ALPS blog

Security leaders are finally coming to terms with the reality of today’s threat landscape. That means adopting a post-breach mentality increasingly focused on detection and response. Yet admitting that it’s now a case of “when not if” your organization is breached is different from mounting an effective security operations (SecOps) response. Building a Security Operations Centre (SOC) is only half the battle. As we’ve demonstrated before, you also need the right tools, or your analysts will be overwhelmed with alerts they’re unable to prioritize.

So how bad is the current challenge for SOC teams? According to new Trend Micro stats, tool sprawl has reached epic proportions—with potentially serious implications for cyber risk and the mental health of SecOps analysts.

More tools, more problems

According to our global SecOps study, organizations are laboring with an average of 29 security monitoring solutions in place. Larger companies have it even worse: those with more than 10,000 employees have an average of almost 46 monitoring tools. Tool sprawl of this sort is a sure-fire way to reduce the effectiveness of your SecOps team. It can lead to:

  • Extra administrative overheads, as each tool needs managing separately
  • Security and detection gaps
  • Wasted/duplicated effort where tools overlap
  • Extra licensing costs
  • Extra costs associated with training SecOps pros on different UIs
  • Alert overload

We found that over half (51%) of organizations no longer use many of their monitoring tools because the tools are outdated, can’t be integrated or are untrusted, or because the team lacks the skills to operationalize them. This is actually a step in the right direction: organizations should be rationalizing their toolsets. But an altogether more strategic approach is needed if organizations are going to maximize the effectiveness of their SecOps teams.

What are the options?

Of all the negative impacts of tool sprawl, alert overload is one of the most critical. It means analysts are unable to filter out the noise of false positives and low severity incidents to prioritize the signals that matter. The result is that serious breaches inevitably fly under the radar, allowing threat actors far longer than they should have inside targeted networks. In fact, it takes an average of 287 days to identify and contain a data breach today, according to IBM.

SecOps teams need a single source of truth to work from if they’re to do their job properly. That means collecting data from multiple layers (endpoints, email, servers, networks, and cloud infrastructure) and applying intelligent analytics to correlate and prioritize the resulting alerts. It could be done in-house or outsourced to an expert provider. In fact, 92% of respondents said they’ve considered managed services for detection and response.
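The cross-layer correlation described above, as an added illustration that is not part of the original post or of any Trend Micro product: a small Python script that takes alerts from several (constructed) monitoring tools, collapses duplicates where overlapping tools fire on the same event, then groups by host and ranks incidents so that activity seen across several layers rises to the top. Tool names, hosts and signatures are invented sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from overlapping tools across endpoint, email and network layers.
ALERTS = [
    {"tool": "edr-a", "layer": "endpoint", "host": "ws-17", "sig": "credential-dump", "sev": 4, "ts": "2024-03-01T10:02:00"},
    {"tool": "av-b", "layer": "endpoint", "host": "ws-17", "sig": "credential-dump", "sev": 3, "ts": "2024-03-01T10:02:30"},
    {"tool": "mail-gw", "layer": "email", "host": "ws-17", "sig": "phishing-attachment", "sev": 2, "ts": "2024-03-01T09:55:00"},
    {"tool": "ids", "layer": "network", "host": "ws-17", "sig": "c2-beacon", "sev": 3, "ts": "2024-03-01T10:10:00"},
    {"tool": "ids", "layer": "network", "host": "srv-2", "sig": "port-scan", "sev": 1, "ts": "2024-03-01T08:00:00"},
    {"tool": "edr-a", "layer": "endpoint", "host": "ws-04", "sig": "macro-exec", "sev": 2, "ts": "2024-03-01T11:00:00"},
]

WINDOW = timedelta(minutes=30)  # two tools reporting the same host+signature within this window are one event


def dedupe(alerts):
    """Merge alerts from overlapping tools: same host and signature within WINDOW become one record."""
    merged = []
    for a in sorted(alerts, key=lambda x: x["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(a["ts"])
        for m in merged:
            if (m["host"], m["sig"]) == (a["host"], a["sig"]) and ts - m["ts_dt"] <= WINDOW:
                m["tools"].add(a["tool"])          # record every tool that saw the event
                m["sev"] = max(m["sev"], a["sev"])  # keep the highest severity assigned
                break
        else:
            merged.append({**a, "ts_dt": ts, "tools": {a["tool"]}})
    return merged


def correlate(alerts):
    """Group deduplicated alerts by host and rank: score = total severity x number of distinct layers involved."""
    by_host = defaultdict(list)
    for a in dedupe(alerts):
        by_host[a["host"]].append(a)
    incidents = []
    for host, group in by_host.items():
        layers = {a["layer"] for a in group}
        incidents.append({
            "host": host,
            "score": sum(a["sev"] for a in group) * len(layers),
            "layers": sorted(layers),
            "signatures": sorted(a["sig"] for a in group),
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(ALERTS):  # ws-17 (score 27) ranks first; the lone port-scan on srv-2 ranks last
        print(inc)
```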

However it’s done, this is the kind of approach needed to deliver effective SOC or SecOps-powered threat detection and response. Platforms like Trend Micro Vision One work to minimize cyber risk and provide a stable foundation on which to build digital transformation.

Organizations eyeing business growth in the new post-pandemic era would do well to take note.