The State of Threat Detection and Response

Security teams shoulder the enormous responsibility of protecting their organization from attacks that could compromise data, ruin brand trust and result in costly damages. In my more than ten years as a security analyst, engineer and now founder of a company that solves the challenges of security operations at scale, I’ve seen the successes and struggles of that responsibility firsthand. What I’ve learned is that in order to succeed in their mission as defenders, security teams need the right tools, resources and personnel.

In the last decade, the volume of data that security teams need to analyze to proactively defend their environments has grown exponentially, and, unfortunately, many of the tools they rely on just haven’t kept up. To learn more about what’s working and what’s lacking in security teams’ threat detection and response capabilities, we surveyed 400 security practitioners to better understand the state of threat detection and response.

Four Insights Into Threat Detection and Response

Overall, only 41% of respondents categorized their detection and response program as “very effective,” which is certainly a concern given the critical importance of securing company data and infrastructure. What factors are impeding security teams’ confidence in their detection and response capabilities? Here’s what we learned about the key challenges and frustrations they are facing.

1. The biggest challenge is efficiency.

Security teams say their biggest challenge today is being efficient in their operations, which often stems from frustrations with high volumes of false positives and a lack of adequate processes.

They also cite technical issues, such as the growing volume of data, complex cloud environments and a lack of proper tools, as another major challenge to their threat detection and response efficacy.

Also concerning is the significant portion (29%) who responded that their biggest challenges were HR- and budget-related, namely budget restrictions and insufficient staffing, which contribute to team burnout.

2. For most, the volume of alerts has increased dramatically.

The responses to this survey paint a clear picture that security teams are being inundated with alerts. A full 64% of those surveyed have seen their volume of alerts increase in some capacity over the past year, and 48% of security engineers and analysts have seen their alerts triple, quadruple or even quintuple in that time. This is an alarming growth rate, especially when considered alongside the growing security skills shortage. Most security teams are struggling to hire, train and retain staff, meaning that already busy and overtaxed security teams are facing a situation that is getting worse rather than better.

3. Over 50% find that at least half of alerts are false positives.

Not only has there been a massive increase in the number of alerts, but many of those alerts also turn out to be false positives. Three-quarters (75%) of security practitioners said that of the alerts they receive, false positives constitute more than half.

This is why 56% responded that they were suffering from alert fatigue. Spending time investigating so many alerts only to find that they are false positives not only wastes valuable time, it leads to frustration and discouragement. In fact, one study found that 62% of security teams said that alert fatigue contributed to turnover in their organization, and 60% have seen alert fatigue cause internal friction. Of course, all of this contributes to reduced efficiency and impact.

4. With a lack of adequate tools, 55% have built their own detection and response tool.

If current tools are failing to handle the influx of data from cloud infrastructure and applications and don’t allow security teams to be as effective as they need to be, what’s the solution? While security teams do use a number of tools for monitoring and detection, like IDS, IPS and others, our report found that they’re not very satisfied with how well the tools do the job, leading over half of the respondents to try to build their own tools in-house to meet their needs.

The Right Tools for the Right Fight

Having a security team tasked with protecting their organization yet using outdated or underperforming tools is like sending a fire company to fight a blaze with a garden hose. Security teams need the right resources, like platforms built for cloud-scale data ingestion and modern detection processes, as well as organizational support, to remove the barriers to efficiency that hinder them today. Threat detection and response are never easy, but having the right tools can make the fight to keep an organization safe much less complicated.

Jack Naglieri

Jack Naglieri is a professional with a passion for information security, cloud infrastructure, and security software. His exposure to information security began as an incident responder for Verisign. After graduating from George Mason University, he moved to the San Francisco Bay Area and spent two years at Yahoo as an incident responder. He later transitioned into a security engineering role, with the challenge of deploying security monitoring tools at a massive scale. In 2016, he joined Airbnb and open-sourced StreamAlert, a framework that enables real-time data analysis and alerting at scale. He then managed a team of engineers further developing detection and response infrastructure at Airbnb. He has since founded his venture-backed startup, Panther Labs, to help companies detect and prevent security breaches in the cloud-first world.