A (Candid) TEN18 Analysis: The State of Threat Detection, Investigation, and Response Report 2023

Exabeam and International Data Corporation (IDC) recently announced The State of Threat Detection, Investigation and Response 2023 research report. The threat detection, investigation and response (TDIR) research was conducted by IDC on behalf of Exabeam and includes insights from 1,155 security and IT professionals spanning three regions including North America, Western Europe, Asia Pacific and Japan.

The data shows some very interesting findings. First and foremost, a very real and significant gap between self-reported security measures and reality. Here we break down the main findings and share our insights.

In this article:

• Conflicts that keep on giving
• More outcomes, less mean times
• Is it a pain point or a problem
• TDIR is time consuming
• Concluding thoughts: Reconciling the report with reality
• High-level findings from The State of Threat Detection, Investigation, and Response 2023

Conflicts that keep on giving

According to the TDIR report, the overwhelming majority of organizations (over 90%) believe they have good or excellent ability to detect cyberthreats. This isn’t the first report we’ve conducted or seen that highlights extraordinarily high confidence in the ability to detect cyberthreats, and then goes on to reveal significant volumes of security incidents (in this case 57%). 

The contrast between confidence in threat detection and the prevalence of security incidents points to a deeper issue in the current cybersecurity landscape. Despite advancements in technology and the adoption of various security measures, many organizations find themselves unprepared for both the subtleties and complexities of modern cyberattacks. The report indicates a need for a more nuanced understanding of what constitutes robust cybersecurity capabilities, going beyond conventional measures like SIEM rules and endpoint security.

The core question that emerges from the report is whether the cybersecurity industry truly comprehends what constitutes an effective security posture. When assessing the efficacy of TDIR capabilities, it’s critical to consider the benchmarks used for comparison. A potential reason for the conflicting data observed in the study could be attributed to a general lack of awareness regarding the full spectrum of available solutions. Some of these solutions are significantly more advanced than what many teams might be aware of or currently utilizing. This gap in knowledge and understanding of the market’s cutting-edge technologies poses a challenge in accurately evaluating and enhancing cybersecurity capabilities.

In the realm of cybersecurity processes, there has been noticeable stagnation in development over recent years. Most organizations structure their cybersecurity strategies around established frameworks, meticulously documenting every procedure. While the documentation of processes is undoubtedly crucial, it becomes apparent that real-world security challenges often deviate from these predetermined scripts. Each security incident tends to present a unique set of challenges, underscoring the need for a flexible and adaptive approach. In these scenarios, the reliance on relevant capabilities becomes as vital as the established processes themselves. It’s this synergy between technological innovation and procedural rigor that forms the backbone of effective cybersecurity strategies, enabling organizations to respond to dynamic and complex security threats effectively.

More outcomes, less mean times

An encouraging finding in the report is the improvement in cybersecurity key performance indicators (KPIs), such as reduced mean times to detect and respond to incidents. While we believe this is an accurate finding, we take these types of metrics with a grain of salt. Mean times often don’t measure true effectiveness of security operations and they certainly can’t measure the specific effectiveness of TDIR capabilities. 

Adopting an outcomes-based approach offers a more robust framework for measuring the effectiveness of TDIR capabilities. This methodology focuses on the end results of cybersecurity efforts rather than just quantitative metrics. While improving these mean times are important, it doesn’t necessarily equate to enhanced overall security. For instance, a reduction in mean response time is of little consequence if the same types of security incidents continue to occur. It is crucial for organizations to not just speed up their response times but also improve the quality and effectiveness of those responses.

To enhance the efficacy of their cybersecurity strategies, it’s crucial for security operations teams to not only focus on identifying and mitigating the specific offensive TTPs used by attackers but also to understand the desired outcomes of such a strategy. This process begins with a deep and nuanced understanding of the unique threats each organization faces, particularly how these threats operate within their specific network environments. To bridge the gap between identifying TTPs and achieving strategic outcomes, teams should implement a robust validation process. This involves regularly testing their security measures against simulated or real-world attack scenarios to assess their effectiveness. Furthermore, continuous evaluation of the security posture through metrics and key performance indicators will help in measuring the success of the mitigation strategies against the identified TTPs, ensuring that the organization’s cybersecurity measures are not only reactive but also proactive and adaptive to evolving threats.

