Date: 2017-01-20

Many folks started the new year by making resolutions. For many security professionals, one goal for 2017 is to find balance. That theme also seems to be trending in security operations centers, according to HPE's fourth annual State of Security Operations Report for 2017, released this month.

Some key observations of the report include:

SOC maturity decreases with hunt-only programs

Complete automation is an unrealistic goal

Focus and goals are more important than size of organization

Hybrid solutions and staffing models provide increased capabilities

Matt Shriner, vice president of professional services at Hewlett Packard Enterprise, said that security isn't an all-or-nothing game. Enterprises that treat automation and hunting as an either/or decision are not going to get the most out of their programs.

"Our observation and recommendation is in both automation and hunt programs. Having a SIEM platform, onboarding devices in real time, that must be your first line of defense. You have to be looking at IoCs while you are seeing data exfiltration," Shriner said.

The danger in collecting events over a long period is that most enterprises end up with a data lake in which not every suspicious event is caught. "There are no correlation rules for zero days. In a data lake, every event is still stored. Organizations will have a month or several months, even years of historical data that hasn't been analyzed," Shriner said.

That historical data can be a breeding ground for hypotheses. "You’ll find low and slow attacks or lateral movement going from system to system and then slowly starts exfiltrating," Shriner said.

Unless security teams know what hypothesis they are testing, they aren't really hunting at all. "They are going all in for a hunt, where they dump everything into a repository and focus all analysts on hunting. That's not really effective. A hunt team is only part of the solution because they still must have real time correlation," Shriner said.

SOCs that focus only on hunting miss what is happening in real time, and that in turn makes the hunt almost fruitless, because every hunt needs to start with a premise or hypothesis, and real-time alerts are where many of those hypotheses come from. "If you don't know what to start with, you don't know what to look for," said Shriner.
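The two modes Shriner contrasts can be shown side by side. The following Python is an added illustration written for this page, not code from the article or from the HPE report, and the telemetry it runs on is constructed for the example. A per-event correlation rule of the kind a SIEM applies in real time (here, a hypothetical per-transfer byte limit) fires on a large legitimate backup and never sees a daily trickle of data to one unusual destination. A hunt that starts from a stated hypothesis (assumed here: "one host sends a steady stream of small transfers to a destination no other host talks to") and is run over the retained history finds the trickle, which is the low-and-slow pattern described above. The host names, destinations, thresholds and byte counts are all assumptions, not figures from the report.

```python
from collections import defaultdict
from datetime import date, timedelta


def build_sample_events():
    """Constructed outbound-connection records (day, source host, destination,
    bytes sent), standing in for what a SIEM keeps in its data lake.
    Hosts, destinations and sizes are invented for this example."""
    events = []
    start = date(2016, 11, 1)
    for d in range(30):
        day = start + timedelta(days=d)
        # Two ordinary workstations using a shared content host every day.
        events.append((day, "ws-101", "cdn.example.net", 3_000_000))
        events.append((day, "ws-102", "cdn.example.net", 3_000_000))
        # Routine mail traffic from one host.
        events.append((day, "ws-102", "mail.example.org", 1_200_000))
        # A legitimate weekly backup: large, but only once a week.
        if d % 7 == 0:
            events.append((day, "ws-102", "backup.example.net", 80_000_000))
        # Low-and-slow exfiltration: a few MB every day to one address that
        # nothing else on the network contacts. No single transfer is large.
        events.append((day, "ws-117", "203.0.113.7", 4_000_000))
    return events


def realtime_rule(events, per_transfer_limit=50_000_000):
    """Per-event correlation rule: alert on any single transfer above the
    limit. This is what real-time SIEM correlation can evaluate as each
    event arrives. It has no memory across events."""
    hits = {(src, dst) for _, src, dst, sent in events if sent > per_transfer_limit}
    return sorted(hits)


def hunt_low_and_slow(events, min_days=20, min_total_bytes=50_000_000,
                      max_hosts_per_dst=1):
    """Hypothesis-driven hunt over retained history: a (host, destination)
    pair is suspicious if the host talked to that destination on many
    distinct days, moved a meaningful total volume in aggregate, and the
    destination is contacted by (almost) no other host. Each transfer on its
    own stays under the real-time threshold; only the aggregate stands out."""
    active_days = defaultdict(set)
    total_bytes = defaultdict(int)
    hosts_per_dst = defaultdict(set)
    for day, src, dst, sent in events:
        active_days[(src, dst)].add(day)
        total_bytes[(src, dst)] += sent
        hosts_per_dst[dst].add(src)

    hits = []
    for (src, dst), total in total_bytes.items():
        if (len(active_days[(src, dst)]) >= min_days
                and total >= min_total_bytes
                and len(hosts_per_dst[dst]) <= max_hosts_per_dst):
            hits.append((src, dst, len(active_days[(src, dst)]), total))
    return sorted(hits)


if __name__ == "__main__":
    sample = build_sample_events()
    print("real-time rule fired on:", realtime_rule(sample))
    print("hunt hypothesis matched:", hunt_low_and_slow(sample))
```

Run as a script, the real-time rule reports only the weekly backup (a false positive on this data), while the hunt reports the trickle from ws-117 and nothing else. The point is not the particular thresholds, which are assumptions, but that the second query cannot be expressed as a rule over one event; it needs the history the data lake retains and a hypothesis to decide what to aggregate.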

Perhaps that is why the report also found that the hybrid resourcing model is trending. "There's a big shortage of security personnel, but an even greater shortage of security analysts. There's a super high turnover. The work can be monotonous, and as analysts become good at their jobs, they become hugely valuable. They are amongst the highest recruited talent," said Shriner.

That high turnover rate has driven growth among managed security service providers (MSSPs). "The trend is to outsource the Level 1 analyst. There are some good MSSPs, and they will do a lot of that heavy eyes-on-glass work. Outsource that kind of heavy lifting. The Level 2, and incident response types, save that for on premise," Shriner said.

Outsourcing, as with most other aspects of security, is about balance. The more that is outsourced, the more access third parties have to the organization's data and environment. And speaking of access to information, another trend on the rise is the fusion center.

"This comes from public sector. From the early 2000s after 9/11 or Hurricane Katrina. In the last year, this idea of coordination in the commercial sector is picking up steam. Now we see fusion centers saying let's make sure we have identified use cases that specifically protect us," Shriner said.

Despite these new trends, one thing remains consistent. "There is no silver bullet. No technology out there is without vulnerabilities. It’s important to automate what you can, but not automate everything. There's still the significant people and process component," Shriner said.

This article is published as part of the IDG Contributor Network.