Yet research shows the SOC is allocated less than one-third of the total IT security budget, on average. What can be done to change this?
It’s worth considering what we know about how security, and a SOC in particular, justifies its existence, budget and organisational value.
A well-resourced security operation is a risk offset - a type of insurance. How much risk are you taking and what are the consequences if you don’t invest?
Risk continues to be a useful justification for security spend, given the number of high-profile companies that keep getting pwned and the growing acknowledgement of specific attack types in the forward-looking risk factor statements of listed entities.
Over the past decade, we’ve seen methodologies like the return on security investment (ROSI) try to quantify what this risk looks like in real dollar terms, though many of these methodologies fall short on delivery.
“CFOs and CEOs would be ecstatic to see detailed and specific ROSI, especially if it could be boiled down to a dollar figure. This would streamline budget assignment and approvals as you could easily calculate a quantifiable benefit,” writes Attivo Networks’ Chief Deception Officer Carolyn Crandall.
But risk is not the only path to security budget. A SANS Institute presentation suggests the first 80% of the budget battle is to “find a friend” in the C-Suite and show them “how investments in the SOC act as force multipliers.”
Proving that any security spend is a force multiplier is already hard to quantify with existing methodologies.
Additionally, by pinning future hopes of investment on executive visibility, one must bank on the executive’s tenure being long enough to produce a sustainable funding outcome; CEO turnover in Australia last year was 21.9%, according to PwC figures.
Achieving longevity of security funding may require us to step away from opaque costing of risk and a reliance on executive relationships, and instead find better ways to price and value what it is we do.
Two possible measures come to mind.
First, it may be possible to quantify the cost of not containing an attacker at the perimeter of the corporate network where their ability to inflict damage is still somewhat limited.
Recent Mandiant research showed 54 percent of early-stage attack tactics are missed and 53 percent of attacks “successfully infiltrate environments without detection”.
Dwell time - how long an attacker is able to remain undetected before being discovered and booted out - has drastically improved over the years, down from a median of 418 days in 2011 to 78 days more recently.
Ideally, attacks are detected quickly and contained to a point where the attackers (and their motives) can be safely observed without impacting operations.
Deception Technology layered over traditional protections such as endpoint detection and response (EDR), firewalls or intrusion detection and prevention (IDP) systems provides one way to create that containment.
An attacker can be lured into engaging with fake credentials, data and systems, leaving them with an impression they are making headway while they are, in fact, firmly sandboxed at the periphery.
There is a clear benefit from not letting an attacker break out from the first system they hit. However, more work is needed to model this as a tangible value of security investment.
Second, it may be possible to put a price on security alerts: or, more to the point, on the value of alerts produced by different security systems.
SOCs handle masses of alerts, yet many of them aren’t particularly useful. Mandiant’s recent research pointed to only 4% of reconnaissance activity and 9% of attacks actually generating alerts.
Of alerts that are generated and received, up to 82 percent are never followed up, one security industry analyst mentioned to me recently.
Security teams have long wanted a way to cut through the noise and false positives to get to the most relevant and serious alerts. Some systems do this better than others.
There is an overall productivity enhancement to be had from receiving only high-fidelity alerts that are actionable or even automated - so that if ransomware, for example, is detected, you can automatically prevent the spread.
The fidelity of alerts from Deception Technology platforms can be extremely high, because there is no chance of false positives. Nothing legitimate should ever touch a deception environment.
There is no business-as-usual value in deceptive credentials, data or systems, which means they won’t ever be found except by those that come looking.
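One way to put the "price of an alert" idea into practice is to measure each alert source by the precision of its triaged alerts, how many of its alerts the SOC actually gets to, and the analyst minutes spent per confirmed incident. The script below is an added example, not code from the article or from Attivo Networks; the alert records, host names, source names and the 15-minute triage cost are all constructed. It also handles the one practical caveat to "nothing legitimate should ever touch a deception environment": an authorised vulnerability scanner that is allowed to sweep the network will hit decoys, so its decoy hits are allowlisted and counted separately rather than treated as intrusions.

```python
"""Per-source alert fidelity and cost-per-true-positive over a constructed alert sample."""
from collections import defaultdict

# Hosts permitted to touch decoys (hypothetical: an authorised vulnerability scanner).
# Their decoy hits are expected noise, not intrusions.
DECOY_ALLOWLIST = {"scanner-01"}


def _alerts(source, src_host, dispositions):
    """Build alert records. disposition: 'tp' = confirmed malicious,
    'fp' = benign, None = never triaged by an analyst."""
    return [{"source": source, "src_host": src_host, "disposition": d}
            for d in dispositions]


# Constructed sample alert log (not real telemetry).
SAMPLE_ALERTS = (
    _alerts("edr", "ws-042", ["tp", "tp", "tp", "fp", "fp", "fp", "fp", "fp", None, None])
    + _alerts("ids", "ws-017", ["fp", "fp"] + [None] * 8)
    + _alerts("deception", "ws-099", ["tp", "tp", "tp"])   # unknown host touched decoys
    + _alerts("deception", "scanner-01", ["fp"])          # allowlisted scanner hit a decoy
)


def source_stats(alerts, allowlist=DECOY_ALLOWLIST):
    """Count alerts, triaged alerts and true positives per source.
    Deception alerts from allowlisted hosts are suppressed and counted apart."""
    stats = defaultdict(lambda: {"total": 0, "triaged": 0, "tp": 0, "suppressed": 0})
    for a in alerts:
        s = stats[a["source"]]
        if a["source"] == "deception" and a["src_host"] in allowlist:
            s["suppressed"] += 1
            continue
        s["total"] += 1
        if a["disposition"] is not None:
            s["triaged"] += 1
            if a["disposition"] == "tp":
                s["tp"] += 1
    return dict(stats)


def precision(s):
    """Share of triaged alerts that were confirmed malicious."""
    return s["tp"] / s["triaged"] if s["triaged"] else 0.0


def follow_up_rate(s):
    """Share of alerts an analyst actually looked at."""
    return s["triaged"] / s["total"] if s["total"] else 0.0


def rank_sources(alerts, allowlist=DECOY_ALLOWLIST):
    """Rank sources by precision, then follow-up rate.
    Returns (source, precision, follow_up_rate, suppressed_count) tuples."""
    stats = source_stats(alerts, allowlist)
    rows = [(name, round(precision(s), 3), round(follow_up_rate(s), 3), s["suppressed"])
            for name, s in stats.items()]
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return rows


def cost_per_true_positive(alerts, minutes_per_triage, allowlist=DECOY_ALLOWLIST):
    """Analyst minutes spent on triage per confirmed incident, per source.
    None means the source produced no confirmed incident at all."""
    out = {}
    for name, s in source_stats(alerts, allowlist).items():
        out[name] = (s["triaged"] * minutes_per_triage / s["tp"]) if s["tp"] else None
    return out


if __name__ == "__main__":
    for row in rank_sources(SAMPLE_ALERTS):
        print("source=%s precision=%.3f follow_up=%.3f suppressed=%d" % row)
    print(cost_per_true_positive(SAMPLE_ALERTS, minutes_per_triage=15))
```

On the constructed sample the deception source ranks first (every non-allowlisted decoy touch was a confirmed intrusion, and all were triaged), the EDR source sits in the middle, and the IDS source produces alerts that are mostly never looked at and, of those that are, all benign. The cost-per-true-positive figure is the kind of number that can be carried into a budget conversation: it converts alert volume into analyst time per real incident, which is what a SOC actually pays for.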
*Jim Cook is the ANZ Regional Director at Attivo Networks.*