In the Forrester Wave™: Security Analytics Platforms, Q4 2020, authors Joseph Blankenship and Claire O’Malley state from the outset that: “As security information and event management (SIEM) technology becomes outdated and less effective, cloud-delivered security analytics platforms that provide custom detections will dictate which providers will lead the pack.” Moreover, they state that: “Vendors that can provide customization, MITRE ATT&CK mapping, and SaaS delivery position themselves to successfully deliver improved detection, faster investigations, and flexibility to their customers.” I’ll expand on these market trends below.
Before I do, it’s worth pointing out that JB and Claire also show that they know their audience of security professionals by kicking off the report with an “Empire Strikes Back” quote. This is the first Star Wars reference I remember seeing in an analyst report. To learn which character was quoted (surprisingly, not Yoda), and to read their analysis of the 11 “most significant” security analytics platform providers, including Exabeam, you can download the report here.
But back to the market trends.
Not all analytics are created equal
As I mentioned, the thesis of the report is that analytics have assumed primacy when it comes to detecting threats. They go further, explaining that not all analytics are created equal: “Many security analytics vendors offer basic analytics, focused on user behavior, and little to no automation. The strongest vendors offer analytics capabilities with multiple machine learning types and include security orchestration, automation and response (SOAR).” Said another way, the best security management solutions combine machine learning-based analytics and automation.
Correlation rules are not enough to detect today’s attackers. One example among many is their inability to detect the use of compromised credentials. When an employee’s ID and password have been stolen (or otherwise obtained), the attacker simply logs in, and that login is indistinguishable from the employee’s own: there is no signature to match and no failure threshold to exceed, so traditional correlation-based tools have nothing to fire on. It is no coincidence that stolen credentials have remained one of the most common attack vectors for the past decade. Once in, attackers use the credentials to access systems and then hide by mimicking legitimate user actions, “living off the land” with the tools already present in the environment. Correlation-based systems can’t distinguish that activity from the real user’s. SOC and insider threat teams often completely miss attacks by people who have been able to log in with valid credentials. Or, if they have set up correlation rules broad enough to catch them, they are inundated with false positives and distracted from identifying attacks in progress.
Machine learning-based analytics work because they build a baseline of each user’s (and each asset’s) historical behavior and then score every new event against it, flagging deviations such as a novel login process, a user accessing an asset for the first time, or an unusual credential switch or privilege escalation. The condition a correlation rule cannot express (“this is not how this user normally logs in”) is exactly what the model measures. What was impossible to see can now be seen plain as day.
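To make the contrast between the two approaches concrete, here is an added example (my own illustration for this post, not Exabeam’s code or detection content): a static failed-logon correlation rule next to a minimal per-user behavioral baseline, both run over constructed authentication events. Every user, host, IP address and point value below is invented for the example; the scoring weights and the per-source “session” grouping are simplifying assumptions, not a description of any product.

```python
"""
Added example (not from the original post or from Exabeam): a minimal per-user
behavioral baseline scored against one day of authentication events, beside the
static correlation rule that misses the same activity. All users, hosts, IPs and
point values are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    day: int          # days 1-30 are learning history, day 31 is scored
    user: str
    src: str          # source IP of the logon
    host: str         # asset logged into
    logon_type: str   # e.g. "interactive", "network", "remote_interactive"
    success: bool = True


# Assumption for the example: the accounts a defender treats as privileged.
PRIVILEGED = {"svc_backup_admin"}

# Illustrative points per indicator, not a vendor's tuning.
WEIGHTS = {
    "first_time_asset": 25,
    "novel_source": 30,
    "novel_logon_type": 20,
    "credential_switch": 20,
    "credential_switch_privileged": 40,
}
ALERT_THRESHOLD = 50


def build_history():
    """Constructed 30 days of routine, successful logons for two users."""
    events = []
    for day in range(1, 31):
        events += [
            AuthEvent(day, "alice", "10.0.0.5", "WS-ALICE", "interactive"),
            AuthEvent(day, "alice", "10.0.0.5", "FS01", "network"),
            AuthEvent(day, "alice", "10.0.0.5", "MAIL01", "network"),
            AuthEvent(day, "bob", "10.0.0.9", "WS-BOB", "interactive"),
            AuthEvent(day, "bob", "10.0.0.9", "DEV02", "remote_interactive"),
        ]
    return events


def build_day_31():
    """Constructed scored day: alice's normal logon, then an attacker holding
    alice's valid password logging in from an unfamiliar source, reaching an
    asset alice never used, and switching to a privileged account. Every
    logon succeeds, so no failure counter ever moves."""
    return [
        AuthEvent(31, "alice", "10.0.0.5", "FS01", "network"),
        AuthEvent(31, "alice", "203.0.113.7", "FS01", "remote_interactive"),
        AuthEvent(31, "alice", "203.0.113.7", "HR-DB01", "network"),
        AuthEvent(31, "svc_backup_admin", "203.0.113.7", "HR-DB01", "network"),
    ]


def correlation_rule_fires(events, threshold=5):
    """Classic static rule: N or more failed logons for one user in the window.
    Returns the users it would alert on; valid-credential abuse never trips it."""
    fails = defaultdict(int)
    for e in events:
        if not e.success:
            fails[e.user] += 1
    return {u for u, n in fails.items() if n >= threshold}


def learn_baseline(events):
    """Per-user history of hosts, sources and logon types, plus which accounts
    normally authenticate from each source."""
    b = {"hosts": defaultdict(set), "srcs": defaultdict(set),
         "types": defaultdict(set), "src_users": defaultdict(set)}
    for e in events:
        if e.success:
            b["hosts"][e.user].add(e.host)
            b["srcs"][e.user].add(e.src)
            b["types"][e.user].add(e.logon_type)
            b["src_users"][e.src].add(e.user)
    return b


def score_day(baseline, events):
    """Score events grouped by source IP (a rough stand-in for a session).
    Each (user, indicator, value) counts once per session so a repeated
    novelty does not inflate the score. An account with no history trips every
    novelty check; a real system would gate on a minimum learning period."""
    sessions = defaultdict(lambda: {"points": 0, "indicators": [], "users": set()})
    for e in events:
        if not e.success:
            continue
        s = sessions[e.src]
        hits = []
        if e.host not in baseline["hosts"][e.user]:
            hits.append(("first_time_asset", e.host))
        if e.src not in baseline["srcs"][e.user]:
            hits.append(("novel_source", e.src))
        if e.logon_type not in baseline["types"][e.user]:
            hits.append(("novel_logon_type", e.logon_type))
        # Credential switch: a different account, never seen from this source,
        # authenticates after another account already did in this session.
        if s["users"] and e.user not in s["users"] and e.user not in baseline["src_users"][e.src]:
            kind = "credential_switch_privileged" if e.user in PRIVILEGED else "credential_switch"
            hits.append((kind, e.user))
        s["users"].add(e.user)
        for kind, value in hits:
            tag = (e.user, kind, value)
            if tag not in s["indicators"]:
                s["indicators"].append(tag)
                s["points"] += WEIGHTS[kind]
    return dict(sessions)


def alerts(sessions, threshold=ALERT_THRESHOLD):
    """Sources whose accumulated risk crosses the alert threshold."""
    return sorted(src for src, s in sessions.items() if s["points"] >= threshold)


if __name__ == "__main__":
    history, day = build_history(), build_day_31()
    print("correlation rule alerts:", correlation_rule_fires(history + day))
    scored = score_day(learn_baseline(history), day)
    for src, s in scored.items():
        print(src, s["points"], s["indicators"])
    print("baseline alerts:", alerts(scored))
```

Run as written, the failed-logon rule returns no users at all, while the baseline scores alice’s genuine session from 10.0.0.5 at zero and the attacker’s session from 203.0.113.7 at 190 points (novel source and logon type, first-time access to HR-DB01, then a switch to a privileged account), which is the only source that alerts.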
Automation is not just for response
The report remarks on the importance of automation in the form of “security orchestration, automation and response (SOAR).” I don’t disagree. Establishing actions and playbooks that ensure your organization has a consistent response to similar incidents is fundamental, and goes a long way to improving the effectiveness of junior staff. Automating those processes allows for a faster mean time to respond (MTTR).
But only automating response leaves detection, triage and investigation as manual processes. According to a recent Ponemon report on SIEM productivity, detection, triage and investigation take up 74% of analysts’ time. For example, it takes over 20 hours to manually build an incident timeline and get some semblance of the scope of an attack. As a result, many security teams find that time continues to be in short supply. According to the Exabeam 2020 State of the SOC Report, “SOC staffing remains an issue, with nearly 40% of organizations feeling they are understaffed.”
Customization is about outcomes
Each organization is unique, so customization is essential. The report states that, “Most vendors deliver out-of-the-box (OOTB) content that can be customized by enterprises to meet their individual needs. More advanced users also want to develop custom detections for specific scenarios. Some vendors make their machine learning models available to be customized by customers that want to create their own.” Again, right on the money. No surprise that as a leader in the report, Exabeam provides hundreds of detection models OOTB and allows practitioners to easily create custom detection rules and models. But, like automation, I see custom content as something that is needed across the entire analyst workflow, not just for detection.
None of the organizations I talk to is looking to buy technology for its own sake. They are looking to add coverage for a specific use case, be it phishing, ransomware, compromised credentials or a compliance requirement. To solve these problems they need visibility, detection logic and response procedures, not just a detection rule. At Exabeam, we do this by providing clear guidance on what data sources are needed, and use case content at each stage of your workflow: parsers and cloud connectors, OOTB detection rules and models, actionable context during triage and investigation, and prebuilt response actions and playbooks. These include turnkey playbooks where we have already licensed third-party tools, like threat intelligence, so you don’t have to bring your own license (BYOL).
MITRE mapping is about faster investigations
The rise of the MITRE ATT&CK framework over the past couple of years has been astonishing. Forrester sees this, and points out that: “Vendors with the most-advanced capabilities also show which parts of MITRE ATT&CK are covered in customers’ environments.” Most vendors have been quick to provide MITRE mapping in their products. As a leader in the report, it should be no surprise that Exabeam has done this, too. The hard part for organizations I’ve spoken to is operationalizing MITRE into their day-to-day workflow. We’ve worked closely with our customers to identify some best practices for doing so. I captured many of them in this webinar: Using the MITRE ATT&CK Framework for Detection and Threat Hunting.
The future is here. The future is the cloud.
One of the most significant changes for companies and governments alike in 2020 has been the acceleration of their digital transformation, including an expedited move to the cloud. This is captured in the opening subtitle of the report: “The future of security analytics is in the cloud.” At Exabeam, I’ve seen this rapid change first hand as we became a SaaS company in 2020. Our cloud offering now makes up most of our new sales. I agree with the authors’ explanation of the underlying reason: “This change has enabled vendors to more quickly roll out new capabilities to their customers and decrease the management overhead for these systems.” Combine that with the inability of many teams to access their own data centers during the pandemic, and it’s easy to understand why the move to the cloud is underway (and may have something to do with that “Star Wars” quote I mentioned earlier!).
To learn more about Exabeam SaaS Cloud and why we are a leader in the Forrester Wave™: Security Analytics Platforms, Q4 2020, request a personal demo or watch a recorded demo today.