Exabeam survey finds organisations prioritise prevention over detection while breaches continue to rise

Research also shows the inability to prevent bad things from happening as the worst part of a security job with more than a third of respondents unsure they could tell their boards that no adversaries are inside

Exabeam, a global cybersecurity leader and creator of New-Scale SIEMTM for advancing security operations, has announced its State of the SIEM survey of 500 IT security professionals, revealing that 97% feel confident that they are well-equipped with the tools and processes they need to prevent and identify intrusions and/or breaches.

However, according to recent security industry reports, 83% of organisations experienced more than one data breach in 2022.

“The findings indicate a sizeable disconnect between market promises and team perceptions. As a result, teams lack the holistic visibility and context to zero in on adversary behaviour to identify the causes of major incidents and breaches. As a result, large-scale data breaches and multi-million-dollar remediation efforts are taking a toll on organisations’ brands, customer retention, and act as a distraction to business momentum and budgets,” said Steve Moore, Chief Security Strategist at Exabeam.

The Current State of SIEM at U.S. Organizations 

Nearly half (46%) of all respondents operate more than one cloud or on-premises SIEM platform. Among those with SIEM tools:

  • 64% of those who have one platform are very confident they can detect cyberattacks based on adversary behaviour alone, while 59% of those with two or more platforms are very confident.
  • In addition, 4% of security professionals report not using a SIEM platform, and of those respondents, 81% were confident.

However, just 17% of all respondents can see 81–100% of their network. Since many analysts lack full visibility, the likelihood that adversaries are lurking in dark corners grows ever greater.

Prevention a Higher Priority Than Threat Detection, Investigation, and Response (TDIR) 

One reason security teams struggle to prevent breaches is that adversaries are often already in the network, undetected. Despite this reality:

  • 65% still prioritise prevention over detection, investigation, and response as their most important security goal.
  • Just 33% said detection was the highest priority.

Security investments mirror this thinking:

  • Nearly three-fourths (71%) spend 21-50% of their security budgets on prevention.
  • 59% invest the same percentage on TDIR.

“As widely known, the real question is not if attackers are in the network, but how many there are, how long have they had access, and how far have they gone,” continued Moore. “Teams need to socialise this question and treat it as an unwritten expectation to realign their investments and on which to perform, placing the necessary focus on adversary alignment and incident response. Prevention has failed.”

Teams Overconfident in Ability to Prevent Attacks 

While nearly all respondents are certain they can prevent attacks, this confidence drops when challenged. When asked if they’d feel very confident telling a manager or the board that no adversaries had breached the network at that time, only 62% say yes, leaving more than a third with doubts.

“Business leaders are asking, ‘Why do bad things keep happening?’ The answer is security teams are overconfident,” said Tyler Farrar, CISO, Exabeam. “Many vendors overpromise, leaving organisations with an ineffective SIEM that can’t truly baseline normal behaviour, and as the data shows, some lack a SIEM altogether. This is leading to burnout, as teams simply can’t detect anomalies or prevent incursions.”

Platform and Process Issues Increasing Staff Burnout

As attacks surge, security jobs become ever more demanding. Some 43% of respondents cited being unable to prevent bad things from happening as the worst part of their job, followed by:

  • Lacking full visibility due to security product integration issues (41%)
  • An inability to centralise and understand the full scope of an event or incident (39%)
  • Being unable to manage the volume of detection alerts, with too many false positives (29%)
  • Not feeling confident that they’ve resolved all problems on the network (29%)

Compromised Credentials a Leading Attack Vector

Adding to the complexity of incident detection, Exabeam found that more than 90% of security professionals are battling compromised credential cases. It’s critical to note that some SIEMs don’t use behavioural analytics and can incorrectly flag legitimate user actions as malicious, increasing the number of false positive alerts teams must triage, adding to their mental fatigue.

With blind spots and noisy alerts, it’s not surprising that security teams can’t match pace with adversaries:

  • Just 11% can scope the overall impact of detected malicious behaviours in less than one hour.
  • 52% report they can analyse it in one to four hours.
  • 34% take five to 24 hours to identify high-priority anomalies.

However, data exfiltration typically begins minutes into an attack, and adversaries can do significant damage in just a few hours.

“Despite significant spending on prevention tools, adversaries are still breaking into organisations using compromised credentials — which prevention solutions can’t detect,” said Sam Humphries, Head of Security Strategy, EMEA, Exabeam. “And if these are the patterns we are seeing in the U.S., where the security market is ahead, it’s likely worse in other regions such as EMEA and APAC. Fortunately, when organisations invest in detection tools with automated insights, behavioural analytics, and processes provided by platforms like the New-Scale SIEM, security practitioners are better positioned to detect, investigate, and respond to adversaries.”