Observe Inc. published the 2023 State of Security Observability report. Conducted by CITE Research, it examines the convergence of security and observability. The inaugural report surveyed 500 full-time security decision-makers and practitioners - 40% of whom were either CISOs or CSOs - to understand their current approach to security and how it intersects with observability.
Organizations have been using log data to identify known and unknown attacks since the beginning of the Internet, but each generational shift in data volume and velocity has broken legacy tooling. Security observability - which uses logs, metrics, and traces to infer risk, monitor threats, and alert on breaches - brings SecOps forward with an architecture that separates storage from compute. Ninety-nine percent of organizations said security observability was a priority.
Notably, the report found that 84% of security professionals indicate their organization combines security and data operations into a single analytics tool. However, more than half of the security-relevant data that goes into observability systems needs to be transformed before it can be used. Nearly half (48%) of respondents are using Microsoft's ASIM for this purpose, followed by Amazon's OCSF (32%) and IBM's QRadar (28%), indicating significant data manipulation to the standards of cloud SIEM vendors. The inability to use data, and the difficulty of getting relevant data into current monitoring tools, are the top challenges for organizations switching to a new observability tool in the coming year.
The majority of respondents (95%) say they are using a SIEM in some form. SIEM has been positioned as a content- and integration-rich entry point that gives access to dozens of rules and add-ons specific to the other products your organization runs. The reality is that each integration has versioning and configuration requirements, each rule only works with properly abstracted data, and each alert expects that the customer can decide whether it is important or not. This requires continual maintenance from skilled users or costly professional services time.
The State of Security Observability report reveals that organizations clearly feel the need for knowledgeable teams that can hunt for unknown threats and respond - 73% of respondents said they have Incident Response (IR) teams and a Security Operations Center (SOC) in-house, and 95% use a SIEM (Security Incident and Event Manager). Product categories intended to replace the SIEM - such as SOAR, UEBA, and EDR - have not done so.
"Security observability borrows concepts from observability to enable security operations teams to understand risks and incidents in a more holistic way," said Jack Coates, Senior Director of Product Management at Observe. "This report shows that 99% of organizations are prioritizing security observability. Embracing this pivotal technique is imperative for security professionals, empowering organizations to discern nuanced interactions between systems and individuals over time. This approach enhances security efficacy while optimizing costs and elevating monitoring capabilities."
Other key findings from the State of Security Observability include:
- Smaller organizations struggle with limited resources in the security tools market, hindering effective adoption. However, they avoid the hype-driven churn experienced by larger teams, opting for technology upgrades within their SIEM as cost-effective alternatives.
- Cloud infrastructure doesn't provide sufficient operations or security observability on its own, and agents must be used. Host agents are used by 57% of organizations for observability and 51% for security, along with container agents (42% for observability and 44% for security) and sidecar agents (29% for observability and 28% for security).
- Half of security incidents require escalation, and tool sprawl isn't helping. Only 11% of respondents report staying in a single pane of glass, with 18% using six or more tools to investigate issues.
- Cloud conversion has crossed the halfway mark, and 74% of organizations have built their current systems to be mostly or entirely cloud-native.
For more information, visit https://www.observeinc.com/resources/the-state-of-security-observability-2023 to access the full 2023 State of Security Observability report.