Exabeam has released a new survey finding 46% of all respondents operate more than one cloud or on-premises SIEM platform.
The State of the SIEM report also revealed that out of the 500 IT security professionals surveyed, 97% feel confident that they are well-equipped with the necessary tools and processes to recognise and stop intrusions and breaches.
However, 83% of organisations experienced more than one data breach in 2022, according to recent security industry reports.
"The findings indicate a sizable disconnect between market promises and team perceptions. As a result, teams lack the holistic visibility and context to zero in on adversary behaviour to identify the causes of major incidents and breaches," says Steve Moore, Chief Security Strategist at Exabeam.
"As a result, large-scale data breaches and multi-million-dollar remediation efforts are taking a toll on organisations' brands, customer retention, and act as a distraction to business momentum and budgets."
One of the key findings from those with SIEM tools is that 64% of those with one platform are "very confident" they can detect cyber attacks based on adversary behaviour alone, compared to 59% of those with two or more platforms.
4% of security professionals report not using a SIEM platform, and of those respondents, 81% were confident.
However, only 17% of all respondents can see 81–100% of their network.
Exabeam notes that because many analysts lack complete visibility, there is a greater likelihood of adversaries lurking in dark corners.
Adversaries are often already in a network when a breach is underway, making it difficult for security teams to prevent them.
However, this research sheds light on the fact that 65% of security teams are choosing prevention over threat detection, investigation and response (TDIR) in spite of this.
Additionally, only 33% say detection is their highest priority.
Security investments also reflect this perception, with 71% spending 21-50% of their security budgets on prevention and 59% investing the same percentage on TDIR.
"As widely known, the real question is not if attackers are in the network, but how many there are, how long have they had access, and how far have they gone," Moore adds.
"Teams need to socialise this question and treat it as an unwritten expectation to realign their investments and on which to perform, placing the necessary focus on adversary alignment and incident response. Prevention has failed."
The research also finds that teams are generally overconfident in their ability to prevent attacks, with much of this certainty dropping when respondents were challenged.
Just 62% of respondents said they'd feel "very confident" telling a manager or board that no adversaries had breached their network at that time, leaving more than a third with doubts.
"Business leaders are asking, 'Why do bad things keep happening?' The answer is security teams are overconfident," says Tyler Farrar, CISO, Exabeam.
"Many vendors overpromise, leaving organisations with an ineffective SIEM that can't truly baseline normal behaviour, and as the data shows, some lack a SIEM altogether. This is leading to burnout, as teams simply can't detect anomalies or prevent incursions."
Further findings indicate that staff are suffering higher levels of burnout from issues with platforms and processes.
Security jobs are becoming more demanding as the number of attacks grows, with 43% of respondents saying that the worst part of their job is being unable to prevent bad things from happening.
Following this are:
- Lacking complete visibility due to security product integration issues (41%)
- An inability to centralise and understand the full scope of an event or incident (39%)
- Being unable to manage the volume of detection alerts, with too many false positives (29%)
- Not feeling confident that they've resolved all problems on the network (29%)
Exabeam also found that more than 90% of security professionals are struggling with compromised credentials.
The company notes that it is vital to recognise that some SIEMS don't use behavioural analytics and can flag legitimate user actions as malicious by mistake, increasing the chances of a false positive alert for teams to triage and causing mental fatigue for the team involved.
This has resulted in the following:
- Only 11% of respondents being able to scope the overall impact of detected malicious behaviours in less than one hour
- 52% reporting they can analyse it in one to four hours
- 34% taking five to 24 hours to identify high-priority anomalies
However, Exabeam points out that data exfiltration usually starts minutes into an attack, and adversaries can do significant damage in just a few hours.
"Despite significant spending on prevention tools, adversaries are still breaking into organisations using compromised credentials — which prevention solutions can't detect," says Sam Humphries, Head of Security Strategy, EMEA, Exabeam.
"And if these are the patterns we are seeing in the US, where the security market is ahead, it's likely worse in other regions such as EMEA and APAC.
"Fortunately, when organisations invest in detection tools with automated insights, behavioural analytics, and processes provided by platforms like the New-Scale SIEM, security practitioners are better positioned to detect, investigate, and respond to adversaries."