UK leads global upward trend in SOC maturity

The past year has seen a 12% improvement in global security operations centre (SOC) maturity, with all assessment areas showing improvement for the time in five years, according to the latest State of security operations report from global enterprise software company Micro Focus.

Despite the volume of threats rising, the report’s global findings indicate that more mature SOCs are becoming more efficient in detection, with greater ability to recover from breaches than ever before.

Among the countries whose SOCs moved in a positive direction, the UK showed the greatest change with a 17% improvement in SOC maturity, followed by a 9% improvement collectively in Germany, Austria and Switzerland.

Regional analysis revealed that this is linked to multinational organisations making security investments in preparation for the EU’s General Data Protection Regulation (GDPR) before it comes into force in May 2018. Combining these regulation-led changes with the consolidation and relocation of SOCs within Europe to form security fusion centres has greatly increased the effectiveness of security operations in the region, the report said.

Despite the positive global momentum in organisations adopting and deploying security solutions, the report also revealed that 20% of the cyber defence organisations assessed over the past five years failed to achieve even level 1 on the Security Operations Maturity Model (SOMM) scale. According to the model, this translates as a complete lack of capability. These organisations continue to operate in an ad-hoc manner with undocumented processes and significant cracks in security and risk management.

“Over the last five years, we have watched organisations attempt to achieve a complete security transformation by applying short-term fixes – such as the purchase of peripheral products or dismantling of solutions – only to find poor results and poor business alignment,” said Matthew Shriner, vice-president, security professional services at Micro Focus.

“With that in mind, it is refreshing that when it comes to cyber defence capability, Micro Focus is seeing a much higher degree of operational sophistication than ever before. Whether linked to data regulation, such as the GDPR, or a result of changing internal processes and technology, SOCs are increasingly satisfying the objectives of companies’ cyber defence investments,” he said, adding that nearly 25% of organisations assessed are meeting business goals, representing a year-on-year improvement of nearly 10%.

According to Micro Focus, the report provides deep analysis of the effectiveness of organisations’ SOCs and best practices for mitigating risk in the evolving cyber security landscape, and is the largest available dataset on the state of cyber defence and enterprise security operations around the globe, including public and private sector organisations across all industry verticals.

Each SOC is measured on the Micro Focus SOMM scale, which evaluates people and processes, technology and business capabilities. According to the report, organisations are beginning to see a return on their security investments and are getting more value out of the security systems they have deployed, reporting an average 8% improvement across people and processes.

The report makes four key observations:

1. Private sector organisations are systematically investing in the development of fusion centres in Europe, the Middle East and Africa.

In their initial form, fusion centres took the “one SOC to rule them all” approach. This model continues to serve decentralised organisations well, along with those that have grown quickly through merger and acquisition activity, the report said.

In the past year, fusion centres have evolved into combined disciplines that most organisations would have deliberately separated in the past. The form includes fusion centres that are preparing to combine data security monitoring and incident response and compliance reporting for the GDPR.

2. SOCs are quickly shifting to co-managed operations.

This approach has allowed cyber defence programmes to overcome the greatest challenge of a global shortage of cyber security talent. By setting up an operational relationship with a partner that includes regular interactions, SOC leaders can narrowly focus on the assets they want to protect and work with the partner operationally to perform the technology integration to make it happen.

3. SOCs running short of staff are adopting security orchestration, automation and response (SOAR) solutions.

Organisations are investing in automating security incident investigation and management toolsets, and with deliberate implementation goals in mind, are experiencing positive results. The concept is sound, the report said, yet adoption is slow because of operational knowledge gaps.

4. The use of deception grids and impact on operations maturity has increased over the past year.

The shift in the economy of an attack means that deception grid solutions can be very attractive. Misinformation about target systems can alter the findings of scripted reconnaissance and cause attackers to deploy resources that are ineffective on the target system. Organisations are also starting to learn more about the attacker and the target of their campaign by analysing the behaviour of the attacker in the deception-oriented environment.

The methodology for assessments is based on Micro Focus’s (formerly HPE’s) Security Operations Maturity Model (SOMM), which focuses on multiple aspects of a successful and mature security intelligence and monitoring capability, including people, process, technology and business functions.

The SOMM uses a five-point scale – a score of 0 is given for a complete lack of capability while a 5 is given for a capability that is consistent, repeatable, documented, measured, tracked and continually improved upon.

The ideal composite maturity score for a modern enterprise is 3, according to Micro Focus, while managed security service providers (MSSPs) should target a maturity level between 3 and 4.

The reliable detection of malicious activity and threats to the organisation, and a systematic approach to manage those threats, are the most important success criteria for a mature cyber defence capability, the report said.