When Seconds Count: How Security Analytics Improves Cybersecurity Defenses, sponsored by SAS Institute, was conducted to evaluate organizations’ experiences with security analytics solutions. Specifically, how have these solutions affected organizations’ security postures? Where have security analytics initiatives succeeded or encountered roadblocks?
Ponemon Institute surveyed 621 IT and IT security practitioners who are familiar and involved with security analytics in their organizations. Eighty-seven percent of these respondents have personally been using the security analytics solution in their organizations, and 80 percent of these organizations have solutions that are fully implemented.
Although many respondents cite deployment challenges, they still believe security analytics has been effective. They report a major improvement in reducing the number of false positives in the analysis of anomalous traffic. Before implementation, 80 percent of respondents say it was very difficult to reduce false positives. After implementation, only one-third of respondents say reducing the number of false positives is very difficult.
Key findings
In this section of the report, we provide an analysis of the findings. The complete audited research results are presented in the Appendix of this report. We have organized the report according to the following topics.
- Organizations’ security analytics experiences
- Results of organizations’ security analytics initiatives
- The future of security analytics: the integrated security intelligence platform
- Tips for successful security analytics initiatives
Organizations’ security analytics experiences
Most organizations adopt security analytics after an attack. As shown in Figure 2, 68 percent of respondents say the main driver to implement a security analytics solution was a cyber attack or successful intrusion and 53 percent of respondents say their organization was concerned about becoming a victim of a cyber attack or successful intrusion. Only 33 percent of respondents say their organizations are proactive and regularly update their cyber defenses with new technologies.
Organizations use a variety of security analytics solutions, but in-house developed tools are most popular. According to Figure 3, 50 percent of respondents use in-house developed tools together with a data lake, followed by 47 percent of respondents who use a Security Information and Event Management (SIEM) solution. Thirty-nine percent of respondents say their solution is delivered and managed by a third party.
Security analytics solutions are most often deployed both on premises and in the cloud (40 percent of respondents). Thirty-three percent of respondents say the solution is deployed on premises and 23 percent of respondents say it is deployed in the cloud.
Most respondents say the initial deployment of security analytics was challenging. Fifty-six percent of respondents say it was very difficult (26 percent) or difficult (30 percent) to deploy security analytics.
According to Figure 4, 67 percent of respondents who feel the deployment was difficult cite extensive configuration and/or tuning before it was usable. Fifty-one percent of respondents felt there was too much data to deal with and 45 percent of respondents say they had issues getting access to the required data.
Data is a critical component of security analytics initiatives. According to Figure 5, 65 percent of respondents say data challenges are a barrier to success followed by lack of in-house expertise (58 percent of respondents) and insufficient technologies (50 percent of respondents).
Only 40 percent say insufficient resources are a challenge. The findings reveal the average cybersecurity budget is $12.5 million and an average of 22 percent of this budget is earmarked for big data analytics.
The quality of data collected and used for security analytics is the biggest data challenge. As shown in Figure 6, 66 percent of respondents say data quality is an issue followed closely by the ability to integrate data (65 percent of respondents) and data volume (55 percent of respondents). Only two percent of respondents say they have no data challenges.
Most organizations are looking to security analytics to learn what is happening in their networks now. Each one of the objectives listed in Figure 7 is considered important. Seventy-two percent of respondents say it is important or essential to be able to detect security events in progress followed by the ability to determine the root cause of past security events or forensics (69 percent of respondents).
Respondents also rate as important the ability to provide advance warning about potential internal threats and attackers (65 percent of respondents), provide advance warning about potential external threats and attackers (62 percent of respondents), prioritize alerts, security threats and vulnerabilities (62 percent of respondents) and analyze logs and/or events (61 percent of respondents).
To read the rest of this research, visit the SAS website.