by increased alert volume, triage, and analysis.
New strategies are needed to overcome these challenges. While detection engineering challenges result in three-quarters wanting new ways to better create and manage detection rules, organizations see additional challenges impeding progress. Struggles with the integration of security controls, visibility gaps, and lack of correlation and analytics capabilities all further impede threat detection improvement.
The expected impact on dwell time of doubling the resources dedicated to threat detection engineering.
Organizations believe investment in detection engineering will pay off
The good news is that security teams believe that increased investment in detection engineering will pay off, with three-quarters expecting a moderate or drastic reduction in attack dwell time. Detecting threats sooner reduces the potential and scope of damage and thwarts many attacks that would otherwise be successful with longer dwell times. But despite this potential outcome of further investment in detection engineering, few seem to be able to allocate sufficient resources to achieve these outcomes due to challenges in staffing and the long cycle time for detection engineering.
Security professionals’ confidence that their organization will fund the transformations needed in their SOC.
Most are confident that funding will be available
Organizations are providing budgetary support to keep pace with the ever-developing threat landscape. What will differentiate those who make gains versus those simply throwing money at a problem is how effective they are making decisions that not only increase support levels, but also increase efficiency and intelligent insights.
6 Ways to Modernize Your Security Operations
Understand Your Threat Coverage
- Continually measure & prioritize.
- Quickly identify coverage and data gaps through continuous maturity scoring and navigation with AI-driven recommendations mapped to the MITRE ATT&CK framework.
Improve Detection Efficiency & Efficacy
- Automate detection engineering.
- Squash your backlog and reduce time to build and deploy pattern-based detections with no-code, out-of-the-box behavioral threat detection content based on frameworks, like MITRE ATT&CK and kill chains.
Enhance Your Hunting
- Hunt for known & unknown patterns.
- Augment your detections with AI-driven hunting to find suspicious behavioral attack patterns and quickly deploy related detections.
Reduce Time to Triage & Respond
- Simplify investigations.
- Automate the manual efforts of alert tuning, allowlisting, and triage observations through visualizing alert attack patterns and timelines on standard frameworks.
Automate Alert Collection & Normalization
- Correlate across disparate vendor & cloud alerts.
- Automatically ingest, normalize, tag, enrich, and correlate alerts from EDR/XDR, email security, and other tools and cloud workloads before events are indexed. One-step integration for ticketing and case management in ServiceNow, Jira, etc.
Modernize Your SOC Architecture
- Become cloud-ready.
- Decouple security operations and analytics from underlying logging. Correlate across traditional storage, cloud workloads, and vendor alerts at ease, and start to phase out legacy SIEMs and costly data indexing.
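As an added example, not part of the eBook or of Anvilogic's product, the normalize/correlate/coverage steps in the list above in Python: two constructed, hypothetical vendor alert formats are mapped onto one schema, grouped into cases per host within a time window, and a constructed rule inventory is checked for ATT&CK technique coverage gaps.

```python
from datetime import datetime, timedelta

# Constructed sample alerts in two hypothetical vendor schemas (not real product formats).
EDR_ALERTS = [
    {"ts": "2022-03-01T10:00:00", "hostname": "ws-17", "rule": "Suspicious PowerShell", "technique": "T1059.001"},
    {"ts": "2022-03-01T10:04:00", "hostname": "ws-17", "rule": "LSASS memory access", "technique": "T1003.001"},
]
EMAIL_ALERTS = [
    {"received": "2022-03-01T09:58:00", "recipient_host": "ws-17", "verdict": "Phishing link", "attack_id": "T1566.002"},
    {"received": "2022-03-01T14:30:00", "recipient_host": "ws-42", "verdict": "Phishing link", "attack_id": "T1566.002"},
]
# Constructed inventory of deployed detections, each tagged with the ATT&CK technique it covers.
DETECTION_RULES = {
    "Suspicious PowerShell": "T1059.001",
    "LSASS memory access": "T1003.001",
    "Phishing link": "T1566.002",
}

def normalize(edr, email):
    """Map vendor-specific field names onto one schema: time, host, source, technique, title."""
    out = []
    for a in edr:
        out.append({"time": datetime.fromisoformat(a["ts"]), "host": a["hostname"],
                    "source": "edr", "technique": a["technique"], "title": a["rule"]})
    for a in email:
        out.append({"time": datetime.fromisoformat(a["received"]), "host": a["recipient_host"],
                    "source": "email", "technique": a["attack_id"], "title": a["verdict"]})
    return sorted(out, key=lambda x: x["time"])

def correlate(alerts, window=timedelta(minutes=15)):
    """Group time-ordered alerts into cases: same host, each within `window` of the case's last alert."""
    cases = []
    for a in alerts:
        for c in cases:
            if c["host"] == a["host"] and a["time"] - c["last"] <= window:
                c["alerts"].append(a)
                c["last"] = a["time"]
                break
        else:
            cases.append({"host": a["host"], "last": a["time"], "alerts": [a]})
    return cases

def coverage_gaps(rules, required):
    """Techniques in `required` that no deployed detection rule is tagged with."""
    return sorted(set(required) - set(rules.values()))

if __name__ == "__main__":
    for case in correlate(normalize(EDR_ALERTS, EMAIL_ALERTS)):
        print(case["host"], [(a["source"], a["technique"]) for a in case["alerts"]])
    print("gaps:", coverage_gaps(DETECTION_RULES, ["T1566.002", "T1059.001", "T1003.001", "T1021.001"]))
```

The first case ties the phishing-link alert to the two endpoint alerts that follow on the same host, and the gap report flags T1021.001 (Remote Desktop Protocol) as a technique with no deployed detection.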
How Anvilogic Can Help
It’s time for a modern approach: Democratize threat detection across your hybrid, multi-cloud, and other data lakes.
Anvilogic is an AI-driven SOC platform for threat detection and incident response. It unifies and automates security operations across people, processes, and technology, reducing the time, manual effort, complexity, and expertise needed to build detections and manage the overall SOC, through AI-driven recommendations and frameworks that continuously assess, prioritize, detect, hunt, and triage to mitigate risk quickly.
Start to minimize data ownership costs and empower your security team to automatically detect and respond to the incidents that matter most across your unique attack surfaces. Anvilogic meets your data where it is and queries it within and across your platforms, correlating only the alerts that matter, so your security team can focus on high-fidelity alerts rather than on configuring tools.
The data in this report was derived from a survey fielded between February 16 and February 19, 2022.
These figures detail the demographics of respondents to the survey. Totals in figures and tables throughout this report may not add up to 100% due to rounding.
The margin of error for a sample size of 250 at the 95% confidence level is ±6 percentage points.
Respondents by Title
Respondents by Industry
Respondents by Number of Employees
Anvilogic is a Palo Alto-based AI cybersecurity startup founded by security veterans and data scientists from Fortune 500 companies. In 2019, we started building an AI-based SOC platform to lower the barrier to entry for detection engineering and threat hunting skill sets desperately needed in cybersecurity.