A new survey by cybersecurity firm Exabeam has found that 97% of US IT security professionals feel confident that they have the tools and processes to prevent and identify cyber breaches and intrusions. However, recent reports show that 83% of organizations had more than one data breach in 2022, highlighting a disconnect between market promises and team perceptions.
We sat down with Steve Moore, vice president and chief security strategist at Exabeam, to discuss the report's findings in more depth and how security leaders can manage burnout and top threats, such as compromised credentials.
What were the most surprising results of this research?
The research findings indicate a sizable disconnect between market promises and team perceptions. What this means is that teams lack the holistic visibility and context to zero-in on adversary behavior to identify the causes of major incidents. One reason security teams struggle to prevent the intrusions that lead to major incidents is that adversaries are often already in the network, undetected.
I think it's surprising that nearly all respondents to the survey were certain they could prevent attacks. Upon being challenged, this level of confidence fades. For example, when asked if they felt confident telling a manager or the board that no adversaries had breached the network at a given time, we saw that more than a third had doubts.
As a result, large-scale data breaches and multi-million-dollar remediation efforts are taking a toll on organizations’ brands and customer retention, and ultimately acting as a distraction to business momentum and budgets.
Why do you think security teams are overconfident in their ability to prevent attacks?
I think that the respondents polled were overconfident in our research. They want to believe in their abilities to prevent cyber attacks, but the fact is that when challenged, the confidence in their tools completely wilts.
For starters, they lack full visibility of the ecosystem due to security product integration issues. Without the ability to centralize a view of the network and systems, they cannot possibly understand the scope of an event or cyber incident. Secondly, as has been the case with legacy tools, SOC teams are inundated with too many false positive alerts and are simply unable to manage the volume. This constant distraction leaves them with concerns regarding whether they’ve resolved problems on the network.
How do you see staff burnout affecting the security posture of organizations?
Given the blind spots and false alerts that I just mentioned, security teams can’t match pace with adversaries, and even more commonly with the noise generated by normal operations. We know that data exfiltration typically begins minutes into an attack, and adversaries can do significant damage in just a few hours. But merely 11% of respondents to our survey said they can scope the overall impact of detected malicious behaviors in less than one hour, with more than half reporting they need from one to four hours to analyze data. It's already too late for those organizations to protect themselves.
Now factor in that some security teams can’t even detect the difference between legitimate access and role-based behavior because they're using SIEM tools that don’t have behavioral analytics to baseline “normal” behavior of users and devices — and thus show risk faster. Without this, SIEM tools might incorrectly flag legitimate user actions as malicious, leading to the ever-increasing number of false positive alerts that teams must triage. These conditions add to mental fatigue, overall wasted time and distractions, and create job burnout.
Compounding this issue is the fact that many organizations over-rely on their top analyst, placing outsized pressure on a single individual. If the company loses that team member, 40% of respondent companies would be left uncertain whether they could keep pace with detecting attacks.
How can managers mitigate security staff burnout?
I think security teams are suffering some residual impacts from professional development taking a back seat to hunting threats during the pandemic. For this reason, cybersecurity leaders must push forward with career planning for their teams this year and create a path to retain their top talent.
I believe in the concept of servant leadership, which I think can really work well in this case. The principle is that servant leaders create authority by serving their employees. When cybersecurity executives are concerned about the well-being of their teams, and they regularly check in with team members or help them to remove roadblocks that might potentially harm operational performance, they are affecting the outcome of whether or not those employees suffer burnout.
Servant leaders exchange their own comfort for that of their teams. They remove barriers to success, create cooperation amongst peers, and support their staff along the way. They aren't 'yes men' to poorly thought-out actions that might burn out operational teams. They build talent from within, even if it means taking a slower, more deliberate path to success, because the growth of staff is a measure of success. Further, if they hold regular team meetings to discuss issues, they're better positioned to go to bat with upper management for an increased budget to acquire new tools or additional staff to balance the workload for their team. As a result, teams feel supported, and analysts are unafraid to share problems or new ideas, as they know their leaders will listen, consider them carefully and, most importantly, respond.
Compromised credentials continue to be a threat to an organization’s security. How can organizations strengthen their mitigations against bad actors that utilize compromised credentials?
More than 90% of security professionals in our research are battling a number of compromised credential cases, indicating that this attack vector continued its popularity with attackers again in 2022, and it shows no signs of easing in 2023. Phishing, ransomware, malware — these all tie to compromised credentials. Once a threat actor gets in the door, they’re often leveraging credentials to access their target. Our discussions with customers of all sizes show similar insights. Companies have spent a lot of money trying to prevent credential misuse from happening, and then learned that preventative controls are still not enough and, as such, monitoring and response capabilities are necessary and required. But it’s no longer enough — time and time again we see bad actors bypass prevention tools.
The survey revealed that there continues to be more emphasis on incident prevention and not enough on detection and response. The script must be flipped in terms of budget dollars and actual time spent focusing on detecting the adversaries that are inevitably getting in. Prevention alone has failed, and will always fail. It's time to focus on detection tools that spot anomalies and use automation to respond swiftly to adversaries.
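Two points in the interview above lend themselves to a concrete illustration: the claim that a SIEM without a behavioral baseline flags legitimate, role-based activity (such as a night-shift operator's logins) as malicious, and the later point that compromised credentials are only caught by monitoring what an account does after the login succeeds. The following is an added, stand-alone example and is not code from the article, from Exabeam, or from any product it mentions. It contrasts a static time-of-day rule with a per-user baseline built from a short window of constructed authentication log lines (the log format, user names, and host names are all invented for the example), then scores a few new events against both.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the article): "timestamp,user,src_host,result".
# bob works a night shift from the NOC; alice works daytime from her workstation.
BASELINE_LOG = """\
2023-01-02T08:05:00,alice,wks-alice,success
2023-01-03T08:10:00,alice,wks-alice,success
2023-01-04T08:02:00,alice,wks-alice,success
2023-01-05T07:58:00,alice,wks-alice,success
2023-01-02T22:15:00,bob,noc-02,success
2023-01-03T22:40:00,bob,noc-02,success
2023-01-04T23:05:00,bob,noc-01,success
2023-01-05T22:30:00,bob,noc-02,success
"""

# Constructed events to evaluate: bob's normal shift, then alice's valid
# credentials used at 03:12 from a host she has never logged in from.
NEW_EVENTS = """\
2023-01-09T22:20:00,bob,noc-02,success
2023-01-09T03:12:00,alice,vpn-gw-7,success
2023-01-10T08:07:00,alice,wks-alice,success
"""


def parse(log):
    """Turn the CSV-style log text into a list of event dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, host, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "result": result})
    return events


def static_rule(events):
    """Legacy-style rule: any successful login outside 07:00-19:00 is an alert."""
    return [e for e in events
            if e["result"] == "success" and not 7 <= e["ts"].hour < 19]


def build_baseline(events):
    """Per-user profile of the hours and source hosts seen in successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for e in events:
        if e["result"] != "success":
            continue
        baseline[e["user"]]["hours"].add(e["ts"].hour)
        baseline[e["user"]]["hosts"].add(e["host"])
    return baseline


def _hour_distance(a, b):
    """Distance between two hours of the day, wrapping around midnight."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_event(event, baseline, hour_slack=1):
    """Return the list of ways an event deviates from its user's baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if event["host"] not in profile["hosts"]:
        reasons.append("new source host")
    if all(_hour_distance(event["ts"].hour, h) > hour_slack for h in profile["hours"]):
        reasons.append("unusual hour")
    return reasons


def behavioral_rule(events, baseline):
    """Alert only on events that deviate from the user's own baseline."""
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = score_event(e, baseline)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    new_events = parse(NEW_EVENTS)
    print("static rule alerts:", [(e["user"], e["ts"].isoformat()) for e in static_rule(new_events)])
    for e, reasons in behavioral_rule(new_events, baseline):
        print("behavioral alert:", e["user"], e["ts"].isoformat(), e["host"], reasons)
```

The static rule raises two alerts, one of them on bob's ordinary shift login, which is exactly the false positive the interview describes. The baseline scorer stays quiet on bob and raises a single alert on alice's credentials being used at an unusual hour from a never-seen host, with both deviations listed so an analyst can scope the event immediately. A real deployment would use a longer training window and more features (source network, target resource, failure counts), but the separation of "what is normal for this user" from "what is normal for everyone" is the part that cuts alert volume.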