Automation and Analytics versus the Chaos of Cybersecurity Operations

Research Insights Paper: Automation and Analytics versus the Chaos of Cybersecurity Operations

Executive Summary

ESG recently surveyed 412 IT and information security professionals representing large midmarket (500 to 999 employees) and enterprise-class (more than 1,000 employees) organizations based in North America and Western Europe. The survey included representation from multiple industry verticals including manufacturing, financial, retail/wholesale, business services, government (federal/national and state/local), and healthcare, among others. All respondents were involved in the planning, implementation, and/or daily operations of their organization’s security analytics and operations. Based upon the data collected as part of this research project, ESG concludes:

• Cybersecurity analytics and operations are getting more difficult. Seventy-two percent of those surveyed believe that cybersecurity analytics and operations are more difficult today than they were two years ago for several reasons. Survey respondents say it is difficult to keep up with the evolving threat landscape, they lack adequate cybersecurity skills or the appropriately sized security staff, and they have too many tools. That last response—too many tools—is a new challenge, while the others are perennial. Alarmingly, more than one-quarter (27%) say they spend most of their time responding to high-priority or emergency issues. It seems that security analytics and operations scaling needs may be overwhelming many organizations.

• Organizations are consolidating their security operations. To accommodate data growth while enriching, contextualizing, and acting upon security intelligence in real time, CISOs realize that they need a tightly integrated security operations and analytics platform architecture (SOAPA). This trend is early but gaining momentum as 15% of organizations have actively moved toward a more consolidated operations model, while another 66% are moving toward a more consolidated and integrated approach today. Additionally, 21% of organizations say consolidating their security operations technologies is one of their highest priorities.

• Operationalizing security analytics is a primary objective. The time and effort organizations expend to acquire and deploy each new point tool takes a toll. Implementing new tools distracts the infosec team from addressing tactical issues, and they can’t reap the benefits until they both tune the tool to their specific environment and obtain tool mastery. Twenty-nine percent of those surveyed want to improve the operationalization of behavioral intelligence and 25% want to integrate disparate tools into a more efficient and effective architecture.

• Security operations automation and orchestration is a high priority. Two-thirds of respondents’ organizations consider automation of security analytics and operations to be a high priority. Technology initiatives are rampant, with 19% already adopting extensively, 39% adopting on a limited basis, and 26% engaged in a project to deploy technology for security analytics and operations automation and orchestration.

• Machine learning (ML) for security operations and analytics is gaining interest. The future appears bright for cybersecurity technologies based upon machine learning as 12% of survey respondents say that their organization has deployed machine learning technologies for security analytics and operations extensively, while another 27% have deployed machine learning for security analytics and operations on a limited basis. Despite less than a third of respondents declaring themselves very knowledgeable about these technologies, the data indicates that organizations hope to use these nascent advances to improve the productivity, efficiency, and efficacy of their security analysts.

© 2017 by The Enterprise Strategy Group, Inc. All Rights Reserved.

The Chaotic State of Security Operations and Analytics Today

Cybersecurity operations and analytics is made up of a complex set of processes, tools, and personnel focused on cyber threat prevention, detection, and response. Organizations must block known malicious behavior, as well as collect, process, and analyze internal and external data, identify and investigate suspicious activities, and remediate problems quickly before minor issues become major data breaches. These standard requirements have become more sophisticated and complicated, according to nearly three-quarters (72%) of survey respondents. The research points to several issues including:

• The evolving threat landscape. Twenty-six percent of survey respondents said that the threat landscape is evolving and changing rapidly, making it difficult to keep up. Operational and analytics tasks and workloads have changed as threats have done a better job of penetrating countermeasures and establishing persistence within an organization. Attackers are leveraging hundreds of anti-security, anti-sandbox, and anti-analyst evasion techniques that make their activities look benign and their software look innocent, so analysts are seeing more demand for subtle data assessments of more context-sensitive incidents.

• Too many tools. The survey revealed that 40% of organizations use 10 to 25 tools while 30% use 26 to 50 tools (see Figure 1). Cybersecurity operations and analytics toolsets have grown organically as security professionals deploy new tools to address specific issues. This army of point tools presents a problem because organizations require more resources as they deploy more tools. For example, each tool comes with its own installation, configuration, maintenance, compute, storage, and networking requirements, and generates data that must be managed and assimilated. Since no single member of the security team can develop expertise with every tool, organizations must hire and train more staff as the pool of tools expands. Unfortunately, the plethora of point tools seldom comes with ways to integrate each data set into analysis processes and dashboards. They can’t provide a holistic view of the organization’s security status, forcing cybersecurity professionals to manage security operations on a tool-by-tool basis. This doesn’t scale or provide real-time visibility to existing threats or compromises.

Figure 1. Number of Security Technologies and Services in Use
Approximately how many security technologies and services (commercial, open source, and homegrown) is your organization using to support its efforts around security analytics and operations? (Percent of respondents, N=412)
[Bar chart; response categories: Less than 10, Between 10 and 25, Between 26 and 50, Between 51 and 75, More than 75, Don’t know. Only the two values cited in the text above (40% for 10 to 25 tools, 30% for 26 to 50 tools) are recoverable from the page.]
Source: Enterprise Strategy Group, 2017