According to a recent report released by Hewlett-Packard Enterprise, a large majority of security operations centers, or SOCs, have not attained the requisite level of maturity to enable them to adequately protect their organizations against cyberattacks.
HPE’s State of Security Operations Report 2017, the fourth annual assessment of its kind, found that 82 percent of SOCs are falling below target maturity levels, due in large part to difficulties in attracting and retaining skilled IT security talent. I had the opportunity to discuss the report with Chandra Rangan, vice president of product marketing for HPE Software, who indicated that getting SOCs to where they need to be is a monumental task:
Security operations really started off as a means for compliance, 15 years back. With everything that’s happened since the Target breach, more and more security operations are getting serious about protecting the organization as their primary goal — not just compliance. That shift is tough to make, because it’s like setting up an ERP system from scratch, with all the processes and everything that’s involved — that’s kind of what you’re looking at. To do a decent job of protecting the organization, you’ve got to start with the business side: What are the real objectives? Where is the important data? What am I trying to protect? What is the risk that I’m willing to take on as an organization? That’s not a security operations role — that’s a business role. And then security operations needs to work with IT to collect the data; build use cases to understand what’s happening across all of these data sets; put a very robust process in place to be able to monitor and investigate; and then hire the right analysts with the right skillsets who can do that.
One of the findings that came out of the report was that SOC maturity decreases with hunt-only programs, and that programs that focus solely on hunt teams have an adverse effect. I asked Rangan to what he would attribute the fact that this approach has been adopted as widely as it has, and he explained it this way:
These aren’t the sophisticated security operations centers — these are maybe five or eight people, maybe a couple of folks who are part-time, and they need to have some sort of security operation. So what do they start with? They start with the network guy finding a problem, or they find a bunch of infected PCs. They need an answer quickly, so you have your few precious security analysts trying to firefight, and go back and investigate what has already happened. And it becomes a never-ending cycle. Once you solve one of these problems, you feel like a hero, and it perpetuates itself. Once you get in that mode, in the short term you feel great — you feel you’re driving value. But really what is happening is, you’re finding issues after the fact — you’re not proactively protecting the organization. It is those security operations centers that were not very mature to start with, and we’re trying to get them to a higher level of maturity — trying to staff up without falling into the trap of firefighting mode. There are quite a few euphemistically termed security operations groups who are not really doing security operations — they’re doing hunting.
I asked Rangan if HPE learned anything from the report that has prompted it to make any internal changes in terms of mitigating its own risk. He opted to focus his response more on HPE’s security operations prowess:
We actually do have one of the most sophisticated security operations on the planet. In fact, we have two security operations teams. One manages HPE’s own security posture — we have a huge footprint, and they do it with a very small team. They do it with tens of people, not hundreds. They are just phenomenally effective, because they have done a lot of automation. We are actually very, very efficient internally. And we have a second security operations team that does managed security services. It has more than 10 security operations centers globally. These security operations that we have internally are part and parcel of the assessments that we do. We actually learn from them, and we give back, as well.
In the context of that response, I brought up the well-publicized incident in October, in which the United States Navy announced that the names and Social Security numbers of 134,000 current and former service members were accessed as the result of the compromise of the laptop of an HPE employee. I asked Rangan what lessons HPE has learned from that incident. He thanked me for bringing it up, but said he wasn’t the right person to talk about that topic. He steered me to an HPE spokesperson who could put me in touch with the right people, but the spokesperson was only able to provide the following statement from HPE:
“The security and privacy of our clients is a top priority for Hewlett Packard Enterprise (HPE). This event has been reported to the Navy and because this is an ongoing investigation, HPE will not be commenting further out of respect for the privacy of our Navy personnel.”
That was a shame, because The Navy Times had reported that the Navy was pressing HPE to pay for credit monitoring services for sailors affected by the data breach, and I was eager to find out if that issue had been resolved. My hope is that by the time HPE comes out with its next State of Security Operations Report 2018, it will have been able to share some lessons learned from this incident.
A contributing writer on IT management and career topics with IT Business Edge since 2009, Don Tennant began his technology journalism career in 1990 in Hong Kong, where he served as editor of the Hong Kong edition of Computerworld. After returning to the U.S. in 2000, he became Editor in Chief of the U.S. edition of Computerworld, and later assumed the editorial directorship of Computerworld and InfoWorld. Don was presented with the 2007 Timothy White Award for Editorial Integrity by American Business Media, and he is a recipient of the Jesse H. Neal National Business Journalism Award for editorial excellence in news coverage. Follow him on Twitter @dontennant.