Gartner: Expanding SOC capabilities a priority for enterprises

Dawn of the modern SOC

Gartner forecasts 50% of all SOCs will transform into modern SOCs -- with integrated incident response, threat intelligence and threat hunting capabilities -- by 2022.

"While this is probably accurate for Fortune 1000 companies, those below the Fortune 1000 are more likely to outsource SOC capabilities," TCE Strategy CEO Bryce Austin said in an email interview. "However, the contracts around those outsourcing agreements are often heavily skewed in favor of the SOC provider, rather than the recipient of SOC services."

While companies with limited budgets can outsource the SOC capabilities, Firtbrook said, they cannot outsource the business response.

"If you have a huge ransomware incident somebody is going to be responsible for recovering that code, or resuming business operations, or if there's a breach then you need PR and legal involved," Firstbrook said. "You still have to plan your playbooks for business response, but you may not have to plan as much around technical response. You're more likely going to pull those off the shelf and say, 'OK, we've got a couple of different playbooks for different types of threats to the organization.'"

As companies realize they need to adopt a more balanced approach to security -- that covers prevention and detection, with a renewed effort to improve response and prediction capabilities -- they should focus on expanding SOC capabilities beyond just SIEM systems, experts said.

"A SIEM is a very good start, but it's just a start," Austin said. "A SIEM is only as good as the data it is fed, and the knowledge of the operators that are analyzing the data is more important than the SIEM tool itself. SIEM tools are very useful, but they are a tool, just like a good set of Snap-On mechanic's tools. They are no substitute for a good mechanic to use the tool properly."

Incorporating EDR and user and entity behavior analytics tools are helpful in detecting under-the-radar threats that evade perimeter and traditional defenses, Firstbook said. Complementing it with security orchestration and automation response (SOAR) tools helps with orchestrating and automating response playbooks and accelerates the response process, he added.

Drafting an effective risk appetite statement

An ongoing challenge faced by security and risk management leaders is their inability to communicate effectively with senior executives and business decision-makers, Firstbrook said. As a result, CISOs often miss a clear opportunity to advocate for security.

"Security and risk management professionals tend to come from the technology department and the business doesn't understand technology, so we're always looking for new ways to communicate with the business and to agreeing on things like levels of risk that are acceptable," he said.

Think of your risk appetite statement as your mission statement for security.

As a result, security and risk management leaders are beginning to create risk appetite statements that are clear, simple and pragmatic and are linked to business goals, Firstbrook said.

"Think of your risk appetite statement as your mission statement for security," Firstbrook said. "They are what should you be focusing on, what's the most important thing to the business, and you're just going through the project of negotiating these things ... a way of communicating with the business and getting some agreement and buy-in from the business people."

Conducting workshops to agree with the business on a risk appetite statement is an effective measure that CISOs can implement, he suggested.

"If they're wasting their time and priorities on things that [don't] matter to the business, then this will help reveal that," Firstbrook said.

Passwordless authentication is gaining traction

The passwordless authentication trend is being driven by user demands for fewer roadblocks in the way of them doing their job, Firstbrook said. Passwordless authentication when combined with biometrics can be much harder to crack than other forms of multifactor authentication, he added.

"It achieves two goals: It helps the customers because they're happy they don't have to use passwords all the time and it actually improves the security of the applications," he said.

But passwordless authentication will require "both the 'something-you-have' and 'something-you-are' authentication to reach a level of maturity that they are not yet at," Austin said.

"'Something-you-are' authentication is making huge strides thanks to high-end smartphones and laptops, but it still hasn't reached mainstream," he said. "'Something-you-have' is farther along -- the new line of YubiKey is a good example -- but neither are ready to completely replace the password. I think we are five years away from passwordless authentication becoming mainstream."

Findings from the report will be presented during Gartner's Security & Risk Management Summit in June.