Incident Detection & Response Survey Results

February 10, 2016

In today’s Whiteboard Wednesday, Eric Sun, Solutions Marketing Manager, IDR at Rapid7, will discuss the 2015 Incident Detection and Response survey findings.

Last year we were able to survey over 270 security professionals at organizations of all shapes and sizes. Some of the key focus areas within the survey were:

  • Size and resources of your fellow security teams
  • Security solutions that are in organizations today
  • Top initiatives and security concerns
  • Cloud services - who is using what, and is it secure?

Watch this week’s video to learn the details.


Video Transcript

Hi, I'm Eric Sun. This week, I'd like to share top findings from our incident detection and response (IDR) survey. The mission was to learn more about your existing security stacks, initiatives in 2015, and the pain points in your incident detection and response program. We had a great response: 271 security professionals from around the world, representing organizations of all sizes, contributed their insight. Here's the Whiteboard Wednesday edition.


Our first questions were about organization size and security team. It wasn't surprising to find that security teams have to do a lot with a little, but that extended even to organizations with thousands of employees. For companies under 1,000 employees, 48% have one InfoSec person or no dedicated team. That still continues at 26% for organizations between 1,000 and 5,000 employees. At 5,000 plus, 29% have 5 people or fewer, 22% have 6-10 people, and the remaining 49% do have 10 or more dedicated team members. This large variety in team size highlights that security is a very different priority even between similarly sized organizations. Of course, even as companies look to expand their teams, it's a challenge to find security talent, to bring it to the people, process, and technology equation.

Respondents did note that security budgets are shifting toward higher spending on incident response. 43% of organizations are spending more than last year, 37% are spending the same, and only 19% are cutting back on the spend. Why? Prevention-based systems are becoming increasingly ineffective as every day we access critical data across network, mobile, and cloud. We might check our email on a smartphone on the way into work, then plug into the Ethernet once we get to the office. Meetings take place on WiFi across the company, in coffee shops, airports, and hotel rooms. As we jump every day between IPs, assets, and services, the network perimeter now revolves around the user. As a result, detecting security incidents and applying analytics-driven approaches are essential to reduce and manage organizational risk.

The next questions were about existing security stacks, new initiatives, and today's challenges. What we learned is that the top three deployed solutions are IPS (intrusion prevention systems, often bundled into the firewall), endpoint agents, and SIEM solutions. This closely aligned with the respondents' top future security initiatives, which were maintaining and deploying SIEM; threat exposure management, which includes penetration testing and vulnerability management; and the tuning, placement, and deployment of their firewall solutions.

When asked what could be improved, three pain points were consistently selected: no user context, too many alerts, and investigations that take too long. Let's delve a little into each of these three.

User context. Today's alerts don't indicate the affected user to follow up with. Therefore, analysts need to retrace users across IPs, assets, and services, and that includes the cloud. There isn't an easy way to identify risky users and their exposed risk surface across the organization. A scary stat is that 66% of employees report being able to access company data on cloud services after leaving the company. When we asked about cloud services, 79% allow these services, but only 33% had security visibility into those same cloud services.
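As an added illustration of the user-context gap described above (this is not code from the survey or from Rapid7's products): a small Python example that retraces an IP-only alert to a user through DHCP lease, asset-owner and VPN session records, then groups alerts by that user. All record formats, names and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data, not real logs: DHCP leases tie an IP to an asset for a
# time window, an asset inventory ties the asset to its owner, and VPN sessions
# tie a pool IP directly to the authenticated user.
DHCP_LEASES = [  # (ip, hostname, lease_start, lease_end)
    ("10.0.5.23", "LAPTOP-ALICE", "2016-02-10T08:00:00", "2016-02-10T12:00:00"),
    ("10.0.5.23", "LAPTOP-BOB", "2016-02-10T12:30:00", "2016-02-10T18:00:00"),
]
ASSET_OWNER = {"LAPTOP-ALICE": "alice", "LAPTOP-BOB": "bob"}
VPN_SESSIONS = [  # (assigned_ip, user, session_start, session_end)
    ("172.16.9.4", "carol", "2016-02-10T07:45:00", "2016-02-10T09:30:00"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def user_for_ip(ip, when):
    """Return (user, asset, source) for the IP at the given time, or Nones."""
    t = _ts(when)
    # The same IP can belong to different people over the day: the time window matters.
    for lease_ip, host, start, end in DHCP_LEASES:
        if lease_ip == ip and _ts(start) <= t <= _ts(end):
            return ASSET_OWNER.get(host), host, "dhcp"
    for vpn_ip, user, start, end in VPN_SESSIONS:
        if vpn_ip == ip and _ts(start) <= t <= _ts(end):
            return user, None, "vpn"
    return None, None, None


def enrich_alert(alert):
    """Attach user, asset and attribution source to an IP-only alert."""
    user, asset, source = user_for_ip(alert["src_ip"], alert["time"])
    return {**alert, "user": user, "asset": asset, "attribution": source}


def alerts_by_user(alerts):
    """Group raw alerts by attributed user; unattributed ones stay visible."""
    grouped = defaultdict(list)
    for a in alerts:
        e = enrich_alert(a)
        grouped[e["user"] or "unattributed"].append(e["rule"])
    return dict(grouped)
```

An alert whose timestamp falls in a gap between leases stays unattributed rather than being guessed, which is the case an analyst most needs flagged.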

Too many alerts. Security analysts must weed out false positives from multiple systems, each spawning many, many alerts. Validating and assessing the severity of these alerts takes a ton of time and can mean a lot of work just to determine that something is a false positive. When we asked about alerts generated by SIEM solutions, 62% noted that they receive more alerts daily than they can feasibly investigate.

Finally, long investigations. Teams must dig through disparate sources of raw log data or know exactly what they're looking for. On top of that, there's still the possibility that stealthy user-based attacks, such as compromised credentials and malicious lateral movement, remain undetected. From our survey, 90% were worried about compromised credentials, the number one attack vector behind breaches, but only 40% could detect such an attack today.

If you'd like to learn more, check out our full IDR survey report (the link is available below), along with a webcast where we break down these findings and share the Rapid7 approach to incident detection and response with our solution InsightIDR [formerly UserInsight]. Shifting to an analytics-driven, risk-based approach to security can sound daunting, but you're not alone. At Rapid7 we have both products and services to help you catch the attacks you're missing, fast, without overloading you with workflows and alerts. To learn more, visit our incident detection and response page or contact us. That's it for this week. Looking forward to seeing you at the next one.