Intel Security recently discussed its research report on how SOCs work in enterprises today, with a writeup in HelpNetSecurity. They interviewed 400 security practitioners and found some interesting stats:
- On average, security teams are unable to sufficiently investigate 25% of their alerts. This was consistent across company sizes and geographies. That’s for a full investigation.
- Even worse, 93% of companies were unable to triage all potential threats.
- 67%, two thirds, reported a rise in security incidents, and 57% say this is due to an increase in overall attacks.
- Overall, the highest priority for investment is to improve the ability to respond to confirmed attacks.
These results make a lot of sense, based on what we see in our own customer base. Security engineering tends to be the primary buyer and consumer of security technologies, and these teams are usually very focused on detection. Incident response is often a separate group, and security engineers don’t have much exposure to response policies and procedures. As a result, IR may not receive the same investment and attention as security architecture.
When we read about security staffing shortages, this often refers to the IR teams with the expertise to investigate thoroughly. Those experts aren't born, they're trained, and they are very valuable.
Our own industry, UEBA, is very focused on detection. At Exabeam, we've found that the ability to create investigation timelines, showing both good and bad activity, can be extremely useful to IR teams. Responding effectively to completely eradicate threats is just as important as finding those threats.
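To illustrate the kind of timeline described above, here is an added example (not Exabeam's product code or anything from the Intel Security report). It takes a constructed set of log events for a user, some routine and some flagged by a detection rule, and assembles the activity around the flagged events into one time-ordered view so an investigator sees the benign context alongside the alerts. The event fields, the six-hour window and the sample data are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Event:
    ts: datetime
    user: str
    source: str      # log source the event came from (vpn, ad, proxy, ...)
    action: str
    flagged: bool = False  # True when a detection rule fired on this event


# Constructed sample events for the example (not real log data).
# Routine activity is mixed with two flagged events for the same user.
SAMPLE_EVENTS: List[Event] = [
    Event(datetime(2017, 1, 10, 8, 2), "jdoe", "vpn", "login from home office"),
    Event(datetime(2017, 1, 10, 8, 5), "jdoe", "ad", "kerberos ticket for fileshare"),
    Event(datetime(2017, 1, 10, 9, 30), "jdoe", "proxy", "web browsing to internal wiki"),
    Event(datetime(2017, 1, 10, 14, 12), "jdoe", "vpn", "login from new country", flagged=True),
    Event(datetime(2017, 1, 10, 14, 15), "jdoe", "ad", "added to Domain Admins", flagged=True),
    Event(datetime(2017, 1, 10, 14, 20), "jdoe", "fileshare", "read 3 files in finance share"),
    Event(datetime(2017, 1, 10, 18, 0), "jdoe", "vpn", "logout"),
    Event(datetime(2017, 1, 10, 14, 13), "asmith", "vpn", "login from home office"),
]


def build_timeline(events: List[Event], user: str,
                   window: timedelta = timedelta(hours=6)) -> List[Event]:
    """Return the user's events, benign and flagged, that fall within
    `window` of any flagged event, sorted by time.

    Returns an empty list when nothing was flagged for the user, since
    there is then no alert to build an investigation around."""
    user_events = [e for e in events if e.user == user]
    anchors = [e.ts for e in user_events if e.flagged]
    if not anchors:
        return []
    start = min(anchors) - window
    end = max(anchors) + window
    return sorted((e for e in user_events if start <= e.ts <= end),
                  key=lambda e: e.ts)


def render(timeline: List[Event]) -> str:
    """Render the timeline as text, marking flagged events with '!!'
    so an analyst can see the alerts in the context of normal activity."""
    lines = []
    for e in timeline:
        marker = "!!" if e.flagged else "  "
        lines.append(f"{marker} {e.ts:%Y-%m-%d %H:%M} {e.source:<10} {e.action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_timeline(SAMPLE_EVENTS, "jdoe")))
```

With the six-hour window, the early-morning VPN login and Kerberos ticket fall outside the view while the later file-share reads and logout stay in, which is the point of the timeline: the investigator sees what the account did before and after the flagged events without having to pull each log source separately.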