IT departments regularly ask us questions about their security posture, their security concerns, and specifically, the makeup of their Threat Management (TM) organizations.Generally speaking, Threat Management includes anything in the Intel-Detection-Response arena, generally encompassing Security Operations Centers, Intelligence Organizations, and Incident Response Teams.When it comes to the makeup of their TM organizations, companies vary, and there is no one-size-fits-all model. In fact, ask any number of organizations what defines a SOC or IRT, or where an Intel team fits within their organization, and you're bound to get countless answers that sound similar, but ultimately differ. What doesn't often vary, however, is the answer to the follow-on question about how large the team is: "We have a guy/gal."
Based on these conversations and our experience, including when I was originally "the guy" responding to incidents at a large, well-respected enterprise -it's quite obvious that there are Haves & Have Nots in the Threat Management space. Since we weren't aware of a maturity model for TM teams, we decided to draft one.
To be clear, much of this is anecdotal and not yet based upon a scientific sampling. But we've shopped this around a bit with some of the smartest folks we know and have gotten lots of head nodding. Some agreement can be found in Lancope's sponsored Ponemon report which, when you consider the data, supports the notion of a TM continuum.
To dive a little deeper into the three main categories:
In our experience, this accounts for the majority of organizations. These companies have generally not invested in TM and typically deal with issues on a case-by-case basis. They have basic tools such as AV, FW's, and even IDS/IPS and SIEM; but their implementation supports basic use cases, like addressing common malware and supporting compliance efforts.
We'd estimate 25% of organizations fall into this category in which they are in the early stages of building out a TM function. In this stage, firms are standardizing processes, harvesting intelligence, building relationships outside of their company, and becoming more specialized and responsive -perhaps even starting a Security Operations Center. Commitment can yield significant results at this stage, but fairly quickly firms will encounter bandwidth issues and need further investment in human capital to get any further.
We'll call these the One-Percent. Very few firms consider Threat Management a strategic function of the organization, let alone leverage it to drive their security program. But these organizations do. They recognize the power of intelligence, proactive hunting, and incident dissection, and also partner with business units, keep tabs with government intel organizations, lobby The Hill, and more. This doesn't happen overnight. Rather, they progressively leverage the fruits of these activities over time to gain the personnel, bandwidth, muscle, and budget to achieve this a reality.
This is just a first crack at a maturity model for TM. We're sure it could be a lot better. But so far, the categories and their components resonate with our experience and what we see in the market generally. We suspect that this will be a hotly contested topic, with countless differing opinions -your feedback and continued conversation is welcome.
This post was co-authored with Ted Julian from Resilient Systems. Feel free to reach out to us on twitter @SeanAMason & @eajulian to provide us your thoughts.