ESG research recently completed a new research project focused on security analytics and operations. As part of this project, ESG surveyed 406 IT and security professionals working at midmarket and enterprise organizations in North America across all industries. Based on the research results, we came to the following conclusions:
Security analytics and operations continue to grow more difficult.
Nearly two-thirds (63%) of survey respondents claim that security analytics and operations are more difficult today than they were two years ago. This increasing difficulty is being driven by external changes and internal challenges. From an external perspective, 41% of security pros say that security analytics and operations are more difficult now due to rapid evolution in the threat landscape, and 30% claim that things are more difficult because of the growing attack surface.
Security teams have no choice but to keep up with these dynamic external trends. On the internal side, 35% of respondents report that security analytics and operations are more difficult today because they collect more security data than they did two years ago, 34% say that the volume of security alerts has increased over the past two years, and 29% complain that it is difficult to keep up with the volume and complexity of security operations tasks. Security analytics/operations progress depends upon addressing all these external and internal issues.
The security data pipeline dilemma: More data, more problems.
Just under one-third (32%) of organizations collect substantially more data to support cybersecurity analytics and operations today than they did two years ago, while 44% collect somewhat more security data. Furthermore, 52% of organizations retain this data online for longer periods of time than they did in the past. The volume of real-time and historical security data creates massive data repositories that are costly and difficult to manage. Security analysts commonly offer a complaint worthy of Yogi Berra: "We have so much security data that we can't find anything we're looking for."
Traditional on-premises SIEM is an incomplete solution.
A full 70% of organizations continue to anchor their security analytics and operations with security information and event management (SIEM) systems. Despite this central role, security operations center (SOC) teams now surround the SIEM with additional tools for threat detection/response, investigations/query, threat intelligence analysis, and process automation/orchestration. This raises the question: If SIEM is essential to security analytics and operations, why do organizations need so many tools?
The research reveals that while SIEM is good at discovering known threats and generating security and compliance reports, it's not well suited for detecting unknown threats or other security operations use cases. What's more, 23% of security pros say that SIEM platforms require lots of personnel training and experience, and 21% believe that SIEM requires constant tuning and operational overhead to be useful. SIEM isn't going away, but it needs help.
Staffing and skills shortages remain ubiquitous.
Three-quarters of survey respondents agree that the cybersecurity skills shortage has affected security analytics and operations at their organizations. Can't CISOs simply hire their way out of this situation? It's not that easy: 70% of security pros say that it is extremely difficult or somewhat difficult to recruit and hire SOC personnel. Organizations are addressing the skills gap by turning to managed services. Seventy-four percent of organizations use managed security services (for security analytics and operations) today, and 90% plan on increasing their use of managed security services in the future. When it comes to the SOC, it seems that no one can go it alone anymore.
Security analytics and operations technologies are migrating to the public cloud.
In the past, CISOs preferred the hands-on control of on-premises security analytics and operations technology, but this is no longer true. The research indicates that 41% of organizations prefer cloud-based security analytics and operations technologies while another 17% are willing to look at cloud-based security analytics and operations technology options on a case-by-case basis.
Why move to the cloud? The most obvious reason is to avoid the cost and complexity of an on-premises security analytics and operations infrastructure (i.e., deployment and ongoing operations of data collectors/processors, load balancers, servers, storage devices, etc.). Interestingly, some progressive organizations believe that scalable, burstable cloud-based processing and storage resources can provide analytics opportunities they simply can't achieve with homegrown on-premises efforts. This is particularly true with the application of machine learning algorithms on massive security data sets.
Based upon this research, ESG has four recommendations for CISOs and security professionals:
- CISOs must address SOC deficiencies with long-term and comprehensive strategies that can improve security efficacy, bolster operational efficiency, and support business objectives. Tactical tweaks won't do.
- Large organizations should understand that security analytics and operations is a big data application. This demands that security teams have appropriate data management skills so they can build and operate security data pipelines at scale.
- CISOs must plan for cloud migration so they can create a security operations and analytics platform architecture (SOAPA) that helps them prevent, detect, and respond to security incidents across hybrid IT infrastructure. "Lift-and-shift" should be viewed as a starting, not an ending, point.
- To address the scale and scope of security operations along with the ongoing cybersecurity skills shortage, SOC managers must lean on artificial intelligence, security process automation, and managed services moving forward. Once again, CISOs need a detailed plan on how these elements will augment the SOC staff, supplement and improve SOC processes, and better safeguard critical business assets.