These three elements are listed among the top 4 SecOps challenges security teams face in the “Modernizing Security Operations” report from SANS. The top 3 include cost, which is a symptom of staffing and technologies.

SecOps staff shortage

Even though the ISC documented a slight decrease in the cyber professionals’ workforce gap, from 3.1 million to 2.4 in 2021, a structural gap still needs to be filled.

On top of that, as we’ve documented in previous articles, the pathway to cybersecurity is highly heterogeneous. Most cyber professionals started in IT among older generations and then transitioned to cybersecurity. This isn’t the case for younger generations, though. Although there’s a higher percentage of education in cybersecurity, there’s also a more significant part of young cyber professionals who explored cybersecurity before being recruited for a job in this domain, meaning two things.

First, there’s a structural lack of offer cybersecurity professionals specialists. Second, cybersecurity attracts a wide diversity of candidates, where the majority don’t hold computer science graduation, although being graduated with degrees in STEM fields.

As we’ve seen above, there have been important inflows of workers into the cybersecurity workforce in the last years. More precisely, starting in 2019, the global workforce grew from 2,802,700 to 4,192,255 people in 2022, an 85% increase in just two years!

As a result, the workforce is relatively young. A significant part has an average experience between junior and mid-level. However, they often end up on the first line of defense. There, they’re doing the most repetitive and low-value-added tasks. They also fill the ranks for more complex tasks on reduced frames of time that require extended shifts across nights, weekends, and holidays.

Thus, inducing high factors of stress doing their jobs. It helps explain why the cybersecurity turnover rate is slightly above global averages, topping 20%. This explains the reduced percentage of cybersecurity professionals with above ten years of experience among SecOps teams. It all comes down to the organization’s retention capacities which reflect its ability to ease the stress and the workloads burdening its employees’ shoulders.

These factors are gathering into the global need for A. more people to join cybersecurity ranks B. better-prepared team members. SecOps members point out a need in surveys when they point at staffing and workforce as the top 1 reason involved in attacks.

Interestingly, phishing, visibility, and ransomware rely on the execution of highly repetitive actions by the same analysts. They’re also among the most common incidents they had to face these couple of last years. Still today, they’re the biggest threat to their organizations.

SecOps increasing workloads

Even though the staffing shortages hinder SecOps, they still have to deal with increasing workloads, quantitatively and qualitatively.

A growing number of attacks

We’re read everywhere for a couple of years now; cybersecurity has become a top priority for most companies worldwide. Because of the pandemic and its consequences on labor organization, companies left critical surfaces uncovered. Without any preparation in most cases, millions of employees had to resort to remote work. IT departments were forced to move workloads to the cloud in days instead of months in regular times. Traditional cybersecurity architectures weren’t ready for such changes.

Vulnerable companies were an immense opportunity for attackers and criminal organizations that quickly jumped on the occasion and started to inflict great deals of damage worldwide. Statistics are well known. Year-to-year, cyberattacks exploded in number by two and even threefold. In most cases, companies were first hit by phishing attacks that helped attackers directly deliver a payload or gain initial access.

You also have to count on the democratization of cyber criminality. Today, almost anybody with some good (wrong) will have their hands on some ransomware kit for less than $100. Of course, some kits are better (cost more, up to the tens of thousands) than others and back you up with more chances of success. Still, the general environment is becoming increasingly hostile, with millions of potential attackers.

Back to the work environment. Given that human interactions were reduced to the bare minimum, employees had to use emails to contact their colleagues, clients, or even personal relationships on their devices (we all know someone who keeps doing this…). Campaigns of indiscriminate and massive phishing emails were reported. Still, we also saw a recrudescence of spear-phishing attacks, where attackers targeted a precise person, which requires more resources, preparation, and determination, resulting in a better chance of success than usual phishing emails.

The number of attacks soared in 2020, and 2021 continued on its track and broke the record. 2022 is already on a solid path to, at the bare minimum, keep up with the precedent couple of years. Further, attacks are also complexifying.

Complexification of attacks

Attacks did not only grow in number but also complexity for a substantial number of them. Zero-day vulnerabilities tend to be exploited quicker by attackers, but also new Remote Code Execution techniques are an easier way to gain access to a network. For instance, in March 2021, days after the Microsoft Exchange Server vulnerability was revealed and classified by the Mitre Corporation, the Proof-of-Concept was available on GitHub. Several cybersecurity research companies tracked the evolution of attacks using this exploit. They noticed an exponential growth of such attacks in a matter of days. The same goes for Log4j exploits that we’ve already reported on. Attacks using it grew sharply in a matter of days.

