
IT Detects Security Threats First. It's Worth Considering Why.

ExtraHop

It's been a long road, but Security and IT teams are making great progress in terms of collaboration, according to a new Dark Reading survey of IT and cybersecurity professionals. Dark Reading tracks progress year-to-year, and reported an impressive positive movement in terms of how teams view each other, but still saw room for improvement around disparate tools (leading to silos of data) and inadequate visibility in the cloud.

Before we get to the key findings of the survey, it's worth explaining exactly why Security and IT collaboration is so important:

First, they have to work together on security policy. Security Operations teams set policies, but often rely on IT teams to implement them. IT is also responsible for the all-important practice of patching vulnerabilities, and is often responsible for the maintenance and configuration of firewalls and other security tools. IT staff can detect threats during the course of their normal work (more on this later). And finally, during incident response, it is up to the IT team to take remediation actions—such as quarantining and blocking.

Download the Dark Reading survey here or scroll down for a discussion of the most important takeaways.

Key Findings:

Collaboration is improving. For the 2019 survey, 47% of respondents said that Security and IT Operations teams are working well together and described the relationship as improving. To be sure, less than half is not ideal, but it's a huge improvement over 2018's survey, when only 30% of respondents said things were going well.

Growing transparency. The lines of communication are opening up between Security and IT teams, with 57% of respondents in 2019 saying that teams communicate well and are aware of each other's activities. This is a marked improvement over the 47% of respondents that said the same in 2018.

Threat detection needs help. Only 37% of respondents in the 2019 survey said that Security Operations teams are the first to detect threats. This number is actually a noticeable drop from 2018, when 43% of respondents said Security was first to flag threats.

The last point above, that Security is behind in threat detection, can be interpreted a few ways so I'd like to dig in a little here.

Why do IT Operations teams frequently detect threats before their Security counterparts?

First, there are more general IT staff than dedicated cybersecurity professionals, and as much as threat detection analytics technology has improved, human eyes and brains are still the best at identifying suspicious activity even if those humans don't have "security" in their title.

The second reason is that IT Operations staff really get to know their machines. If you're a database admin, you know what types of queries are normal and which aren't.

People sometimes say that IT Operations teams treat their machines like pets. I can relate, as I raise chickens in my backyard. I check on them regularly and can tell when something's wrong by the way their feathers look or the color of their comb. In the same way, IT Operations personnel can quickly spot something strange going on with their systems. For example, web operations personnel pay attention to spikes in 404s, which may indicate the web app is failing but also may indicate that an attacker is scanning the web directory.
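The 404 signal described above, worked through as an added example (this is not code from the post or from ExtraHop): it parses constructed Common Log Format lines and separates the two cases the text mentions, one client hitting many distinct missing paths (scan-like) versus one missing path hit by many clients (app or deployment breakage). Every client address, path and threshold here is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2019:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [10/Oct/2019:13:55:02 +0000] "GET /images/logo.png HTTP/1.1" 404 0
10.0.0.9 - - [10/Oct/2019:13:55:03 +0000] "GET /images/logo.png HTTP/1.1" 404 0
10.0.0.12 - - [10/Oct/2019:13:55:04 +0000] "GET /images/logo.png HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2019:13:55:05 +0000] "GET /old-site/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2019:13:55:05 +0000] "GET /staging/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2019:13:55:06 +0000] "GET /internal/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2019:13:55:06 +0000] "GET /test/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2019:13:55:07 +0000] "GET /archive/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Oct/2019:13:55:07 +0000] "GET /index.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

def parse_line(line):
    """Return (client, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, path, status = m.groups()
    return client, method, path, int(status)

def triage_404s(log_text, min_404=4, min_distinct_paths=4, min_clients=3):
    """Bucket 404 activity the way a web-ops engineer would want it split:
    'probable_scanners': clients whose 404s spread across many distinct paths;
    'broken_paths': single paths that 404 for many distinct clients."""
    per_client = defaultdict(lambda: {"total": 0, "404": 0, "paths": set()})
    per_path_clients = defaultdict(set)  # path -> set of clients that got a 404
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the whole run
        client, _method, path, status = rec
        per_client[client]["total"] += 1
        if status == 404:
            per_client[client]["404"] += 1
            per_client[client]["paths"].add(path)
            per_path_clients[path].add(client)
    scanners = sorted(
        c for c, s in per_client.items()
        if s["404"] >= min_404 and len(s["paths"]) >= min_distinct_paths
    )
    broken = sorted(p for p, cs in per_path_clients.items() if len(cs) >= min_clients)
    return {"probable_scanners": scanners, "broken_paths": broken}
```

The thresholds are deliberately simple; in practice they would be tuned per site and evaluated over a time window rather than over a whole file.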

The final reason Security Operations isn't always first to detect threats is because they simply don't have as much visibility as their IT counterparts.

Enterprises can have dozens of monitoring products, and because more of those monitoring tools sit with IT departments than in the SOC, it's not surprising that Security Operations doesn't always detect threats first. The problem is this: disparate tools create visibility gaps. This will get worse as organizations' cloud footprints grow and teams deploy additional disjointed tools for cloud visibility.

The Dark Reading report cites 451 analyst Daniel Kennedy, who puts a point on it: "The key issue with cloud adoption is the completeness of visibility."

In Conclusion

It's great news that collaboration between Security and IT Operations teams is improving because that cooperation is critical to maturing the security posture of organizations. But the 2019 Dark Reading survey also uncovers some worrying obstacles, not least being the need for unified security and performance visibility in the cloud.

A more nuanced takeaway from the Dark Reading report, which I've outlined in this post, is that IT Operations teams are still integral to threat detection—and not because they're trying to wrest that responsibility away from their counterparts in Security. Realizing this, organizations have even more reason to equip their Security Operations and IT Operations teams with the shared visibility needed to tighten collaboration.