83% of organizations experienced more than one data breach in 2022. However, 97% of respondents feel confident that they are well-equipped with the tools and processes needed to prevent and identify intrusions or breaches, according to Exabeam.
“The findings indicate a sizable disconnect between market promises and team perceptions. As a result, teams lack the holistic visibility and context to zero in on adversary behaviour to identify the causes of major incidents and breaches. As a result, large-scale data breaches and multi-million-dollar remediation efforts are taking a toll on organizations’ brands, customer retention, and act as a distraction to business momentum and budgets,” said Steve Moore, Chief Security Strategist at Exabeam.
The current state of SIEM at U.S. organizations
46% of all respondents operate more than one cloud or on-premises SIEM platform. Among those with SIEM tools:
- 64% of those who have one platform are very confident they can detect cyberattacks based on adversary behaviour alone, while 59% of those with two or more platforms are very confident.
- In addition, 4% of U.S. security professionals report not using a SIEM platform, and of those respondents, 81% were confident.
However, just 17% of all respondents can see 81–100% of their network. Since many analysts lack full visibility, the likelihood that adversaries are lurking in dark corners grows ever greater.
Prevention a higher priority than threat detection, investigation, and response (TDIR)
One reason security teams struggle to prevent breaches is that adversaries are often already in the network, undetected. Despite this reality:
- 65% still prioritize prevention over detection, investigation, and response as their most important security goal.
- Just 33% said detection was the highest priority.
Security investments mirror this thinking:
- 71% spend 21-50% of their security budgets on prevention.
- 59% invest the same percentage on TDIR.
“As widely known, the real question is not if attackers are in the network, but how many there are, how long have they had access, and how far have they gone,” continued Moore. “Teams need to socialise this question and treat it as an unwritten expectation to realign their investments and on which to perform, placing the necessary focus on adversary alignment and incident response. Prevention has failed.”
Teams overconfident in ability to prevent attacks
While nearly all respondents are certain they can prevent attacks, this confidence drops when challenged. When asked if they’d feel very confident telling a manager or the board that no adversaries had breached the network at that time, only 62% say yes, leaving more than a third with doubts.
“Business leaders are asking, ‘Why do bad things keep happening?’ The answer is security teams are overconfident,” said Tyler Farrar, CISO, Exabeam. “Many vendors overpromise, leaving organizations with an ineffective SIEM that can’t truly baseline normal behaviour, and as the data shows, some lack a SIEM altogether. This is leading to burnout, as teams simply can’t detect anomalies or prevent incursions.”
Platform and process issues increasing staff burnout
As attacks surge, security jobs become ever more demanding. Some 43% of respondents cited being unable to prevent bad things from happening as the worst part of their job, followed by:
- Lacking full visibility due to security product integration issues (41%)
- An inability to centralise and understand the full scope of an event or incident (39%)
- Being unable to manage the volume of detection alerts, with too many false positives (29%)
- Not feeling confident that they’ve resolved all problems on the network (29%)
Compromised credentials a leading attack vector
Adding to the complexity of incident detection, Exabeam found that more than 90% of security professionals are battling compromised credential cases. It’s critical to note that some SIEMs don’t use behavioral analytics and can incorrectly flag legitimate user actions as malicious, increasing the number of false positive alerts teams must triage, adding to their mental fatigue.
With blind spots and noisy alerts, it’s not surprising that security teams can’t match pace with adversaries:
- Just 11% can scope the overall impact of detected malicious behaviours in less than one hour.
- 52% report they can analyse it in one to four hours.
- 34% take five to 24 hours to identify high-priority anomalies.
However, data exfiltration typically begins minutes into an attack, and adversaries can do significant damage in just a few hours.
“Despite significant spending on prevention tools, adversaries are still breaking into organizations using compromised credentials — which prevention solutions can’t detect,” said Sam Humphries, Head of Security Strategy, EMEA, Exabeam.
“And if these are the patterns we are seeing in the U.S., where the security market is ahead, it’s likely worse in other regions such as EMEA and APAC. Fortunately, when organizations invest in detection tools with automated insights, behavioural analytics, and processes provided by platforms, security practitioners are better positioned to detect, investigate, and respond to adversaries.”