Exabeam Survey: Prevention Prioritized Over Detection While Breaches Rise

Exabeam closed out 2022 surveying 500 IT security professionals about the state of the security information and event management (SIEM) market in the U.S. It revealed some interesting insights from security pros as they strive to protect their organizations in environments where threats and incidents continue to rise. 

Watch the latest Exabeam LinkedIn Live! hosted by Head of Security Strategy, EMEA Samantha Humphries, joined by Stephen Moore, VP and Chief Security Strategist, and Tyler J. Farrar, Chief Information Security Officer to learn more about the Exabeam SIEM Market Survey findings.

According to recent security industry reports, 83% of organizations experienced more than one data breach in 2022.

While 97% of respondents reported feeling confident that they are well-equipped with the tools and processes they need to prevent and identify intrusions and/or breaches, when we dug deeper, we found some contradictions in their responses. An equally high number of respondents shared less confidence when reporting realities to their managers or boards.

Our research shows the inability to prevent bad things from happening as the worst part of a security job with more than a third of respondents unsure they could even tell their boards that no adversaries are inside. This could be one reason why security teams still report prioritizing spend on prevention tools over threat detection, investigation and response (TDIR) solutions. 

We learned that the market still has some hurdles, including vendor overpromises, security team burnout, and a misalignment between perception and reality. 

In this article:

• Current state of the SIEM
• Four main themes revealed in the survey
• Takeaways

Current state of the SIEM

At the top of the survey, we asked respondents about their environments. Here’s what we found as a baseline: 

• 80% of survey respondents have adopted cloud-based security information and event management (SIEM) platforms to gain advantages such as rapid deployment, simpler operational processes, scalability, and the potential to reduce costs. 
• 46% of all respondents operate more than one cloud or on-premises SIEM platform (likely as a result of corporate M&A or past tools that haven’t performed properly).
• Among those with SIEM solutions, 64% of those who have only one platform are very confident they can detect cyberattacks based on adversary behavior alone, such as living off the land, credential compromise, and lateral movement. 
• 59% of those with two or more platforms are very confident they can detect cyberattacks based on adversary behavior alone.
• 4% of U.S. security professionals report not using a SIEM platform. Of those respondents, 81% were confident they can detect attacks solely based on behavior. 
• Among those who don’t have a SIEM and are not currently evaluating one, 80% have centrally logged 41% to 80% of their environment.
• 17% of all respondents can see 81–100% of their network with current tools. Another 21% can see 61–80%, 29% can see 41–60%, 27% can see 21–40%, and 6% can see just 1–20% of the network they manage. 

Four main themes revealed in the survey

1. Prevention over detection…yet breaches keep rising

When asked about their most important security goal:

• 38% surveyed said it was preventing problems or attackers from getting inside, versus 27% who believed that detecting, investigating, and responding to incidents was the highest priority
• 27% of all respondents said both prevention and detection are goals of their security program, but prevention is more important
• 6% said that both are important, but detection is a higher priority
• Nearly three-fourths (71%) spend 21–50% of their security budgets on prevention, while 59% invest the same percentage on threat detection, investigation, and response (TDIR)

2. Confidence prevails, until it comes to talking to the board

We found that security teams are overconfident in their ability to prevent attacks. Nearly all respondents surveyed (97%), whether they have one or two SIEMs in place, said they are certain they can prevent attacks, but this confidence drops when challenged. 

Some 43% of respondents cited being unable to prevent bad things from happening as the worst part of their job, followed by:

• Lacking full visibility due to security product integration issues (41%)
• An inability to centralize and understand the full scope of an event or incident (39%)
• Being unable to manage the volume of detection alerts, with too many false positives (29%)
• Not feeling confident that they’ve resolved all problems on the network (29%)

When asked if they’d feel very confident telling a manager or the board that no adversaries had breached the network at that time, only 62% say yes. 38% still have doubts and aren’t sure if any adversaries are currently lurking in their networks.

3. Burnout is real

With blind spots and false alerts, security teams can’t match pace with adversaries. Just 11% can scope the overall impact of detected malicious behaviors in less than one hour, 52% report they can analyze it in one to four hours, and 34% take five to 24 hours to identify high-priority anomalies. Data exfiltration typically begins minutes into an attack, and adversaries can do significant damage in just a few hours.

Meanwhile, some SIEM platforms can’t detect the difference between legitimate access and role-based behavior. SIEM tools that don’t use advanced behavioral analytics can incorrectly flag legitimate user actions as malicious, increasing the number of false positive alerts teams must triage and adding to their mental fatigue. 

These conditions create job burnout. 

• 84% of respondents are concerned about burnout from productivity issues like alert fatigue and overwork to the point they think their colleagues could be looking for another job
• 51% of professionals are extremely concerned
• 34% are somewhat concerned
• 16% aren’t concerned at all 

Compounding this issue is the fact that many organizations over-rely on their top analyst, increasing the pressure on a single individual. If they lost that top team member, just 59% are very confident they could continue to rapidly detect attacks, leaving 40% uncertain they could keep pace. 

4. Compromised credentials, compromised credentials, compromised credentials

We found that more than 90% of security professionals are battling a number of compromised credential cases, indicating that this attack vector continued its popularity with attackers again in 2022 and it shows no signs of easing in 2023. 

The 2022 Verizon DBIR also found that an alarmingly high number of breaches involved compromised credentials as the way in. Phishing, ransomware, malware — these all tie to compromised credentials. Once a threat actor gets in the door, they’re often leveraging credentials to access their target. The Verizon DBIR reported that of data-related threats to small and medium businesses, 93% of attacks involved credentials. Our own discussions with customers of all sizes show similar insights.

Companies have spent a lot of money trying to prevent credential misuse from happening with tools like two factor authentication. But it’s no longer enough — time and time again we see bad actors bypass prevention tools.

Takeaways

Cybersecurity vendors overpromise that they can help organizations completely prevent breaches or identify anomalies that can lead to breaches. But when it comes to detection, the reality is that many organizations are using ineffective legacy SIEMs that aren’t designed to baseline normal behavior, which is essential to detect abnormal adversarial behavior — especially when it comes to threat actors using legitimate credentials to get in the door and move around once inside.

Our data showed that at some organizations in the U.S., whether dealing with no SIEM (4% our respondents lack one altogether) or an ineffective one, security staff are feeling burnout because teams simply can’t detect anomalies or prevent incursions.

The script must be flipped. The survey reveals there continues to be more emphasis on incident prevention and not enough on detection and response, both in terms of budget dollars spent and actual time spent at work focusing on detecting the adversaries that are inevitably still getting in. As Exabeam Chief Security Strategist, Steve Moore, says “prevention has failed.”

Read the press release for more details on the survey findings.

How to Build an Insider Threat Program with Exabeam

Sometimes even having a SOC isn’t enough to address insider threats. Security operations teams are managing massive amounts of data across billions of events from on-premises and the cloud, but looking for specific needles like insider threats has special requirements that encompass both searching historic data and seeing evolving credential behavior changes as they happen.

Whether from downsizing or expanding business, employees, vendors, contractors and others are moving in and out of your environment. And often, it is during these turbulent times that insider threats go unobserved — because everything is changing.

In this webinar, you will learn about:

• The four common scenarios where you need an insider threat team, and how to build a mission statement and tools
• Four attributes of a successful insider threat program
• How behavioral analytics baselines “normal” behavior of users and devices — showing risk faster
• Automated investigation experience that automates manual routines and guides new insider threat teams