
Why the Traditional Security Operations Model Fails and How To Fix It

The traditional security operations model is ineffective due to an overwhelming volume of alerts, leading to missed critical warnings.

Industry Perspectives

August 30, 2024


By Seth Goldhammer, VP of Product Management at Graylog

The security operations model is broken, and enterprise organizations seek an answer. In an era of constant cyberattacks, organizations of all sizes are increasingly vulnerable. According to Forbes, 2023 saw a 72% increase in data breaches compared to 2021. The solution is not to overwhelm already overburdened security teams with more alerts but to shift the conversation to how security operations can be more effective and better align with business objectives to assess and manage risk.  

Leveraging Automation That Makes Sense 

Security operations automation often focuses on what occurs after the alert, but what about automation before the alert? One of the key issues with the traditional security operations model is the overwhelming volume of alerts that security teams face daily. These alerts, often generated by Security Information and Event Management (SIEM) platforms, typically contain a high rate of false positives. The current model requires manual triage of each alert, leading to alert fatigue, where critical warnings are missed due to the sheer volume of noise. Conversely, tuning alerts within the team’s capacity risks false negatives – missing the alerts that truly matter. 


To address this, organizations must automate an understanding of their attack surface by intertwining the following: 

  • Internal context: Who is the user or host? What is the vulnerability state of the host? What access privileges does the user have? 

  • Runtime knowledge: What remarkable activities have targeted the user or system? 

  • External knowledge: How do these events connect to Indicators of Compromise or known attack tactics? 

By examining not just a single event but the totality of events related to a user or host – and prioritizing them based on the importance of the user (e.g., access privileges, company role) or system (e.g., production system, sensitive data) – organizations can create a score indicating the probability of compromise, rated by its potential impact.  

This scoring method allows security teams to concentrate on incidents that genuinely matter. Instead of being reactive, security operations can become more proactive, focusing on high-probability threats before they cause considerable damage. 

Attack Surface Awareness, Risk Assessment, and Security Operations 

SIEMs have incorporated risk prioritization by assessing risk on an event-by-event basis. While this approach may account for the priority of the user or system, it misses the context of other activities that could either corroborate a concern or help dismiss a false positive. The introduction of User and Entity Behavior Analysis has improved this by using machine learning to assess risk through peer behavior analysis, scoring deviations from previously learned behavior norms. However, anomalies occur frequently across networks without any security relevance, and the larger and more diverse the environment, the more anomalous activities there are. 


What is needed is a “360-degree” understanding of each entity: a full understanding of its role, vulnerability state, and every finding from various analytical techniques (e.g., known threat indicators, statistical analysis, behavioral analysis). This combination creates a dynamic score that updates as new activities are captured. This approach flips the current security operations model by encouraging the collection of more activities without fear of overwhelming the SOC. With more activities, risk scoring becomes more accurate without generating more alerts. 
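To make the entity-centric scoring concrete, here is an added Python sketch (example code, not Graylog's or any product's implementation) of the approach described above: internal context (importance, vulnerability state) comes from a directory, runtime and external findings are folded into a noisy-OR probability of compromise, that probability is rated by impact, and the entity is re-scored as each new activity arrives rather than raising a new alert. Entity names, finding weights and the sample event stream are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# How much one finding from each analytic technique raises the probability
# of compromise on its own (constructed weights, not any product's values).
FINDING_PROBABILITY = {
    "ioc_match": 0.60,            # external knowledge: known indicator observed
    "attack_tactic": 0.45,        # external knowledge: maps to a known tactic
    "behavior_deviation": 0.25,   # UEBA-style deviation from learned baseline
    "statistical_anomaly": 0.10,  # rare value; frequently benign at scale
}

@dataclass
class Entity:
    name: str
    importance: float          # 0..1: role, privileges, data sensitivity
    vulnerable: bool           # exploitable vulnerability state of the host
    findings: List[str] = field(default_factory=list)
    def probability(self) -> float:
        # Noisy-OR across findings: corroborating evidence compounds,
        # while a lone low-weight anomaly stays low.
        p_clean = 1.0
        for f in self.findings:
            p_clean *= 1.0 - FINDING_PROBABILITY.get(f, 0.0)
        return min(1.0, (1.0 - p_clean) * (1.3 if self.vulnerable else 1.0))
    def risk(self) -> float:
        # Probability of compromise rated by potential impact, 0..100.
        return round(100.0 * self.probability() * self.importance, 1)
    def observe(self, finding: str) -> float:
        # Dynamic update: a newly captured activity re-scores the entity
        # rather than raising a fresh alert.
        self.findings.append(finding)
        return self.risk()

def triage(directory: Dict[str, Entity], events: List[Tuple[str, str]]) -> List[Tuple[str, float]]:
    """Fold (entity, finding) events into per-entity scores, highest risk first."""
    for name, finding in events:
        directory[name].observe(finding)
    return sorted(((e.name, e.risk()) for e in directory.values()), key=lambda t: -t[1])

# Constructed sample data: internal context (directory) plus a finding stream.
DIRECTORY = {
    "svc-backup@prod-db01": Entity("svc-backup@prod-db01", importance=0.9, vulnerable=True),
    "jdoe@ws-1042": Entity("jdoe@ws-1042", importance=0.2, vulnerable=False),
}
EVENTS = [
    ("jdoe@ws-1042", "statistical_anomaly"),         # first logon from a new subnet
    ("svc-backup@prod-db01", "behavior_deviation"),  # off-hours bulk read, unlike its baseline
    ("svc-backup@prod-db01", "ioc_match"),           # outbound connection to a listed indicator
    ("svc-backup@prod-db01", "attack_tactic"),       # sequence matches a known exfiltration tactic
]
```

Running `triage(DIRECTORY, EVENTS)` ranks the vulnerable production service account far above the workstation user whose only finding is a benign-looking anomaly; three such anomalies on one entity still score below a single indicator match.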

By operationalizing the security process around these scores, organizations better understand their current threat exposure with immediate context to respond and adjust their defenses accordingly. Integrating attack surface understanding and runtime risk assessment into security operations transforms the model from a reactive, alert-driven process to a proactive, risk-driven one. This shift not only eases the burden on security teams but also makes the organization more resilient to cyber threats. 


Elevating the Discussion to the C-Suite 

One challenge in transforming the security operations model is ensuring the discussion resonates with the C-Suite. CISOs currently struggle to demonstrate the effectiveness of security operations. Instead of framing risk reduction in terms of alert volume and time to detect and respond, this scoring lets CISOs see visibility and security risk across their attack surfaces. This allows a business-level discussion about risk and probability rather than technical jargon about vulnerabilities and threat techniques.

When security operations are framed within the context of attack exposure and risk, it enables a strategic discussion regarding the appropriate investment of people, processes, and tooling aligned to the organization’s risk profile. For example, instead of discussing the technical details of a potential vulnerability, the conversation centers on the likelihood of a significant business impact should an attack surface be exploited. This shift in language helps the C-Suite understand the necessity of security measures and makes them more likely to support the necessary investments. 

Furthermore, a discussion on risk and probability naturally leads to a conversation about compromise – what level of risk is acceptable, and what measures are needed to minimize that risk? This approach encourages a more strategic view of security, where decisions are made based on the potential impact on the business rather than just technical considerations. 

Aligning Security Operations With Business Objectives 

The traditional security operations model is ineffective at protecting organizations from today’s evolving threat landscape. By shifting the focus from generating more alerts to understanding the probability of compromise within attack surface groups, security operations become more effective and aligned with business objectives. Leveraging intelligent automation, integrating attack surface awareness and risk assessment into security practices, and elevating the discussion to the C-Suite are critical steps in transforming how organizations approach security. This new model not only reduces the burden on security teams but also provides a clearer understanding of true threats, leading to a more secure enterprise.

About the Author:

Seth Goldhammer, Graylog’s Vice President of Product Management, holds more than 20 years of experience in cybersecurity with a proven track record of driving innovation in the industry. He founded network access control pioneer Roving Planet and held product management leadership roles at TippingPoint, 3Com, and HP. He was the inaugural product manager at LogRhythm and the first executive hire at Spyderbat, a cloud-native security startup.
