New data shows a leading group of cybersecurity executives are investing in an emerging set of capabilities — think, next-generation security information and event management (SIEM), endpoint detection and response (EDR), and extended detection and response (XDR) — and have practices in place that are far ahead of most organizations’, highlighting a growing resilience gap.
The study co-sponsored by Elastic, “Cybersecurity Solutions for a Riskier World,” reveals how 1,200 organizations across 16 countries and 14 industries, with a combined cybersecurity spend of $125.2 billion, are investing in their defenses in response to the mounting threat landscape. It is an urgent call to action by research firm ThoughtLab, which identified a small set of leading organizations. However, the majority of survey respondents must accelerate process and technology changes to improve the effectiveness of their cybersecurity strategies — or risk falling behind.
Invest more in (next-gen) SIEM
Almost half (44%) of organizations want to augment or replace their SIEM, according to the survey. In fact, SIEM is going to be the top investment area in cybersecurity — along with identity and access management (IAM) — within the next two years.
Currently, the top cybersecurity technologies organizations invest in are: email security, distributed denial of service (DDoS) protection, mobile device management, cloud access security broker, network security policy management, and security information and event management (SIEM). However, the priorities look different in the near future. In two years, the biggest areas of technology investment, ranked, are: SIEM, IAM, DDoS protection, cloud workload protection platforms, email security, and secure access service edge (SASE).
Organizations that have yet to optimize threat detection could look to trends like these to guide their planning. A SIEM can provide “more visibility and data points to help make more granular decisions,” said Duc Lai, CISO at University of Maryland Medical System.
When it comes to replacing or augmenting their SIEM, what should organizations look for? For one, cloud-native capabilities are a hallmark of a next-gen SIEM.
“One of the big trends driving SIEM replacement is the cloud,” said Mandy Andress, CISO at Elastic. “As workloads migrate to the cloud, monitoring cloud deployments becomes an essential element of the business.” In addition, while legacy SIEMs can ingest a lot of data, they don’t always embed analytics. A next-gen SIEM should correlate and process data to provide insights that empower timely response — without intense manual effort.
Expand advanced analytics with EDR and XDR
EDR and XDR are also top priorities for organizations. In fact, one in five organizations name EDR their biggest technology investment in two years. EDR uses machine learning to prevent ransomware and malware, detect advanced threats, and arm responders with vital context. Machine learning addresses a current gap in most organizations: only 26% of organizations say they use advanced analytics, such as AI and ML, to identify security vulnerabilities and threats.
Meanwhile, XDR combines EDR capabilities plus machine learning-powered analytics to correlate activity and identify threats. “Speed of processing and real-time analytics are key advantages,” said Andress. One in five advanced organizations plan to invest in XDR in the next two years.
Interestingly in this context, one in three advanced organizations say they adopt security technologies providing a set of capabilities as a “platform” as opposed to deploying point solutions. XDR is typically delivered as a unified security platform that integrates across other tools and serves as a single reference point for analysts. “Newer XDR platforms address broader security operations with several embedded capabilities,” said Andress, “including cloud-specific out-of-the-box rules, analytics and machine learning to draw out anomalies, integrated endpoint capabilities for faster and deeper investigations, workflow integrations for response automation, and more.”
Plan for a future in the cloud
Cloud investment grew by 25% over the past year (as a percentage of IT spending). The focus comes as organizations expand their use of cloud providers, services, and interconnections with other technologies.
As organizations adopt more cloud-native technologies, they need to consider doing so securely. Nearly half of organizations (49%) anticipate misconfigurations will increase as a root cause of breaches over the next two years — more than any other root cause of their most significant recent breaches. Properly configuring security settings and frameworks on applications, systems, and servers closes down opportunities for attackers to breach defenses.
With this in mind, investment in cloud security is critical. Advanced organizations named cloud workload protection platforms the second most effective technology they currently invest in, after email security. In addition, one in five organizations say they lack visibility into threats beyond the endpoint, which includes networks, cloud, and infrastructure. As more organizations expand into hybrid multi-cloud environments, cloud workload protection platforms can help security teams both protect server workloads and get consistent visibility.
Address security as a data challenge
When it comes to threat detection and data security, there are wide margins between leaders and others. Challenges with activities like continuous monitoring, anomaly detection, and identity management suggest some organizations are struggling to get adequate visibility into their data and keep it secure.
For example, while 81% of advanced organizations have managed or optimized detection processes, only 47% of others have achieved this progress. When it comes to continuous monitoring, 66% of advanced organizations ranked themselves highly, compared with 28% of others. The same goes for detecting anomalies and events, where the split is 68% of advanced organizations compared to 25% of others.
The story is similar in the realm of data security. 69% of advanced organizations have managed or optimized data security, compared to 44% of others. Overall, success with identity management and access controls is relatively low: 57% of advanced organizations and only 24% of others have made progress.
A significant portion of advanced organizations are improving in both these areas. As part of process initiatives in the next two years, 34% of advanced organizations plan to invest in developing and maintaining a security monitoring and threat detection capability, and 36% plan to invest in closely coordinating cybersecurity with data privacy initiatives. The latter is tied as a top process investment along with: conducting regular risk assessments, audits, stress tests, and penetration tests; and developing and maintaining a cyber incident response and recovery plan.
Train and upskill your team
An influx of more sophisticated threats requires a more robust and prepared team to defend against them — no small feat in an industry navigating a talent shortage. “While the threat of malware, ransomware, and data breaches will only continue to rise, the biggest challenge in front of many security executives is finding the next generation of cybersecurity professionals,” said Andress.
A shortage of skilled cybersecurity professionals is a current challenge for 24% of organizations, and 27% of organizations expect it to be a challenge in two years. Advanced organizations, which tend to be larger enterprises with more employees, have larger IT and data security staffs, which can make a difference in cybersecurity preparedness.
To meet the challenge, 46% of all organizations are investing in upskilling cybersecurity and IT staff. Continued training and investment in people is even more critical when thinking about the two most common breach causes. Organizations predict phishing/social engineering and human error are most likely to increase as causes of breaches in the next two years, followed by ransomware.
At the same time, CISOs are becoming more strategic, with greater influence over their organization’s business and digital transformation plans. For instance, 42% of organizations report CISOs having greater management of customer and insider fraud. Cybersecurity is also evolving into a team effort across the C-Suite, with individuals like the CEO, COO, CIO, and legal, risk, privacy, and compliance officers seeing security as more of a strategic imperative. The CISO’s expanded role and greater collaboration with their peers could help organizations maintain this focus on security awareness training and upskilling to mitigate risks like insider fraud.
See how your strategies stack up
Where does your organization’s approach to cybersecurity excel, and where are there opportunities to improve? Explore the full report to further learn from the most advanced organizations and evaluate your own cybersecurity posture.