Monthly Archives: October 2020

A tale of two security operations centers – 78% say the job is ‘very painful’

The 2020 Devo SOC Performance Report tells a tale of two SOCs. Based on the results of an independent survey of IT and IT security practitioners, the second annual report looks at the latest trends in security operations centers (SOCs), both positive and negative. The report presents an unvarnished view of the current state of SOC performance and effectiveness based on responses from people with first-hand knowledge of SOC operations, identifies areas of change from the prior year’s survey, and highlights the challenges that continue to hinder many SOCs from achieving their performance goals.

Devo commissioned the Ponemon Institute to conduct a comprehensive, independent survey in March and April 2020 of professionals working in IT and security. The survey posed a broad range of questions designed to elicit insights into several key aspects of SOC operations, including:

  • The perceived value of SOCs to organizations
  • Areas of effectiveness and ineffectiveness
  • The ongoing challenge of SOC analyst burnout, its causes, and effects

The picture painted by the data from nearly 600 respondents shows that while some aspects of SOC performance show modest year-over-year improvement, major problems persist that continue to adversely affect organizational cybersecurity efforts and the well-being of SOC analysts.

A Tale of Two SOCs
Overall, the survey results tell a tale of two SOCs. One is a group of high-performing SOCs that are, for the most part, doing reasonably well in delivering business value. This group generally enjoys sufficient talent, tools, and technology to have a fighting chance of overcoming the relentless challenges that commonly afflict many SOCs.

Sharply contrasting with the high performers are the low-performing SOCs. This group struggles greatly because they are unable to overcome the myriad problems hindering their ability to deliver better performance. These SOCs generally lack the people, technology, and budget resources to overcome these challenges, resulting in them sinking even lower in effectiveness, putting their organizations at ever-greater risk of cyberattacks.

This report examines the specific areas where high- and low-performing SOCs most diverge, while also shining a light on the challenges with which both groups struggle. By identifying the differences and similarities between the two classes of SOCs, it illuminates the variable return on investment these SOCs are delivering to their organizations.

The Good(-ish) News
Before delving into the most significant—and in many cases, disturbing—findings from the survey, let’s start by looking at how organizations rate the value their SOC provides. This year, 72% of respondents said the SOC is a key component of their cybersecurity strategy. That’s up from 67% in 2019. This increase reflects more respondents feeling their SOC plays an important role in helping the organization understand the external threat landscape.

Other findings with a somewhat positive take on SOC performance include:

There is an eight-percentage-point increase among respondents who say their SOC is highly effective in gathering evidence, investigating, and identifying the source of threats. So far, so good. However, when you realize that last year only 42% of respondents felt that way, this year’s “jump” to 50% means that half of those surveyed still don’t believe their SOC is performing particularly well.

Respondents see improvements in their SOC’s ability to mitigate risks. This is another example of good news/bad news. Last year only 40% of respondents felt their SOC was doing a good job reducing risks. In 2020, a still-modest 51% say their SOC is getting the job done in this area. That’s a nice increase, but it still means that almost half of all respondents find their SOC lacking in this important capability.

Contributing to this rise, more SOCs (50%, up from 42% in 2019) are providing incident-response capabilities including attack mitigation and forensic services. The brightest spot in this aspect of SOC performance is that in 2020, 63% of respondents say SOCs are helpful in understanding the external threat environment by collecting and analyzing information on attackers and their tactics, techniques, and procedures (TTPs), up from 56% last year.

There was a slight bump in the alignment between the SOC and the objectives and needs of the business. This year 55% of respondents say their SOCs are fully aligned (21%) or partially aligned (34%), a slight increase from 51% in 2019. One possible reason for the improved alignment is that more lines of business are leading the SOC team (27% this year vs. 18% in 2019). But that practice also could be contributing to the rise in turf battles and silo issues. More on that later.

Organizations are investing in SOC technologies. Seventy percent of respondents say it is very likely (34%) or likely (36%) that their organization will open up their wallets to introduce new tools designed to improve SOC operations.

The SOC forecast is cloudy. A majority of organizations, 60%, now operate their SOC mostly (34%) or partly (26%) in the cloud. In 2019, only 53% of organizations identified as mostly cloud (29%) or operating a hybrid environment (24%). SOCs with limited cloud presence are declining, with only 40% of organizations identifying as mostly on-premises, down from 47% in 2019. This trend toward more cloud-based SOC operations reflects the overall move of IT and other business operations technologies taking advantage of the scale and cost benefits of cloud deployments.

The Really-Not-So-Good News

The first Devo SOC Performance Report in 2019 showed that the issue of analyst turnover due to stress-related burnout was significant. Unfortunately, it’s become an even bigger problem in 2020:

  • 78% say working in the SOC is very painful, up from 70% last year
  • An increased workload is the number-one reason for burnout according to 75% of respondents, up from 73%
  • Information overload is an even bigger problem this year (67%) than in 2019 (62%)
  • And 53% say “complexity and chaos” in the SOC is a major pain point, up from 49%

For all of these reasons, and many more as you’ll see, organizations must find ways to reduce the stress of working in the SOC—now.

