About seven years ago, when I served as the cyber and intelligence director for Israel’s largest defense contractor, one of the biggest projects I oversaw was building a training simulator for security operations teams from around the world.
When these security teams came to our facility, one of the major skills we tested was how well members communicated and collaborated during an incident. It wasn’t uncommon during these drills for one or more of the investigators to pick up a marker and start drawing on the whiteboard, visualizing a process or devising an execution plan.
Unfortunately, face-to-face human connection and collaboration – so vital to a security operations center – has largely been lost because of the COVID-19 pandemic and the new remote normal that has developed. Today, our brainstorming and strategy discussions happen not in person, but on Zoom, Teams or the user's platform of choice.
A recent survey by Siemplify that polled nearly 400 security operations professionals found that more than a quarter (26 percent) of respondents say it will take 12 months or longer before their teams transition back to on-premises work, or that their teams do not intend to ever go back to the office.
And these stats may even understate the new reality in which we now find ourselves. The long-term occupational impacts of COVID-19 are still unknown, but it’s hard to believe that a crisis such as this one will not fundamentally change the cybersecurity industry forever. So, what does this mean for the security operations (SecOps) function? The results of our survey paint a picture of a new reality and of what security teams should do to protect their organizations moving forward. Here are some of the high points:
- Alerts are increasing: Alerts increased as more employees began working from home, expanding the attack surface. Forty-two percent of respondents report that their alert volume is higher now than it was prior to the pandemic, and 51 percent said investigating suspicious activities has become more challenging in a remote environment.
- Insecure home networks, cloud adoption and phishing are the biggest threats: When asked to identify the top security risks facing their organization since transitioning to remote work, respondents named their employees’ insecure home networks as the top threat, followed by increased cloud adoption, with VPNs and mobile devices closely trailing. Additionally, 57 percent reported seeing more phishing threats upon the shift to remote work, a substantial increase to a delivery vehicle already heavily responsible for data breaches and ransomware attacks.
- Investments in automation and managed services are increasing: More than three-fourths (76 percent) of respondents said the pandemic has played a role in their efforts to increase SecOps automation, or is expected to in the near future. Thirty-seven percent have prepared new automated playbooks to respond to emerging, remote-specific threats, and 52 percent say their use of a managed security services provider (MSSP) has increased.
- Budgets and hiring are on the rise: Executive teams understand the importance of securing their newly remote workforces. Eighty percent of respondents reported that their budgets either went unaffected by the shift to remote operations or were increased or are in the process of being increased. Hiring saw a boost, too. Notoriously skills-starved SecOps teams are no longer constrained by geography for new hires, and one-third of respondents plan to enhance, or have already enhanced, benefits to help retain staff.
We may no longer gather in a physical SOC at many organizations, but with the right combination of technologies and skills, a company can develop a very strong cybersecurity program.
Investing in security automation technologies and/or entrusting certain duties to an MSSP can help remote SecOps teams augment their ability to efficiently detect, triage, contain and remediate threats. Increased use of automated playbooks can also help speed the response to threats and reduce some of the stress SecOps professionals experience.
Meanwhile, companies can clearly update work-from-home policies, subject employees to strict access control (specifically adopting the principle of least privilege), offer regular security awareness training and issue company-owned and managed devices equipped with VPNs. These steps can help strengthen the company’s overall security posture in the work-from-home era, while alleviating some of the burden SecOps teams face to detect and respond to threats.
So even if the halcyon days of the on-premises SOC are behind us, it’s comforting to know that analysts will remain dedicated to their craft – and are even a little bit happier and more skilled than in the past. They’ll need to stay sharp as the industry faces the all-but-inevitable security challenges ahead.
Amos Stern, co-founder and CEO, Siemplify