Apart from exploiting previously unknown vulnerabilities, such attacks are also fileless or malwareless, making it harder for traditional tools to detect. Indeed, such tools traditionally target malicious processes. Meanwhile, these attacks rely on the execution of native binaries. To detect these, SecOps needs to flag specific queries or even add a behavioral analytic solution to their technology stack, which has to be integrated with their environment to show maximum results.

Whatsmore is that such attacks pave the way for others. Usually, such exploits are used to gain access and escalate privilege into your networks. Once done, attackers can pursue their attack according to the MITRE ATT&CK framework until Impact, which is usually the stage end-users witness in cases such as ransomware attacks, when the device gets encrypted, and the screen goes scary.

Of course, these attacks are also becoming deadlier to add up to the challenge. Total cost is growing, meaning that organizations suffer more significant data breaches, get more time to return to normal, and face higher fines because of the lack of compliance regarding regulatory obligations. In cases such as ransomware attacks, the ransom asked by attackers is also growing because many organizations prefer to pay the ransom.

Lack of automation

We’ve reported that SecOps have to face many attacks and a growing complexification. To the SecOps guy, this is materialized by an ever-increasing number of alerts coming in every day. Each one of these alerts is potentially hiding an actual incident. The analyst thus has to undergo basic tasks, such as triaging incidents, to depart fake alerts and duplicates from real threats. The analyst needs to perform basic tasks such as contextualization enrichment to confirm or infirm. 

Still, these tasks require different tools provided by different vendors. Of course, we’re not advocating resolving this first issue by purchasing an all-in-one solution. We strongly believe that each one has its solution when it comes to solving problems. Suites or “one-size-fits-all” are structurally inadequate to answer a company’s particular issue. But, there is a lack of integration of the whole stack, a kind of glue holding every piece together and making the structure coherent. This leads to the known “pain-of-glass issue. As basic as it can be, each task takes time and energy, although not bringing substantial value. Whatsmore, being repetitive, these tasks are prone to errors, impeding the whole security architecture. 

This is why SOAR solutions were built in the first place—helping and empowering every analyst. A few years after the concept was coined and prominent actors emerged, there’s still a critical need for automation, from triaging to incident response. Today, it is still reported as one of the significant challenges SecOps have to face. 

SecOps’ technologies to diversify further, notably in the cloud

Although SecOps already have to compose an extensive set of tools, fulfilling core functions, such as Monitoring, Vulnerability Management, Incident Response, Threat Intelligence, and Insider Risk, this set of functions is vowed to diversify in the near future.

Indeed, following new usages such as those induced by the increasing movement towards the cloud, SecOps have to adapt. As the migration expands, unknown risks and vulnerabilities emerge. Access and work from anywhere are rebalancing the old security architecture. The fortress isn’t sufficient to cover the evolution of risks as the castle becomes accessible from anywhere.

Thus, when surveyed, SecOps teams envision adopting Cloud security functions to adapt their security architecture.

However, besides best-in-class SecOps, many teams already struggle to integrate their different solutions. Thus communication and processes between these different layers are fragmented. As we’ve demonstrated in previous articles, mainly about IAM and PAM, real-time communication is paramount for modern SecOps because of the sheer amount of alerts to process and the need to maintain constant activity. In that sense, being able to streamline the communication between your existing tools is a top requirement today. This is why we see that, among their top challenges, SecOps teams list automation and orchestration capacities.

Adding new technologies on top of this already complex stack is ultimately going to complexity even more, their work, thus increasing the need for more integration and, therefore, Orchestration and Automation.

Next-Generation SOAR to enhance staff capabilities

As of today, there’s still a need for integration into your environment. Achieving this would enable real-time communication, in both ways, between your technologies. This way, it took the old SecOps many steps further by allowing data collection, analytics, and incident response workflows, thanks to an automation engine based on events, actions, and logic. As a result, the SOAR has been rapidly seen as a backbone of your cybersecurity architecture. It enables your team to orchestrate and automate all their processes from one point.