Image by tonymalony from Thinkstock.com

Organizations that have invested in creating security operations centres are spending an increasing amount of money on cybersecurity, but a new study suggests many may not be getting further ahead.

For five years Hewlett-Packard Enterprise (HPE) has been measuring the progress of SOCs in 114 organizations and service providers in 26 countries including Canada, the U.S., Britain, Australia, China, India and Brazil.

But HPE’s third report, released Tuesday, finds as a group they went backwards last year when scored in four areas: People, processes, business alignment and technologies.

“The median maturity level of cyber defense teams remains well below optimal levels,” says the report, adding there was a “year-over-year decline in overall security operation maturity” in 2015.

“In the quest for higher maturity, operations often suffer from stagnation, rigidity, and an overall low level of effectiveness,” the report says.

Briefly, the report says organizations are focusing more on technology than on people and processes — despite the fact that they are taking a more business attitude to security, such as increasing stakeholder involvement.

“Cyber defense teams (or providers offering managed SOC services) who aspire to achieve maturity levels of ‘5’ (the highest) lack an understanding or appreciation of the nature of such capabilities and the threats they are defending against. Given an agile and adaptive threat actor, optimizing for repeatability and consistency is only marginally effective.”

The fault lies in a combination of the shift in IT to hybrid models including cloud, mobile, social, and Big Data; a continued focus on cost management; and the continued collaboration and professionalization of attackers, Chris Triolo, HPE’s vice-president of security product global services, said in the report’s introduction.

For the study, a security division that monitors the network for events (not necessarily 24 hours a day) qualifies as an SOC.

Some organizations in the study have made great progress and sustained it, Kerry Matre, an HPE senior product marketing manager, said in an interview, while others are just getting into security operations and are low scoring. But, she added, many have put money into an SOC and then funding dries up or the IT department’s focus has changed.

IT departments “are still struggling with the basics — having anything repeatable in their security operations. So there’s a lot of ad hoc (activity) … If you don’t have things documented that greatly affects your maturity score.”

HPE uses a modified version of the Carnegie Mellon Software Engineering Institute’s Capability Maturity Model for Integration (SEI-CMMI) to create a five-point scale where higher is better.

The most advanced security operations centers in the world will typically achieve an overall score between a level 3 and level 4, says the report, which adds that very few meet those marks today. For most organizations, a consolidated aggregate score of level 3 is an appropriate goal. But in each of the areas measured, the report says the industry median score continues to fall between a 1 and 2.

In fact, continuing a five-year trend, one-quarter of SOCs studied last year couldn’t even score 1. Only 15 per cent of assessed organizations met business goals and were working toward or have achieved recommended maturity levels. That left 85 per cent of organizations not achieving the recommended maturity levels, which is slightly lower than last year’s findings.

“A continual focus on mastering the basics and creating a solid foundation of risk identification, incident detection, and breach escalation as well as response remains key to effectiveness,” says the report. “Benefits from advanced analytics capabilities and threat intelligence will only be realized if a strong foundation of security operations exists.”

HPE “sees this as a pivotal moment for SOC leaders to adapt and re-invent their operations in order to show definitive value to the business” by adding capabilities such as hunt teams, deception grids (another term for honeypots or malware traps) and data analytics-driven security.

The goal, the report suggests, should be a so-called fifth-generation (5G/SOC) of security operations. Such SOCs recognize the change in the threat landscape and take a holistic approach to defence. They train analysts in security counter-intelligence, surveillance, criminal psychology, and analytical thinking to augment technology investment. Most organizations have not implemented a 5G/SOC, says the report, “but those who have, seem to have benefited greatly from the intelligence-driven methodologies, information sharing, and the human adversary approach.”