In the last year, 57% of businesses had significant security incidents that needed additional resources to resolve, according to new research from International Data Corporation (IDC) and Exabeam. This research highlights program gaps brought on by committed but overworked teams lacking essential, automated threat detection, investigation, and response (TDIR) resources. North America experienced the highest rate of security incidents (66%), closely followed by Western Europe (65%), then Asia Pacific and Japan (APJ) (34%). Research for the Exabeam report, The State of Threat Detection, Investigation and Response, November 2023, was conducted by IDC on behalf of Exabeam and includes insights from 1,155 security and IT professionals spanning these three regions.
The findings reveal a significant gap between self-reported
security measures and reality. Despite 57% of interviewed organizations
reporting significant security incidents, over 70% of organizations reported
better performance on cybersecurity key performance indicators (KPIs), such as
mean time to detect, investigate, respond, and remediate in 2023 as compared to
2022, and the overwhelming majority of organizations (over 90%) believe they
have good or excellent ability to detect cyberthreats. Seventy-eight percent
also believe that their organizations have a very effective process to
investigate and mitigate threats. These inflated confidence levels are creating
a false sense of security and likely putting organizations at risk. A continued
lack of full visibility and complete TDIR automation capabilities, which survey
respondents also reported, may explain the discrepancy.
"While we aren't surprised by the contradictions in the data, our study in partnership with IDC further opened our eyes to the fact that most security operations teams still do not have the visibility needed for overall security operations success. Despite the varied TDIR investments they have in place, they are struggling to thoroughly conduct comprehensive analysis and response activities," said Steve Moore, Exabeam Chief Security Strategist and Co-founder of the Exabeam TEN18 cybersecurity research and insights group. "Looking at the lack of automation and inconsistencies in many TDIR workflows, it makes sense that even when security teams feel they have what they need, there is still room to improve efficiency and velocity of defense operations."
A visibility crisis in security operations
Organizations globally report that they can "see" or monitor only 66% of their IT environments, leaving ample room for blind spots, including those in the cloud. While no organization is immune from adversarial advances, the lack of full visibility means that organizations are potentially blind to any advances in those unseen environments.
"Despite having the lowest number of security incidents, APJ reports the lowest visibility of all regions at 62%, signaling that these teams may be missing and failing to report incidents as a result," noted Samantha Humphries, Senior Director, International Security Strategy, Exabeam. "With business transformation initiatives moving operations to the cloud and an ever-increasing number of edge connections, lack of visibility will likely continue to be a major risk point for security teams in the year ahead."
Automation lags across TDIR
With TDIR representing the prevailing workflow of security
operations teams, more than half (53%) of global organizations have automated
50% or less of their TDIR workflow, contributing to the amount of time spent on
TDIR (57%). Not surprisingly, respondents continue to want a strong TDIR
platform that includes investigation and remediation automation, yet hesitation
to automate remains.
"As attackers increase their pace, enterprises will have to
overcome their reluctance to automate remediation, which often stems from
concern over what might happen without a human approving the process," said
Michelle Abraham, Research Director for IDC's Security and Trust Group.
"Organizations should embrace all the helpful expertise they can find,
including automation."
The greatest TDIR needs in 2024 and beyond
When organizations were asked about the TDIR management areas
where they require the most help, 36% of organizations expressed the need for
third-party assistance in managing their threat detection and response, citing
the challenge of handling it entirely on their own. This highlights a growing
opportunity for the integration of automation and AI-driven security tools. The
second most identified need, at 35%, was a desire for improved understanding of
normal user and entity and peer group behavior within their organization,
demonstrating a demand for TDIR solutions equipped with user and entity
behavior analytics (UEBA) capabilities. These solutions should ideally minimize
the need for extensive customization while offering automated timelines and
threat prioritization.
"As organizations continue to improve their TDIR processes, their security program metrics will likely look worse before they get better. But the tools exist to put them back on the front foot," continued Moore. "Because AI-driven automation can aid in improving metrics and team morale, we're already seeing increased demand to build even more AI-powered features. We expect the market demand for security solutions that leverage AI to continue in 2024 and beyond."
The organizations surveyed for the report represent North
America (Canada, Mexico, and the United States), Western Europe (UK and
Germany), and APJ (Australia, New Zealand, and Japan), across multiple world
industries.
Go to the Exabeam website to download and read The State of Threat Detection, Investigation, and Response 2023 study, which includes results from regional surveys and IDC's crucial recommendations.