Industry research firm Gartner asked cybersecurity thought leaders to submit a video of themselves answering the question “What are your customers’ top security priorities?” for the Gartner Security & Risk Management Summit, a virtual event for the EMEA region held this month. Julian Waits, general manager of cybersecurity for Devo, was among those to whom Gartner posed the question. His video is below, and this blog post offers an expanded version of his response.
I regularly speak with CISOs and other security leaders who are Devo customers and ask them about their priorities. Three topics consistently appear at the top of their lists: people, visibility, and automation.
CISOs and other enterprise security leaders know that security operations center (SOC) analysts have one of the most challenging jobs in cybersecurity: keeping their organizations safe from a vast array of cyberthreats. The biggest challenge for SOC analysts—and those who manage them—is fatigue. SOCs must run 24 hours a day/7 days a week. With so many people working from home due to the pandemic, new threat vectors are appearing daily. The number of alerts is immeasurable. That’s why SOC analysts must be at the top of their game—every day.
As the 2020 Devo SOC Performance ReportTM shows, SOC analyst burnout is a huge problem. This year, 78% of those surveyed said working in a SOC is “painful,” up 8 percentage points from 2019. And 75% of respondents cited heavy workload as the number-one reason for SOC analyst burnout.
A SOC is only as good as the analysts who work in it. Alleviating the enormous pressure on SOC analysts is a crucial component of security transformation. CISOs know that when it comes to operating a successful SOC, technology is important but people are the key. Simply put: people matter.
The next priority for CISOs is ensuring their teams have visibility into the environment they’re responsible for protecting. CISOs strive to provide technologies that enable people to do their jobs well. And the first thing those technologies must deliver is visibility. SOC analysts can’t secure what they can’t see.
According to the new Devo eBook Building the Modern SOC, the first step to achieving full visibility is to centralize all of your organization’s security data. The place to do this most effectively is the cloud. Analysts need high-fidelity detections that focus on the known, the unknown, and the specific entities involved in a threat. High-fidelity detections give analysts what they deserve—data they can actually use to see and stop the threats that matter most to your organization quickly and accurately. Visibility is the vital ingredient that enables analysts to extract intelligent insights from your data.
If you thought that data volumes were already outrageous for large organizations, the average Devo customer has more than 10 terabytes of daily data ingest. Compound that amount of data with the unknown number of indicators of compromise (IOC) that are coming into the environment during the pandemic. There’s no way to tell exactly what the security posture is of each of the places people are working today, whether they’re at home or on the road.
Last but not least on the list of CISO priorities is one of the fastest growing areas of SOC technology: automation. CISOs say they spend a lot of time trying to determine if the technologies they have purchased for their SOCs are actually helping analysts find threats and eliminate them as quickly as possible. CISOs recognize that breaches will occur, so they ask themselves and their teams to determine if their SIEM and SOAR (security orchestration, automation, and response) solutions are tuned so most of the detection work that typically was performed by Tier-1 analysts is now being handled automatically. By automating as much routine detection work as possible, Tier-1 analysts can focus on responding to the most severe threats instead of trying to handle every threat, which overwhelms analysts and leads to alert fatigue.
The Building the Modern SOC eBook talks about how to “supercharge analysts with the power of automation.” In addition to automating a great deal of detection work, automation can play another important role in today’s SOCs. Automated enrichment of events enables analysts to see a clear, complete picture of the threat landscape without having to spend valuable time manually querying multiple tools. A true next-gen SIEM can provide a context-rich view of entities, alerts, and prior learning to speed detection and, ultimately, triage and investigation. Using automation to enrich events provides analysts with real-time, actionable data and rich context, enabling them to investigate and threat hunt more effectively and efficiently.
There will always be new challenges and new priorities for CISOs. That’s why Devo will continue to raise the bar for next-gen SIEM performance by delivering the visibility, instant access to enriched data, and automation of alerts and workflow that drive security transformation and enable analysts to detect, investigate, and respond to threats with a higher degree of confidence than before.