Moving security operations to the cloud

New ESG research finds organizations are aggressively replacing on-premises security analytics and operations technologies with cloud-based alternatives. The shift comes with both short-term wins and strategic benefits.


Sisyphus could be the official mascot of security operations.

Sixty-three percent of respondents to a recent ESG survey of 406 IT and cybersecurity professionals say that security operations is more difficult today than it was two years ago. Why?

  • 41% of survey respondents point to the rapidly evolving and changing threat landscape, which is forcing SOC teams to keep up on cyber threat intelligence analysis, track the latest indicators of compromise, and understand the tactics, techniques, and procedures of cyber adversaries.
  • 35% cite the increased volume of security data that is collected and processed. I’m not surprised by this. In my experience, many organizations underestimate the resources, skills, and time necessary to manage the security data pipeline … and it is catching up with them.
  • 34% say the volume of security alerts has increased over the past two years. As security alert volume escalates, it exposes other security operations issues like a reliance on manual processes and point tools.
  • 30% say that growth in the attack surface increases the workload on the SOC team.

It’s also important to remember that these security operations challenges are exacerbated by the ongoing cybersecurity skills shortage as there just aren’t enough skilled bodies to throw at problems.

Hoping to get off this security operations treadmill, many organizations are turning to the public cloud for help: 41% of organizations say they now prefer cloud-based security analytics/operations technologies, and another 17% are willing to consider cloud-based security analytics/operations technologies on a case-by-case basis.

How cloud-based technologies can help

Traditional security analytics and operations platforms rely on racks of servers and storage devices and generate a lot of network traffic. That means upfront capital costs plus engineering, deployment, customization, and system tuning. Most of that overhead disappears when an organization points its security telemetry at the cloud, an approach often called "lift and shift" or the "dumb cloud." What does not disappear is the collection layer: the organization still runs (and must secure) the forwarders and collectors that ship telemetry out of its environment, and it pays for that egress bandwidth.

Whatever you call it, cloud-based security operations technology converts capital expense into operating expense and removes much of the overhead associated with implementing and maintaining the technology.

"Lift and shift" is an obvious short-term win, but there is a second, more strategic benefit to cloud-based security operations technology: with access to effectively unlimited storage and processing resources, it can deliver capabilities that most organizations cannot build on their own. For example, cloud-based security operations technologies make it feasible to retain security data online for longer, so that a newly published indicator can be swept against months of history during retrospective investigations and threat hunting, and to process massive amounts of data to build and tune machine learning models. Cloud-native applications can also be built from containers and microservices for flexibility and scalability.
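To make the retention point concrete, here is an added example (not code from the article or from ESG) of a retrospective IOC sweep: a threat-intelligence feed names an indicator months after the intrusion began, and the same hunt is run against a 30-day window, a 90-day window, and a keep-everything store. The log lines, hostnames, indicators, and dates are all constructed for the illustration; the log format is a hypothetical one-line "timestamp host destination bytes" record.

```python
"""Retrospective IOC sweep over retained telemetry (added example, constructed data)."""
from datetime import datetime, timedelta, timezone
import re

# Constructed proxy-style records: "<ISO-8601 UTC timestamp> <host> <destination> <bytes>".
# Nothing here comes from a real environment or a real intelligence feed.
RETAINED_LOGS = """\
2019-11-03T08:12:45Z wks-114 198.51.100.23 4821
2019-11-03T08:13:02Z wks-114 update.example-cdn.net 1203
2019-12-19T22:41:10Z srv-db-02 198.51.100.23 91833
2020-01-27T03:05:51Z wks-207 evil-update.example 2210
2020-02-14T11:22:09Z wks-114 203.0.113.77 550
not a log line at all
2020-02-28T17:48:33Z srv-db-02 198.51.100.23 1048576
""".splitlines()

# Constructed indicators (one IP, one domain) that "arrived" in a feed on NOW.
INDICATORS = {"198.51.100.23", "evil-update.example"}
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<dest>\S+)\s+(?P<bytes>\d+)$")


def parse_line(line):
    """Parse one record; return None on malformed input so a bad line cannot abort the sweep."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"ts": ts, "host": m["host"], "dest": m["dest"].lower(), "bytes": int(m["bytes"])}


def hunt(lines, indicators, now, retention_days=None):
    """Return indicator matches still visible under a retention window ending at `now`.

    retention_days=None models a store that keeps everything online; an integer models a
    platform that has already aged out anything older than that many days.
    """
    cutoff = None if retention_days is None else now - timedelta(days=retention_days)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash
        if cutoff is not None and rec["ts"] < cutoff:
            continue  # already rolled off this platform's retention
        if rec["dest"] in indicators:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])


def dwell_time_estimate(hits, now):
    """Whole days from the earliest visible hit to `now`; None if nothing matched."""
    if not hits:
        return None
    return (now - hits[0]["ts"]).days


def compare_windows(lines, indicators, now=NOW, windows=(30, 90, None)):
    """Run the same sweep under several retention windows and summarize what each can see."""
    summary = {}
    for days in windows:
        hits = hunt(lines, indicators, now, days)
        summary[days] = {
            "hits": len(hits),
            "hosts": sorted({h["host"] for h in hits}),
            "earliest": hits[0]["ts"].date().isoformat() if hits else None,
            "dwell_days": dwell_time_estimate(hits, now),
        }
    return summary


if __name__ == "__main__":
    for days, result in compare_windows(RETAINED_LOGS, INDICATORS).items():
        label = "keep everything" if days is None else f"{days}-day retention"
        print(f"{label:>18}: {result}")
```

With a 30-day window the sweep finds one hit on one host and estimates a one-day dwell; with 90 days it finds three hits on two hosts; only the keep-everything store exposes the first beacon from wks-114 in November and a dwell time of roughly four months, which changes the scope of the incident and which host gets imaged first. The parser deliberately tolerates malformed lines, since a hunt over months of mixed telemetry should never abort on one bad record.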

Since security analytics/operations is a big data application, why not align it with big data technology resources available in the public cloud?

In an enterprise technology world increasingly dominated by Amazon, Google, and Microsoft, this may all seem like a no-brainer, but remember that we are talking about security data here. In ESG research from just a few years ago, over 70% of respondents said they would never move security data to the cloud. Since then, attitudes have changed radically. CISOs now reason that keeping security data under their own roof is worth little if they cannot collect, process, analyze, and act on that telemetry in a timely and effective manner. The data is no less sensitive for having moved, though: security telemetry carries internal hostnames, user identities, and sometimes credentials, so the same controls on encryption in transit and at rest, access, and retention that applied on premises have to be verified on the cloud platform.

Security operations technology vendors see the writing on the wall and are responding accordingly. Yes, everyone is moving their technology to the cloud, but the real leaders will go beyond "lift and shift" and put massive cloud-based processing and storage resources to work in innovative ways. Stay tuned!

Copyright © 2020 IDG Communications, Inc.
