Fear and Loathing in the SOC



A new survey by Forrester and Endgame finds 92% of companies surveyed said they were the victim of a successful cyber attack in the previous year, with firms pessimistic they can stop such incidents.

Pessimism is in vogue – at least in the cyber security world. Pessimism, if not outright resignation, has been a common theme in recent surveys of attitudes about cybersecurity. Whether the topic is data security, cyber attacks or the Internet of Things, that old “American optimism” is noticeably missing.

Take the recent Pew Foundation poll of Americans’ attitudes towards cybersecurity, which found that most Americans have experienced cybercrime directly and have little hope that better days await us in the future. An Experian survey in 2015 found that fewer than one in ten consumers who have had personal information exposed in a major data breach take advantage of credit monitoring services offered by the company responsible for the breach – evidence of what the company described as "data breach fatigue."

Those sentiments appear to extend to companies as well. A new survey by the analyst firm Forrester and the security threat detection firm Endgame found that companies are encountering data and security breaches as often as every day, but are struggling to find the staff and tools to respond to them – despite recognizing the high cost of adverse security incidents.

The survey of 156 individuals at organizations with security operations centers (SOCs) in industries like technology, financial services, oil and gas and energy found that organizations fear the high costs associated with severe breaches as well as the potential damage to their brand and reputation, but lack staff with the technical skills to help them thwart such incidents.

Fewer than half of those surveyed (44%) said they had a highly skilled (“Tier 1”) or higher analyst working in their security operations center. Short-handed, most companies are performing a kind of cyber triage in their SOCs, the Forrester and Endgame survey found: concentrating on the most severe threats to their business, even as some threats slip through the net.

Ninety-two percent of survey respondents said they had experienced at least one successful attack or data breach that put their organization at risk in the previous year. Almost one in three of those surveyed said they had experienced 20 or more such attacks in the previous year.

Among the most serious (perceived) threats are phishing attacks, malware and targeted attacks against the organization. Forty-six percent of survey respondents said their organization had experienced phishing attacks in the past year, and 44% said their company had experienced a targeted endpoint attack. More than one in four (26%) said their organization was targeted by a criminal or nation-state actor “daily,” while 38% said that they encountered phishing or watering hole attacks daily or weekly. The same was true of malware attacks targeting employee endpoints.

And cybercriminals are combining online and offline attacks in novel ways: using network compromise and data theft as fodder for more traditional schemes. For example, the CISO of a global energy company who was one of the survey respondents told Forrester analysts that organizations based out of China and Russia attempt to extort, steal, or blackmail them to get money.

The challenges facing these organizations are complex. Respondents recognize the existential threat that successful attacks pose to their company, but despair of finding the people and tools to counter it. In addition to the difficulty of finding trained and knowledgeable employees, firms said that their existing tools were only somewhat useful in stopping attacks. Part of the problem is complexity. Seven in 10 of those surveyed said their company was using five or more technologies in their SOC, and a third of respondents are using eight or more. Worryingly, 57% of organizations “accept that breaches will occur as a result of the tools they use,” Forrester and Endgame found.

Forrester warns about creeping resignation: just 15% of organizations said they have no tolerance for breaches from their tools (meaning they have zero tolerance for breaches and have done everything possible to prevent them), and 27% said their tolerance was low (meaning they are trying to prevent all breaches from occurring while recognizing a determined adversary may still get past their defenses).

The solutions to these problems are – themselves – complex and not entirely in organizations’ control. The Forrester report urges companies to take a ‘zero tolerance’ approach to breaches rather than allowing complacency to take root. What they call “breach intolerance” is about reducing the attack surface of your organization and, thereby, lowering the number of incidents (and thus the demands on your SOC).

Forrester also encourages companies to extend detection beyond traditional malware signatures and “indicators of compromise,” or IOCs (which are just a fancy new word for signatures). Finding ways to spot threats and attacks independent of specific “signatures” is advised.

Finally, on the “headcount” issue – Forrester said that better automation is one way to reduce the load on employees. Companies also need to cultivate talent internally: finding employees who can be trained for Tier 1 activities like digital forensics and incident response.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.