Respondents are concerned that frustrated, stressed, and burnt-out analysts will vote with their feet and quit their jobs. An appalling 60% say the stress of working in the SOC has caused them to consider changing careers or leaving their jobs. Even worse, 69% of respondents say it is very likely or likely that experienced security analysts would quit the SOC, more discouraging than the 66% who felt that way last year.

Turf tussles and silo skirmishes are killing SOC effectiveness. This is another problem that’s getting worse. This year, 64% of respondents say these internal battles over who is in charge of what are a huge obstacle to their SOC’s success, a disheartening increase from 57% in 2019. 27% of respondents say lines of business are in charge of the SOC, an increase from 18% in 2019. However, 17% of respondents say no single function has clear authority and accountability for the SOC. And it’s not a stretch to connect the dots and realize that an organization infected with in-fighting among its technology teams is likely to be more vulnerable to the potentially devastating effects of a successful cyberattack.

Budgets are not adequate to support a more effective SOC. SOC budgets increased slightly year over year, but not enough to close the gaps in effectiveness and performance. The average annual cybersecurity budget for the survey respondents’ organizations rose to $31 million this year, a slight bump from $26 million. The average funding allocation for the SOC is 32% of the total cybersecurity budget or $9.9 million, a slight increase from 30% or $7.8 million in 2019. These figures are heading in the right direction, but they’re still insufficient to fund the important work of an effective SOC team.

You can’t stop what you can’t see. SOC teams are handcuffed by limited visibility into the attack surface, which 65% of respondents cite as one of the primary causes of SOC analyst pain.

The mean time to resolution remains unacceptably high. MTTR is one of the benchmark metrics for SOC performance, and the responses to the survey show it is another significant problem area. According to 39% of respondents, MTTR can take months or even… years! Less than a quarter of respondents, 24%, say their SOC can resolve security incidents within hours or days. Compare these unsettling metrics with the industry estimate that it takes skilled hackers less than 19 minutes to move laterally after compromising the first machine in an organization. This points to a significant gap for the vast majority of SOCs, as only 8% have an estimated MTTR that is “within hours,” which is even worse than the 9% of organizations in 2019.

Is it time for the rise of the machines? It’s obvious from these survey results that the trend of SOC analyst stress, burnout, and turnover is getting worse. The question is: what can organizations do to turn the tide? Well, if you listen to 71% of those surveyed, a big step in the right direction would be to introduce automation to the analyst workflow, and 63% state that implementing advanced analytics/machine learning would help. Respondents feel organizations should invest in technologies that would reduce analyst workloads. They believe automation and machine learning are even more important than a normalized work schedule in reducing SOC pain. The idea is to automate many of the repetitive, pressure-packed tasks typically performed by Tier-1 analysts, who often have had enough of SOC work before they ever make it to Tier-2.

I was asked to help both the defense and the prosecution at Father of ID theft’s sentencing

This is quite a business card. One of my prized possessions from James’ better days. ‘Because there should be only one you.’

Bob Sullivan

I ended up in a press release issued by the Department of Justice last week — I believe that was a first for me. Fortunately, I was not the subject of the release. My book, Your Evil Twin, was used by prosecutors to help put a notorious identity thief behind bars for 17 years. That criminal was James Rinaldo Jackson, whom I had named “The Father of Identity Theft” in my book almost 20 years ago.

Thus ended — for now — a crazy episode in my life that involved an old prison pen pal and a federal case in which I was asked to help both the prosecution and the defendant.

Most recently, James had lit fires in his house and kept a woman and her three children hostage while trying to destroy evidence after police surrounded his place …and soon after, tried to use a dead man’s identity to buy a Corvette.

To James, that was a pretty typical Tuesday.

James’ story is so convoluted, episodic, tragic, and amorphous that I can only hope to offer you a glimpse in this email. I’m hard at work looking for broader ways to tell this crazy story. While he’s now going to be in a federal prison for 207 months, likely the rest of his life (he’s 58), I can’t help thinking his story isn’t really over.

I hadn’t thought about James for nearly a decade when I received an email from the DOJ about his case last December. James had been in and out of jail and managed to squirt back out into public life again and again. This time, DOJ wanted to throw the book at him — MY book — and a federal agent wanted to know if I had any additional evidence I could share.

I had spent a couple of years writing letters back and forth to James when he was in jail for previous crimes. In thousands of single-spaced, typed pages, he had disclosed amazing “how I did it” details about his early days committing insurance fraud, and then trail-blazing in ID theft.

Like all journalists, I was in a strange spot. Generally, reporters don’t share information with prosecutors unless compelled to do so by a court. On the other hand, it really is best for James and the rest of the world that he be protected from society and vice versa.

While I pondered the situation and made plans to cover his sentencing hearing in Tennessee, I was contacted by James’ court-appointed defense attorney. James had told his legal team that I could be a character witness for him at sentencing. His letters to me were always framed as an effort to warn the world about a coming wave of ID theft — and he was right about that. He thought perhaps I could help the judge go easy on him.

