Recently, Command Zero released its “Top Challenges in Cyber Investigations & Recommendations for SecOps Leaders” report.  The data in the report comes from interviews conducted with 352 security leaders over a period of 24 months.  The respondents came from a variety of company sizes, industry verticals, and job titles.

While the full report is definitely worth a read, I’d like to analyze the data contained in the report along three different dimensions:

1. Simplifying complexity can help address the talent gap
2. Increasing visibility, particularly in hybrid and multicloud environments, is necessary
3. Empowering analysis and improving analytics can facilitate security investigations

Let’s dive in and have a closer look at each of these three points.

Simplifying Complexity

Simplifying complexity is a topic most of us hear about regularly in the security field.  But how can simplifying complexity help us address the security talent gap?  The report includes some interesting data points that can help us understand the answer to that question:

• 88% of respondents expressed concerns about operational issues related to the lack of access to skilled staff and high attrition rates
• 74% of respondents stated they felt their team lacked the skills in public clouds to perform high-quality investigations

Not surprisingly, nearly all of the respondents are experiencing operational issues that stem from not being able to recruit and retain talented and trained security professionals.  Further complicating this is that a strong majority of respondents felt that public cloud skills were lacking in their teams.

Indeed, nearly all organizations today have complex infrastructures, most often involving hybrid and multicloud environments.  This has greatly increased the knowledge burden on security professionals.  The breadth of skills required to adequately perform security functions in modern environments is far greater than it was even 10-15 years ago.

This complexity has a direct impact on an organization’s security posture. There are too few resources that need to perform too many varied tasks in too many different environments.  This is not a recipe for success.  Solutions that abstract the complexity of modern environments and make it easier and simpler for security professionals to interact with those environments are sorely needed.  This is the case both for preventive and detective controls.

Increasing Visibility

No organization can protect what it cannot see, and unfortunately, visibility across modern infrastructures is most often not where it should be. Because of this, increasing visibility, particularly in hybrid and multicloud environments, is a must.  Given that, I found the following data points from the report to be quite thought provoking:

• 75% of respondents cited the lack of resources and skills required for integrating data sources into SIEM and SOAR
• 76% of respondents were unsure if they had collected all the data necessary to adequately investigate breaches across all their computing platforms
• 83% of respondents stated that access to SaaS log data is essential for incident response. However, less than 50% ingest SaaS logs into their incident response data platforms
• Only 28% of organizations automate the integration of non-security data sources

Based on these data points, it seems that there is significant room for improvement.  In particular, priorities around increasing visibility throughout the industry would seem to be:

• Making it easier for organizations to integrate data sources, including those from cloud environments, into their security operations workflow
• Enabling organizations to collect data from all environments and systems, regardless of where they live
• Facilitating the incorporation of SaaS log data into the security operations workflow
• Including non-security data sources that are critical for incident response investigations into the security operations workflow

These are priorities that will require focus, dedication, and an investment in time and technology, though they will go a long way towards addressing the challenges noted by the respondents.

Empowering Analysis

Security investigations can be hampered by a number of factors. One of these is when security analysts have difficulty efficiently and effectively analyzing data. Indeed, several data points in the report highlighted this challenge:

• 92% of respondents cited the lack of a standardized collaboration tool as a key challenge during cyber investigations
• 80% of CISOs find tracking and complying with regulatory reporting overly complex
• 79% of respondents cited time-consuming reporting requirements and updating management (as well as other stakeholders) as a significant challenge

Given these findings, it seems to me that there are a number of challenges that need to be addressed in this area:

• Empowering analysis and improving analytics around incident investigations that are complicated by the difficulty that security analysts face when getting the right data, analyzing that data, collaborating with one another, taking lessons learned, and applying those lessons learned going forward
• Improving and simplifying reporting around compliance with regulatory requirements
• Facilitating timely, relevant, interesting, easy to produce, regular reports to and updates for management and other stakeholders

Solutions that can provide relief for and assistance to overtaxed security teams in these areas will likely find a receptive audience in the organization’s security team.

While there are many challenges in security operations and incident response, the Command Zero report (PDF) does a good job of highlighting some of the key ones.  There are likely many ways to slice and dice the data in the report.  By looking at three such ways, I hope to have been able to communicate why simplifying complexity, increasing visibility, and empowering analysis are important to improving the state of security operations.