For CISOs, the focus should shift from conventional metrics to more substantial outcomes that paint a clearer picture of an organization’s cybersecurity health. This involves reporting on metrics that encapsulate the broader impact of security measures on the organization’s overall risk posture. These could include the number of successful threat mitigations, the reduction in the severity and frequency of breaches, improvements in threat identification accuracy, and the effectiveness of response strategies in mitigating potential damage.

Remember, the best outcome metrics are those that reflect the actual reduction in risk and improvement in security posture. These metrics should provide a holistic view of an organization’s cybersecurity effectiveness, encompassing not only the speed of response but also the adaptability, precision, and overall impact of the security measures in place.

Is it a pain point or a problem

Assessing the severity of resource dependency in cybersecurity

The necessity for additional resources in handling security incidents is not merely a minor inconvenience; it’s a substantial challenge. According to the survey, 57% of companies encountered severe security incidents last year that demanded external assistance for remediation. This statistic transcends what Exabeam and IDC refer to as “pain points”, elevating it to a critical concern. The fact that over half of the organizations had to seek external help indicates a significant gap in their in-house capabilities to manage security incidents effectively. This finding starkly contrasts with the confidence expressed by over 90% of organizations in their ability to detect cyberthreats.

It’s crucial to recognize the diverse nature of security incidents. They are not always the result of external threats; internal risks, such as inadvertent errors by employees, also pose significant security challenges. These incidents, though not always as dramatic as external attacks, can still jeopardize an organization’s security and must be addressed with the same level of seriousness.

Visibility is a problem

Another critical issue identified in the report is the limited visibility organizations have over their IT environments. On average, companies report the ability to monitor only 66% of their environment. This lack of visibility is particularly concerning in a landscape where companies are rapidly evolving and adopting new technologies. The constant introduction of new innovations in the cloud and the integration of new software applications by various departments compound this challenge. The rise of artificial intelligence (AI) and other technological advancements further intensifies this visibility issue, presenting a complex security dilemma for organizations of all sizes.

The problem of visibility is exacerbated by the lack of collaboration between chief information officers (CIOs) and CISOs. Often, these key figures are not working in tandem to monitor and secure new assets and applications continually being introduced into the IT environment. This disjointed approach can leave significant gaps in an organization’s security posture, underlining the need for a more unified and comprehensive strategy in managing cybersecurity risks. (Source: Top 8 challenges IT leaders will face in 2024, CIO.com – see section; “Security – on a budget”)

It’s more normal to not know normal

Thirty-five percent of respondents in the TDIR report expressed the need for a better understanding of normal user, entity, and peer group behavior within their organizations. This indicates a growing interest in TDIR solutions that incorporate user and entity behavior analytics (UEBA) capabilities. However, this figure might underrepresent the true extent to which organizations struggle to grasp “normal” behavior within their environments.

From our extensive work with numerous CISOs and security teams, a common observation is that many organizations are not fully aware of what constitutes normal user activity in their own IT ecosystems. This lack of awareness often becomes apparent only after a security breach has occurred. Typically, the focus of these organizations is intensely trained on identifying specific malicious activities, leading them to overlook broader patterns of anomalous behavior that might indicate a security threat. These patterns of abnormal behavior are not always easily discernible without the aid of sophisticated behavioral analysis.

To draw a parallel, consider an orchestra where each musician plays a distinct, yet harmonious part. In such a setting, it’s challenging to notice if one instrument subtly deviates from the expected rhythm or tune, especially if you’re only listening for glaring mistakes. Similarly, in the complex symphony of daily IT operations, it’s not easy to detect subtle anomalies in user behavior that might signal a cybersecurity threat, amidst the multitude of regular activities. This complexity is compounded by the industry’s reliance on technical jargon and abbreviations, which can obscure the need for a fundamental understanding of normal operational patterns.