I called journalism ethics experts to discuss my next steps and stalled. Then, Covid hit. James’ sentencing was repeatedly delayed. I suspected he might somehow get out of a long jail sentence. But last week, he was put away for a long time without my involvement.

“Aggravated identity theft and schemes to defraud or compromise the personal and financial security of vulnerable and deceased victims will not be tolerated,” said U.S. Attorney D. Michael Dunavant in the press release. “This self-proclaimed ‘Father of Identity Theft’ will now have to change his name to ‘Father Time’, because he will be doing plenty of it in federal prison.”

James has done some very bad things, and hurt a lot of people. Still, I felt a strange sadness. I thought about all the opportunities he had to set his life straight; all the second chances wasted. He just couldn’t NOT be a criminal. I’ve met other criminals like this in my life. One rather pointedly told me, “I just get too comfortable.” For some people, it seems, comfort is intolerable.

If you could indulge me for a bit, let me go back in time, to when I was first contacted by prosecutors about James:

When a federal prosecutor sends you an email with a subject line that’s the title of a book you wrote almost 20 years ago, you call immediately.

“This is probably the least surprising call you’ve ever received, but James is in trouble again,” the prosecutor said to me.

James Jackson had recently tried to burn his house down with his female friend and her kids held hostage inside, sort of. Then, after that, he was arrested at a car dealership while trying to buy a car with a stolen identity. A Corvette. James doesn’t do anything small.

The prosecutor had found my book when he executed a search of James’ home and his life. Of course he did.

Two decades ago, James Rinaldo Jackson — the man often credited with ‘inventing’ identity theft — was my prison pen pal. I was a cub technology reporter at MSNBC and I had latched onto a new, scary kind of financial fraud. It was so new, the term identity theft hadn’t really been coined yet. James was my teacher. We spent years corresponding; I often received two, three, even four missives a week. He’s hopelessly OCD, and the letters were often dozens of pages, single-spaced, impeccably typed. Slowly but surely, hidden inside pages of rambling prose, James unraveled for me all the tricks he used to steal millions of dollars, to amass a fleet of luxury cars, to impersonate a Who’s Who of famous CEOs and Hollywood personalities of the 1990s – often armed only with a payphone and some coins.

At one point, James stole Warner Bros CEO Terry Semel’s identity, and sent Semel the evidence at his home via FedEx, in the form of a movie pitch — “Really, sir, it would be an important film. People are at great risk,” he wrote. For good measure, he included evidence of stolen IDs from famous actors he hoped would star in the movie.

James Jackson’s misadventures became the core of my book about identity theft, Your Evil Twin, published in 2003. In it, I dubbed James The Father of Identity Theft. The name stuck.

Years later, James served his debt to society, got out, and we finally met. He was beyond charming, and I liked him. It was easy to see why people would give him hundreds of thousands of dollars. He became mini-famous for a while; he starred in infomercials about tech crimes. The last time I saw him, we spoke on a panel together in New York at a bank fraud conference. I remember riding up a glorious escalator with him in the heart of Times Square, and he beamed that someone else was paying for his $400-a-night hotel room. James could easily have become another Frank Abagnale, the real-life criminal-turned-hero from the film Catch Me if You Can, who now nets 5-figure payouts for speeches.

Instead, he couldn’t even be James Jackson.

James’ insatiable desire to be someone more important than himself — not to mention his desire for Corvettes – couldn’t be tamed. James took that escalator and just kept going down, so low that he eventually found himself once again surrounded by police. A new fleet of luxury cars had attracted law enforcement attention. It’s crazy, but when I heard about the fire, I was sad for James. I know what happened. He panicked and started lighting computers and paperwork on fire, hoping to destroy the evidence.

To James, crime was always just a game. He never “hurt” anyone; he just talked his way into the nicer things in life. In fact, he usually targeted people who’d recently died – stealing their money is rather trivial – so where’s the victim? The way he flaunted the proceeds, it was also obvious to me that James was always desperate to be caught. Who tries to buy a Corvette while on the run for trying to burn down your house with your family inside?

The prosecutor called me for help putting James behind bars for good. He wanted more evidence that would convince a judge and jury that James is beyond reform, that 20 years ago James had told me things that still possess him today. And I have (had? It was a long time ago) mountains of letters that might sound like confessions to a jury today.

This is, to say it mildly, an unusual request. Journalists don’t share information with prosecutors. But then, James is a most unusual case. It would be good for James, and the rest of the world, for James to be kept away from telephones and computers forever. But that’s not my job. So, now what?

An excerpt of my book detailing James Jackson’s original crimes, originally published by NBC News, can be found here:

Eventually the NYTimes covered some of his story:

Here is James on an infomercial, about as close as he ever came to straightening out his life:

Here’s a local story about the more recent fire at James’ house and his arrest:

And here’s a local story about his sentencing, with plenty of details from Your Evil Twin: