Security operations centers (SOCs) are becoming increasingly proficient at detecting threat activity inside an organization. As threat actors breach preventative controls, the SOC triages alerts: validating each alert, assessing its impact on the organization, and determining a course of action to contain the activity and, where necessary, remediate the affected information technology (IT) assets.
While the SOC is on the “front line” of this alert handling process, IT personnel and even business owners often must complete the containment and remediation actions that address the alert and threat.
At the same time, other security services often require assistance from IT to correct or remediate vulnerabilities and risks in IT systems, applications, and assets. For example, the vulnerability management (VM) service will periodically detect vulnerabilities that require treatment actions — applying a patch, changing a configuration, or implementing a mitigating control — to reduce the security risk. In some cases, addressing a single vulnerability requires work from multiple IT teams.
Collectively, the SOC, VM and other security services can overwhelm an IT organization that is already working at maximum capacity while trying to manage other competing concerns:
— Similar IT service requests sent from various security services may carry different requested turnaround times or urgencies, leaving IT to speculate on the urgency of any given request, and
— Without a defined set of service request urgencies and service level agreements in place, it is difficult to measure the operational effectiveness of the security and IT teams.
The result? Confusion, disagreement, and an uneasy tension between security and IT teams, which ultimately affect the overall security of the organization.
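One way to remove the guesswork described above is to have every security service express its requests on a single urgency scale with an agreed turnaround target per level, and then measure turnaround against that target. The following is an added example (not code from KPMG or from any product the article describes): the urgency levels, SLA hours, severity-to-urgency mappings, CVSS thresholds, ticket identifiers and timestamps are all illustrative assumptions, and the sample requests are constructed for the example.

```python
"""Shared urgency scale and SLA reporting for IT service requests raised by
security services (SOC alerts and VM findings). Added example: the scale,
the SLA hours and the mappings below are assumptions, not a standard."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed shared urgency scale with a turnaround target (hours) per level.
SLA_HOURS = {"P1": 4, "P2": 24, "P3": 72, "P4": 240}


def soc_urgency(alert_severity: str) -> str:
    """Map a SOC alert severity (assumed vocabulary) onto the shared scale."""
    table = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}
    return table[alert_severity.lower()]


def vm_urgency(cvss_base: float, internet_facing: bool) -> str:
    """Map a VM finding onto the shared scale from its CVSS base score and
    exposure. Thresholds are assumed; exposure promotes a high score to P1."""
    if cvss_base >= 9.0 or (cvss_base >= 7.0 and internet_facing):
        return "P1"
    if cvss_base >= 7.0:
        return "P2"
    if cvss_base >= 4.0:
        return "P3"
    return "P4"


@dataclass
class ServiceRequest:
    ticket: str
    source: str                      # originating service, e.g. "SOC" or "VM"
    urgency: str                     # P1..P4 on the shared scale
    opened: datetime
    closed: Optional[datetime] = None

    def due(self) -> datetime:
        return self.opened + timedelta(hours=SLA_HOURS[self.urgency])

    def breached(self, now: datetime) -> bool:
        # A still-open ticket that is past its due time also counts as breached.
        return (self.closed or now) > self.due()


def sla_report(requests, now):
    """Return ({urgency: (total, breached)}, [breached ticket ids])."""
    totals = {level: [0, 0] for level in SLA_HOURS}
    late = []
    for req in requests:
        totals[req.urgency][0] += 1
        if req.breached(now):
            totals[req.urgency][1] += 1
            late.append(req.ticket)
    return {level: tuple(v) for level, v in totals.items()}, late


# Constructed sample: requests from two services over one day (assumed data).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    ServiceRequest("SOC-101", "SOC", soc_urgency("critical"), T0, T0 + timedelta(hours=3)),   # P1, closed in time
    ServiceRequest("SOC-102", "SOC", soc_urgency("high"), T0, T0 + timedelta(hours=30)),      # P2, closed late
    ServiceRequest("VM-201", "VM", vm_urgency(7.5, True), T0, None),                          # P1, still open and overdue
    ServiceRequest("VM-202", "VM", vm_urgency(5.0, False), T0, T0 + timedelta(hours=48)),     # P3, closed in time
    ServiceRequest("VM-203", "VM", vm_urgency(9.8, False), T0 + timedelta(hours=20), None),   # P1, open but not yet due
]
NOW = T0 + timedelta(hours=23)

if __name__ == "__main__":
    counts, late = sla_report(SAMPLE, NOW)
    for level, (total, over) in counts.items():
        print(f"{level}: {total} requests, {over} past SLA")
    print("breached:", late)
```

Because both services speak the same P1..P4 scale, IT no longer has to infer urgency from the sender, and the per-level breach counts give both sides a shared, measurable view of turnaround. Open tickets that have passed their due time are reported as breaches rather than hidden until closure.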