TDIR is time consuming

In the realm of cybersecurity, according to the report teams are allocating a significant portion of their time — 57% — to activities related to TDIR. Despite this considerable investment of time, it’s noteworthy that over half of global organizations (53%) have automated less than half of their TDIR processes. This situation highlights a clear opportunity: there is a pressing need for increased automation in TDIR activities. By automating more aspects of TDIR, security teams could free up valuable time to focus on other critical cybersecurity tasks. These include staying abreast of the latest attacker tactics and techniques, refining internal processes, synchronizing efforts with IT departments, managing new software and applications, monitoring for both insider and external threats, and conducting cybersecurity training for executives and staff.

The predominant use of metrics such as mean time to detect, investigate, or respond in security operations is likely influenced by the extensive amount of time devoted to TDIR. As these activities consume a majority of a security team’s time, enhancing automation within this domain could significantly improve these metrics. More importantly, it would allow teams to dedicate resources and attention to strategic initiatives that bolster the organization’s defenses. Enhanced automation in TDIR not only improves efficiency but also broadens the scope of visibility across an organization’s systems and infrastructure, thereby strengthening its overall cybersecurity posture.

Concluding thoughts: Reconciling the report with reality

Despite challenging economic conditions, cybersecurity budgets continue to grow, albeit at a more modest pace than in previous years. This trend, observed in discussions with CISOs over the past year, indicates that while budgets are expanding, the increments are often tied to extraordinary circumstances, such as responding to a security breach. This situation suggests a reactive approach where significant investments in cybersecurity are frequently triggered by immediate threats or incidents, rather than being part of a proactive, long-term strategy. This scenario highlights a nuanced landscape where the commitment to cybersecurity is present but often driven by urgent needs rather than consistent and strategic planning.

The effectiveness of a cybersecurity team hinges on three fundamental pillars: skilled personnel, efficient processes, and advanced technologies. The report suggests that the deficiencies and challenges highlighted in its findings are likely a direct consequence of the scarcity of these essential resources. This gap creates the pain points and problems that the study has brought to light.

Ultimately, the effectiveness of a cybersecurity strategy is deeply intertwined with the overarching goals and commitments of an organization’s leadership. In organizations where leaders possess a profound understanding of the importance of cybersecurity, the allocation of appropriate budgets and resources is more seamlessly aligned with the need to safeguard business operations.

In essence, the foundation of effective cybersecurity lies in the human element. It is the expertise, decision-making, and strategic planning of people that drive the development and implementation of processes and technologies. This human-centric approach remains a crucial consideration for organizations aiming to navigate the challenging landscape of cybersecurity effectively. Process and technology still starts with people.

High-level findings from The State of Threat Detection, Investigation, and Response 2023:

The good news:

• The overwhelming majority of organizations (over 90%) believe they have good or excellent ability to detect cyberthreats. 
• Over 70% of organizations reported better performance on cybersecurity key performance indicators (KPIs), such as mean time to detect, investigate, respond, and remediate in 2023 as compared to 2022.
• 78% percent of organizations believe that their organizations have a very effective process to investigate and mitigate threats. 

The conflicting findings:

• 57% of companies experienced significant security incidents in the last year that required extra resources to remediate.
• North America experienced the highest rate of security incidents (66%), closely followed by Western Europe (65%), then Asia Pacific and Japan (APJ) (34%). 

The visibility crisis:

• Organizations globally report that they can “see” or monitor only 66% of their IT environments.

Time lost to lack of automation:

• Security teams spend 57% of their time on TDIR. 
• More than half (53%) of global organizations have automated 50% or less of their TDIR workflow. 

The greatest TDIR needs in 2024 and beyond:

• When organizations were asked about the TDIR management areas where they require the most help, 36% of organizations expressed the need for third-party assistance in managing their threat detection and response, citing the challenge of handling it entirely on their own. 
• The second most identified need, at 35%, was a desire for improved understanding of normal user and entity and peer group behavior within their organization, demonstrating a demand for TDIR solutions equipped with user and entity behavior analytics (UEBA) capabilities.

Get the Report

Get your copy today to read more about the latest TDIR challenges and trends. Download the report.