Why is SecOps becoming both easier and more difficult?

While SecOps has become easier in some ways, enterprises still struggle with areas such as data volumes, threat intelligence analysis and security alert volume and complexity.

"Are security operations easier or more difficult than they were two years ago?"

That's a question my colleague Dave Gruber and I ask security professionals each year on a security operations center modernization research project. The most recent version featured a survey of 374 security pros and IT pros with security operations (SecOps) responsibilities at midmarket and enterprise organizations.

The answers are always interesting.

In this year's study, 45% of respondents claimed SecOps is more difficult than it was two years ago; 11% said SecOps is about the same as it was two years ago; and 44% responded that SecOps is actually easier than it was two years ago.

Why would SecOps be easier than in the past? One reason could be increased investment in process automation: 38% of respondents said their organizations have automated security processes "extensively," and another 50% have done so "somewhat." Most automation effort has gone into level one tasks -- for example, looking up an IP address, determining who owns an asset, and comparing a file hash against known-malware databases such as VirusTotal. Automating these mundane but frequent tasks improves analyst throughput and productivity.

It's also interesting to compare organizations with fewer than 1,000 employees (midmarket firms) to organizations with more than 1,000 employees (enterprises). For example, 53% of respondents from midmarket firms said SecOps is more difficult than two years ago, compared with 42% of enterprises. On the other hand, 32% of midmarket firms claimed SecOps is easier than two years ago, compared with 49% of enterprises. One likely explanation is that enterprises have done far more process automation than their smaller counterparts.

Respondents who believed SecOps has become more difficult were asked a follow-up question: Why? This data is especially insightful regarding enterprise organizations because they tend to have more resources and sophisticated security technologies but also complex hybrid IT infrastructure and business applications.

So what's making SecOps more difficult for these organizations? Respondents cited the following difficulties:

  • Growing security data volume. SecOps depends on scalable and effective data collection, processing and analysis. Given today's data volume, many organizations struggle in areas such as data pipelining, stream processing and storage tiering. Technologies from vendors such as Abstract Security, AWS, Cribl, Databricks, Snowflake and Splunk can help address these areas, but this often requires architectural changes that can take months or years to implement.
  • The volume and complexity of security alerts. Security alert overload is well documented, which is why many enterprises are knee-deep in process automation. Still, it's difficult to keep up -- especially when the security team must familiarize itself with new alerts related to cloud security events, IoT technologies and constantly changing API security issues.
  • Operationalizing threat intelligence. This has been a common answer over the years. Too many organizations think threat intelligence analysis means monitoring all open source intelligence sources, as well as numerous commercial feeds. This approach to threat intelligence never works. They need to implement a threat intelligence lifecycle, with tailored intelligence feeds specific to their industry, geography and organization from vendors such as Flashpoint, Mandiant, Recorded Future, Ticura and ZeroFox. As they monitor and analyze more data, organizations might also need link-analysis tools from firms such as Maltego to gain visibility across disparate data sources. Operationalizing threat intelligence depends on business executives providing input into what they want and feedback on the reports they receive.
  • Monitoring gaps. This issue is a symptom of organizations where security is an afterthought, as well as where DevOps and software developers outpace and don't communicate well with security teams. Security groups need to be involved at the front end of projects to avoid this pitfall.
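The threat intelligence lifecycle described in the third item above, carried through in code as an added example that is not from the article's author or from any of the vendors named: an organization profile stands in for the requirements stage, indicators that do not match it are dropped on ingest rather than monitored, the same indicator from two feeds is merged, indicators age out, active indicators above a confidence threshold are matched against telemetry, and analyst feedback moves confidence up or down so the feedback stage actually changes what alerts next time. The profile tags, feed entries, log lines, time-to-live values and the 50-point threshold are all constructed for the example.

```python
"""Threat intelligence as a lifecycle, not a pile of feeds. Illustrative
code added to this article; profile, feed, log lines and thresholds are
constructed and the names are hypothetical."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class Indicator:
    value: str
    kind: str                 # "ip" or "domain"
    source: str
    confidence: int           # 0..100, moved by analyst feedback
    first_seen: datetime
    ttl_days: int             # stale IOCs breed false positives, so they age out
    tags: frozenset = field(default_factory=frozenset)

    def expired(self, now: datetime) -> bool:
        return now >= self.first_seen + timedelta(days=self.ttl_days)


class IntelStore:
    """Deduplicated, relevance-filtered indicators for one organization."""

    ALERT_THRESHOLD = 50      # hypothetical cut-off for raising an alert

    def __init__(self, profile: Set[str], now: datetime):
        self.profile = set(profile)   # requirements: industry, geography, stack
        self.now = now
        self.by_key: Dict[Tuple[str, str], Indicator] = {}
        self.dropped = 0              # intel that never met our requirements

    def ingest(self, ind: Indicator) -> bool:
        if not (ind.tags & self.profile):       # tailored, not "everything"
            self.dropped += 1
            return False
        key = (ind.kind, ind.value.lower())
        cur = self.by_key.get(key)
        if cur is None:
            self.by_key[key] = ind
        else:                                   # same IOC from a second feed
            cur.confidence = max(cur.confidence, ind.confidence)
            cur.tags = cur.tags | ind.tags
            cur.source = f"{cur.source},{ind.source}"
            cur.first_seen = min(cur.first_seen, ind.first_seen)
            cur.ttl_days = max(cur.ttl_days, ind.ttl_days)
        return True

    def active(self) -> List[Indicator]:
        return [i for i in self.by_key.values() if not i.expired(self.now)]

    def match(self, log_line: str) -> List[Indicator]:
        """Active indicators at or above threshold that appear in the line."""
        tokens = {("ip", t) for t in IPV4_RE.findall(log_line)}
        tokens |= {("domain", t.lower()) for t in DOMAIN_RE.findall(log_line)}
        hits = []
        for key in tokens:
            ind = self.by_key.get(key)
            if ind and not ind.expired(self.now) and ind.confidence >= self.ALERT_THRESHOLD:
                hits.append(ind)
        return hits

    def feedback(self, kind: str, value: str, false_positive: bool) -> int:
        """Close the loop: a false positive decays confidence, a confirmed
        sighting raises it. Returns the new confidence."""
        ind = self.by_key[(kind, value.lower())]
        ind.confidence = max(0, min(100, ind.confidence + (-25 if false_positive else 10)))
        return ind.confidence


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ORG_PROFILE = {"finance", "emea"}         # hypothetical requirements

FEED = [                                  # constructed feed entries
    Indicator("198.51.100.23", "ip", "vendorA", 70, NOW - timedelta(days=3), 30, frozenset({"finance"})),
    Indicator("198.51.100.23", "ip", "vendorB", 60, NOW - timedelta(days=1), 14, frozenset({"emea"})),
    Indicator("update.example.net", "domain", "osint", 60, NOW - timedelta(days=2), 7, frozenset({"finance"})),
    Indicator("203.0.113.9", "ip", "vendorA", 90, NOW - timedelta(days=60), 30, frozenset({"finance"})),
    Indicator("203.0.113.77", "ip", "osint", 95, NOW, 30, frozenset({"ics", "apac"})),
]

LOG_LINES = [                             # constructed proxy/firewall telemetry
    "2024-05-01T11:58:03Z proxy src=10.10.4.2 dst=198.51.100.23 host=update.example.net act=allow",
    "2024-05-01T11:59:10Z fw src=10.10.4.9 dst=203.0.113.9 act=allow",
    "2024-05-01T11:59:40Z fw src=10.10.4.9 dst=203.0.113.77 act=allow",
]


def build_store() -> IntelStore:
    store = IntelStore(ORG_PROFILE, NOW)
    for ind in FEED:
        store.ingest(ind)
    return store


def sweep(store: IntelStore) -> Dict[str, List[str]]:
    """Map each log line to the sorted indicator values it matched."""
    return {line: sorted(i.value for i in store.match(line)) for line in LOG_LINES}


if __name__ == "__main__":
    s = build_store()
    print(f"{len(s.active())} active of {len(s.by_key)} stored, {s.dropped} dropped")
    for line, hits in sweep(s).items():
        print(hits or "-", line)
```

Of the five feed entries only two can ever alert: the ICS/APAC indicator never enters the store, the 60-day-old indicator has aged out, and the two vendor records for 198.51.100.23 collapse into one. After an analyst marks update.example.net as a false positive its confidence drops below the threshold and the same proxy line matches only the IP, which is the behaviour the feedback stage of the lifecycle is supposed to produce.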

It is nice to see that some organizations are easing the SecOps burden, but too many continue to be bogged down by the weight of everything related to SecOps. There's no easy fix here. CISOs must look across people, processes and technologies while working closely with business and IT brethren to address these issues.

Jon Oltsik is analyst emeritus and founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.
