
Enterprise security teams struggle with the growing pace, volume and sophistication of cyberattacks

September 30, 2020

The 2020 State of Security Operations study from Forrester Consulting finds that enterprise security teams around the world continue to struggle with the growing pace, volume and sophistication of cyberattacks. The commissioned survey of over 300 enterprise security operations professionals reveals that only 46% of enterprises are satisfied with their ability to detect cybersecurity threats. Since the COVID-19 crisis began, the rate of attacks has soared. One FBI spokesperson was quoted as saying that cybersecurity complaints to the Bureau’s Internet Crime Complaint Center have spiked by 200-300% since the pandemic began. 

Every Business Is Vulnerable to a Cyberattack  

Despite all their resources, a number of industry-leading global companies have fallen victim to high-profile cyberattacks in 2020. According to the Forrester survey, 79% of enterprises have experienced a cyber breach in the past year, and nearly 50% in the past six months. This is despite the fact that most organizations have an internal security operations center (SOC) or some form of 24×7 coverage. 

Mike Weber, Vice President at Coalfire, a Westminster, Colorado-based provider of cybersecurity advisory services, says, “In review of the Forrester report, the number of companies that had a data breach within the last year is staggering. However, the impact of a data breach can range from inconsequential to catastrophic. I would surmise that the vast majority of these are somewhere in between, and that these were mostly not life-changing events for these organizations. This shouldn’t reduce the gravity of the report, though. Coalfire put out a report this year that examined the data from penetration tests undertaken over the period of a year, and looking at these numbers next to our findings, it really doesn’t surprise me. Our data demonstrated that over 50% of all organizations could be breached, given an insider threat, and about 20% of organizations could be breached from the internet – and our numbers don’t even address “user error”.

“Companies everywhere, regardless of size or industry, see similar problems with detection and response capabilities, whether that’s a lack of integration of technologies, or having too many technologies to optimize, or simply having manual processes waste resources chasing alerts that result in false positives,” says Weber. “Security is a continuous arms race, and there needs to be a formative change in the technologies that enable rapid and accurate responses to attackers supported with high-quality and actionable information. Perhaps the future will bring AI-powered solutions that can anticipate malicious behavior before it happens? One can hold out hope for tomorrow, but as the saying goes, hope is not a strategy.”

Cyberattackers are relentless and getting more sophisticated by the day. Businesses are under constant attack, with the average security operations team receiving over 11,000 security alerts daily. Hamstrung by siloed applications and manual processes, the report finds that a majority of organizations are unable to address most or all of the security alerts they receive in a single day. Alarmingly, 28% of alerts are simply never addressed, the report found.   

The net result is that security analysts are drowning in alerts, which is having a profound impact on their health, wellness and overall job satisfaction. This reactive approach to cybersecurity also has decision makers frustrated and dissatisfied. With Forrester Research estimating the cost of an average data breach at as much as $7 million per incident, a more proactive approach is needed to quickly prevent, identify and address cyber threats. 

 

Security Teams Face Significant Resource and Technology Challenges

Security analysts are understandably frustrated that they are spending so much time chasing false leads and performing manual processes. They are working longer hours, taking on more responsibility and increasingly under more pressure to protect the business. Despite their efforts, security operations teams are unable to hit key metrics like mean time to investigate, number of incidents handled, mean time to respond, threat score and number of alerts. Less than 50% of teams report that they meet these metrics most of the time. Based on the survey, Forrester Consulting found two key reasons for this disconnect:

Resource gaps: IT decision makers say finding and keeping experienced security operations staff and enough analysts to support the workload is a major challenge. 

Technology gaps: SecOps teams use an average of over 10 different categories of security tools, including firewalls, email security, endpoint security, threat intelligence, vulnerability management and more. But these tools are typically siloed, and implementation tends to be poor.

This wide range of tools that enterprises invest in to combat security threats creates a number of problems, including:

  • Difficulty hiring, training and retaining employees who are adept at using the full security technology stack.
  • Too many low-priority alerts that obscure visibility into the real threats and leave security analysts with little time for threat hunting and process improvement.
  • Siloed workflows that add complexity and time to security processes.

Mark Kedgley, CTO at New Net Technologies (NNT), a Naples, Florida-based provider of IT security and compliance software, notes, “One of the big issues cited in this latest report is Security Alert fatigue. It’s a headache that too many cybersecurity vendors are actually guilty of helping to create. It comes about as a side-effect of the features-race, especially in the SIEM market, and trying to automate the identification of security breach activity. Unfortunately, far too many of these Threat Signature technologies just aren’t smart enough to deliver valuable intelligence leading to false positives that serve to mask genuine security incidents. Increasingly, security professionals are looking to simplify their security strategy, seeking to master fundamental security controls instead of being distracted by the latest silver bullet product. As a case in point, using intelligent change control as a more reliable breach detection technology not only cuts out the unwanted change noise from business as usual activities, but provides more meaningful context to changes than simple log data is able to.”

The Modern SOC Requires Automation and Visibility

According to the report findings, only 13% of the surveyed organizations are leveraging the value of automation and machine learning to triage, analyze and respond to threats. On the flip side, sophisticated cyberattackers are rapidly developing new ways to use these same tools to scale the scope and impact of their operations. 

Cody Beers, Technical Training Manager at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, “SecOps teams have been inundated since COVID began, as attacks have increased drastically during this pandemic. On top of that, the plethora of tools that an organization chooses to use can create a time barrier, preventing SOCs from mitigating or preventing attacks at a faster clip. Using AI automation and Machine Learning can be extremely useful for detecting true threats, and there are also products available today that deliver human-verified results directly to the client. These types of tools can be integral to ensuring an expedited response to cyber-attacks, as well as reducing the time-to-fix windows for discovered vulnerabilities.”

Forrester Consulting says there are opportunities and solutions businesses can take advantage of to increase control and visibility across the infrastructure. For example, an extended detection and response (XDR) solution can help with analyst fatigue, tool inefficiency and overall security outcomes by:

  • Improving visibility with unifying technology that seamlessly integrates telemetry from multiple sources.
  • Leveraging security analytics capabilities such as machine learning to surface stealthy attack techniques.
  • Automating root cause analysis.

To learn more, download the full Forrester Consulting report: The 2020 State of Security Operations.

KEYWORDS: cyber security risk management Security Operations Center (SOC) threat detection

Copyright ©2025. All Rights Reserved BNP Media.
