Firms throw money at technology but fail to take care of security basics

In this Editor's Corner, I want to take a deep dive into the annual State of Security Operations report prepared by Hewlett Packard Enterprise.

I recently sat down with Chris Triolo, vice president of HPE Security Product Global Services, to go over the report. Triolo said that HPE uses its experience with clients to provide an overall assessment of security operations centers (SOCs) at more than 100 enterprises in its report.

Unfortunately, things are not looking very good. Enterprises are investing heavily and setting up SOCs, but are not finding security personnel with the maturity and skills to run those centers effectively.

"The shortage of skilled resources is a major theme [in the report] … One of the struggles these SOCs are having is in the people area. It's really tough to staff out 24x7 monitoring with analysts when that happens," Triolo said.

HPE evaluates SOCs in four areas: people, process, technology and business function. It uses a maturity model adapted from the Carnegie Mellon Capability Maturity Model for Software, Triolo related.

Applying the maturity model to SOCs that HPE assessed, the report found that a disturbing 85 percent of enterprises fell below the recommended maturity level.

Fewer than one-quarter of assessed enterprises met the minimum requirements for providing security monitoring; in practice this means their monitoring is undocumented and actions are carried out on an ad hoc basis.

Triolo noted that enterprises are spending money on cutting-edge security, such as harnessing big data analytics and employing "hunting" techniques, in these SOCs, but they are not taking care of the basics.

"You have to have the foundational monitoring mission in place first before you go for the advanced stuff. ... Unfortunately, SOC foundational stuff is not as sexy as hunt and analytics are. But you have to do both," Triolo stressed.

This is a theme often heard in the pages of FierceITSecurity. Enterprises often throw money at security technology without taking care of security best practices, which often prove more effective in the long run. - Fred@FierceFred1